公开(公告)号：US11671447B2

公开(公告)日：2023-06-06

申请号：US17390518

申请日：2021-07-30

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  David McGrew

IPC: H04L9/40

CPC classification number: H04L63/1466 ,  H04L63/0485 ,  H04L63/166 ,  H04L63/30

Abstract: In one embodiment, a device in a network receives traffic sent from a first endpoint. The device sends a padding request to the second endpoint indicative of a number of padding bytes. The device receives a padding response from the second endpoint, after sending the padding request to the second endpoint. The device adjusts the received traffic based on the received padding response by adding one or more frames to the received traffic. The device sends the adjusted traffic to the second endpoint.

公开(公告)号：US11665194B2

公开(公告)日：2023-05-30

申请号：US17395264

申请日：2021-08-05

Applicant: Cisco Technology, Inc.

Inventor： K. Tirumaleswar Reddy ,  Daniel G. Wing ,  Blake Harrell Anderson ,  David McGrew

IPC: H04L9/40 ,  G06N20/00

CPC classification number: H04L63/1458 ,  G06N20/00 ,  H04L63/1425 ,  H04L2463/144

Abstract: In one embodiment, a device in a network receives an attack mitigation request regarding traffic in the network. The device causes an assessment of the traffic, in response to the attack mitigation request. The device determines that an attack detector associated with the attack mitigation request incorrectly assessed the traffic, based on the assessment of the traffic. The device causes an update to an attack detection model of the attack detector, in response to determining that the attack detector incorrectly assessed the traffic.

公开(公告)号：US20230164185A1

公开(公告)日：2023-05-25

申请号：US18095443

申请日：2023-01-10

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  David Arthur McGrew

IPC: H04L9/40 ,  G06F18/22 ,  G06F18/23

CPC classification number: H04L63/166 ,  H04L63/306 ,  G06F18/22 ,  G06F18/23

Abstract: Techniques and mechanisms for using passively collected network data to automatically generate a fingerprint prevalence database without the need for endpoint ground truth. The process first clusters all observations with the same fingerprint string and similar source and destination context. The process then annotates each cluster with descriptive information and uses a rule-based system to derive an informative name from that descriptive information, e.g., “winnt amp client” or “cross-platform browser”. Optionally, the learned database may be augmented by a user to clarify custom process labels. Additionally, the generated database may be used to report the inferred processes in the same way as databases generated with endpoint ground truth.

公开(公告)号：US20230129786A1

公开(公告)日：2023-04-27

申请号：US18088284

申请日：2022-12-23

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  David McGrew ,  Vincent E. Parla ,  Jan Jusko ,  Martin Grill ,  Martin Vejman

IPC: H04L9/40 ,  G06F21/55 ,  H04L9/32 ,  G06F21/44 ,  G06F21/52

Abstract: In one embodiment, a service receives traffic telemetry data regarding encrypted traffic sent by an endpoint device in a network. The service analyzes the traffic telemetry data to infer characteristics of an application on the endpoint device that generated the encrypted traffic. The service receives, from a monitoring agent on the endpoint device, application telemetry data regarding the application. The service determines that the application is evasive malware based on the characteristics of the application inferred from the traffic telemetry data and on the application telemetry data received from the monitoring agent on the endpoint device. The service initiates performance of a mitigation action in the network, after determining that the application on the endpoint device is evasive malware.

公开(公告)号：US11563771B2

公开(公告)日：2023-01-24

申请号：US16693885

申请日：2019-11-25

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  David McGrew

IPC: H04L9/40 ,  G06N20/00 ,  G06N5/04

Abstract: In one embodiment, a telemetry exporter in a network establishes a tunnel between the telemetry exporter and a traffic analysis service. The telemetry exporter obtains packet copies of a plurality of packets sent between devices via the network. The telemetry exporter forms a set of traffic telemetry data by discarding at least a portion of one or more of the packet copies, based on a filter policy. The telemetry exporter applies compression to the formed set of traffic telemetry data. The telemetry exporter sends, via the tunnel, the compressed set of traffic telemetry data to the traffic analysis service for analysis.

公开(公告)号：US20220350913A1

公开(公告)日：2022-11-03

申请号：US17860217

申请日：2022-07-08

Applicant: Cisco Technology, Inc.

Inventor： Chris Allen Shenefiel ,  Robert Waitman ,  David McGrew ,  Blake Harrell Anderson

IPC: G06F21/62 ,  G06N20/00

Abstract: In one embodiment, a traffic analysis service that monitors a network obtains file metadata regarding an electronic file. The traffic analysis service determines a sensitivity score for the electronic file based on the file metadata. The traffic analysis service detects the electronic file within traffic in the network. The traffic analysis service causes performance of a mitigation action regarding the detection of the electronic file within the traffic, based on the sensitivity score of the electronic file.

公开(公告)号：US20220239678A1

公开(公告)日：2022-07-28

申请号：US17722131

申请日：2022-04-15

Applicant: Cisco Technology, Inc.

Inventor： Martin Rehak ,  David McGrew ,  Blake Harrell Anderson ,  Scott William Dunlop

IPC: H04L9/40

Abstract: In one embodiment, a traffic inspection service executed by an intermediary device obtains, from a monitoring agent executed by an endpoint device, keying information for an encrypted traffic session between the endpoint device and a remote entity. The traffic inspection service provides a notification to the monitoring agent that acknowledges receipt of the keying information. The traffic inspection service uses the keying information to decrypt encrypted traffic from the encrypted traffic session. The traffic inspection service applies a policy to the encrypted traffic session between the endpoint device and the remote entity, based on the decrypted traffic from the session.

公开(公告)号：US20220210183A1

公开(公告)日：2022-06-30

申请号：US17696081

申请日：2022-03-16

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Blake Harrell Anderson ,  Daniel G. Wing ,  Flemming Andreasen

IPC: H04L9/40 ,  H04L61/4511

Abstract: In one embodiment, a device in a network captures domain name system (DNS) response data from a DNS response sent by a DNS service to a client in the network. The device captures session data for an encrypted session of the client. The device makes a determination that the encrypted session is malicious by using the captured DNS response data and the captured session data as input to a machine learning-based or rule-based classifier. The device performs a mediation action in response to the determination that the encrypted session is malicious.

公开(公告)号：US11303574B2

公开(公告)日：2022-04-12

申请号：US16910380

申请日：2020-06-24

Applicant: Cisco Technology, Inc.

Inventor： Michael Joseph Stepanek ,  Costas Kleopa ,  David McGrew ,  Blake Harrell Anderson ,  Saravanan Radhakrishnan

IPC: H04L12/851 ,  H04L47/2441 ,  H04L47/2483 ,  H04L47/25 ,  H04L47/2475 ,  H04L49/35 ,  H04L29/06 ,  H04W12/12 ,  H04W12/122 ,  H04W12/128

Abstract: In one embodiment, a networking device in a network detects an traffic flow conveyed in the network via the networking device. The networking device generates flow data for the traffic flow. The networking device performs a classification of the traffic flow using the flow data as input to a machine learning-based classifier. The networking device performs a mediation action based on the classification of the traffic flow.

公开(公告)号：US11140124B2

公开(公告)日：2021-10-05

申请号：US16722464

申请日：2019-12-20

Applicant: Cisco Technology, Inc.

Inventor： K. Tirumaleswar Reddy ,  David McGrew ,  Blake Harrell Anderson ,  Daniel G. Wing

IPC: H04L29/12 ,  H04L29/08 ,  H04L29/06 ,  H04L12/851

Abstract: In one embodiment, a device in a network receives domain name system (DNS) information for a domain. The DNS information includes one or more service tags indicative of one or more services offered by the domain. The device detects an encrypted traffic flow associated with the domain. The device identifies a service associated with the encrypted traffic flow based on the one or more service tags. The device prioritizes the encrypted traffic flow based on the identified service associated with the encrypted traffic flow.