Abstract:
Techniques for using an end-to-end policy controller to automatically discover and inventory enforcement points in a network. A network controller may leverage data associated with network devices in a network to identify paths between source endpoints and destination endpoints and thereby establish an inventory of enforcement points along those paths. For example, the controller may consume telemetry data indicative of network events (e.g., firewall events, IPS event logs, NetFlow events, etc.) to determine where enforcement points are provisioned relative to the traffic being observed. Additionally, the controller may dynamically build a network topology that indicates the roles and/or locations of enforcement points.
Abstract:
A first packet of a packet flow is received at a classifying network device. The first packet is forwarded from the classifying network device to a firewall network device. An indication that the packet flow is to be offloaded is received at the classifying network device. Data is stored at the classifying network device indicating that the packet flow is to be offloaded. A non-control packet of the packet flow is received at the classifying network device. A determination is made that the non-control packet belongs to the packet flow by comparing data contained in the non-control packet to the stored data. The non-control packet of the packet flow is directed to a processing entity in response to the determining. A control packet of the packet flow is received at the classifying network device. The control packet of the packet flow is directed to the firewall network device.
Abstract:
A method for selecting either a first malware analysis system or a second malware analysis system to analyze a file is disclosed. The method includes obtaining, at a network security element, a file sent between a first device and a second device, the file having one or more associated attributes; analyzing, at the network security element, the one or more attributes of the file; selecting, based on the analyzing, either the first malware analysis system or the second malware analysis system as a selected malware analysis system for malware analysis of the file; and providing the file to the selected malware analysis system.
Abstract:
An intermediate device (such as a firewall) is disposed between first and second devices (such as a client and a server device, respectively). Communications between the first and second devices are intercepted in both directions by the intermediate device, which spoofs the receiving device by modifying messages sent by the transmitting device. The modified message uses a key held by the intermediate device instead of a key belonging to the sending device.
Abstract:
Presented herein are techniques for determining an initiator of network traffic, collecting usage data for network traffic associated with the initiator at each of multiple instants of time, and storing historical usage data that is updated from the usage data for the network traffic over time. Current usage data are compared to the historical usage data of the initiator to determine whether the current usage data fall within an expected distribution with respect to the historical usage data. Based upon that comparison, an inspection threshold is selected for traffic flows from the initiator, and the proportion of traffic flows associated with the initiator that is to be inspected is determined from the inspection threshold.
Abstract:
A method is provided including obtaining at a newly added flow mapper node of a plurality of flow mapper nodes, from a first flow locator node of a plurality of flow locator nodes, a flow owner lookup request for flow state information that includes identification of a particular flow locator that is to handle processing of a packet flow. The newly added flow mapper node determines whether it has stored flow state information. When the newly added flow mapper node does not have stored flow state information, the newly added flow mapper node identifies a particular flow mapper node of the plurality of flow mapper nodes which has stored flow state information for the particular packet flow and services the flow owner lookup request using flow state information stored by the particular flow mapper node.
Abstract:
An example method for facilitating hierarchical clustering in a geographically dispersed network environment is provided. The method includes receiving a packet at one of a plurality of adaptive security appliance (ASA) units in one of a plurality of ASA clusters in a cluster domain of a network environment, identifying the packet as matching an inter-data center live traffic profile, identifying a target ASA cluster in the plurality of ASA clusters in the cluster domain, and querying a domain director in the target ASA cluster for a flow owner. If the flow owner is identified by the domain director, the packet is forwarded to the flow owner in the target cluster. If the flow owner is not identified by the domain director, and the domain director includes a flow state for the flow to which the packet belongs, the ASA unit is designated as the flow owner.
Abstract:
A method is performed by a master network device among network devices of a cluster. The master network device receives cluster configuration information including a set of Internet Protocol (IP) addresses and a pool of port blocks associated with the IP addresses. Each port block includes multiple ports, and the pool of the port blocks is to be shared across and used by the network devices for port address translation on network connections with the network devices. The master network device divides the port blocks in the pool into multiple buckets. The master network device first allocates to each network device in the cluster a corresponding one of the buckets, and reserves each bucket that is not allocated for allocation to a potential new network device. When a new network device joins the cluster, the master network device second allocates to the new network device the port blocks from a corresponding one of the reserved buckets.