-
Publication number: US20240236118A1
Publication date: 2024-07-11
Application number: US18152649
Application date: 2023-01-10
Applicant: Cisco Technology, Inc.
Inventor: David Arthur McGrew , Blake Harrell Anderson
IPC: H04L9/40
CPC classification number: H04L63/1416 , H04L63/0236 , H04L63/1425
Abstract: This disclosure describes techniques and mechanisms for detecting and alerting on domain fronting within a network using network location context. Popular services are often hosted by multiple CDNs to increase resiliency and decrease latency. The techniques described herein utilize this insight to identify anomalous encrypted sessions by first creating a baseline of domain name resolutions for a given customer site. The techniques may then look for encrypted sessions destined to an IP address that is anomalous for the given domain name and is known to support domain fronting.
-
Publication number: US20240236117A1
Publication date: 2024-07-11
Application number: US18152542
Application date: 2023-01-10
Applicant: Cisco Technology, Inc.
Inventor: David Arthur McGrew , Blake Harrell Anderson
IPC: H04L9/40
CPC classification number: H04L63/1416
Abstract: This disclosure describes techniques and mechanisms for improving blocking and alerting with domain fronting intelligence. The techniques may identify Internet infrastructure that supports domain fronting through passive data collection and active scanning of the data. The results of the active scanning are then used to generate enhanced threat intelligence feeds that associate indicators of compromise with their support of domain fronting. The new feeds are then used to perform more aggressive blocking, raise weak alerts that can be correlated to other alerts, and to create a more secure DNS system by de-prioritizing infrastructure that supports domain fronting for DNS responses.
-
Publication number: US20240195705A1
Publication date: 2024-06-13
Application number: US18583370
Application date: 2024-02-21
Applicant: Cisco Technology, Inc.
Inventor: David McGrew , Martin Rehak , Blake Harrell Anderson , Sunil Amin
IPC: H04L41/28 , G06F21/55 , H04L9/40 , H04L67/143 , H04W12/12
CPC classification number: H04L41/28 , G06F21/55 , H04L63/14 , H04L63/1425 , H04L63/1441 , H04W12/12 , H04L63/20 , H04L67/143
Abstract: In one embodiment, a service receives administration traffic data in a network associated with a remote administration session in which a control device remotely administers a client device. The service analyzes the administration traffic data to determine whether any portion of the administration traffic data is resulting from an administration session involving a trusted administrator. The service flags a first portion of the administration traffic data as authorized when the first portion of the administration traffic data is determined to result from an administration session involving a trusted administrator, and a second portion of the administration traffic data is non-flagged. The service assesses the second portion of the administration traffic data using a machine learning-based traffic classifier to determine whether the second portion of the administration traffic data is malicious.
-
Publication number: US11936690B2
Publication date: 2024-03-19
Application number: US18095443
Application date: 2023-01-10
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson , David Arthur McGrew
CPC classification number: H04L63/166 , G06F18/22 , G06F18/23 , H04L63/306
Abstract: Techniques and mechanisms for using passively collected network data to automatically generate a fingerprint prevalence database without the need for endpoint ground truth. The process first clusters all observations with the same fingerprint string and similar source and destination context. The process then annotates each cluster with descriptive information and uses a rule-based system to derive an informative name from that descriptive information, e.g., “winnt amp client” or “cross-platform browser”. Optionally, the learned database may be augmented by a user to clarify custom process labels. Additionally, the generated database may be used to report the inferred processes in the same way as databases generated with endpoint ground truth.
-
Publication number: US11916887B2
Publication date: 2024-02-27
Application number: US18160820
Application date: 2023-01-27
Applicant: Cisco Technology, Inc.
Inventor: David McGrew , Blake Harrell Anderson
IPC: H04L9/40
CPC classification number: H04L63/0428 , H04L63/166
Abstract: According to an embodiment, a method receives one or more messages associated with connecting a client and a first host. At least one of the messages comprises an encrypted portion indicating the first host and at least one of the messages comprises a cleartext portion indicating a second host. The method determines first and second sets of links associated with the first and second host, respectively. The first set is determined based on monitoring a result of connecting the client and the first host. The second set is determined based on observing behavior associated with connecting to the second host. The method detects domain fronting in response to determining, based on comparing the first set of links and the second set of links, that the first host differs from the second host.
-
Publication number: US11800260B2
Publication date: 2023-10-24
Application number: US17154053
Application date: 2021-01-21
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson , David Arthur McGrew , Alison Kendler
CPC classification number: H04Q9/02 , H04L9/3066 , H04L63/0428 , H04L63/166 , H04Q9/00 , H04L63/0823 , H04Q2209/30
Abstract: In one embodiment, a method includes receiving a traffic flow including a plurality of packets encrypted using a cryptographic protocol, determining cryptographic protocol data of the traffic flow, and transmitting telemetry data of the traffic flow including the cryptographic protocol data. In another embodiment, a method includes receiving telemetry data of a traffic flow including a plurality of packets encrypted using a cryptographic protocol, the telemetry data including cryptographic protocol data of the traffic flow, classifying the traffic flow based on the cryptographic protocol data using a machine learning classifier; and taking a remedial action with respect to the traffic flow based on the classification of the traffic flow.
-
Publication number: US20230239319A1
Publication date: 2023-07-27
Application number: US18100502
Application date: 2023-01-23
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson , David McGrew
CPC classification number: H04L63/1458 , G06N20/00 , G06N5/04 , H04L63/0428
Abstract: In one embodiment, a telemetry exporter in a network establishes a tunnel between the telemetry exporter and a traffic analysis service. The telemetry exporter obtains packet copies of a plurality of packets sent between devices via the network. The telemetry exporter forms a set of traffic telemetry data by discarding at least a portion of one or more of the packet copies, based on a filter policy. The telemetry exporter applies compression to the formed set of traffic telemetry data. The telemetry exporter sends, via the tunnel, the compressed set of traffic telemetry data to the traffic analysis service for analysis.
-
Publication number: US11711336B2
Publication date: 2023-07-25
Application number: US17466370
Application date: 2021-09-03
Applicant: Cisco Technology, Inc.
Inventor: K. Tirumaleswar Reddy , David McGrew , Blake Harrell Anderson , Daniel G. Wing
IPC: H04L61/4511 , H04L9/40 , H04L61/4541 , H04L67/61 , H04L69/22 , H04L47/2425
CPC classification number: H04L61/4511 , H04L61/4541 , H04L63/0428 , H04L67/61 , H04L47/2433 , H04L69/22
Abstract: In one embodiment, a device in a network receives domain name system (DNS) information for a domain. The DNS information includes one or more service tags indicative of one or more services offered by the domain. The device detects an encrypted traffic flow associated with the domain. The device identifies a service associated with the encrypted traffic flow based on the one or more service tags. The device prioritizes the encrypted traffic flow based on the identified service associated with the encrypted traffic flow.
-
Publication number: US11711308B2
Publication date: 2023-07-25
Application number: US17694060
Application date: 2022-03-14
Applicant: Cisco Technology, Inc.
Inventor: Michael Joseph Stepanek , Costas Kleopa , David McGrew , Blake Harrell Anderson , Saravanan Radhakrishnan
IPC: H04L12/851 , H04L47/2441 , H04L47/2483 , H04L47/25 , H04L47/2475 , H04L49/35 , H04L9/40 , H04W12/12 , H04W12/122 , H04W12/128
CPC classification number: H04L47/2441 , H04L47/2475 , H04L47/2483 , H04L47/25 , H04L49/355 , H04L63/0254 , H04L63/0428 , H04L63/1425 , H04L63/1458 , H04L63/166 , H04W12/12 , H04W12/122 , H04W12/128
Abstract: In one embodiment, a networking device in a network detects a traffic flow conveyed in the network via the networking device. The networking device generates flow data for the traffic flow. The networking device performs a classification of the traffic flow using the flow data as input to a machine learning-based classifier. The networking device performs a mediation action based on the classification of the traffic flow.
-
Publication number: US20230179581A1
Publication date: 2023-06-08
Application number: US18160820
Application date: 2023-01-27
Applicant: Cisco Technology, Inc.
Inventor: David McGrew , Blake Harrell Anderson
IPC: H04L9/40
CPC classification number: H04L63/0428 , H04L63/166
Abstract: According to an embodiment, a method receives one or more messages associated with connecting a client and a first host. At least one of the messages comprises an encrypted portion indicating the first host and at least one of the messages comprises a cleartext portion indicating a second host. The method determines first and second sets of links associated with the first and second host, respectively. The first set is determined based on monitoring a result of connecting the client and the first host. The second set is determined based on observing behavior associated with connecting to the second host. The method detects domain fronting in response to determining, based on comparing the first set of links and the second set of links, that the first host differs from the second host.