公开(公告)号：US20160352628A1

公开(公告)日：2016-12-01

申请号：US14724635

申请日：2015-05-28

Applicant: CISCO TECHNOLOGY, INC.

Inventor： K. Tirumaleswar Reddy ,  Prashanth Patil ,  Daniel G. Wing ,  Ram Mohan Ravindranath ,  William C. VerSteeg ,  Charles U. Eckel

IPC: H04L12/721

CPC classification number: H04L45/38 ,  H04L12/4633 ,  H04L45/302

Abstract: A computer-implemented method includes sending a first request message to a first server associated with a first access network indicative of a request for an indication of whether the first server is configured to support prioritization of tunneled traffic, receiving a first response message from the first server indicative of whether the first server is configured to support prioritization of tunneled traffic, establishing one or more first tunnels with a security service when the first response message is indicative that the first server is configured to support prioritization of tunneled traffic, sending first flow characteristics and a first tunnel identifier to the first server; and receiving the first flow characteristics for each first tunnel from the first server at a first network controller. The first network controller is configured to apply a quality of service policy within the first access network for each tunnel in accordance with the flow characteristics.

Abstract translation: 计算机实现的方法包括向与第一接入网络相关联的第一服务器发送指示对第一服务器是否被配置为支持隧道通信的优先级的指示的请求的第一请求消息，从第一接入网络接收第一响应消息 服务器，其指示第一服务器是否被配置为支持隧道传输的流量的优先级，当第一响应消息指示第一服务器被配置为支持隧道传输的流量的优先级时，建立与安全服务的一个或多个第一隧道，发送第一流特性 以及到所述第一服务器的第一隧道标识符; 以及在第一网络控制器处从第一服务器接收针对每个第一隧道的第一流特性。 第一网络控制器被配置为根据流量特性为每个隧道在第一接入网络内应用服务质量策略。

公开(公告)号：US09479534B2

公开(公告)日：2016-10-25

申请号：US14522064

申请日：2014-10-23

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Alessandro Duminuco ,  Hendrikus G. P. Bosch ,  Surendra M. Kumar ,  Humberto J. La Roche ,  Jeffrey Napper ,  Kevin D. Shatzkamer ,  Daniel G. Wing

IPC: H04L29/06 ,  H04L29/08

CPC classification number: H04L63/166 ,  H04L63/0281 ,  H04L63/0435 ,  H04L63/168 ,  H04L67/02 ,  H04L67/42

Abstract: In an embodiment, a method is provided for enabling in-band data exchange between networks. The method can comprise receiving, by a first enveloping proxy located in the first network, at least one regular secure sockets layer (SSL) record for a SSL session established between a client and a server; receiving the data from a network element located in the first network; encoding the data into at least one custom SSL record; and transmitting the at least one regular SSL record and the at least one custom SSL record to an enveloping proxy. In another embodiment, a method can comprise receiving at least one regular secure sockets layer (SSL) record and at least one custom SSL record for a SSL session established between a client and a server; extracting the data from the at least one custom SSL; transmitting the at least one regular SSL record.

Abstract translation: 在一个实施例中，提供了一种用于实现网络之间的带内数据交换的方法。 该方法可以包括通过位于第一网络中的第一包络代理接收在客户端和服务器之间建立的SSL会话的至少一个常规安全套接字层（SSL）记录; 从位于所述第一网络中的网元接收所述数据; 将数据编码成至少一个自定义SSL记录; 以及将所述至少一个常规SSL记录和所述至少一个定制SSL记录发送到包络代理。 在另一个实施例中，一种方法可以包括：在客户端和服务器之间建立的SSL会话接收至少一个常规安全套接字层（SSL）记录和至少一个定制SSL记录; 从至少一个自定义SSL提取数据; 发送所述至少一个常规SSL记录。

公开(公告)号：US09450913B2

公开(公告)日：2016-09-20

申请号：US14169526

申请日：2014-01-31

Applicant: Cisco Technology, Inc.

Inventor： Tirumaleswar Reddy ,  Bill Ver Steeg ,  Daniel G. Wing

IPC: G06F15/173 ,  H04L29/12

CPC classification number: H04L61/2528 ,  H04L61/2514 ,  H04L61/2517 ,  H04L61/2582

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium for Content Delivery Networks Interconnection (CDNI) request routing using the PCP FLOWDATA option. In one aspect, a method includes receiving a request for content, and receiving, from a PCP server, flow characteristics for providing the content, where the PCP server receives the flow characteristics for providing the content from a PCP proxy that receives the flow characteristics from the client device. The method includes transmitting first data for querying the downstream content delivery network (CDN) to determine whether the downstream CDN can provide the content and satisfy the flow characteristics. The method includes receiving a response indicating the ability of the downstream CDN to provide the content and satisfy the flow characteristics, and transmitting second data based on the response, where the client device transmits flow metadata based on the second data to the PCP proxy.

Abstract translation: 方法，系统和装置，包括在用于内容传送网络互连（CDNI）的计算机存储介质上编码的计算机程序使用PCP FLOWDATA选项请求路由。 一方面，一种方法包括接收对内容的请求，以及从PCP服务器接收用于提供内容的流特性，其中PCP服务器从PCP代理接收到从PCP代理提供内容的流特性， 客户端设备。 该方法包括发送用于查询下游内容传送网络（CDN）的第一数据，以确定下游CDN是否可以提供内容并满足流量特性。 该方法包括接收指示下游CDN提供内容并满足流量特性的能力的响应，以及基于响应发送第二数据，其中客户端设备基于第二数据向PCP代理发送流量元数据。

公开(公告)号：US20160013985A1

公开(公告)日：2016-01-14

申请号：US14328421

申请日：2014-07-10

Applicant: CISCO TECHNOLOGY, INC.

Inventor： K. Tirumaleswar Reddy ,  Prashanth Patil ,  Daniel G. Wing ,  William C. VerSteeg ,  Christopher Wild

IPC: H04L12/24 ,  H04L12/825 ,  H04L29/06

CPC classification number: H04L41/0896 ,  H04L41/18 ,  H04L41/5003 ,  H04L43/10 ,  H04L47/25 ,  H04L63/0807 ,  H04L63/0892 ,  H04L67/42

Abstract: An example method for facilitating on-demand bandwidth provisioning in a network environment is provided and includes receiving a request from a client at a first network for accommodating flow characteristics at a second network that is associated with executing an application at the first network, determining that the request cannot be fulfilled with available network resources allocated to the client by the second network, advising the client of additional cost for accommodating the flow characteristics, and authorizing additional network resources in the second network to accommodate the flow characteristics after receiving notification from the client of payment of the additional cost.

Abstract translation: 提供了一种用于促进网络环境中的按需带宽供应的示例性方法，并且包括从第一网络的客户端接收请求，以便在与在第一网络处执行应用相关联的第二网络处容纳流特性， 该请求无法通过第二网络分配给客户端的可用网络资源来满足，向客户端通知用于适应流量特性的额外成本，以及授权第二网络中的附加网络资源以在从客户端接收到通知之后适应流量特性 支付额外费用。

公开(公告)号：US20150271203A1

公开(公告)日：2015-09-24

申请号：US14522064

申请日：2014-10-23

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Alessandro Duminuco ,  Hendrikus G. P. Bosch ,  Surendra M. Kumar ,  Humberto J. La Roche ,  Jeffrey Napper ,  Kevin D. Shatzkamer ,  Daniel G. Wing

IPC: H04L29/06 ,  H04L29/08

CPC classification number: H04L63/166 ,  H04L63/0281 ,  H04L63/0435 ,  H04L63/168 ,  H04L67/02 ,  H04L67/42

Abstract: In an embodiment, a method is provided for enabling in-band data exchange between networks. The method can comprise receiving, by a first enveloping proxy located in the first network, at least one regular secure sockets layer (SSL) record for a SSL session established between a client and a server; receiving the data from a network element located in the first network; encoding the data into at least one custom SSL record; and transmitting the at least one regular SSL record and the at least one custom SSL record to an enveloping proxy. In another embodiment, a method can comprise receiving at least one regular secure sockets layer (SSL) record and at least one custom SSL record for a SSL session established between a client and a server; extracting the data from the at least one custom SSL; transmitting the at least one regular SSL record.

公开(公告)号：US20130145044A1

公开(公告)日：2013-06-06

申请号：US13754220

申请日：2013-01-30

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Daniel G. Wing ,  Cullen Jennings ,  Jonathan D. Rosenberg

IPC: H04L29/12

CPC classification number: H04L29/12066 ,  H04L29/12386 ,  H04L29/12528 ,  H04L61/2521 ,  H04L61/2575

Abstract: In one embodiment, an endpoint elicits a pattern of STUN responses to identify security devices located on a call path. The endpoint then uses address information from the identified security devices to establish an efficient media flow with a remote endpoint. The endpoint can optimize the number of network devices and network paths that process the endpoint's keepalive message. Additionally, the endpoint may request custom inactivity timeouts with each of the identified security devices for reducing bandwidth consumed by keepalive traffic.

Abstract translation: 在一个实施例中，端点引出STUN响应的模式以识别位于呼叫路径上的安全设备。 然后，端点使用来自所识别的安全设备的地址信息来建立与远程端点的有效媒体流。 端点可以优化处理端点的keepalive消息的网络设备和网络路径的数量。 此外，端点可以请求自定义的不活动超时与每个已标识的安全设备，以减少由keepalive流量消耗的带宽。

公开(公告)号：US11785041B2

公开(公告)日：2023-10-10

申请号：US17696081

申请日：2022-03-16

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Blake Harrell Anderson ,  Daniel G. Wing ,  Flemming Andreasen

IPC: H04L9/40 ,  H04L61/4511

CPC classification number: H04L63/1441 ,  H04L61/4511 ,  H04L63/145 ,  H04L63/1408 ,  H04L63/0428 ,  H04L63/166

Abstract: In one embodiment, a device in a network captures domain name system (DNS) response data from a DNS response sent by a DNS service to a client in the network. The device captures session data for an encrypted session of the client. The device makes a determination that the encrypted session is malicious by using the captured DNS response data and the captured session data as input to a machine learning-based or rule-based classifier. The device performs a mediation action in response to the determination that the encrypted session is malicious.

公开(公告)号：US11665194B2

公开(公告)日：2023-05-30

申请号：US17395264

申请日：2021-08-05

Applicant: Cisco Technology, Inc.

Inventor： K. Tirumaleswar Reddy ,  Daniel G. Wing ,  Blake Harrell Anderson ,  David McGrew

IPC: H04L9/40 ,  G06N20/00

CPC classification number: H04L63/1458 ,  G06N20/00 ,  H04L63/1425 ,  H04L2463/144

Abstract: In one embodiment, a device in a network receives an attack mitigation request regarding traffic in the network. The device causes an assessment of the traffic, in response to the attack mitigation request. The device determines that an attack detector associated with the attack mitigation request incorrectly assessed the traffic, based on the assessment of the traffic. The device causes an update to an attack detection model of the attack detector, in response to determining that the attack detector incorrectly assessed the traffic.

公开(公告)号：US20220210183A1

公开(公告)日：2022-06-30

申请号：US17696081

申请日：2022-03-16

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Blake Harrell Anderson ,  Daniel G. Wing ,  Flemming Andreasen

IPC: H04L9/40 ,  H04L61/4511

Abstract: In one embodiment, a device in a network captures domain name system (DNS) response data from a DNS response sent by a DNS service to a client in the network. The device captures session data for an encrypted session of the client. The device makes a determination that the encrypted session is malicious by using the captured DNS response data and the captured session data as input to a machine learning-based or rule-based classifier. The device performs a mediation action in response to the determination that the encrypted session is malicious.

公开(公告)号：US11140124B2

公开(公告)日：2021-10-05

申请号：US16722464

申请日：2019-12-20

Applicant: Cisco Technology, Inc.

Inventor： K. Tirumaleswar Reddy ,  David McGrew ,  Blake Harrell Anderson ,  Daniel G. Wing

IPC: H04L29/12 ,  H04L29/08 ,  H04L29/06 ,  H04L12/851

Abstract: In one embodiment, a device in a network receives domain name system (DNS) information for a domain. The DNS information includes one or more service tags indicative of one or more services offered by the domain. The device detects an encrypted traffic flow associated with the domain. The device identifies a service associated with the encrypted traffic flow based on the one or more service tags. The device prioritizes the encrypted traffic flow based on the identified service associated with the encrypted traffic flow.