-
Publication No.: US12231456B2
Publication date: 2025-02-18
Application No.: US18361405
Filing date: 2023-07-28
Applicant: Cisco Technology, Inc.
Inventor: Andrew Zawadowskiy , Oleg Bessonov , Vincent Parla
IPC: G06F21/31 , G06F11/34 , G06F16/334 , G06F16/34 , G06F16/901 , G06F21/55 , G06F21/56 , G06F21/57 , H04L9/40
Abstract: A system and method are provided for generating a cybersecurity behavioral graph from log files and/or other telemetry data, which can be unstructured or semi-structured data. The log files are applied to a machine learning (ML) model (e.g., a large language model (LLM)) that generates/extracts from the log files entities and relationships between said entities. The entities and relationships can be constrained using a cybersecurity ontology or schema to ensure that the results are meaningful in a cybersecurity context. A graph is then generated by mapping the extracted entities to nodes in the graph and the relationships to edges connecting nodes. To extract the entities and relationships from the log files more efficiently, an LLM is used to generate regular expressions for the format of the log files. Once generated, the regular expressions can rapidly parse the log files to extract the entities and relationships.
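The extraction-and-mapping step described in the abstract, as an added example that is not the patent's own code: regexes (standing in for the ones an LLM would be asked to emit for this log format) pull entities and relations out of constructed log lines, an assumed ontology filters the triples, and the survivors become nodes and weighted edges. The log lines, ontology, relation names and hypothetical "runs" relation are all constructed for illustration.

```python
"""Added example (not the patent's code): extract entities and relations from
log lines with regexes, constrain them with a cybersecurity ontology, and map
them onto a graph. The regexes stand in for the ones an LLM would be asked to
emit for this log format; the log lines and the ontology are constructed."""
import re
from collections import Counter

# Constructed sample logs in an assumed key=value format.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z host=web01 user=alice action=login src_ip=10.0.0.5 result=success
2024-05-01T10:00:07Z host=web01 user=alice action=exec process=/usr/bin/curl
2024-05-01T10:00:08Z host=web01 process=/usr/bin/curl action=connect dst_ip=203.0.113.9 dst_port=443
2024-05-01T10:01:00Z host=db01 user=bob action=login src_ip=10.0.0.9 result=failure
2024-05-01T10:01:01Z host=db01 user=bob action=login src_ip=10.0.0.9 result=failure
2024-05-01T10:01:02Z host=db01 user=bob action=login src_ip=10.0.0.9 result=success
"""

# Assumed ontology: node types and the (subject type, relation, object type)
# triples that are allowed to become edges. Anything else is rejected.
ONTOLOGY_NODE_TYPES = {"user", "host", "ip", "process"}
ONTOLOGY_EDGE_TYPES = {
    ("user", "logged_in_to", "host"),
    ("user", "failed_login_to", "host"),
    ("ip", "originated", "user"),
    ("user", "executed", "process"),
    ("process", "connected_to", "ip"),
}

# Per-event regexes; in the patented flow an LLM generates these once per format.
PATTERNS = {
    "login": re.compile(r"host=(?P<host>\S+) user=(?P<user>\S+) action=login "
                        r"src_ip=(?P<src_ip>\S+) result=(?P<result>\S+)"),
    "exec": re.compile(r"host=(?P<host>\S+) user=(?P<user>\S+) action=exec "
                       r"process=(?P<process>\S+)"),
    "connect": re.compile(r"host=(?P<host>\S+) process=(?P<process>\S+) "
                          r"action=connect dst_ip=(?P<dst_ip>\S+)"),
}


def extract(line):
    """Return the (subject, relation, object) triples found in one log line.
    Each endpoint is a (type, value) tuple; the caller applies the ontology."""
    for kind, pattern in PATTERNS.items():
        m = pattern.search(line)
        if not m:
            continue
        g = m.groupdict()
        host, user = ("host", g["host"]), ("user", g.get("user"))
        if kind == "login":
            rel = "logged_in_to" if g["result"] == "success" else "failed_login_to"
            return [(user, rel, host), (("ip", g["src_ip"]), "originated", user)]
        if kind == "exec":
            proc = ("process", g["process"])
            # "runs" is deliberately absent from the ontology to show rejection.
            return [(user, "executed", proc), (host, "runs", proc)]
        if kind == "connect":
            proc = ("process", g["process"])
            return [(proc, "connected_to", ("ip", g["dst_ip"])), (host, "runs", proc)]
    return []


def build_graph(text):
    """Map ontology-conformant triples onto nodes and weighted edges."""
    nodes, edges, rejected = set(), Counter(), []
    for line in text.splitlines():
        for subj, rel, obj in extract(line):
            if (subj[0], rel, obj[0]) in ONTOLOGY_EDGE_TYPES \
                    and {subj[0], obj[0]} <= ONTOLOGY_NODE_TYPES:
                nodes.update((subj, obj))
                edges[(subj, rel, obj)] += 1  # repeated events become edge weight
            else:
                rejected.append((subj, rel, obj))
    return {"nodes": nodes, "edges": edges, "rejected": rejected}


if __name__ == "__main__":
    graph = build_graph(SAMPLE_LOGS)
    for (subj, rel, obj), weight in sorted(graph["edges"].items()):
        print(f"{subj[1]} -[{rel} x{weight}]-> {obj[1]}")
    print("rejected (outside ontology):", len(graph["rejected"]))
```

Repeated events collapse into edge weight rather than duplicate edges, so the two failed logins by bob show up as one `failed_login_to` edge with weight 2, which is what an analyst would query for; the two `runs` triples are dropped by the ontology check, which is the constraint the abstract relies on to keep LLM output meaningful.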
-
Publication No.: US20250021348A1
Publication date: 2025-01-16
Application No.: US18221833
Filing date: 2023-07-13
Applicant: Cisco Technology, Inc.
Inventor: Ashok Krishnaji Moghe , Andrew Zawadowskiy , Oleg Bessonov
IPC: G06F9/448
Abstract: Techniques and systems described herein relate to monitoring executions of computer instructions on computing devices based on observing and generating a control flow directed graph. The techniques and systems include determining an observation phase for a process or application on a computing device. During the observation phase, CPU telemetry is determined and used to generate a control flow directed graph. After the control flow directed graph is generated, a hash table associated with frequently traversed execution paths is generated. A monitoring phase may be entered in which transfers of instruction pointers are monitored based on the control flow directed graph to identify invalid transfers. The frequently traversed execution paths may be identified based on the hash table and treated as valid when their hash value is present in the table.
-
Publication No.: US11902168B2
Publication date: 2024-02-13
Application No.: US17357461
Filing date: 2021-06-24
Applicant: Cisco Technology, Inc.
Inventor: Vincent Parla , Andrew Zawadowskiy , Oleg Bessonov , Hendrikus G. P. Bosch
IPC: H04L47/24
CPC classification number: H04L47/24
Abstract: A method of defining the priority of a number of data packets within a queue includes generating a policy. The policy defines a first multiplexed channel of a plurality of multiplexed channels, the first multiplexed channel having a first priority. The policy also defines a second multiplexed channel of the plurality of multiplexed channels, the second multiplexed channel having a second priority. The first priority is defined as higher than the second priority. The method further includes receiving the number of data packets over the plurality of multiplexed channels associated with a session based at least in part on the policy.
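The policy-driven queue described in the abstract, as an added example rather than the patent's code: a policy maps each multiplexed channel of a session to a priority, and the queue releases packets by that priority while preserving arrival order within a channel. The policy format, the packet tuples and the rule that packets on a channel the policy never defined are dropped rather than defaulted are assumptions made here.

```python
"""Added example (not the patent's code): a policy that gives each multiplexed
channel of a session a priority, and a queue that releases packets by that
priority while keeping arrival order within a channel. The policy format,
packet tuples and the drop rule for unknown channels are assumptions."""
import heapq
from itertools import count


class ChannelPolicy:
    """Maps channel id -> priority; lower number means released first."""
    def __init__(self, priorities):
        self.priorities = dict(priorities)

    def priority_of(self, channel):
        return self.priorities.get(channel)  # None: channel not defined by policy


class SessionQueue:
    def __init__(self, policy):
        self.policy = policy
        self._heap = []
        self._arrival = count()   # tie-breaker: FIFO within one priority level
        self.dropped = []

    def enqueue(self, channel, payload):
        prio = self.policy.priority_of(channel)
        if prio is None:
            # A packet on a channel the policy never defined gets no queue slot:
            # silently defaulting it to a priority would let a peer bypass policy.
            self.dropped.append((channel, payload))
            return False
        heapq.heappush(self._heap, (prio, next(self._arrival), channel, payload))
        return True

    def dequeue(self):
        _, _, channel, payload = heapq.heappop(self._heap)
        return channel, payload

    def drain(self):
        out = []
        while self._heap:
            out.append(self.dequeue())
        return out


# Constructed session: channel 1 = control, channel 2 = bulk data.
POLICY = ChannelPolicy({1: 0, 2: 1})
ARRIVALS = [(2, "data-1"), (1, "ctl-1"), (2, "data-2"), (1, "ctl-2"), (9, "rogue")]


def run_session(policy=POLICY, arrivals=ARRIVALS):
    q = SessionQueue(policy)
    for channel, payload in arrivals:
        q.enqueue(channel, payload)
    return q.drain(), q.dropped


if __name__ == "__main__":
    released, dropped = run_session()
    print("released:", released)
    print("dropped:", dropped)
```

The arrival counter in the heap entry is what keeps two packets of the same priority in order; without it, equal priorities would compare on the payload, which is neither stable nor meaningful.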
-
Publication No.: US20240028724A1
Publication date: 2024-01-25
Application No.: US18198244
Filing date: 2023-05-16
Applicant: Cisco Technology, Inc.
Inventor: Vincent E. Parla , Andrew Zawadowskiy , Thomas Szigeti , Oleg Bessonov , Ashok Krishnaji Moghe
CPC classification number: G06F21/566 , G06F21/552
Abstract: Techniques and systems described herein relate to monitoring executions of computer instructions on computing devices based on observing and generating a control flow directed graph. The techniques and systems include determining an observation phase for a process or application on a computing device. During the observation phase, CPU telemetry is determined and used to generate a control flow directed graph. After the control flow directed graph is generated, a monitoring phase may be entered where transfers of instruction pointers are monitored based on the control flow directed graph to identify invalid transfers. Transition to the monitoring phase may be based on determining a confidence score in the observed control flow directed graph and causing the transition when the confidence score is above a threshold.
-
Publication No.: US20240028712A1
Publication date: 2024-01-25
Application No.: US18084147
Filing date: 2022-12-19
Applicant: Cisco Technology, Inc.
Inventor: Vincent E. Parla , Andrew Zawadowskiy , Oleg Bessonov , Thomas Szigeti , Ashok Krishnaji Moghe
CPC classification number: G06F21/552 , G06F21/54 , G06F21/53
Abstract: Techniques and systems described herein relate to monitoring executions of computer instructions on computing devices based on learning and generating a control flow directed graph. The techniques and systems include determining telemetry representing execution of a process on a computing system and accessing a learned control flow directed graph for the process. A transfer of an instruction pointer is determined based on the telemetry, and the validity of the transfer is determined based on the learned control flow directed graph. If the transfer is invalid, an action to terminate the process is determined; otherwise the transfer is allowed to proceed.
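The three control-flow abstracts above (US20250021348A1, US20240028724A1 and US20240028712A1) describe one pipeline: an observation phase that learns a control flow directed graph from instruction-pointer telemetry, a confidence score that gates the switch to monitoring, a hash table of frequently traversed paths used as a fast path, and a terminate/allow decision per transfer. The following is an added example of that pipeline, not the patents' implementation; the telemetry format (a list of successive instruction-pointer values), the confidence heuristic (share of transfers already in the graph), the path-window length and the hash scheme are all assumptions made here.

```python
"""Added example (not the patent's code): learn a control-flow directed graph
from instruction-pointer transfer telemetry, switch to monitoring once the
graph stops growing, and use a hash table of frequently traversed paths as a
fast path. Traces, the confidence heuristic and the hash scheme are assumptions."""
import hashlib
from collections import Counter, defaultdict

# Constructed telemetry: successive instruction-pointer values of one process.
TRACE_A = [0x1000, 0x1010, 0x1020, 0x1030, 0x1040, 0x1050]
TRACE_B = [0x1000, 0x1010, 0x1060, 0x1030, 0x1040, 0x1050]  # a second legitimate branch
TRACE_HIJACK = [0x1000, 0x1010, 0x1020, 0x1030, 0x7FF0, 0x1050]  # jump to unseen code


class ControlFlowMonitor:
    def __init__(self, confidence_threshold=0.95, hot_path_len=4, hot_path_min_count=2):
        self.confidence_threshold = confidence_threshold
        self.hot_path_len = hot_path_len          # nodes per hashed path window
        self.hot_path_min_count = hot_path_min_count
        self.edges = defaultdict(set)             # learned graph: src ip -> {dst ip}
        self.path_counts = Counter()              # path window -> times observed
        self.hot_paths = set()                    # hashes of frequent windows
        self.phase = "observation"

    def _windows(self, trace):
        n = self.hot_path_len
        for i in range(len(trace) - n + 1):
            yield i, tuple(trace[i:i + n])

    @staticmethod
    def _path_hash(path):
        return hashlib.blake2b(",".join(f"{a:x}" for a in path).encode(),
                               digest_size=8).digest()

    def observe(self, trace):
        """Observation phase: add transfers to the graph and return a confidence
        score (share of transfers already known). Crossing the threshold moves
        the monitor into the monitoring phase and freezes the hot-path table."""
        if self.phase != "observation":
            raise RuntimeError("graph already frozen")
        transfers = list(zip(trace, trace[1:]))
        new = 0
        for src, dst in transfers:
            if dst not in self.edges[src]:
                self.edges[src].add(dst)
                new += 1
        for _, window in self._windows(trace):
            self.path_counts[window] += 1
        confidence = 1.0 - new / len(transfers) if transfers else 0.0
        if confidence >= self.confidence_threshold:
            self.hot_paths = {self._path_hash(p) for p, c in self.path_counts.items()
                              if c >= self.hot_path_min_count}
            self.phase = "monitoring"
        return confidence

    def monitor(self, trace):
        """Monitoring phase: return (action, invalid transfers, hot-path hits)."""
        if self.phase != "monitoring":
            raise RuntimeError("graph not learned yet")
        transfers = list(zip(trace, trace[1:]))
        validated = [False] * len(transfers)
        hits = 0
        # Fast path: a window whose hash is in the table is known-good as a whole.
        for i, window in self._windows(trace):
            if self._path_hash(window) in self.hot_paths:
                hits += 1
                for k in range(i, i + self.hot_path_len - 1):
                    validated[k] = True
        # Slow path: every remaining transfer is checked edge by edge.
        invalid = [(s, d) for k, (s, d) in enumerate(transfers)
                   if not validated[k] and d not in self.edges.get(s, ())]
        return ("terminate" if invalid else "allow"), invalid, hits


if __name__ == "__main__":
    mon = ControlFlowMonitor()
    for t in (TRACE_A, TRACE_B, TRACE_A):
        print("confidence", round(mon.observe(t), 2), "phase", mon.phase)
    print(mon.monitor(TRACE_A))
    print(mon.monitor(TRACE_B))
    print(mon.monitor(TRACE_HIJACK))
```

Two caveats a deployment has to handle that this toy leaves visible: the confidence score only measures that recent traces add no new edges, so a process whose rarely exercised paths were never observed will be terminated on a legitimate but unseen transfer (TRACE_B is accepted here only because it was observed before the graph froze), and the hot-path table accelerates validation but never loosens it, since a window is only hashed after every transfer in it has already been added to the graph.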
-
Publication No.: US20190236493A1
Publication date: 2019-08-01
Application No.: US16135756
Filing date: 2018-09-19
Applicant: Cisco Technology, Inc.
Inventor: Nancy Cam-Winget , Subharthi Paul , Blake Anderson , Saman Taghavi Zargar , Oleg Bessonov , Robert Frederick Albach , Sanjay Kumar Agarwal , Mark Steven Knellinger
CPC classification number: G06N20/00 , G06K9/6257 , G06K9/6267 , G06N5/045 , G06N7/005 , G06N20/10 , G06N20/20 , H04L63/1416 , H04L67/12 , H04L67/34
Abstract: A trained model may be deployed to an Internet-of-Things (IoT) operational environment in order to ingest features and detect events extracted from network traffic. The model may be received and converted into a meta-language representation which is interpretable by a data plane engine. The converted model can then be deployed to the data plane, where features are extracted from network communications passing over the data plane. The extracted features may be fed to the deployed model in order to generate event classifications or device state classifications.
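The convert-then-interpret flow from the abstract, as an added example that is not the patent's code: an in-memory decision tree (standing in for a trained model object) is converted into a small JSON meta-language, the data-plane side validates the program before loading it, extracts flow features from packet records, and classifies each flow by interpreting the JSON. The JSON schema, the feature names, the tree, the class labels and the packet records are all assumptions constructed for this example.

```python
"""Added example (not the patent's code): convert an in-memory decision tree
into a small JSON meta-language, validate it, and have a data-plane style
interpreter classify flows from features extracted out of packet records.
The JSON schema, feature names, tree and packet records are assumptions."""
import json
from collections import defaultdict

# Constructed packet records: (flow id, direction, size in bytes, dst port).
PACKETS = [
    ("f1", "out", 60, 502), ("f1", "in", 60, 502), ("f1", "out", 120, 502),
    ("f2", "out", 1400, 443), ("f2", "out", 1400, 443), ("f2", "out", 1400, 443),
    ("f2", "out", 1400, 443), ("f2", "in", 60, 443),
]

# Features the data-plane engine knows how to compute; nothing else is allowed.
ALLOWED_FEATURES = {"pkts", "mean_size", "out_ratio", "dst_port"}
MAX_DEPTH = 16  # a data plane must refuse unbounded programs


class TreeNode:
    """Stand-in for a trained model object from an ML framework."""
    def __init__(self, label=None, feature=None, threshold=None, left=None, right=None):
        self.label, self.feature, self.threshold = label, feature, threshold
        self.left, self.right = left, right


TRAINED_MODEL = TreeNode(
    feature="mean_size", threshold=200,
    left=TreeNode(feature="out_ratio", threshold=0.6,
                  left=TreeNode(label="ot_poll"), right=TreeNode(label="ot_push")),
    right=TreeNode(feature="out_ratio", threshold=0.6,
                   left=TreeNode(label="bulk_download"), right=TreeNode(label="bulk_upload")))


def to_meta(node):
    """Convert the model object into the declarative meta-language."""
    if node.label is not None:
        return {"class": node.label}
    return {"if": node.feature, "le": node.threshold,
            "then": to_meta(node.left), "else": to_meta(node.right)}


def validate_meta(meta, depth=0):
    """Reject programs the data plane cannot or should not run."""
    if depth > MAX_DEPTH:
        raise ValueError("model deeper than the data plane allows")
    if "class" in meta:
        return
    if meta.get("if") not in ALLOWED_FEATURES:
        raise ValueError(f"unknown feature {meta.get('if')!r}")
    validate_meta(meta["then"], depth + 1)
    validate_meta(meta["else"], depth + 1)


def extract_features(packets):
    """Per-flow features computed on the data plane from raw packet records."""
    acc = defaultdict(lambda: {"pkts": 0, "bytes": 0, "out_bytes": 0, "dst_port": None})
    for flow, direction, size, port in packets:
        a = acc[flow]
        a["pkts"] += 1
        a["bytes"] += size
        a["out_bytes"] += size if direction == "out" else 0
        a["dst_port"] = port
    return {flow: {"pkts": a["pkts"], "mean_size": a["bytes"] / a["pkts"],
                   "out_ratio": a["out_bytes"] / a["bytes"], "dst_port": a["dst_port"]}
            for flow, a in acc.items()}


def evaluate(meta, features):
    """Data-plane interpreter: walk the tree without recursion."""
    node = meta
    while "class" not in node:
        node = node["then"] if features[node["if"]] <= node["le"] else node["else"]
    return node["class"]


def classify_flows(packets, meta_json):
    meta = json.loads(meta_json)
    validate_meta(meta)
    return {flow: evaluate(meta, feats) for flow, feats in extract_features(packets).items()}


META_JSON = json.dumps(to_meta(TRAINED_MODEL))

if __name__ == "__main__":
    print(META_JSON)
    print(classify_flows(PACKETS, META_JSON))
```

Keeping the interpreter to a fixed feature vocabulary and a bounded depth is the point of the meta-language: the data plane never executes model code, only a declarative tree it has checked, so a malformed or hostile model update fails at `validate_meta` rather than at forwarding time.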
-