-
Publication number: US10382462B2
Publication date: 2019-08-13
Application number: US15221838
Application date: 2016-07-28
Applicant: Cisco Technology, Inc.
Inventor: Jan Jusko, Michal Sofka
Abstract: In one embodiment, a method includes obtaining a set of samples, each of the set of samples including sample values for each of a plurality of variables in a variable space. The method includes receiving, for each of an initial subset of the set of samples, a label for the sample as being either malicious or legitimate; identifying one or more boundaries in the variable space based on the labels and sample values for each of the initial subset; selecting an incremental subset of the unlabeled samples of the set of samples, wherein the incremental subset includes at least one unlabeled sample including sample values further from any of the one or more boundaries than an unlabeled sample that is not included in the incremental subset; and receiving, for each of the incremental subset, a label for the sample as being either malicious or legitimate.
-
Publication number: US20190190928A1
Publication date: 2019-06-20
Application number: US15848150
Application date: 2017-12-20
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson, David McGrew, Vincent E. Parla, Jan Jusko, Martin Grill, Martin Vejman
CPC classification number: H04L63/1416, G06F21/44, G06F21/52, G06F21/55, G06F21/554, H04L9/3242, H04L63/0428, H04L63/0876, H04L63/1425, H04L63/1466
Abstract: In one embodiment, a service receives traffic telemetry data regarding encrypted traffic sent by an endpoint device in a network. The service analyzes the traffic telemetry data to infer characteristics of an application on the endpoint device that generated the encrypted traffic. The service receives, from a monitoring agent on the endpoint device, application telemetry data regarding the application. The service determines that the application is evasive malware based on the characteristics of the application inferred from the traffic telemetry data and on the application telemetry data received from the monitoring agent on the endpoint device. The service initiates performance of a mitigation action in the network, after determining that the application on the endpoint device is evasive malware.
-
Publication number: US10027562B2
Publication date: 2018-07-17
Application number: US14485644
Application date: 2014-09-12
Applicant: Cisco Technology, Inc.
Inventor: Ivan Nikolaev, Martin Grill, Jan Jusko
IPC: G06F15/173, H04L12/26, H04L29/06
Abstract: Detecting network services based on network flow data is disclosed. Using a networking device, network flow data is obtained for a plurality of endpoints of a telecommunications network. Each endpoint of the plurality of endpoints is uniquely described by data comprising an IP address, a port, and a communication protocol. For each endpoint of a set of at least one endpoint selected from the plurality of endpoints, a plurality of peers of the endpoint is determined by detecting communication between the endpoint and the plurality of peers based on the network flow data. For each peer of a set of peers selected from the plurality of peers, a difference between a number of peers of the endpoint and a number of peers of said each peer is determined based on the network flow data. It is determined if the endpoint is a service based on the difference determined for each peer of the set of peers. Network management is performed based on the determination of whether the endpoint is a service.
-
Publication number: US10735441B2
Publication date: 2020-08-04
Application number: US15848150
Application date: 2017-12-20
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson, David McGrew, Vincent E. Parla, Jan Jusko, Martin Grill, Martin Vejman
Abstract: In one embodiment, a service receives traffic telemetry data regarding encrypted traffic sent by an endpoint device in a network. The service analyzes the traffic telemetry data to infer characteristics of an application on the endpoint device that generated the encrypted traffic. The service receives, from a monitoring agent on the endpoint device, application telemetry data regarding the application. The service determines that the application is evasive malware based on the characteristics of the application inferred from the traffic telemetry data and on the application telemetry data received from the monitoring agent on the endpoint device. The service initiates performance of a mitigation action in the network, after determining that the application on the endpoint device is evasive malware.
-
Publication number: US20180034838A1
Publication date: 2018-02-01
Application number: US15221838
Application date: 2016-07-28
Applicant: Cisco Technology, Inc.
Inventor: Jan Jusko, Michal Sofka
CPC classification number: H04L63/1425, G06N5/003, G06N20/00, G06N20/20, H04L63/1416, H04L63/1433, H04L63/20
Abstract: In one embodiment, a method includes obtaining a set of samples, each of the set of samples including sample values for each of a plurality of variables in a variable space. The method includes receiving, for each of an initial subset of the set of samples, a label for the sample as being either malicious or legitimate. The method includes identifying one or more boundaries in the variable space based on the labels and sample values for each of the initial subset. The method includes selecting an incremental subset of the unlabeled samples of the set of samples, wherein the incremental subset includes at least one unlabeled sample including sample values further from any of the one or more boundaries than an unlabeled sample that is not included in the incremental subset. The method includes receiving, for each of the incremental subset, a label for the sample as being either malicious or legitimate.
-
Publication number: US09596321B2
Publication date: 2017-03-14
Application number: US14748281
Application date: 2015-06-24
Applicant: Cisco Technology, Inc.
Inventor: Jan Jusko, Tomas Pevny, Martin Rehak
CPC classification number: H04L63/1441, H04L43/08, H04L61/2007, H04L63/10, H04L63/101, H04L63/1433, H04L63/1458, H04L67/10, H04L67/42
Abstract: In one embodiment, a method includes receiving client-server connection data for clients and servers, the data including IP addresses corresponding to the servers, for each one of a plurality of IP address pairs performing a statistical test to determine whether the IP addresses in the one IP address pair are related by common clients based on the number of the clients connecting to each of the IP addresses in the one IP address pair, generating a graph including a plurality of vertices and edges, each of the vertices corresponding to a different IP address, each edge corresponding to a different IP address pair determined to be related by common clients in the statistical test, and clustering the vertices yielding clusters, a subset of the IP addresses in one of the clusters providing an indication of the IP addresses of the servers serving a same application.
-
Publication number: US20200329059A1
Publication date: 2020-10-15
Application number: US16912471
Application date: 2020-06-25
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson, David McGrew, Vincent E. Parla, Jan Jusko, Martin Grill, Martin Vejman
Abstract: In one embodiment, a service receives traffic telemetry data regarding encrypted traffic sent by an endpoint device in a network. The service analyzes the traffic telemetry data to infer characteristics of an application on the endpoint device that generated the encrypted traffic. The service receives, from a monitoring agent on the endpoint device, application telemetry data regarding the application. The service determines that the application is evasive malware based on the characteristics of the application inferred from the traffic telemetry data and on the application telemetry data received from the monitoring agent on the endpoint device. The service initiates performance of a mitigation action in the network, after determining that the application on the endpoint device is evasive malware.
-
Publication number: US09813442B2
Publication date: 2017-11-07
Application number: US15421447
Application date: 2017-02-01
Applicant: Cisco Technology, Inc.
Inventor: Jan Jusko, Tomas Pevny, Martin Rehak
CPC classification number: H04L63/1441, H04L43/08, H04L61/2007, H04L63/10, H04L63/101, H04L63/1433, H04L63/1458, H04L67/10, H04L67/42
Abstract: In one embodiment, a method includes receiving client-server connection data for clients and servers, the data including IP addresses corresponding to the servers, for each one of a plurality of IP address pairs performing a statistical test to determine whether the IP addresses in the one IP address pair are related by common clients based on the number of the clients connecting to each of the IP addresses in the one IP address pair, generating a graph including a plurality of vertices and edges, each of the vertices corresponding to a different IP address, each edge corresponding to a different IP address pair determined to be related by common clients in the statistical test, and clustering the vertices yielding clusters, a subset of the IP addresses in one of the clusters providing an indication of the IP addresses of the servers serving a same application.
-
Publication number: US09531742B2
Publication date: 2016-12-27
Application number: US15095076
Application date: 2016-04-10
Applicant: Cisco Technology, Inc.
Inventor: Jan Kohout, Jan Jusko, Tomas Pevny, Martin Rehak
IPC: H04L29/06
CPC classification number: H04L63/1425, H04L63/1408, H04L63/1441, H04L63/145, H04L63/1466, H04L63/1491, H04L63/164, H04L63/20
Abstract: In one embodiment, a method, system and apparatus are described for detecting a malicious network connection, the method, system and apparatus including: determining, for each connection over a network, whether the connection is a persistent connection; if, as a result of the determining, a first connection is determined to be a persistent connection, collecting connection statistics for the first connection; creating a feature vector for the first connection based on the collected statistics; performing outlier detection over the feature vectors of all connections over the network which have been determined to be persistent connections; and reporting detected outliers. Related methods, systems and apparatus are also described.
-
Publication number: US11539721B2
Publication date: 2022-12-27
Application number: US16912471
Application date: 2020-06-25
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson, David McGrew, Vincent E. Parla, Jan Jusko, Martin Grill, Martin Vejman
Abstract: In one embodiment, a service receives traffic telemetry data regarding encrypted traffic sent by an endpoint device in a network. The service analyzes the traffic telemetry data to infer characteristics of an application on the endpoint device that generated the encrypted traffic. The service receives, from a monitoring agent on the endpoint device, application telemetry data regarding the application. The service determines that the application is evasive malware based on the characteristics of the application inferred from the traffic telemetry data and on the application telemetry data received from the monitoring agent on the endpoint device. The service initiates performance of a mitigation action in the network, after determining that the application on the endpoint device is evasive malware.