-
Publication No.: US11310205B2
Publication date: 2022-04-19
Application No.: US16288628
Application date: 2019-02-28
Applicant: Cisco Technology, Inc.
IPC: H04L29/06, H04L12/851, G06N20/00, H04L12/24, H04L12/859, H04L47/2441, H04L47/2483, H04L41/16, H04L47/2475
Abstract: In one embodiment, a traffic analysis service identifies a client in a network having an associated traffic flow that was blocked by a firewall. The traffic analysis service obtains traffic telemetry data regarding one or more subsequent traffic flows associated with the identified client that are subsequent to the blocked flow. The traffic analysis service uses a machine learning-based classifier to determine that the identified client is exhibiting evasive network behavior, based on the obtained traffic telemetry data. The traffic analysis service initiates a mitigation action in the network, based on the determination that the identified client is exhibiting evasive network behavior.
-
Publication No.: US20200322275A1
Publication date: 2020-10-08
Application No.: US16910380
Application date: 2020-06-24
Applicant: Cisco Technology, Inc.
Inventor: Michael Joseph Stepanek, Costas Kleopa, David McGrew, Blake Harrell Anderson, Saravanan Radhakrishnan
IPC: H04L12/851, H04L12/825, H04L12/859, H04L12/931, H04L29/06, H04W12/12
Abstract: In one embodiment, a networking device in a network detects a traffic flow conveyed in the network via the networking device. The networking device generates flow data for the traffic flow. The networking device performs a classification of the traffic flow using the flow data as input to a machine learning-based classifier. The networking device performs a mediation action based on the classification of the traffic flow.
-
Publication No.: US20190251259A1
Publication date: 2019-08-15
Application No.: US15896980
Application date: 2018-02-14
Applicant: Cisco Technology, Inc.
Inventor: Michael Joseph Stepanek, Mohammad Masud Hasan, Costas Kleopa, Shravan Rangaraju
CPC classification number: G06F21/566, G06F21/552, G06F21/554, H04L63/145
Abstract: In one embodiment, a computing device collects ransomware behavioral data of known ransomware, the ransomware behavioral data based on one or more file writing features, and trains a ransomware classifier with the ransomware behavioral data to detect ransomware. The computing device may then share the ransomware classifier with a detection device to cause the detection device to behaviorally detect ransomware based on applying the ransomware classifier to monitored file writing activities. In another embodiment, in response to behaviorally detecting ransomware, based on applying the ransomware classifier to monitored file writing activities, the detection device may then perform one or more ransomware mitigation measures in response to behaviorally detecting ransomware.