-
Publication number: US20190312893A1
Publication date: 2019-10-10
Application number: US16432400
Filing date: 2019-06-05
Applicant: Cisco Technology, Inc.
Inventor: David McGrew , Blake Harrell Anderson , Ivan Nikolaev
Abstract: In one embodiment, a device in a network receives a set of known user identifiers used in the network. The device receives web traffic log data regarding web traffic in the network. The web traffic log data includes header information captured from the web traffic and a plurality of client addresses associated with the web traffic. The device detects a particular one of the set of known user identifiers in the header information captured from the web traffic associated with a particular one of the plurality of client addresses. The device makes an association between the particular detected user identifier and the particular client address.
-
Publication number: US10027562B2
Publication date: 2018-07-17
Application number: US14485644
Filing date: 2014-09-12
Applicant: Cisco Technology, Inc.
Inventor: Ivan Nikolaev , Martin Grill , Jan Jusko
IPC: G06F15/173 , H04L12/26 , H04L29/06
Abstract: Detecting network services based on network flow data is disclosed. Using a networking device, network flow data is obtained for a plurality of endpoints of a telecommunications network. Each endpoint of the plurality of endpoints is uniquely described by data comprising an IP address, a port, and a communication protocol. For each endpoint of a set of at least one endpoint selected from the plurality of endpoints, a plurality of peers of the endpoint is determined by detecting communication between the endpoint and the plurality of peers based on the network flow data. For each peer of a set of peers selected from the plurality of peers, a difference between a number of peers of the endpoint and a number of peers of said each peer is determined based on the network flow data. It is determined if the endpoint is a service based on the difference determined for each peer of the set of peers. Network management is performed based on the determination of whether the endpoint is a service.
-
Publication number: US11108810B2
Publication date: 2021-08-31
Application number: US16869726
Filing date: 2020-05-08
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson , David McGrew , Subharthi Paul , Ivan Nikolaev , Martin Grill
Abstract: In one embodiment, a device in a network receives certificate data for an encrypted traffic flow associated with a client node in the network. The device determines one or more data features from the certificate data. The device determines one or more flow characteristics of the encrypted traffic flow. The device performs a classification of an application executed by the client node and associated with the encrypted traffic flow by using a machine learning-based classifier to assess the one or more data features from the certificate data and the one or more flow characteristics of the traffic flow. The device causes performance of a network action based on a result of the classification of the application.
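The pipeline this abstract describes has two feature sources, certificate data and flow characteristics, feeding one classifier. The following Python is an added example written for this page, not Cisco's implementation or code from the patent; the certificate fields, flow statistics, application labels and the k-nearest-neighbour model are all assumptions (the abstract's classifier is any machine-learning model over such features).

```python
import math
from datetime import datetime, timedelta


def cert_features(cert):
    """Numeric features from certificate data; cert has subject, issuer, san, not_before, not_after."""
    validity_days = (datetime.fromisoformat(cert["not_after"])
                     - datetime.fromisoformat(cert["not_before"])).days
    return [
        math.log1p(validity_days),                          # validity period, log scale
        float(len(cert["san"])),                            # number of subjectAltName entries
        1.0 if cert["issuer"] == cert["subject"] else 0.0,  # self-signed
        float(len(cert["subject"])),                        # subject string length
    ]

def flow_features(flow):
    """Flow characteristics that survive encryption: packet sizes, direction, duration."""
    pkts, total = flow["pkt_lengths"], flow["bytes_out"] + flow["bytes_in"]
    return [
        sum(pkts) / len(pkts),              # mean packet length
        flow["bytes_out"] / max(1, total),  # share of bytes sent by the client
        math.log1p(flow["duration_s"]),     # duration, log scale
    ]

class KnnAppClassifier:
    """k-nearest-neighbour vote over z-scored features; stands in for the learned classifier."""

    def __init__(self, k=3):
        self.k = k

    def fit(self, samples):
        raw = [cert_features(c) + flow_features(f) for c, f, _ in samples]
        self.labels = [label for _, _, label in samples]
        n, d = len(raw), len(raw[0])
        self.mean = [sum(x[j] for x in raw) / n for j in range(d)]
        self.std = [max(1e-9, math.sqrt(sum((x[j] - self.mean[j]) ** 2 for x in raw) / n))
                    for j in range(d)]  # 1e-9 floor guards against a constant feature
        self.points = [self._scale(x) for x in raw]
        return self

    def _scale(self, x):
        return [(v - m) / s for v, m, s in zip(x, self.mean, self.std)]

    def predict(self, cert, flow):
        q = self._scale(cert_features(cert) + flow_features(flow))
        nearest = sorted((math.dist(q, p), lbl) for p, lbl in zip(self.points, self.labels))
        votes = {}
        for _, lbl in nearest[: self.k]:
            votes[lbl] = votes.get(lbl, 0) + 1
        return max(votes, key=votes.get)

# Constructed training and query data: hypothetical certificates and flow statistics.
_BASE = datetime(2024, 1, 1)

def _cert(subject, issuer, days, san):
    return {"subject": subject, "issuer": issuer, "san": san, "not_before": _BASE.isoformat(),
            "not_after": (_BASE + timedelta(days=days)).isoformat()}

def _flow(pkt_lengths, bytes_out, bytes_in, duration_s):
    return {"pkt_lengths": pkt_lengths, "bytes_out": bytes_out, "bytes_in": bytes_in,
            "duration_s": duration_s}

TRAINING = [  # (certificate, flow, application label)
    (_cert("www.example.com", "Example CA", 398, ["www.example.com", "example.com"]),
     _flow([517, 1400, 1400, 1400, 300], 2000, 40000, 4), "browser"),
    (_cert("cdn.example.net", "Example CA", 365, ["cdn.example.net", "*.example.net", "s.example.net"]),
     _flow([400, 1400, 1400, 900], 1500, 60000, 6), "browser"),
    (_cert("shop.example.org", "Example CA", 365, ["shop.example.org"]),
     _flow([600, 1400, 1200, 800], 3000, 50000, 3), "browser"),
    (_cert("update.example.com", "Example CA", 365, ["update.example.com"]),
     _flow([300, 1400, 1400, 1400, 1400], 800, 5_000_000, 120), "update_agent"),
    (_cert("dl.example.com", "Example CA", 730, ["dl.example.com"]),
     _flow([300, 1400, 1400, 1400], 600, 8_000_000, 300), "update_agent"),
    (_cert("patch.example.net", "Example CA", 365, ["patch.example.net", "*.example.net"]),
     _flow([250, 1400, 1400, 1400, 1400], 700, 2_000_000, 90), "update_agent"),
    (_cert("localhost", "localhost", 3650, []),
     _flow([120, 90, 150, 110], 30000, 28000, 1800), "remote_admin_tool"),
    (_cert("CN=server", "CN=server", 3650, []),
     _flow([100, 120, 100, 140], 50000, 45000, 3600), "remote_admin_tool"),
    (_cert("test", "test", 1825, []),
     _flow([130, 100, 110, 100], 20000, 21000, 900), "remote_admin_tool"),
]

QUERIES = [  # a self-signed, chatty, long-lived session, then an ordinary web fetch
    (_cert("node", "node", 3650, []), _flow([110, 100, 120, 90], 40000, 38000, 2400)),
    (_cert("www.example.edu", "Example CA", 398, ["www.example.edu", "example.edu"]),
     _flow([500, 1400, 1400, 700], 2500, 45000, 4)),
]

def classify_queries(queries=QUERIES, training=TRAINING):
    return [KnnAppClassifier(k=3).fit(training).predict(c, f) for c, f in queries]

if __name__ == "__main__":
    for (cert, _), label in zip(QUERIES, classify_queries()):
        print(cert["subject"], "->", label)
```

The z-scoring matters more than the model choice: raw validity days and byte counts differ by orders of magnitude and would otherwise dominate the distance. One deployment caveat: the server Certificate message is in the clear in TLS 1.2 but encrypted in TLS 1.3, so a passive network device only gets the certificate features from older handshakes; with TLS 1.3 they are available at a terminating proxy or from endpoint telemetry, while the flow features remain available everywhere.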
-
Publication number: US20190253435A1
Publication date: 2019-08-15
Application number: US15896421
Filing date: 2018-02-14
Applicant: Cisco Technology, Inc.
Inventor: Lukas Machlica , Ivan Nikolaev , Karel Bartos , Martin Grill
CPC classification number: H04L63/145 , G06F21/554 , G06F21/56 , H04L61/1511 , H04L63/1425 , H04L2463/144
Abstract: In one embodiment, a security device in a computer network detects potential domain generation algorithm (DGA) searching activity using a domain name service (DNS) model to detect abnormally high DNS requests made by a host attempting to locate a command and control (C&C) server in the computer network. The security device also detects potential DGA communications activity based on applying a hostname-based classifier for DGA domains associated with any server internet protocol (IP) address in a data stream from the host. The security device may then correlate the potential DGA searching activity with the potential DGA communications activity, and identify DGA-performing malware based on the correlation.
-
Publication number: US10348745B2
Publication date: 2019-07-09
Application number: US15399003
Filing date: 2017-01-05
Applicant: Cisco Technology, Inc.
Inventor: David McGrew , Blake Harrell Anderson , Ivan Nikolaev
Abstract: In one embodiment, a device in a network receives a set of known user identifiers used in the network. The device receives web traffic log data regarding web traffic in the network. The web traffic log data includes header information captured from the web traffic and a plurality of client addresses associated with the web traffic. The device detects a particular one of the set of known user identifiers in the header information captured from the web traffic associated with a particular one of the plurality of client addresses. The device makes an association between the particular detected user identifier and the particular client address.
-
Publication number: US10979451B2
Publication date: 2021-04-13
Application number: US15896421
Filing date: 2018-02-14
Applicant: Cisco Technology, Inc.
Inventor: Lukas Machlica , Ivan Nikolaev , Karel Bartos , Martin Grill
Abstract: In one embodiment, a security device in a computer network detects potential domain generation algorithm (DGA) searching activity using a domain name service (DNS) model to detect abnormally high DNS requests made by a host attempting to locate a command and control (C&C) server in the computer network. The security device also detects potential DGA communications activity based on applying a hostname-based classifier for DGA domains associated with any server internet protocol (IP) address in a data stream from the host. The security device may then correlate the potential DGA searching activity with the potential DGA communications activity, and identify DGA-performing malware based on the correlation.
-
Publication number: US20180191748A1
Publication date: 2018-07-05
Application number: US15399003
Filing date: 2017-01-05
Applicant: Cisco Technology, Inc.
Inventor: David McGrew , Blake Harrell Anderson , Ivan Nikolaev
CPC classification number: H04L63/1416 , H04L61/1523 , H04L61/3065 , H04L63/1425 , H04L67/02 , H04L67/22 , H04L69/02 , H04W12/00514
Abstract: In one embodiment, a device in a network receives a set of known user identifiers used in the network. The device receives web traffic log data regarding web traffic in the network. The web traffic log data includes header information captured from the web traffic and a plurality of client addresses associated with the web traffic. The device detects a particular one of the set of known user identifiers in the header information captured from the web traffic associated with a particular one of the plurality of client addresses. The device makes an association between the particular detected user identifier and the particular client address.
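The identifier-to-address association described by this family (US20190312893A1, US10348745B2 and US20180191748A1 above share the abstract) comes down to matching a known identifier set against captured header values and recording which client address carried each hit. The following Python is an added example written for this page, not code from Cisco or the patent; the JSON-lines log records, the identifier set and the header names it looks in (Cookie, Authorization, X-User) are constructed for illustration.

```python
import base64
import json
import re
from collections import defaultdict

# Constructed proxy log records (JSON lines) for illustration only; not real traffic.
SAMPLE_LOG = r"""
{"ts": 1700000001, "client": "10.1.2.3", "host": "mail.example.com", "headers": {"Cookie": "session=abc; uid=alice", "User-Agent": "Mozilla/5.0"}}
{"ts": 1700000002, "client": "10.1.2.3", "host": "intranet.example.com", "headers": {"Authorization": "Basic YWxpY2U6aHVudGVyMg=="}}
{"ts": 1700000005, "client": "10.1.2.9", "host": "files.example.com", "headers": {"X-User": "bob@example.com"}}
{"ts": 1700000007, "client": "10.1.2.9", "host": "files.example.com", "headers": {"Cookie": "login=carol"}}
{"ts": 1700000010, "client": "10.1.2.20", "host": "cdn.example.com", "headers": {"User-Agent": "curl/8.0"}}
{"ts": 1700000011, "client": "10.1.2.21", "host": "news.example.com", "headers": {"Cookie": "prefs=malice"}}
"""

# Constructed set of known user identifiers (in practice exported from the directory).
KNOWN_USERS = {"alice", "bob@example.com", "carol"}

# Characters that can be part of an identifier. A hit must not sit inside a longer run of
# them, so "alice" is not found inside "malice".
_IDENT_CHARS = r"[A-Za-z0-9._@-]"


def compile_matchers(known_users):
    """One anchored, case-insensitive regex per known identifier."""
    return {
        user: re.compile(rf"(?<!{_IDENT_CHARS}){re.escape(user)}(?!{_IDENT_CHARS})", re.IGNORECASE)
        for user in known_users
    }


def header_texts(name, value):
    """Yield the strings in one header where an identifier could appear literally.

    Basic authentication carries the user name base64-encoded, so that is decoded too.
    """
    yield value
    if name.lower() == "authorization" and value.startswith("Basic "):
        try:
            decoded = base64.b64decode(value[6:], validate=True).decode("utf-8", "replace")
        except ValueError:
            return
        yield decoded.split(":", 1)[0]


def associate_users(log_text, known_users):
    """Map each client address to the known identifiers seen in its request headers.

    Returns {client_ip: {identifier: number_of_requests_carrying_it}}. A request counts an
    identifier at most once, however many of its headers repeat it.
    """
    matchers = compile_matchers(known_users)
    assoc = defaultdict(lambda: defaultdict(int))
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        seen = set()
        for name, value in rec.get("headers", {}).items():
            for text in header_texts(name, value):
                for user, rx in matchers.items():
                    if rx.search(text):
                        seen.add(user)
        for user in seen:
            assoc[rec["client"]][user] += 1
    return {ip: dict(users) for ip, users in assoc.items()}


def shared_addresses(assoc):
    """Addresses tied to more than one identifier: a NAT, a jump host or a shared device."""
    return sorted(ip for ip, users in assoc.items() if len(users) > 1)


if __name__ == "__main__":
    mapping = associate_users(SAMPLE_LOG, KNOWN_USERS)
    for ip, users in sorted(mapping.items()):
        print(ip, users)
    print("shared:", shared_addresses(mapping))
```

Two practical points the abstract leaves implicit: the association is only valid for the period the address was assigned to that device (DHCP leases move), so a production version keeps first-seen and last-seen timestamps per pair; and an address carrying several identifiers (shared_addresses above) must not be attributed to any single user, or every alert on the NAT address lands on whoever logged in last.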
-
Publication number: US09654484B2
Publication date: 2017-05-16
Application number: US14448637
Filing date: 2014-07-31
Applicant: Cisco Technology, Inc.
Inventor: Martin Grill , Ivan Nikolaev
CPC classification number: H04L63/1416 , H04L61/1511 , H04L63/145 , H04L67/104 , H04L2463/144
Abstract: Detecting DGA-based malware is disclosed. In an embodiment, a number of domain name server requests originating from a particular host among a plurality of hosts is determined. The domain name server requests are directed to one or more domain name servers. A number of internet protocol addresses contacted by the particular host is determined. Based on the number of domain name server requests and the number of internet protocol addresses contacted, the existence of malware on the particular host is determined.
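This abstract and the DGA-correlation abstracts above (US20190253435A1 / US10979451B2) describe signals that fit one pipeline: the volume of DNS requests relative to the IP addresses a host actually contacts (the "searching" side), a hostname-based classifier for DGA-looking names (the "communications" side), and their correlation. The following Python is an added example written for this page, not code from Cisco or either patent; the DNS and connection log records, the thresholds, and the hand-written scoring function standing in for the hostname classifier are constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed DNS log for two hosts: (host, queried_name, rcode, answer_ip). Not real traffic.
DNS_LOG = [
    ("10.0.1.10", "www.example.com", "NOERROR", "93.184.216.34"),
    ("10.0.1.10", "mail.example.com", "NOERROR", "203.0.113.5"),
    ("10.0.1.10", "cdn.example.net", "NOERROR", "198.51.100.7"),
    ("10.0.1.11", "xk3qpz7vdl.com", "NXDOMAIN", None),
    ("10.0.1.11", "qwvz8tkljp.net", "NXDOMAIN", None),
    ("10.0.1.11", "mzkp9xqwtr.org", "NXDOMAIN", None),
    ("10.0.1.11", "ztrq4plmkx.com", "NXDOMAIN", None),
    ("10.0.1.11", "pxlq7ztvkm.net", "NXDOMAIN", None),
    ("10.0.1.11", "hvzt6kqpxr.org", "NXDOMAIN", None),
    ("10.0.1.11", "wq9zkptxlv.com", "NOERROR", "198.51.100.77"),  # the one registered name
    ("10.0.1.11", "www.example.com", "NOERROR", "93.184.216.34"),
]

# Constructed connection log: (host, server_ip) for flows the host actually opened.
CONN_LOG = [
    ("10.0.1.10", "93.184.216.34"), ("10.0.1.10", "203.0.113.5"), ("10.0.1.10", "198.51.100.7"),
    ("10.0.1.11", "198.51.100.77"), ("10.0.1.11", "93.184.216.34"),
]

MIN_REQUESTS = 5        # below this there is too little evidence for the DNS model
REQUEST_IP_RATIO = 3.0  # lookups per contacted IP that counts as "searching"
DGA_THRESHOLD = 0.7     # hostname classifier cut-off


def dga_score(name):
    """Hand-written stand-in for the hostname-based classifier: 0.0 (benign) to 1.0 (DGA-like).

    Uses the usual lexical cues: high character entropy, few vowels, digits mixed into
    letters, and a long leftmost label. A trained model would replace this function.
    """
    label = name.lower().split(".")[0]
    if not label:
        return 0.0
    n = len(label)
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    vowel_ratio = sum(ch in "aeiou" for ch in label) / n
    has_digit = any(ch.isdigit() for ch in label)
    return ((0.4 if entropy > 3.0 else 0.0) + (0.3 if vowel_ratio < 0.2 else 0.0)
            + (0.2 if has_digit else 0.0) + (0.1 if n >= 10 else 0.0))


def searching_hosts(dns_log, conn_log):
    """DNS-model half: hosts issuing many lookups relative to the IPs they actually contact."""
    requests = defaultdict(int)
    contacted = defaultdict(set)
    for host, _, _, _ in dns_log:
        requests[host] += 1
    for host, ip in conn_log:
        contacted[host].add(ip)
    flagged = {}
    for host, n_req in requests.items():
        n_ips = len(contacted[host])
        if n_req >= MIN_REQUESTS and n_req / max(1, n_ips) >= REQUEST_IP_RATIO:
            flagged[host] = {"dns_requests": n_req, "ips_contacted": n_ips}
    return flagged


def communicating_hosts(dns_log, conn_log):
    """Classifier half: hosts that connected to a server IP resolved from a DGA-like name."""
    names_for_ip = defaultdict(set)
    for host, name, rcode, ip in dns_log:
        if rcode == "NOERROR" and ip:
            names_for_ip[(host, ip)].add(name)
    flagged = defaultdict(list)
    for host, ip in conn_log:
        if any(dga_score(n) >= DGA_THRESHOLD for n in names_for_ip[(host, ip)]):
            flagged[host].append(ip)
    return dict(flagged)


def detect_dga_hosts(dns_log, conn_log):
    """Correlate both signals: only hosts showing searching AND DGA communications are reported."""
    searching = searching_hosts(dns_log, conn_log)
    communicating = communicating_hosts(dns_log, conn_log)
    return {host: {**searching[host], "cc_servers": sorted(communicating[host])}
            for host in searching if host in communicating}


if __name__ == "__main__":
    for host, evidence in detect_dga_hosts(DNS_LOG, CONN_LOG).items():
        print(host, evidence)
```

The correlation step is what keeps the false-positive rate workable: a host behind a misconfigured resolver produces a lookup burst with no DGA-looking names, and CDN or tracking hostnames score DGA-like without any lookup burst; only the infected host shows both, and the report names the server IP it reached, which is the artifact an analyst blocks.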
-
Publication number: US20160080236A1
Publication date: 2016-03-17
Application number: US14485644
Filing date: 2014-09-12
Applicant: Cisco Technology, Inc.
Inventor: Ivan Nikolaev , Martin Grill , Jan Jusko
CPC classification number: H04L43/026 , H04L63/14
Abstract: Detecting network services based on network flow data is disclosed. Using a networking device, network flow data is obtained for a plurality of endpoints of a telecommunications network. Each endpoint of the plurality of endpoints is uniquely described by data comprising an IP address, a port, and a communication protocol. For each endpoint of a set of at least one endpoint selected from the plurality of endpoints, a plurality of peers of the endpoint is determined by detecting communication between the endpoint and the plurality of peers based on the network flow data. For each peer of a set of peers selected from the plurality of peers, a difference between a number of peers of the endpoint and a number of peers of said each peer is determined based on the network flow data. It is determined if the endpoint is a service based on the difference determined for each peer of the set of peers. Network management is performed based on the determination of whether the endpoint is a service.
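The peer-count comparison this abstract describes (an endpoint is a service when it has markedly more peers than each of its peers has) runs directly on NetFlow-style records. The following Python is an added example written for this page, not code from Cisco or the patent (US20160080236A1 / US10027562B2 above); the flow records and the two thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed NetFlow-style records (src_ip, src_port, dst_ip, dst_port, proto); not real data.
SAMPLE_FLOWS = [
    ("10.0.1.1", 51000, "10.0.0.5", 443, "tcp"),
    ("10.0.1.2", 51001, "10.0.0.5", 443, "tcp"),
    ("10.0.1.3", 51002, "10.0.0.5", 443, "tcp"),
    ("10.0.1.4", 51003, "10.0.0.5", 443, "tcp"),
    ("10.0.1.5", 51004, "10.0.0.5", 443, "tcp"),
    ("10.0.1.1", 51005, "10.0.0.5", 443, "tcp"),    # same client again, new ephemeral port
    ("10.0.1.1", 40001, "10.0.0.53", 53, "udp"),
    ("10.0.1.2", 40002, "10.0.0.53", 53, "udp"),
    ("10.0.1.3", 40003, "10.0.0.53", 53, "udp"),
    ("10.0.0.5", 40004, "10.0.0.53", 53, "udp"),    # the web server resolves names too
    ("10.0.1.7", 52000, "10.0.1.8", 6881, "tcp"),   # one-off flow between two hosts
]

MIN_PEERS = 3        # endpoints with fewer peers are not judged at all
SERVICE_SHARE = 0.8  # share of peers that must have strictly fewer peers than the endpoint


def peer_graph(flows):
    """Endpoint -> set of peer endpoints, where an endpoint is (ip, port, proto)."""
    peers = defaultdict(set)
    for src_ip, src_port, dst_ip, dst_port, proto in flows:
        a, b = (src_ip, src_port, proto), (dst_ip, dst_port, proto)
        peers[a].add(b)
        peers[b].add(a)
    return peers


def service_scores(flows):
    """For every endpoint with enough peers: (peer count, share of peers with fewer peers).

    A service talks to many endpoints that each talk to few, so the difference between the
    endpoint's peer count and each peer's peer count is positive almost everywhere. A client's
    ephemeral port has one peer (the service), and that difference is strongly negative.
    """
    peers = peer_graph(flows)
    scores = {}
    for ep, ps in peers.items():
        if len(ps) < MIN_PEERS:
            continue
        diffs = [len(ps) - len(peers[p]) for p in ps]
        scores[ep] = (len(ps), sum(d > 0 for d in diffs) / len(diffs))
    return scores


def detect_services(flows):
    """Endpoints classified as services, mapped to their peer count."""
    return {ep: n for ep, (n, share) in service_scores(flows).items() if share >= SERVICE_SHARE}


if __name__ == "__main__":
    for ep, n in sorted(detect_services(SAMPLE_FLOWS).items()):
        print(ep, "peers:", n)
```

Keying endpoints by (ip, port, proto) rather than by host is what makes this work: 10.0.0.5 appears both as the service 10.0.0.5:443/tcp and as an ordinary client 10.0.0.5:40004/udp, and only the former is reported. The known weak spot is anything that fans out from one fixed source port, a scanner or a NAT gateway, which also has many low-degree peers; in practice the score is combined with traffic direction and byte asymmetry before a policy is derived from it.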
-