-
Publication No.: US20240314167A1
Publication date: 2024-09-19
Application No.: US18122074
Filing date: 2023-03-15
Applicant: Cisco Technology, Inc.
Inventor: Vincent E. Parla
IPC: H04L9/40
CPC classification number: H04L63/1491 , H04L63/20
Abstract: Techniques for utilizing a deception service to deploy deceptions at scale in a network, such as, for example, a client network. The deception service may be configured to generate a small number (e.g., 5, 10, 15, etc.) of deceptions of hosts and/or services associated with the network (or emulations of the hosts/services and/or emulations of protocols associated with the hosts/services) and deploy them to a number of deception host computing devices that cover all of the components and/or technologies found in the network. The deception service may map a large number (e.g., 1000, 100,000, 1,000,000, etc.) of IP addresses available in the network to the deceptions, making it appear as though a large number of deceptions exist, when in reality the IP addresses map back to a small number of deceptions. The deception service may assign/unassign IP addresses to and/or from deceptions and/or actual hosts in the network as needed.
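The many-to-few address mapping described in the abstract, as an added example that is not Cisco's code and is not taken from the patent. It assumes deceptions are identified by a name string, that the network is an IPv4 CIDR block, and that a lookup on the destination address is enough to pick the deception that should answer; the round-robin assignment, the reserve list for real hosts and the method names are all assumptions made for illustration.

```python
"""Added example: map a large IP range onto a handful of deceptions.

Not from the patent. Assumptions: deceptions are keyed by name, the network is an
IPv4 CIDR string, and real hosts are carved out of the range by explicit reservation.
"""
import ipaddress
from typing import Dict, Iterable, Optional, Set


class DeceptionService:
    """Keeps the IP -> deception table that makes a few emulators look like thousands of hosts."""

    def __init__(self, deceptions: Dict[str, str]) -> None:
        if not deceptions:
            raise ValueError("need at least one deception")
        self.deceptions = dict(deceptions)          # name -> emulated host/service description
        self._names = list(self.deceptions)
        self.ip_to_deception: Dict[str, str] = {}   # the large many-to-few table
        self.real_hosts: Set[str] = set()           # addresses that belong to real hosts

    def deploy(self, cidr: str, reserve: Iterable[str] = ()) -> int:
        """Assign every usable address in `cidr` to a deception, round-robin,
        skipping reserved (real) hosts. Returns the number of addresses mapped."""
        self.real_hosts.update(reserve)
        net = ipaddress.ip_network(cidr, strict=False)
        mapped = 0
        for ip in net.hosts():
            addr = str(ip)
            if addr in self.real_hosts or addr in self.ip_to_deception:
                continue
            self.ip_to_deception[addr] = self._names[mapped % len(self._names)]
            mapped += 1
        return mapped

    def assign_to_real_host(self, ip: str) -> None:
        """A real host now owns this address: stop answering for it as a deception."""
        self.ip_to_deception.pop(ip, None)
        self.real_hosts.add(ip)

    def release_from_real_host(self, ip: str, deception: str) -> None:
        """The real host left: hand the address back to a deception."""
        if deception not in self.deceptions:
            raise KeyError(deception)
        self.real_hosts.discard(ip)
        self.ip_to_deception[ip] = deception

    def handle(self, dst_ip: str) -> Optional[str]:
        """Which deception answers traffic sent to dst_ip (None if the address is not a decoy)."""
        return self.ip_to_deception.get(dst_ip)

    def apparent_size(self) -> int:
        """How many decoys an attacker scanning the range would see."""
        return len(self.ip_to_deception)

    def stats(self) -> Dict[str, int]:
        """Addresses currently backed by each deception."""
        counts = {name: 0 for name in self._names}
        for name in self.ip_to_deception.values():
            counts[name] += 1
        return counts


if __name__ == "__main__":
    svc = DeceptionService({"dec-ssh": "ssh emulator", "dec-smb": "smb emulator", "dec-http": "http emulator"})
    svc.deploy("10.0.0.0/24", reserve=["10.0.0.1", "10.0.0.254"])   # gateway and a real server
    print(svc.apparent_size(), "decoy addresses backed by", len(svc.deceptions), "deceptions")
    print("10.0.0.2 ->", svc.handle("10.0.0.2"))
```

The point to check in a real deployment is the unassign path: when a real host is given an address that was a decoy, the deception must stop answering for it immediately, otherwise legitimate traffic is swallowed by the emulator.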
-
Publication No.: US20240314115A1
Publication date: 2024-09-19
Application No.: US18122065
Filing date: 2023-03-15
Applicant: Cisco Technology, Inc.
Inventor: Vincent E. Parla
IPC: H04L9/40
CPC classification number: H04L63/0823 , H04L63/0281 , H04L63/0428
Abstract: Techniques for establishing a zero-trust network access (ZTNA) connection between a client device and a target resource of an enterprise network via a chain of authorization nodes. The chain of authorization nodes may comprise one or more nodes configured as a proxy, a relay, and/or the like. Each of the nodes may be associated with an authorization requirement that is to be satisfied before the next node in the authorization chain is reached. Once the target resource is reached, an authentication may be performed to authenticate the user of the client device with the target resource. The authorization credentials may be carried in a packet having encryption layers comprising the individual authorization credentials, as metadata in an encapsulated credential chain, and/or in blocks of a ledger associated with a blockchain network.
-
Publication No.: US20240291893A1
Publication date: 2024-08-29
Application No.: US18373724
Filing date: 2023-09-27
Applicant: Cisco Technology, Inc.
Inventor: Vincent E. Parla
IPC: H04L67/141 , H04L9/40 , H04L67/146
CPC classification number: H04L67/141 , H04L63/0272 , H04L67/146
Abstract: Techniques for creating in/out App Connectors for secure access solutions without the need for STUN, TURN, and/or a long-lived control plane component. The techniques may include, among other things, establishing, by an App Connector associated with a workload hosted by an enterprise network, a pool of idle sessions between the App Connector and a termination node associated with the enterprise network. The techniques may also include determining, by the App Connector, that a first idle session of the pool of idle sessions has been consumed by the termination node to establish a communication session for a client device to communicate with the workload. Based at least in part on determining that the first idle session has been consumed, the techniques may include establishing, by the App Connector, a second idle session to be added to the pool of idle sessions between the App Connector and the termination node.
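The idle-session pool from the abstract, simulated as an added example (not Cisco's code, not from the patent). It assumes the App Connector only ever dials outbound to the termination node, that the termination node consumes the oldest idle session when a client arrives, and that the connector notices consumption by reconciling its own session table against the node; the class and method names, the pool size and the session IDs are assumptions for illustration.

```python
"""Added example: an App Connector that pre-dials a pool of idle sessions to a
termination node and tops the pool up each time one is consumed.

Not from the patent. Assumptions: outbound-only dialing from the connector (so no
inbound listener, STUN or TURN is needed), FIFO consumption at the node, and a
reconcile step instead of a long-lived control channel.
"""
import itertools
from collections import deque
from typing import Deque, Dict, List, Optional


class TerminationNode:
    """Cloud-side node. Holds idle sessions the connector dialed to it and
    hands one to each client that wants to reach the workload."""

    def __init__(self) -> None:
        self.idle: Deque[str] = deque()
        self.active: Dict[str, str] = {}      # session id -> client id

    def accept(self, session_id: str) -> None:
        self.idle.append(session_id)

    def connect_client(self, client_id: str) -> Optional[str]:
        """Consume an idle session for the client; None means the pool is drained."""
        if not self.idle:
            return None
        session_id = self.idle.popleft()
        self.active[session_id] = client_id
        return session_id


class AppConnector:
    """Enterprise-side connector next to the workload."""

    def __init__(self, node: TerminationNode, pool_size: int = 3) -> None:
        self.node = node
        self.pool_size = pool_size
        self._ids = itertools.count(1)
        self.sessions: Dict[str, str] = {}    # session id -> "idle" | "active"
        self.dials = 0                        # outbound connections made

    def _dial(self) -> str:
        """Open one outbound session to the termination node and leave it idle."""
        session_id = f"sess-{next(self._ids)}"
        self.sessions[session_id] = "idle"
        self.dials += 1
        self.node.accept(session_id)
        return session_id

    def idle_count(self) -> int:
        return sum(1 for state in self.sessions.values() if state == "idle")

    def fill(self) -> None:
        """Bring the idle pool back up to pool_size."""
        while self.idle_count() < self.pool_size:
            self._dial()

    def reconcile(self) -> List[str]:
        """Detect sessions the node has consumed, mark them active, and replace
        each with a fresh idle session. Returns the ids that were consumed."""
        consumed = [sid for sid, state in self.sessions.items()
                    if state == "idle" and sid in self.node.active]
        for sid in consumed:
            self.sessions[sid] = "active"
        self.fill()
        return consumed


if __name__ == "__main__":
    node = TerminationNode()
    connector = AppConnector(node, pool_size=3)
    connector.fill()
    print("client alice got", node.connect_client("alice"))
    print("consumed:", connector.reconcile(), "idle now:", connector.idle_count())
```

The failure mode worth testing is a burst: if more clients arrive between two reconciles than the pool holds, `connect_client` returns None and the client must retry, so the pool size has to be sized against the expected connection rate and the reconcile interval.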
-
Publication No.: US12052329B2
Publication date: 2024-07-30
Application No.: US18198124
Filing date: 2023-05-16
Applicant: Cisco Technology, Inc.
Inventor: Vincent E. Parla , Kyle Andrew Donald Mestery
IPC: H04L67/63 , H04L45/74 , H04L47/2475 , H04L67/1001
CPC classification number: H04L67/63 , H04L45/74 , H04L47/2475 , H04L67/1001
Abstract: Techniques for using computer networking protocol extensions to route control-plane traffic and data-plane traffic associated with a common application are described herein. For instance, a traffic flow associated with an application may be established such that control-plane traffic is sent to a control-plane node associated with the application and data-plane traffic is sent to a data-plane node associated with the application. When a client device sends an authentication request to connect to the application, the control-plane node may send an indication of a hostname to be used by the client device to send data-plane traffic to the data-plane node. As such, when a packet including the hostname corresponding to the data-plane node is received, the packet may be forwarded to the data-plane node.
-
Publication No.: US20240080313A1
Publication date: 2024-03-07
Application No.: US17902201
Filing date: 2022-09-02
Applicant: Cisco Technology, Inc.
Inventor: Vincent E. Parla , Kyle Andrew Donald Mestery
IPC: H04L9/40
CPC classification number: H04L63/083 , H04L63/0272 , H04L63/0281
Abstract: Techniques for combining independent sessions between application(s) and a VPN, proxy service, or similar system, including inner protocol sessions (e.g., such as QUIC, etc.), coming from a single device to form a single logical session, where the single logical session could share a single authentication/authorization token are described. The techniques include receiving, from a device within a network, a request for a first application to access a service associated with the proxy service or the VPN, sending, to the device, a first authentication request, and receiving, from the device, a message including a token. The techniques may further include authenticating, by the proxy service or the VPN, the token using a unique identifier associated with the device and enabling, by the proxy service or the VPN, the device to access the service via a first session flow.
-
Publication No.: US20240028742A1
Publication date: 2024-01-25
Application No.: US18084045
Filing date: 2022-12-19
Applicant: Cisco Technology, Inc.
Inventor: Andrew Zawadowskiy , Vincent E. Parla , Oleg Bessonov
CPC classification number: G06F21/577 , G06F8/75 , G06F8/433 , G06F2221/033
Abstract: Techniques and systems described herein relate to monitoring executions of computer instructions on computing devices based on learning and generating a control flow directed graph. The techniques and systems include determining a learned control flow diagram for a process on a computing system and monitoring execution of the process on the computing system using the control flow diagram. An unobserved transition is determined based on the learned control flow diagram and the unobserved transition is classified as safe or unsafe based on a monitoring component analysis. An action is performed based on the safety classification and the learned control flow diagram.
-
Publication No.: US20240028709A1
Publication date: 2024-01-25
Application No.: US18084065
Filing date: 2022-12-19
Applicant: Cisco Technology, Inc.
Inventor: Andrew Zawadowskiy , Oleg Bessonov , Vincent E. Parla
CPC classification number: G06F21/54 , G06F21/552
Abstract: Techniques and systems described herein relate to monitoring executions of computer instructions on computing devices based on learning and generating a control flow directed graph. The techniques and systems include determining a learned control flow directed graph for a process executed on the computing system. A system call is identified during execution of the process, as well as a predetermined number of transitions leading to the system call. The validity of the transitions leading to the system call is determined based on the learned control flow directed graph, and the computing system may perform an action based on the validity.
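One block serving both of the control-flow abstracts above (US20240028742A1, unobserved transitions classified safe or unsafe; US20240028709A1, the last k transitions before a system call checked against the learned graph), as an added example that is neither Cisco's code nor from the patents. It assumes execution is observed as a sequence of basic-block identifiers, that system calls appear as blocks named `syscall:<name>`, and that the safe/unsafe classification is a simple heuristic of my own (the patent's "monitoring component analysis" is not specified here): an unobserved edge landing on a block that was itself seen in learning is treated as safe, while an edge to a never-seen block or directly into a system call is unsafe. The traces are constructed.

```python
"""Added example: learn a control-flow directed graph from traces, then monitor
new traces for unobserved transitions and for system calls reached via invalid paths.

Not from the patents. Assumptions: basic blocks are strings, syscalls are blocks
prefixed "syscall:", and the safe/unsafe heuristic is the author's own.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

SYSCALL_PREFIX = "syscall:"


class LearnedCFG:
    """Directed graph of (src -> dst) block transitions observed while learning."""

    def __init__(self) -> None:
        self.edges: Dict[str, Set[str]] = defaultdict(set)
        self.nodes: Set[str] = set()

    def learn(self, trace: Iterable[str]) -> None:
        prev = None
        for block in trace:
            self.nodes.add(block)
            if prev is not None:
                self.edges[prev].add(block)
            prev = block

    def observed(self, src: str, dst: str) -> bool:
        return dst in self.edges.get(src, set())


def classify_unobserved(cfg: LearnedCFG, src: str, dst: str) -> str:
    """Assumed heuristic: a jump into an unknown block or straight into a syscall
    is 'unsafe'; an unexercised edge between known, non-syscall blocks is 'safe'."""
    if dst.startswith(SYSCALL_PREFIX) or dst not in cfg.nodes:
        return "unsafe"
    return "safe"


def monitor(cfg: LearnedCFG, trace: List[str], k: int = 3) -> List[Tuple[str, str]]:
    """Walk a trace and return (finding, detail) pairs.

    Two checks run per step: any transition absent from the learned graph is
    reported with its classification, and each syscall requires the k
    transitions leading to it to all be learned edges."""
    findings: List[Tuple[str, str]] = []
    for i in range(1, len(trace)):
        src, dst = trace[i - 1], trace[i]
        if not cfg.observed(src, dst):
            findings.append((f"unobserved-{classify_unobserved(cfg, src, dst)}", f"{src}->{dst}"))
        if dst.startswith(SYSCALL_PREFIX):
            window = trace[max(0, i - k): i + 1]
            if not all(cfg.observed(a, b) for a, b in zip(window, window[1:])):
                findings.append(("syscall-invalid-path", "->".join(window)))
    return findings


def decide(findings: List[Tuple[str, str]]) -> str:
    """Map findings to an action: block on unsafe evidence, alert on benign drift."""
    kinds = {kind for kind, _ in findings}
    if "syscall-invalid-path" in kinds or "unobserved-unsafe" in kinds:
        return "block"
    if "unobserved-safe" in kinds:
        return "alert"
    return "allow"


# Constructed learning traces for a toy program: parse args, open/read/close a file, or print usage.
LEARNING_TRACES = [
    ["main", "parse", "check", "syscall:open", "read", "syscall:close", "exit"],
    ["main", "parse", "usage", "exit"],
]


def build_cfg() -> LearnedCFG:
    cfg = LearnedCFG()
    for trace in LEARNING_TRACES:
        cfg.learn(trace)
    return cfg


if __name__ == "__main__":
    cfg = build_cfg()
    hijacked = ["main", "parse", "check", "gadget", "syscall:open"]   # constructed: a block never seen in learning
    for finding in monitor(cfg, hijacked):
        print(*finding)
    print("action:", decide(monitor(cfg, hijacked)))
```

The window check is what catches a control-flow hijack that reaches a legitimate syscall site: the syscall block itself is known, but the `check->gadget->syscall:open` path was never learned, so the syscall is rejected even though it is one the program normally makes.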
-
Publication No.: US11824845B2
Publication date: 2023-11-21
Application No.: US17513062
Filing date: 2021-10-28
Applicant: Cisco Technology, Inc.
Inventor: Kyle Andrew Donald Mestery , Vincent E. Parla
CPC classification number: H04L63/0485 , H04L12/4633 , H04L63/0236 , H04L63/166
Abstract: Techniques for routing service mesh traffic based on whether the traffic is encrypted or unencrypted are described herein. The techniques may include receiving, from a first node of a cloud-based network, traffic that is to be sent to a second node of the cloud-based network and determining whether the traffic is encrypted or unencrypted. If it is determined that the traffic is encrypted, the traffic may be sent to the second node via a service mesh of the cloud-based network. Alternatively, or additionally, if it is determined that the traffic is unencrypted, the traffic may be sent to the second node via an encrypted tunnel. In some examples, the techniques may be performed at least partially by a program running on the first node of the cloud-based network, such as an extended Berkeley Packet Filter (eBPF) program, and the like.
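The encrypted-or-not decision from the abstract, as an added example in Python rather than eBPF (it is not Cisco's code and not from the patent). It assumes "encrypted" means the first bytes of the flow form a well-formed TLS record (content type, version, length, and a ClientHello/ServerHello handshake type), that anything not positively recognised is treated as plaintext and sent through the tunnel, and that the two path names are placeholders; the sample payloads are constructed.

```python
"""Added example: classify the first TCP payload of a flow as TLS or not and
pick the service-mesh path for TLS, the encrypted tunnel for everything else.

Not from the patent; a user-space stand-in for the eBPF check it describes.
Assumption: TLS record framing is the evidence of encryption; unknown framing
fails closed to the tunnel.
"""
from typing import Dict

TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}   # change_cipher_spec, alert, handshake, application_data
TLS_MAX_RECORD = 2 ** 14 + 2048                 # upper bound on the record length field
HANDSHAKE_HELLO_TYPES = (0x01, 0x02)            # ClientHello, ServerHello


def looks_like_tls_record(payload: bytes) -> bool:
    """Check TLS record framing: type, major version 3, plausible length, and,
    for a handshake record, a hello message type as the first flight of a flow."""
    if len(payload) < 5:
        return False
    ctype, major, minor = payload[0], payload[1], payload[2]
    length = int.from_bytes(payload[3:5], "big")
    if ctype not in TLS_CONTENT_TYPES or major != 0x03 or minor > 0x04:
        return False
    if length == 0 or length > TLS_MAX_RECORD:
        return False
    if ctype == 0x16 and len(payload) >= 6 and payload[5] not in HANDSHAKE_HELLO_TYPES:
        return False
    return True


def classify(payload: bytes) -> str:
    return "encrypted" if looks_like_tls_record(payload) else "unencrypted"


def choose_path(payload: bytes) -> str:
    """Fail closed: only positively identified TLS rides the mesh as-is."""
    return "service-mesh" if classify(payload) == "encrypted" else "encrypted-tunnel"


def route(src: str, dst: str, payload: bytes) -> Dict[str, str]:
    """Routing decision for one flow between two nodes of the cluster."""
    return {"src": src, "dst": dst, "classification": classify(payload), "path": choose_path(payload)}


# Constructed sample payloads (first bytes of a flow).
TLS_CLIENT_HELLO = (
    b"\x16\x03\x01\x00\x2d"          # handshake record, TLS 1.0 record version, 45-byte body
    b"\x01\x00\x00\x29\x03\x03"      # ClientHello, 41-byte body, client version TLS 1.2
    + bytes(32)                      # client random
    + b"\x00\x00\x02\x13\x01\x01\x00"  # no session id, one suite (TLS_AES_128_GCM_SHA256), null compression
)
HTTP_GET = b"GET /admin HTTP/1.1\r\nHost: payments.svc\r\n\r\n"
SPOOFED_HEADER = b"\x16\x03\x01\xff\xff\x01" + b"A" * 10   # TLS-looking bytes with an impossible length
EMPTY = b""

if __name__ == "__main__":
    for name, payload in [("tls", TLS_CLIENT_HELLO), ("http", HTTP_GET), ("spoofed", SPOOFED_HEADER), ("empty", EMPTY)]:
        print(name, route("web-1", "payments-3", payload))
```

This only verifies framing, so a peer that deliberately wraps plaintext in a valid-looking TLS record header can steer its flow onto the mesh path; the check is a routing hint, and the mesh sidecars still need to enforce mTLS for that path to be safe.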
-
Publication No.: US20230370424A1
Publication date: 2023-11-16
Application No.: US18113248
Filing date: 2023-02-23
Applicant: Cisco Technology, Inc.
Inventor: Vincent E. Parla , Cullen Frishman Jennings
IPC: H04L9/40
CPC classification number: H04L63/0236 , H04L63/0281 , H04L63/0435
Abstract: Techniques for creating an optimal and secure data plane based on network constraints. The techniques may include establishing an initial networking connection for a data flow between a client device and a resource such that data plane traffic of the data flow is routed through a relay node disposed between the client device and the resource. In some examples, the techniques may include determining, using a Session Traversal Utilities for Network Address Translators (STUN) server, an alternate networking connection for the data flow that bypasses the relay node. Based at least in part on a determination that the alternate networking connection is a more optimal path for the data plane traffic than the initial networking connection, the techniques may include causing the data plane traffic of the data flow to be routed over the alternate networking connection.
-
Publication No.: US20230269305A1
Publication date: 2023-08-24
Application No.: US17679499
Filing date: 2022-02-24
Applicant: Cisco Technology, Inc.
Inventor: Kyle Andrew Donald Mestery , Vincent E. Parla
IPC: H04L67/56
CPC classification number: H04L67/28
Abstract: Techniques for operationalizing workloads at edge network nodes, while maintaining centralized intent and policy controls. The techniques may include storing, in a cloud-computing network, a workload image that includes a function capability. The techniques may also include receiving, at the cloud-computing network, a networking policy associated with an enterprise network. Based at least in part on the networking policy, a determination may be made at the cloud-computing network that the function capability is to be operationalized on an edge device of the enterprise network. The techniques may also include sending the workload image to the edge device to be installed on the edge device to operationalize the function capability. In some examples, the function capability may be a security function capability (e.g., proxy, firewall, etc.), a routing function capability (e.g., network address translation, load balancing, etc.), or any other function capability.
-