公开(公告)号：US09344441B2

公开(公告)日：2016-05-17

申请号：US14485731

申请日：2014-09-14

Applicant: Cisco Technology, Inc.

Inventor： Jan Kohout ,  Jan Jusko ,  Tomas Pevny ,  Martin Rehak

IPC: H04L29/06

CPC classification number: H04L63/1425 ,  H04L63/1408 ,  H04L63/1441 ,  H04L63/145 ,  H04L63/1466 ,  H04L63/1491 ,  H04L63/164 ,  H04L63/20

Abstract: In one embodiment a method, system and apparatus is described for detecting a malicious network connection, the method system and apparatus including determining, for each connection over a network, if each connection is a persistent connection, if, as a result of the determining, a first connection is determined to be a persistent connection, collecting connection statistics for the first connection, creating a feature vector for the first connection based on the collected statistics, performing outlier detection for all of the feature vector for all connections over a network which have been determined to be persistent connections, and reporting detected outliers. Related methods, systems and apparatus are also described.

Abstract translation: 在一个实施例中，描述了一种用于检测恶意网络连接的方法，系统和装置，所述方法系统和装置包括针对网络上的每个连接确定每个连接是否是持久连接，如果作为确定的结果， 确定第一连接是持久连接，收集第一连接的连接统计信息，基于所收集的统计信息创建用于第一连接的特征向量，对具有网络的所有连接的所有连接的所有特征向量进行异常检测 被确定为持续连接，并报告检测到异常值。 还描述了相关方法，系统和装置。

公开(公告)号：US20240106836A1

公开(公告)日：2024-03-28

申请号：US18225517

申请日：2023-07-24

Applicant: Cisco Technology, Inc.

Inventor： Petr Somol ,  Martin Kopp ,  Jan Kohout ,  Jan Brabec ,  Marc René Jacques Marie Dupont ,  Cenek Skarda ,  Lukas Bajer ,  Danila Khikhlukha

IPC: H04L9/40 ,  G06N3/045 ,  G06N3/08

CPC classification number: H04L63/14 ,  G06N3/045 ,  G06N3/08

Abstract: In one embodiment, a device obtains input features for a neural network-based model. The device pre-defines a set of neurons of the model to represent known behaviors associated with the input features. The device constrains weights for a plurality of outputs of the model. The device trains the neural network-based model using the constrained weights for the plurality of outputs of the model and by excluding the pre-defined set of neurons from updates during the training.

公开(公告)号：US11750621B2

公开(公告)日：2023-09-05

申请号：US16831197

申请日：2020-03-26

Applicant: Cisco Technology, Inc.

Inventor： Petr Somol ,  Martin Kopp ,  Jan Kohout ,  Jan Brabec ,  Marc René Jacques Marie Dupont ,  Cenek Skarda ,  Lukas Bajer ,  Danila Khikhlukha

IPC: H04L9/40 ,  G06N3/08 ,  G06N3/045

CPC classification number: H04L63/14 ,  G06N3/045 ,  G06N3/08

Abstract: In one embodiment, a device obtains input features for a neural network-based model. The device pre-defines a set of neurons of the model to represent known behaviors associated with the input features. The device constrains weights for a plurality of outputs of the model. The device trains the neural network-based model using the constrained weights for the plurality of outputs of the model and by excluding the pre-defined set of neurons from updates during the training.

公开(公告)号：US11451578B2

公开(公告)日：2022-09-20

申请号：US17029156

申请日：2020-09-23

Applicant: Cisco Technology, Inc.

Inventor： Jan Kohout ,  Blake Harrell Anderson ,  Martin Grill ,  David McGrew ,  Martin Kopp ,  Tomas Pevny

IPC: H04L9/40 ,  G06N20/00 ,  H04L41/0686 ,  H04L47/2441 ,  G06N20/20

Abstract: In one embodiment, a device in a network detects an encrypted traffic flow associated with a client in the network. The device captures contextual traffic data regarding the encrypted traffic flow from one or more unencrypted packets associated with the client. The device performs a classification of the encrypted traffic flow by using the contextual traffic data as input to a machine learning-based classifier. The device generates an alert based on the classification of the encrypted traffic flow.

公开(公告)号：US20210306350A1

公开(公告)日：2021-09-30

申请号：US16831197

申请日：2020-03-26

Applicant: Cisco Technology, Inc.

Inventor： Petr Somol ,  Martin Kopp ,  Jan Kohout ,  Jan Brabec ,  Marc René Jacques Marie Dupont ,  Cenek Skarda ,  Lukas Bajer ,  Danila Khikhlukha

IPC: H04L29/06 ,  G06N3/08 ,  G06N3/04

Abstract: In one embodiment, a device obtains input features for a neural network-based model. The device pre-defines a set of neurons of the model to represent known behaviors associated with the input features. The device constrains weights for a plurality of outputs of the model. The device trains the neural network-based model using the constrained weights for the plurality of outputs of the model and by excluding the pre-defined set of neurons from updates during the training.

公开(公告)号：US10425434B2

公开(公告)日：2019-09-24

申请号：US15409746

申请日：2017-01-19

Applicant: Cisco Technology, Inc.

Inventor： Jan Kohout ,  Tornas Pevny

IPC: H04L29/06 ,  G06F21/55 ,  G06N20/00

Abstract: In one embodiment, a device in a network determines a set of lattice points in a multi-dimensional space constructed using message characteristics of messages exchanged between endpoint nodes in the network. The device uses the lattice points to derive vector representations of communication channels in the network with each of the communication channels being associated with one or more of the exchanged messages. A vector representation of an application in the network is based on one or more of the derived vector representations of one or more channels used to exchange messages associated with the application. The device identifies the application as associated with a first one of the channels by determining a measure of similarity between the first channel and the vector representation of the application that approximates a maximum mean discrepancy (MMD) distance between the message characteristics for the vector representations of the first channel and the application.

公开(公告)号：US10129271B2

公开(公告)日：2018-11-13

申请号：US14723605

申请日：2015-05-28

Applicant: Cisco Technology, Inc.

Inventor： Jan Mrkos ,  Martin Grill ,  Jan Kohout

IPC: H04L29/06 ,  H04L29/08 ,  H04L29/12

Abstract: A method of tracking users over network hosts based on behavior includes analyzing data representing behavior of active network hosts during two or more time windows at a computing apparatus having connectivity to a network. Based on the analyzing, a profile is generated for each network host active in the network during the two or more time windows. Similarity between the profiles for the two or more time windows are determined and, based on the similarity, it may be determined that an identity associated with one of the active network hosts during a time window of the two or more time windows has changed.

公开(公告)号：US10079768B2

公开(公告)日：2018-09-18

申请号：US15204061

申请日：2016-07-07

Applicant: Cisco Technology, Inc.

Inventor： Jan Kohout ,  Tomas Pevny

IPC: G06F21/00 ,  H04L29/06 ,  H04L12/851 ,  H04L12/721 ,  H04L29/08 ,  G06F17/30

CPC classification number: G06F16/24578 ,  H04L63/1425 ,  H04L67/02

Abstract: In one embodiment, a device in a network receives traffic data associated with a particular communication channel between two or more nodes in the network. The device generates a mean map by employing kernel embedding of distributions to the traffic data. The device forms a representation of the communication channel by identifying a set of lattice points that approximate the mean map. The device generates a traffic classifier using the representation of the communication channel. The device uses machine learning to jointly identify the set of lattice points and one or more parameters of the traffic classifier. The device causes the traffic classifier to analyze network traffic sent via the communication channel.

公开(公告)号：US20180176240A1

公开(公告)日：2018-06-21

申请号：US15386006

申请日：2016-12-21

Applicant: Cisco Technology, Inc.

Inventor： Martin Kopp ,  Martin Grill ,  Jan Kohout

IPC: H04L29/06

CPC classification number: H04L63/1425 ,  H04L9/3263 ,  H04L63/0428 ,  H04L63/0823 ,  H04L63/1416 ,  H04L63/145 ,  H04L63/166

Abstract: In one embodiment, a device in a network receives traffic information regarding one or more secure sessions in the network. The device associates the one or more secure sessions with corresponding certificate validation check traffic indicated by the received traffic information. The device makes a self-signed certificate determination for an endpoint domain of a particular secure session based on whether the particular secure session is associated with certificate validation check traffic. The device causes the self-signed certificate determination for the endpoint domain to be used as input to a malware detector.

公开(公告)号：US20220368720A1

公开(公告)日：2022-11-17

申请号：US17873544

申请日：2022-07-26

Applicant: Cisco Technology, Inc.

Inventor： Jan Kohout ,  Blake Harrell Anderson ,  Martin Gril ,  David Mcgrew ,  Martin Kopp ,  Tomas Pevny

IPC: H04L9/40 ,  G06N20/00 ,  H04L41/0686 ,  H04L47/2441

Abstract: In one embodiment, a device in a network detects an encrypted traffic flow associated with a client in the network. The device captures contextual traffic data regarding the encrypted traffic flow from one or more unencrypted packets associated with the client. The device performs a classification of the encrypted traffic flow by using the contextual traffic data as input to a machine learning-based classifier. The device generates an alert based on the classification of the encrypted traffic flow.