公开(公告)号：US11316871B2

公开(公告)日：2022-04-26

申请号：US15891708

申请日：2018-02-08

Applicant: Cisco Technology, Inc.

Inventor： Santosh Ramrao Patil ,  Gangadharan Byju Pularikkal ,  David McGrew ,  Blake Harrell Anderson ,  Madhusudan Nanjanagud

IPC: H04W28/00 ,  H04L29/06 ,  H04L43/04 ,  H04L69/16 ,  H04W24/00 ,  H04W24/08

Abstract: Methods and systems to estimate encrypted multi-path TCP (MPTCP) network traffic include restricting traffic in a first direction (e.g., uplink) to a single path, and estimating traffic of multiple subflows of a second direction (e.g., downlink) based on traffic over the single path of the first direction. The estimating may be based on, without limitation, acknowledgment information of the single path, a sequence of acknowledgment numbers of the single path, an unencrypted initial packet sent over the single path as part of a secure tunnel setup procedure, TCP header information of the unencrypted initial packet (e.g., sequence number, acknowledgment packet, and/or acknowledgment packet length), and/or metadata of packets of the single path (e.g., regarding cryptographic algorithms, Diffie-Helman groups, and/or certificate related data).

公开(公告)号：US11223653B2

公开(公告)日：2022-01-11

申请号：US16512474

申请日：2019-07-16

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  David McGrew ,  Keith Richard Schomburg

IPC: H04L29/06 ,  G06K9/62 ,  H04L9/12

Abstract: In one embodiment, a device obtains telemetry data regarding an encrypted traffic session in a network. The telemetry data includes Transport Layer Security (TLS) features of the traffic session and auxiliary information indicative of a destination address of the traffic session, a destination port of the traffic session, or a server name associated with the traffic session. The device retrieves, using the obtained telemetry data, a plurality of candidate processes from a TLS fingerprint database that relates processes with telemetry data from encrypted traffic sessions initiated by those processes. The device uses a probabilistic model to assign probabilities to each of the plurality of candidate processes. The device identifies one of the plurality of candidate processes as having initiated the encrypted traffic session based on its assigned probability.

公开(公告)号：US11057420B2

公开(公告)日：2021-07-06

申请号：US16370853

申请日：2019-03-29

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Andrew Zawadowskiy ,  Donovan O'Hara ,  Saravanan Radhakrishnan ,  Tomas Pevny ,  Daniel G. Wing

IPC: H04L29/06

Abstract: A method comprises receiving, at a network infrastructure device, a flow of packets, determining, using the network infrastructure device and for a first subset of the packets, that the first subset corresponds to a first datagram and determining a first length of the first datagram, determining, using the network infrastructure device and for a second subset of the packets, that the second subset corresponds to a second datagram that was received after the first datagram, and determining a second length of the second datagram, determining, using the network infrastructure device, a duration value between a first arrival time of the first datagram and a second arrival time of the second datagram, sending, to a collector device that is separate from the network infrastructure device, the first length, the second length, and the duration value for analysis.

公开(公告)号：US11032314B2

公开(公告)日：2021-06-08

申请号：US16220115

申请日：2018-12-14

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Blake Harrell Anderson ,  Julien Thomas Piet

IPC: H04L29/06 ,  G06N20/00

Abstract: In one embodiment, a security service classifies traffic telemetry data for traffic between an endpoint device and a server as potentially associated with a particular type of remote access Trojan (RAT). The security service constructs a scan message to elicit a type of server response associated with the particular type of RAT. The security service obtains a server response from the server, by sending the constructed scan message to the server. The security service determines whether the endpoint device is infected with the particular type of RAT, by validating whether the server response from the server matches the type of server response associated with the particular type of RAT.

公开(公告)号：US20210160275A1

公开(公告)日：2021-05-27

申请号：US16693885

申请日：2019-11-25

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  David McGrew

IPC: H04L29/06 ,  G06N20/00 ,  G06N5/04

Abstract: In one embodiment, a telemetry exporter in a network establishes a tunnel between the telemetry exporter and a traffic analysis service. The telemetry exporter obtains packet copies of a plurality of packets sent between devices via the network. The telemetry exporter forms a set of traffic telemetry data by discarding at least a portion of one or more of the packet copies, based on a filter policy. The telemetry exporter applies compression to the formed set of traffic telemetry data. The telemetry exporter sends, via the tunnel, the compressed set of traffic telemetry data to the traffic analysis service for analysis.

公开(公告)号：US20210160268A1

公开(公告)日：2021-05-27

申请号：US17142533

申请日：2021-01-06

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  David McGrew

IPC: H04L29/06 ,  G06N20/00 ,  H04L12/24 ,  H04L12/851

Abstract: In one embodiment, a device in a network receives traffic data regarding a plurality of observed traffic flows. The device maps one or more characteristics of the observed traffic flows from the traffic data to traffic characteristics associated with a targeted deployment environment. The device generates synthetic traffic data based on the mapped traffic characteristics associated with the targeted deployment environment. The device trains a machine learning-based traffic classifier using the synthetic traffic data.

公开(公告)号：US20210105301A1

公开(公告)日：2021-04-08

申请号：US16594203

申请日：2019-10-07

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  David McGrew

IPC: H04L29/06

Abstract: In one embodiment, a device in a network intercepts traffic sent from a first endpoint destined for a second endpoint. The device sends a padding request to the second endpoint indicative of a number of padding bytes. The device receives a padding response from the second endpoint, after sending the padding request to the second endpoint. The device adjusts the intercepted traffic based on the received padding response. The device sends the adjusted traffic to the second endpoint.

公开(公告)号：US20200267164A1

公开(公告)日：2020-08-20

申请号：US16869726

申请日：2020-05-08

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  David McGrew ,  Subharthi Paul ,  Ivan Nikolaev ,  Martin Grill

IPC: H04L29/06

Abstract: In one embodiment, a device in a network receives certificate data for an encrypted traffic flow associated with a client node in the network. The device determines one or more data features from the certificate data. The device determines one or more flow characteristics of the encrypted traffic flow. The device performs a classification of an application executed by the client node and associated with the encrypted traffic flow by using a machine learning-based classifier to assess the one or more data features from the certificate data and the one or more flow characteristics of the traffic flow. The device causes performance of a network action based on a result of the classification of the application.

公开(公告)号：US10735441B2

公开(公告)日：2020-08-04

申请号：US15848150

申请日：2017-12-20

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  David McGrew ,  Vincent E. Parla ,  Jan Jusko ,  Martin Grill ,  Martin Vejman

IPC: H04L29/06 ,  G06F21/55 ,  H04L9/32 ,  G06F21/44 ,  G06F21/52

Abstract: In one embodiment, a service receives traffic telemetry data regarding encrypted traffic sent by an endpoint device in a network. The service analyzes the traffic telemetry data to infer characteristics of an application on the endpoint device that generated the encrypted traffic. The service receives, from a monitoring agent on the endpoint device, application telemetry data regarding the application. The service determines that the application is evasive malware based on the characteristics of the application inferred from the traffic telemetry data and on the application telemetry data received from the monitoring agent on the endpoint device. The service initiates performance of a mitigation action in the network, after determining that the application on the endpoint device is evasive malware.

公开(公告)号：US20200244648A1

公开(公告)日：2020-07-30

申请号：US16851674

申请日：2020-04-17

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Blake Harrell Anderson ,  Subharthi Paul ,  William Michael Hudson, JR. ,  Philip Ryan Perricone

IPC: H04L29/06 ,  G06F21/55 ,  H04L29/08 ,  H04L9/32

Abstract: In one embodiment, a device in a network observes traffic between a client and a server for an encrypted session. The device makes a determination that a server certificate should be obtained from the server. The device, based on the determination, sends a handshake probe to the server. The device extracts server certificate information from a handshake response from the server that the server sent in response to the handshake probe. The device uses the extracted server certificate information to analyze the traffic between the client and the server.