-
Publication No.: US10264005B2
Publication date: 2019-04-16
Application No.: US15403365
Filing date: 2017-01-11
Applicant: Cisco Technology, Inc.
Inventor: Karel Bartos, Martin Rehak
IPC: H04L29/06
Abstract: Identifying malicious network traffic based on distributed, collaborative sampling includes, at a computing device having connectivity to a network, obtaining a first set of data flows, based on sampling criteria, that represents network traffic between one or more nodes in the network and one or more domains outside of the network, each data flow in the first set of data flows including a plurality of data packets. The first set of data flows is forwarded for correlation with a plurality of other sets of data flows from other networks to generate global intelligence data. Adjusted sampling criteria are generated based on the global intelligence data, and a second set of data flows is obtained based on the adjusted sampling criteria.
-
Publication No.: US20180198811A1
Publication date: 2018-07-12
Application No.: US15403365
Filing date: 2017-01-11
Applicant: Cisco Technology, Inc.
Inventor: Karel Bartos, Martin Rehak
IPC: H04L29/06
CPC classification number: H04L63/1425, G06F21/00, H04L63/302, H04L2463/121, H04L2463/144
Abstract: Identifying malicious network traffic based on distributed, collaborative sampling includes, at a computing device having connectivity to a network, obtaining a first set of data flows, based on sampling criteria, that represents network traffic between one or more nodes in the network and one or more domains outside of the network, each data flow in the first set of data flows including a plurality of data packets. The first set of data flows is forwarded for correlation with a plurality of other sets of data flows from other networks to generate global intelligence data. Adjusted sampling criteria are generated based on the global intelligence data, and a second set of data flows is obtained based on the adjusted sampling criteria.
-
Publication No.: US20240154979A1
Publication date: 2024-05-09
Application No.: US18416439
Filing date: 2024-01-18
Applicant: Cisco Technology, Inc.
Inventor: Martin Rehak, David McGrew, Blake Harrell Anderson, Scott William Dunlop
IPC: H04L9/40
CPC classification number: H04L63/1416, H04L63/02, H04L63/0428, H04L63/1425, H04L63/1441, H04L63/20, H04L63/166
Abstract: In one embodiment, a traffic inspection service executed by an intermediary device obtains, from a monitoring agent executed by an endpoint device, keying information for an encrypted traffic session between the endpoint device and a remote entity. The traffic inspection service provides a notification to the monitoring agent that acknowledges receipt of the keying information. The traffic inspection service uses the keying information to decrypt encrypted traffic from the encrypted traffic session. The traffic inspection service applies a policy to the encrypted traffic session between the endpoint device and the remote entity, based on the decrypted traffic from the session.
-
Publication No.: US11038900B2
Publication date: 2021-06-15
Application No.: US16120580
Filing date: 2018-09-04
Applicant: Cisco Technology, Inc.
Inventor: Jan Jusko, Martin Rehak, Danila Khikhlukha, Harshit Nayyar
IPC: H04L29/06
Abstract: In one embodiment, a service receives a plurality of process hashes for processes executed by a plurality of devices. The service receives traffic data indicative of traffic between the plurality of devices and a plurality of remote server domains. The service forms a bipartite graph based on the process hashes and the traffic data. A node of the graph represents a particular process hash or server domain, and an edge between nodes in the graph represents network traffic between a process and a server domain. The service identifies, based on the bipartite graph, a subset of the plurality of processes as exhibiting polymorphic malware behavior. The service causes performance of a mitigation action in the network based on the subset of processes identified as exhibiting polymorphic malware behavior.
-
15.
Publication No.: US10855698B2
Publication date: 2020-12-01
Application No.: US15851918
Filing date: 2017-12-22
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson, Martin Rehak, David McGrew, Martin Vejman, Tomas Pevny, Martin Grill, Jan Kohout
Abstract: In one embodiment, a device obtains simulation environment data regarding traffic generated within a simulation environment in which malware is executed. The device trains a malware detector using the simulation environment data. The device obtains deployment environment characteristics of a network to which the malware detector is to be deployed. The device configures the malware detector to ignore data in the simulation environment data that is associated with one or more environment characteristics that are not present in the deployment environment characteristics.
-
16.
Publication No.: US20190199739A1
Publication date: 2019-06-27
Application No.: US15851918
Filing date: 2017-12-22
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson, Martin Rehak, David McGrew, Martin Vejman, Tomas Pevny, Martin Grill, Jan Kohout
CPC classification number: H04L63/1416, G06F21/53, G06F21/6245, G06N20/00, H04L41/145, H04L63/0428, H04L63/1425, H04L63/1458, H04L63/166, H04L67/02, H04L67/28, H04L69/325
Abstract: In one embodiment, a device obtains simulation environment data regarding traffic generated within a simulation environment in which malware is executed. The device trains a malware detector using the simulation environment data. The device obtains deployment environment characteristics of a network to which the malware detector is to be deployed. The device configures the malware detector to ignore data in the simulation environment data that is associated with one or more environment characteristics that are not present in the deployment environment characteristics.
-
Publication No.: US10015192B1
Publication date: 2018-07-03
Application No.: US14934398
Filing date: 2015-11-06
Applicant: Cisco Technology, Inc.
Inventor: Jan Stiborek, Martin Rehak
CPC classification number: H04L63/145, H04L63/1416
Abstract: In one embodiment, a method includes creating a set of network-related indicators of compromise at a computing device, the set associated with a malicious network operation; identifying, at the computing device, samples comprising at least one of the indicators of compromise in the set; creating sub-clusters of the samples at the computing device; and selecting, at the computing device, one of the samples from the sub-clusters for additional analysis, wherein results of the analysis provide information for use in malware detection. An apparatus and logic are also disclosed herein.
-
18.
Publication No.: US20170155668A1
Publication date: 2017-06-01
Application No.: US14955480
Filing date: 2015-12-01
Applicant: Cisco Technology, Inc.
Inventor: Karel Bartos, Martin Rehak
CPC classification number: H04L63/1416, H04L43/024, H04L63/0236, H04L2463/144
Abstract: Identifying malicious communications by generating data representative of network traffic based on adaptive sampling includes, at a computing device having connectivity to a network, obtaining a set of data flows representing network traffic between one or more nodes in the network and one or more domains outside of the network, wherein each data flow in the set of data flows includes a plurality of data packets. One or more features are extracted from the set of data flows based on statistical measurements of the set of data flows. The set of data flows is adaptively sampled based on at least the one or more features. Then, data representative of the network traffic is generated based on the adaptive sampling to identify malicious communication channels in the network traffic.
-
Publication No.: US20160381183A1
Publication date: 2016-12-29
Application No.: US14748281
Filing date: 2015-06-24
Applicant: Cisco Technology, Inc.
Inventor: Jan Jusko, Tomas Pevny, Martin Rehak
CPC classification number: H04L63/1441, H04L43/08, H04L61/2007, H04L63/10, H04L63/101, H04L63/1433, H04L63/1458, H04L67/10, H04L67/42
Abstract: In one embodiment, a method includes receiving client-server connection data for clients and servers, the data including IP addresses corresponding to the servers; for each one of a plurality of IP address pairs, performing a statistical test to determine whether the IP addresses in the IP address pair are related by common clients, based on the number of clients connecting to each of the IP addresses in the pair; generating a graph including a plurality of vertices and edges, each vertex corresponding to a different IP address and each edge corresponding to a different IP address pair determined to be related by common clients in the statistical test; and clustering the vertices to yield clusters, wherein a subset of the IP addresses in one of the clusters provides an indication of the IP addresses of the servers serving the same application.
-
20.
Publication No.: US20230231777A1
Publication date: 2023-07-20
Application No.: US18125955
Filing date: 2023-03-24
Applicant: Cisco Technology, Inc.
Inventor: David McGrew, Martin Rehak, Blake Harrell Anderson, Sunil Amin
CPC classification number: H04L41/28, H04L63/1425, H04L63/1441, H04W12/12, G06F21/55, H04L63/14, H04L67/143
Abstract: In one embodiment, a service receives administration traffic data in a network associated with a remote administration session in which a control device remotely administers a client device. The service analyzes the administration traffic data to determine whether any portion of the administration traffic data results from an administration session involving a trusted administrator. The service flags a first portion of the administration traffic data as authorized when the first portion is determined to result from an administration session involving a trusted administrator, and leaves a second portion of the administration traffic data non-flagged. The service assesses the second portion of the administration traffic data using a machine learning-based traffic classifier to determine whether the second portion is malicious.