Deploying just in time (JIT) deceptions at scale in networks

    Publication No.: US12289342B2

    Publication Date: 2025-04-29

    Application No.: US18122074

    Filing Date: 2023-03-15

    Inventor: Vincent E. Parla

    Abstract: Techniques for utilizing a deception service to deploy deceptions at scale in a network, such as, for example, a client network. The deception service may be configured to generate a small number (e.g., 5, 10, 15, etc.) of deceptions of hosts and/or services associated with the network (or emulations of the hosts/services and/or emulations of protocols associated with the hosts/services) and deploy them to a number of deception host computing devices that cover all of the components and/or technologies found in the network. The deception service may map a large number (e.g., 1000, 100,000, 1,000,000, etc.) of IP addresses available in the network to the deceptions, making it appear as though a large number of deceptions exist, when in reality the IP addresses map back to a small number of deceptions. The deception service may assign/unassign IP addresses to and/or from deceptions and/or actual hosts in the network as needed.

    ENFORCING CONDITIONAL ACCESS TO NETWORK SERVICES BASED ON AUTHORIZATION STATUSES ASSOCIATED WITH NETWORK FLOWS

    Publication No.: US20250071111A1

    Publication Date: 2025-02-27

    Application No.: US18453952

    Filing Date: 2023-08-22

    Inventor: Vincent E. Parla

    Abstract: This disclosure describes techniques for enforcing conditional access to network services. In an example method, a first computing device detects a second device operating in a per-flow authorization mode. The first device receives a first request from a second computing device to communicate with a third computing device using a first network flow and determines that the first flow is authorized (e.g., because of an active past authentication and/or the third device's authentication exemption). Data associated with the first request is transmitted to the third device. The first device then receives a second request to communicate with a fourth computing device using a second network flow and determines that the second flow is not authorized (e.g., because it is not associated with an active past authentication and/or the fourth device is not exempt from authentication). Data associated with the second request is not transmitted to the fourth device.

    Automatic encryption for cloud-native workloads

    Publication No.: US12192186B2

    Publication Date: 2025-01-07

    Application No.: US18389417

    Filing Date: 2023-11-14

    Abstract: Techniques for routing service mesh traffic based on whether the traffic is encrypted or unencrypted are described herein. The techniques may include receiving, from a first node of a cloud-based network, traffic that is to be sent to a second node of the cloud-based network and determining whether the traffic is encrypted or unencrypted. If it is determined that the traffic is encrypted, the traffic may be sent to the second node via a service mesh of the cloud-based platform. Alternatively, or additionally, if it is determined that the traffic is unencrypted, the traffic may be sent to the second node via an encrypted tunnel. In some examples, the techniques may be performed at least partially by a program running on the first node of the cloud-based network, such as an extended Berkeley Packet Filter (eBPF) program, and the like.

    USING NON-ROUTABLE ADDRESSING TO REDUCE ATTACK SURFACE IN SECURE ACCESS SYSTEMS

    Publication No.: US20240396938A1

    Publication Date: 2024-11-28

    Application No.: US18368421

    Filing Date: 2023-09-14

    Abstract: Techniques for a client device configured with a kernel driver framework (KDF) to establish connection(s) with target workload(s) provisioned in remote network(s) (e.g., an enterprise network) using non-routable synthetic IP address(es) (e.g., a loopback address within a link-local address range, a unique local address within a discard prefix range, and/or the like). The KDF may intercept DNS requests from application(s) executing on a client device, generate and return a synthetic IP address associated with a given domain in the DNS request, and establish a connection with a secure access gateway using the non-routable synthetic IP address. Additionally, the KDF may invoke an external browser with an authentication redirect to a randomly generated synthetic IP address on a randomly generated port, where a local listener on a client device may listen on the synthetic IP address and random port to obtain and/or store authentication data for later use.

    AUTOTUNING OPTIMAL KEEPALIVE INTERVALS FOR SECURE SESSIONS

    Publication No.: US20240291800A1

    Publication Date: 2024-08-29

    Application No.: US18115374

    Filing Date: 2023-02-28

    CPC classification number: H04L63/0254 H04L63/0272

    Abstract: Techniques for auto-tuning keepalive packet intervals to an optimal interval are described. A remote secure session between a client device and a server over a network is established. A determination is made to identify an optimal keepalive interval for sending packets to keep the remote secure session alive over the network, the optimal keepalive interval defining the amount of time between keepalive packets that keeps a connection open through middleboxes in the network. Keepalive test probes are transmitted by the client device to the server at different time intervals. An optimal keepalive interval is determined based at least in part on the keepalive test probes transmitted at the different intervals. The client device transmits information indicating the optimal keepalive interval to the server. Finally, the client device transmits keepalive packets according to the optimal keepalive interval.

    Policy-based workload orchestration for enterprise networks

    Publication No.: US12063269B2

    Publication Date: 2024-08-13

    Application No.: US18122571

    Filing Date: 2023-03-16

    Abstract: Techniques for operationalizing workloads at edge network nodes, while maintaining centralized intent and policy controls. The techniques may include storing, in a cloud-computing network, a workload image that includes a function capability. The techniques may also include receiving, at the cloud-computing network, a networking policy associated with an enterprise network. Based at least in part on the networking policy, a determination may be made at the cloud-computing network that the function capability is to be operationalized on an edge device of the enterprise network. The techniques may also include sending the workload image to the edge device to be installed on the edge device to operationalize the function capability. In some examples, the function capability may be a security function capability (e.g., proxy, firewall, etc.), a routing function capability (e.g., network address translation, load balancing, etc.), or any other function capability.

    HTTP/3 and HTTP/2 connectivity detection using parallel probes for preferred protocol selection

    Publication No.: US11930069B1

    Publication Date: 2024-03-12

    Application No.: US18115516

    Filing Date: 2023-02-28

    Inventor: Vincent E. Parla

    CPC classification number: H04L67/02 H04L67/2871

    Abstract: Techniques for determining whether HTTP/2 or HTTP/3 is the preferred protocol for communication between a client device and a server over a network are described. A change associated with a network interface of a client device is detected. Based at least in part on detecting the change, a determination is made to identify a preferred communication protocol for the network over which the client device communicates using the network interface. An HTTP/2 probe is transmitted over the network to a server. An HTTP/3 probe is transmitted over the network to the server. In response to not receiving an HTTP/3 probe response, the preferred communication protocol is determined to be HTTP/2. In response to receiving both the HTTP/2 probe response and the HTTP/3 probe response, the preferred communication protocol is determined to be HTTP/3. The client device communicates with the server over the network using the preferred communication protocol.
