-
Publication No.: US11140124B2
Publication date: 2021-10-05
Application No.: US16722464
Filing date: 2019-12-20
Applicant: Cisco Technology, Inc.
Inventor: K. Tirumaleswar Reddy, David McGrew, Blake Harrell Anderson, Daniel G. Wing
IPC: H04L29/12, H04L29/08, H04L29/06, H04L12/851
Abstract: In one embodiment, a device in a network receives domain name system (DNS) information for a domain. The DNS information includes one or more service tags indicative of one or more services offered by the domain. The device detects an encrypted traffic flow associated with the domain. The device identifies a service associated with the encrypted traffic flow based on the one or more service tags. The device prioritizes the encrypted traffic flow based on the identified service associated with the encrypted traffic flow.
-
Publication No.: US20210297454A1
Publication date: 2021-09-23
Application No.: US17330641
Filing date: 2021-05-26
Applicant: Cisco Technology, Inc.
Inventor: Brian E. Weis, Blake Harrell Anderson, Rashmikant B. Shah, David McGrew
Abstract: In one embodiment, a device in a network receives an access policy and a class behavioral model for a node in the network that are associated with a class asserted by the node. The device applies the access policy and class behavioral model to traffic associated with the node. The device identifies a deviation in a behavior of the node from the class behavioral model, based on the application of the class behavioral model to the traffic associated with the node. The device causes performance of a mitigation action in the network based on the identified deviation in the behavior of the node from the class behavioral model.
-
Publication No.: US11108810B2
Publication date: 2021-08-31
Application No.: US16869726
Filing date: 2020-05-08
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson, David McGrew, Subharthi Paul, Ivan Nikolaev, Martin Grill
Abstract: In one embodiment, a device in a network receives certificate data for an encrypted traffic flow associated with a client node in the network. The device determines one or more data features from the certificate data. The device determines one or more flow characteristics of the encrypted traffic flow. The device performs a classification of an application executed by the client node and associated with the encrypted traffic flow by using a machine learning-based classifier to assess the one or more data features from the certificate data and the one or more flow characteristics of the traffic flow. The device causes performance of a network action based on a result of the classification of the application.
-
Publication No.: US11038893B2
Publication date: 2021-06-15
Application No.: US15595016
Filing date: 2017-05-15
Applicant: Cisco Technology, Inc.
Inventor: Brian E. Weis, Blake Harrell Anderson, Rashmikant B. Shah, David McGrew
Abstract: In one embodiment, a device in a network receives an access policy and a class behavioral model for a node in the network that are associated with a class asserted by the node. The device applies the access policy and class behavioral model to traffic associated with the node. The device identifies a deviation in a behavior of the node from the class behavioral model, based on the application of the class behavioral model to the traffic associated with the node. The device causes performance of a mitigation action in the network based on the identified deviation in the behavior of the node from the class behavioral model.
-
Publication No.: US11025654B2
Publication date: 2021-06-01
Application No.: US16450164
Filing date: 2019-06-24
Applicant: Cisco Technology, Inc.
Inventor: David McGrew, Blake Harrell Anderson
IPC: H04L29/06, H04L12/851, G06N20/00, H04L29/08
Abstract: In one embodiment, a device in a network receives telemetry data regarding a traffic flow in the network. One or more features in the telemetry data are individually compressed. The device extracts the one or more individually compressed features from the received telemetry data. The device performs a lookup of one or more classifier inputs from an index of classifier inputs using the one or more individually compressed features from the received telemetry data. The device classifies the traffic flow by inputting the one or more classifier inputs to a machine learning-based classifier.
-
Publication No.: US10728280B2
Publication date: 2020-07-28
Application No.: US15245886
Filing date: 2016-08-24
Applicant: Cisco Technology, Inc.
Inventor: K. Tirumaleswar Reddy, Daniel G. Wing, Blake Harrell Anderson, David McGrew
Abstract: In one embodiment, a device in a network receives an attack mitigation request regarding traffic in the network. The device causes an assessment of the traffic, in response to the attack mitigation request. The device determines that an attack detector associated with the attack mitigation request incorrectly assessed the traffic, based on the assessment of the traffic. The device causes an update to an attack detection model of the attack detector, in response to determining that the attack detector incorrectly assessed the traffic.
-
Publication No.: US20200159947A1
Publication date: 2020-05-21
Application No.: US16196035
Filing date: 2018-11-20
Applicant: Cisco Technology, Inc.
Inventor: Chris Allen Shenefiel, Robert Waitman, David McGrew, Blake Harrell Anderson
Abstract: In one embodiment, a traffic analysis service that monitors a network obtains file metadata regarding an electronic file. The traffic analysis service determines a sensitivity score for the electronic file based on the file metadata. The traffic analysis service detects the electronic file within traffic in the network. The traffic analysis service causes performance of a mitigation action regarding the detection of the electronic file within the traffic, based on the sensitivity score of the electronic file.
-
Publication No.: US20200067972A1
Publication date: 2020-02-27
Application No.: US16669831
Filing date: 2019-10-31
Applicant: Cisco Technology, Inc.
Inventor: David McGrew, Blake Harrell Anderson, Daniel G. Wing, Flemming Andreasen
Abstract: In one embodiment, a device in a network captures domain name system (DNS) response data from a DNS response sent by a DNS service to a client in the network. The device captures session data for an encrypted session of the client. The device makes a determination that the encrypted session is malicious by using the captured DNS response data and the captured session data as input to a machine learning-based or rule-based classifier. The device performs a mediation action in response to the determination that the encrypted session is malicious.
-
Publication No.: US20190312894A1
Publication date: 2019-10-10
Application No.: US16450164
Filing date: 2019-06-24
Applicant: Cisco Technology, Inc.
Inventor: David McGrew, Blake Harrell Anderson
IPC: H04L29/06, G06N20/00, H04L12/851
Abstract: In one embodiment, a device in a network receives telemetry data regarding a traffic flow in the network. One or more features in the telemetry data are individually compressed. The device extracts the one or more individually compressed features from the received telemetry data. The device performs a lookup of one or more classifier inputs from an index of classifier inputs using the one or more individually compressed features from the received telemetry data. The device classifies the traffic flow by inputting the one or more classifier inputs to a machine learning-based classifier.
-
Publication No.: US20190253319A1
Publication date: 2019-08-15
Application No.: US15892951
Filing date: 2018-02-09
Applicant: Cisco Technology, Inc.
Inventor: Panagiotis Theodorou Kampanakis, Blake Harrell Anderson, Brian E. Weis, Charles Calvin Byers, M. David Hanes, Joseph Michael Clarke, Gonzalo Salgueiro
CPC classification number: H04L41/0893, G06N5/025, H04L41/0816, H04L43/08
Abstract: In one embodiment, a classification device in a computer network analyzes data from a given device in the computer network, and classifies the given device as a particular type of device based on the data. The classification device may then determine whether a manufacturer usage description (MUD) policy exists for the particular type of device. In response to there being no existing MUD policy for the particular type of device, the classification device may then determine patterns of the analyzed data, classify the patterns into context-based policies, and generate a derived MUD policy for the particular type of device based on the context-based policies. The classification device may then apply one of either the existing or derived MUD policy for the given device within the computer network.