公开(公告)号：US20210360004A1

公开(公告)日：2021-11-18

申请号：US17360910

申请日：2021-06-28

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  ANDREW ZAWADOWSKIY ,  DONOVAN O'HARA ,  SARAVANAN RADHAKRISHNAN ,  TOMAS PEVNY ,  DANIEL G. WING

IPC: H04L29/06

Abstract: A method comprises receiving, at a network infrastructure device, a flow of packets, determining, using the network infrastructure device and for a first subset of the packets, that the first subset corresponds to a first datagram and determining a first length of the first datagram, determining, using the network infrastructure device and for a second subset of the packets, that the second subset corresponds to a second datagram that was received after the first datagram, and determining a second length of the second datagram, determining, using the network infrastructure device, a duration value between a first arrival time of the first datagram and a second arrival time of the second datagram, sending, to a collector device that is separate from the network infrastructure device, the first length, the second length, and the duration value for analysis.

公开(公告)号：US20210357815A1

公开(公告)日：2021-11-18

申请号：US17386020

申请日：2021-07-27

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  David McGrew

IPC: G06N20/00 ,  H04L29/06

Abstract: In one embodiment, a device in a network generates a feature vector based on traffic flow data regarding one or more traffic flows in the network. The device makes a determination as to whether the generated feature vector is already represented in a training dataset dictionary by one or more feature vectors in the dictionary. The device updates the training dataset dictionary based on the determination by one of: adding the generated feature vector to the dictionary when the generated feature vector is not already represented by one or more feature vectors in the dictionary, or incrementing a count associated with a particular feature vector in the dictionary when the generated feature vector is already represented by the particular feature vector in the dictionary. The device generates a training dataset based on the training dataset dictionary for training a machine learning-based traffic flow analyzer.

公开(公告)号：US20210349996A1

公开(公告)日：2021-11-11

申请号：US17382627

申请日：2021-07-22

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Blake Harrell Anderson ,  Subharthi Paul

IPC: G06F21/55 ,  H04L12/24 ,  H04L29/06 ,  G06N20/00 ,  G06F21/56 ,  G06F9/4401 ,  G06F11/14 ,  H04L29/08

Abstract: In one embodiment, a device in a network tracks traffic features indicated by header information of packets of an encrypted traffic flow over time. The encrypted traffic flow is associated with a particular host in the network. The device detects an operating system start event based on the traffic features and provides data regarding the detected operating system start event as input to a machine learning-based malware detector to determine whether the particular host with which the encrypted traffic flow is associated is infected with malware. The device causes performance of a mitigation action in the network when the malware detector determines that the particular host is infected with malware.

公开(公告)号：US11165819B2

公开(公告)日：2021-11-02

申请号：US16906302

申请日：2020-06-19

Applicant: Cisco Technology, Inc.

Inventor： K. Tirumaleswar Reddy ,  Daniel G. Wing ,  Blake Harrell Anderson ,  David McGrew

IPC: H04L29/06 ,  G06N20/00

Abstract: In one embodiment, a device in a network receives an attack mitigation request regarding traffic in the network. The device causes an assessment of the traffic, in response to the attack mitigation request. The device determines that an attack detector associated with the attack mitigation request incorrectly assessed the traffic, based on the assessment of the traffic. The device causes an update to an attack detection model of the attack detector, in response to determining that the attack detector incorrectly assessed the traffic.

公开(公告)号：US10897474B2

公开(公告)日：2021-01-19

申请号：US15191129

申请日：2016-06-23

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  David McGrew

IPC: H04L29/06 ,  H04L29/12 ,  H04L12/833 ,  H04L12/851 ,  H04L29/08 ,  G06N99/00 ,  G06N20/00

Abstract: In one embodiment, a device in a first network receives traffic flow information regarding a plurality of traffic flows in the first network. The device labels the traffic flow information by associating classifier labels to the traffic flow information. The device receives a generic traffic classifier that was trained using a training data set that comprises labeled traffic flow information for a plurality of other networks and excludes the traffic flow information regarding the plurality of traffic flows in the first network. The device acclimates the generic traffic classifier to the first network using the labeled traffic flow information regarding the plurality of traffic flows in the first network.

公开(公告)号：US10805341B2

公开(公告)日：2020-10-13

申请号：US15889392

申请日：2018-02-06

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  David McGrew

IPC: H04L29/06 ,  G06N20/00 ,  H04L29/08 ,  H04L12/24

Abstract: In one embodiment, a traffic analysis service receives captured traffic data regarding a Transport Layer Security (TLS) connection between a client and a server. The traffic analysis service applies a first machine learning-based classifier to TLS records from the traffic data, to identify a set of the TLS records that include Hypertext Transfer Protocol (HTTP) header information. The traffic analysis service estimates one or more HTTP transaction labels for the connection by applying a second machine learning-based classifier to the identified set of TLS records that include HTTP header information. The traffic analysis service augments the captured traffic data with the one or more HTTP transaction labels. The traffic analysis service causes performance of a network security function based on the augmented traffic data.

公开(公告)号：US10728158B2

公开(公告)日：2020-07-28

申请号：US16379352

申请日：2019-04-09

Applicant: Cisco Technology, Inc.

Inventor： Michael Joseph Stepanek ,  Costas Kleopa ,  David McGrew ,  Blake Harrell Anderson ,  Saravanan Radhakrishnan

IPC: H04L12/851 ,  H04L12/825 ,  H04L12/859 ,  H04L12/931 ,  H04L29/06 ,  H04W12/12

Abstract: In one embodiment, a networking device in a network detects a traffic flow conveyed in the network via the networking device. The networking device generates flow data for the traffic flow. The networking device performs a classification of the traffic flow using the flow data as input to a machine learning-based classifier. The networking device performs a mediation action based on the classification of the traffic flow.

公开(公告)号：US20200053103A1

公开(公告)日：2020-02-13

申请号：US16100361

申请日：2018-08-10

Applicant: Cisco Technology, Inc.

Inventor： Martin Rehak ,  David McGrew ,  Blake Harrell Anderson ,  Scott William Dunlop

IPC: H04L29/06

Abstract: In one embodiment, a traffic inspection service executed by an intermediary device obtains, from a monitoring agent executed by an endpoint device, keying information for an encrypted traffic session between the endpoint device and a remote entity. The traffic inspection service provides a notification to the monitoring agent that acknowledges receipt of the keying information. The traffic inspection service uses the keying information to decrypt encrypted traffic from the encrypted traffic session. The traffic inspection service applies a policy to the encrypted traffic session between the endpoint device and the remote entity, based on the decrypted traffic from the session.

公开(公告)号：US20200004958A1

公开(公告)日：2020-01-02

申请号：US16567377

申请日：2019-09-11

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Blake Harrell Anderson ,  Subharthi Paul

IPC: G06F21/55 ,  G06F9/4401 ,  G06F11/14 ,  H04L29/06 ,  H04L29/08

Abstract: In one embodiment, a device in a network tracks changes in a source port or address identifier indicated by network traffic associated with a particular host in the network. The device detects an operating system start event based on the track changes in the source port or address identifier indicated in the traffic data associated with the particular host. The device provides data regarding the detected operating system start event as input to a machine learning-based malware detector. The device causes performance of a mitigation action in the network when the malware detector determines that the particular host is infected with malware.

公开(公告)号：US10452846B2

公开(公告)日：2019-10-22

申请号：US15648626

申请日：2017-07-13

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Blake Harrell Anderson ,  Subharthi Paul

IPC: G06F21/55 ,  G06F9/4401 ,  G06F11/14 ,  H04L29/06 ,  H04L29/08 ,  H04L12/24 ,  G06F21/56 ,  G06N20/00

Abstract: In one embodiment, a device in a network tracks changes in a source port or address identifier indicated by network traffic associated with a particular host in the network. The device detects an operating system start event based on the track changes in the source port or address identifier indicated in the traffic data associated with the particular host. The device provides data regarding the detected operating system start event as input to a machine learning-based malware detector. The device causes performance of a mitigation action in the network when the malware detector determines that the particular host is infected with malware.