公开(公告)号：US10375090B2

公开(公告)日：2019-08-06

申请号：US15469716

申请日：2017-03-27

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Blake Harrell Anderson

IPC: H04L29/06 ,  H04L12/851 ,  G06N20/00 ,  H04L29/08

Abstract: In one embodiment, a device in a network receives telemetry data regarding a traffic flow in the network. One or more features in the telemetry data are individually compressed. The device extracts the one or more individually compressed features from the received telemetry data. The device performs a lookup of one or more classifier inputs from an index of classifier inputs using the one or more individually compressed features from the received telemetry data. The device classifies the traffic flow by inputting the one or more classifier inputs to a machine learning-based classifier.

公开(公告)号：US10348745B2

公开(公告)日：2019-07-09

申请号：US15399003

申请日：2017-01-05

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Blake Harrell Anderson ,  Ivan Nikolaev

IPC: G06F21/55 ,  H04L29/06 ,  H04L29/08 ,  H04L29/12

Abstract: In one embodiment, a device in a network receives a set of known user identifiers used in the network. The device receives web traffic log data regarding web traffic in the network. The web traffic log data includes header information captured from the web traffic and a plurality of client addresses associated with the web traffic. The device detects a particular one of the set of known user identifiers in the header information captured from the web traffic associated with a particular one of the plurality of client addresses. The device makes an association between the particular detected user identifier and the particular client address.

公开(公告)号：US20190190794A1

公开(公告)日：2019-06-20

申请号：US15848101

申请日：2017-12-20

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Martin Rehak ,  Blake Harrell Anderson ,  Sunil Amin

IPC: H04L12/24 ,  H04L29/06

CPC classification number: H04L41/28 ,  G06F21/55 ,  H04L63/14 ,  H04L63/1425 ,  H04L63/1441 ,  H04L63/20 ,  H04L67/143 ,  H04W12/12

Abstract: In one embodiment, a service receives data regarding administration traffic in a network associated with a remote administration session in which a control device remotely administers a client device. The service analyzes the received data to determine whether the administration traffic is authorized. The service flags the received data as authorized, based on the analysis of the received data. The service uses the data flagged as authorized to distinguish between benign traffic and malicious traffic in the network.

公开(公告)号：US20180097835A1

公开(公告)日：2018-04-05

申请号：US15285805

申请日：2016-10-05

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Blake Harrell Anderson ,  Daniel G. Wing ,  Flemming Andreasen

IPC: H04L29/06 ,  H04L29/12

CPC classification number: H04L63/1441 ,  H04L61/1511 ,  H04L63/0428 ,  H04L63/1408 ,  H04L63/145 ,  H04L63/166

Abstract: In one embodiment, a device in a network captures domain name system (DNS) response data from a DNS response sent by a DNS service to a client in the network. The device captures session data for an encrypted session of the client. The device makes a determination that the encrypted session is malicious by using the captured DNS response data and the captured session data as input to a machine learning-based or rule-based classifier. The device performs a mediation action in response to the determination that the encrypted session is malicious.

公开(公告)号：US20170201810A1

公开(公告)日：2017-07-13

申请号：US15083586

申请日：2016-03-29

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  David Arthur McGrew ,  Alison Kendler

IPC: H04Q9/02 ,  H04L9/30 ,  H04L29/06

CPC classification number: H04Q9/02 ,  H04L9/3066 ,  H04L63/0428 ,  H04L63/0823 ,  H04L63/166 ,  H04Q9/00 ,  H04Q2209/30

Abstract: In one embodiment, a method includes receiving a flow including a plurality of bytes, each byte having one of a plurality of byte values, determining a byte value distribution metric based on a number of instances of each of the plurality of byte values in the flow, and transmitting telemetry data regarding the flow, the telemetry data including the byte value distribution metric.

公开(公告)号：US20170099304A1

公开(公告)日：2017-04-06

申请号：US14872336

申请日：2015-10-01

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Blake Harrell Anderson

IPC: H04L29/06 ,  G06F17/30

Abstract: In one embodiment, a method includes receiving data associated with a cluster at a computer and processing the data at the computer to automatically generate a description of the cluster. The data includes cluster data comprising data within the cluster and non-cluster data comprising a remaining set of the data. The description comprises a minimal set of features that uniquely defines the cluster to differentiate the cluster data from non-cluster data. An apparatus and logic are also disclosed herein.

公开(公告)号：US20240348645A1

公开(公告)日：2024-10-17

申请号：US18417256

申请日：2024-01-19

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  David McGrew ,  Subharthi Paul ,  Ivan Nikolaev ,  Martin Grill

IPC: H04L9/40 ,  G06N20/00

CPC classification number: H04L63/145 ,  H04L63/0428 ,  H04L63/1408 ,  G06N20/00

Abstract: In one embodiment, a device in a network receives certificate data for an encrypted traffic flow associated with a client node in the network. The device determines one or more data features from the certificate data. The device determines one or more flow characteristics of the encrypted traffic flow. The device performs a classification of an application executed by the client node and associated with the encrypted traffic flow by using a machine learning-based classifier to assess the one or more data features from the certificate data and the one or more flow characteristics of the traffic flow. The device causes performance of a network action based on a result of the classification of the application.

公开(公告)号：US20240305539A1

公开(公告)日：2024-09-12

申请号：US18668697

申请日：2024-05-20

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Martin Rehak ,  Blake Harrell Anderson ,  Sunil Amin

IPC: H04L41/28 ,  G06F21/55 ,  H04L9/40 ,  H04L67/143 ,  H04W12/12

CPC classification number: H04L41/28 ,  G06F21/55 ,  H04L63/14 ,  H04L63/1425 ,  H04L63/1441 ,  H04W12/12 ,  H04L63/20 ,  H04L67/143

Abstract: In one embodiment, a service receives administration traffic data in a network associated with a remote administration session in which a control device remotely administers a client device. The service analyzes the administration traffic data to determine whether any portion of the administration traffic data is resulting from an administration session involving a trusted administrator. The service flags a first portion of the administration traffic data as authorized when the first portion of the administration traffic data is determined to result from an administration session involving a trusted administrator, and a second portion of the administration traffic data is non-flagged. The service assesses the second portion of the administration traffic data using a machine learning-based traffic classifier to determine whether the second portion of the administration traffic data is malicious.

公开(公告)号：US12088607B2

公开(公告)日：2024-09-10

申请号：US18592137

申请日：2024-02-29

Applicant: Cisco Technology, Inc.

Inventor： Martin Rehak ,  David McGrew ,  Blake Harrell Anderson ,  Scott William Dunlop

IPC: H04L9/40

CPC classification number: H04L63/1416 ,  H04L63/02 ,  H04L63/0428 ,  H04L63/1425 ,  H04L63/1441 ,  H04L63/20 ,  H04L63/166

Abstract: In one embodiment, a traffic inspection service executed by an intermediary device obtains, from a monitoring agent executed by an endpoint device, keying information for an encrypted traffic session between the endpoint device and a remote entity. The traffic inspection service provides a notification to the monitoring agent that acknowledges receipt of the keying information. The traffic inspection service uses the keying information to decrypt encrypted traffic from the encrypted traffic session. The traffic inspection service applies a policy to the encrypted traffic session between the endpoint device and the remote entity, based on the decrypted traffic from the session.

公开(公告)号：US20240236118A1

公开(公告)日：2024-07-11

申请号：US18152649

申请日：2023-01-10

Applicant: Cisco Technology, Inc.

Inventor： David Arthur McGrew ,  Blake Harrell Anderson

IPC: H04L9/40

CPC classification number: H04L63/1416 ,  H04L63/0236 ,  H04L63/1425

Abstract: This disclosure describes techniques and mechanisms for detecting and alerting on domain fronting within a network using network location context. Popular services are often hosted by multiple CDNs to increase resiliency and decrease latency. The techniques described herein utilize this insight to identify anomalous encrypted sessions by first creating a baseline of domain name resolutions for a given customer site. The techniques may then look for encrypted sessions destined to an IP address that is anomalous for the given domain name and is known to support domain fronting.