-
Publication number: US12160429B2
Publication date: 2024-12-03
Application number: US18225517
Filing date: 2023-07-24
Applicant: Cisco Technology, Inc.
Inventor: Petr Somol, Martin Kopp, Jan Kohout, Jan Brabec, Marc René Jacques Marie Dupont, Cenek Skarda, Lukas Bajer, Danila Khikhlukha
Abstract: In one embodiment, a device obtains input features for a neural network-based model. The device pre-defines a set of neurons of the model to represent known behaviors associated with the input features. The device constrains weights for a plurality of outputs of the model. The device trains the neural network-based model using the constrained weights for the plurality of outputs of the model and by excluding the pre-defined set of neurons from updates during the training.
-
Publication number: US20240333733A1
Publication date: 2024-10-03
Application number: US18127501
Filing date: 2023-03-28
Applicant: Cisco Technology, Inc.
Inventor: Jan Brabec, Radek Starosta
CPC classification number: H04L63/1425, G06V10/82, H04L63/1416, H04L63/1441
Abstract: In some aspects, the techniques described herein relate to a method for detecting malicious emails, the method including: receiving an email, wherein the email is associated with a markup payload; determining, based on the markup payload, text data associated with the email; determining, using the text data and a first machine learning model, a first representation of the email representing text associated with the email; rendering the email to generate image data that represents a rendering of the email; determining, using the image data and a second machine learning model, a second representation of the email that represents at least the rendering of the email; and determining a prediction for the email based on the first representation and the second representation, wherein the prediction represents whether the email is predicted to be malicious based on the first representation and the second representation.
-
Publication number: US20220191244A1
Publication date: 2022-06-16
Application number: US17117942
Filing date: 2020-12-10
Applicant: Cisco Technology, Inc.
Inventor: Tomas Komarek, Jan Brabec, Cenek Skarda
IPC: H04L29/06
Abstract: Inverse imbalance subspace searching techniques are used to detect potential malware among samples of network communication data. A large number of samples of network communication data, such as proxy log data and/or network flows, are received and analyzed by a malware detection system. A number of the samples are associated with known malware, while other unlabeled samples are either benign or may be associated with unknown malware. An inverse imbalance subspace search may be performed, in which the sample sets are divided into subsets based on random feature thresholds, and each subset is evaluated based on the ratio of known malware samples to unlabeled samples. Unlabeled samples within subsets having high malware sample ratios may be identified, aggregated, and processed as potential malware.
-
Publication number: US11245675B2
Publication date: 2022-02-08
Application number: US16686364
Filing date: 2019-11-18
Applicant: Cisco Technology, Inc.
Inventor: Jan Kohout, Martin Kopp, Jan Brabec, Lukas Bajer
Abstract: In one embodiment, a traffic analysis service obtains telemetry data regarding encrypted traffic associated with a particular device in the network, wherein the telemetry data comprises Transport Layer Security (TLS) features of the traffic. The service determines, based on the TLS features from the obtained telemetry data, a set of one or more TLS fingerprints for the traffic associated with the particular device. The service calculates a measure of similarity between the set of one or more TLS fingerprints for the traffic associated with the particular device and a set of one or more TLS fingerprints of traffic associated with a second device. The service determines, based on the measure of similarity, that the particular device and the second device were operated by the same user.
-
Publication number: US20240356969A1
Publication date: 2024-10-24
Application number: US18220065
Filing date: 2023-07-10
Applicant: Cisco Technology, Inc.
Inventor: Jan Brabec, Milos Lenoch, Tomas Sixta, Filip Srajer, Radek Starosta
IPC: H04L9/40, G06Q10/107
CPC classification number: H04L63/1483, G06Q10/107
Abstract: Techniques for an email-security system to screen emails, extract information from the emails, analyze the extracted information, assign probability scores to the emails, and classify each email as suspicious or not. A method is disclosed that includes analyzing an email and extracting a first sender attribute and a second sender attribute from the email; identifying one or more sender-specific models associated with a sending device; applying the one or more sender-specific models to determine a first probability value associated with the first sender attribute that conveys a likelihood that the first sender attribute is a misused sender attribute; applying the one or more sender-specific models to determine a second probability value that conveys a likelihood that the second sender attribute is a misused sender attribute; and determining, by using the first probability value and the second probability value, an overall probability value associated with a likelihood that the email is suspicious or not.
-
Publication number: US20240333738A1
Publication date: 2024-10-03
Application number: US18192236
Filing date: 2023-03-29
Applicant: Cisco Technology, Inc.
Inventor: Jan Brabec, Tomas Sixta
IPC: H04L9/40
CPC classification number: H04L63/1425, H04L63/1416
Abstract: A method to perform the techniques described herein includes receiving a first email from a first sender to a first receiver. The method may include determining a first maliciousness prediction that indicates a first likelihood that the first email is malicious. The method may include determining that the first maliciousness prediction fails to satisfy a maliciousness pattern associated with malicious emails. The method may include receiving a second email from the first sender to the first receiver. The method may include determining that the first email and second email were received within a threshold period of time. The method may include determining an overall maliciousness prediction that indicates an overall likelihood that the first email and second email in combination are malicious. The method may include determining that the overall maliciousness prediction satisfies the maliciousness pattern.
-
Publication number: US11700234B2
Publication date: 2023-07-11
Application number: US17213657
Filing date: 2021-03-26
Applicant: Cisco Technology, Inc.
Inventor: Marc Dupont, Jan Brabec
IPC: H04L29/06, H04L9/40, H04L51/212
CPC classification number: H04L63/0236, H04L51/212, H04L63/20
Abstract: Techniques are described for detecting attacks that employ a display name in an email to impersonate an email sender. A computing infrastructure hosting an email security platform may determine a similarity between the display name and an email address from which the email was received. The email security platform may determine the similarity by comparing a string associated with the display name and a string associated with the sender address. The email security platform may generate a similarity value based on a result of the display name being compared with the sender address. The email security platform may determine that the email includes the display name impersonating a name of the sender, based on the similarity value meeting or exceeding a threshold value indicative of impersonation. The email security platform may delete or quarantine the email from an inbox associated with a user account.
-
Publication number: US20220239633A1
Publication date: 2022-07-28
Application number: US17213657
Filing date: 2021-03-26
Applicant: Cisco Technology, Inc.
Inventor: Marc Dupont, Jan Brabec
Abstract: Techniques are described for detecting attacks that employ a display name in an email to impersonate an email sender. A computing infrastructure hosting an email security platform may determine a similarity between the display name and an email address from which the email was received. The email security platform may determine the similarity by comparing a string associated with the display name and a string associated with the sender address. The email security platform may generate a similarity value based on a result of the display name being compared with the sender address. The email security platform may determine that the email includes the display name impersonating a name of the sender, based on the similarity value meeting or exceeding a threshold value indicative of impersonation. The email security platform may delete or quarantine the email from an inbox associated with a user account.
-
Publication number: US20190297105A1
Publication date: 2019-09-26
Application number: US16437417
Filing date: 2019-06-11
Applicant: Cisco Technology, Inc.
Inventor: Jan Brabec, Lukas Machlica
Abstract: In one embodiment, a computing device provides a feature vector as input to a random decision forest comprising a plurality of decision trees trained using a training dataset, each decision tree being configured to output a classification label prediction for the input feature vector. For each of the decision trees, the computing device determines a conditional probability of the decision tree based on a true classification label and the classification label prediction from the decision tree for the input feature vector. The computing device generates weightings for the classification label predictions from the decision trees based on the determined conditional probabilities. The computing device applies a final classification label to the feature vector based on the weightings for the classification label predictions from the decision trees.
-
Publication number: US20190258965A1
Publication date: 2019-08-22
Application number: US15901915
Filing date: 2018-02-22
Applicant: Cisco Technology, Inc.
Inventor: Lukas Machlica, Ivan Nikolaev, Jan Brabec
Abstract: In one embodiment, a method includes accessing a trained classifier, the trained classifier being trained based at least on a first data item and including both decision determination information of the first data item and decision explanation information of at least one second data item, the second data item being distinct from the first data item; receiving an item for classification; using the trained classifier to classify the item for classification; and providing item decision information regarding a reason for classifying the item for classification, the item decision information being based on at least a part of the decision explanation information. Other embodiments are also described.