-
11.
Publication No.: US20180139214A1
Publication date: 2018-05-17
Application No.: US15353160
Filing date: 2016-11-16
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson , David McGrew , Subharthi Paul , Ivan Nikolaev , Martin Grill
Abstract: In one embodiment, a device in a network receives certificate data for an encrypted traffic flow associated with a client node in the network. The device determines one or more data features from the certificate data. The device determines one or more flow characteristics of the encrypted traffic flow. The device performs a classification of an application executed by the client node and associated with the encrypted traffic flow by using a machine learning-based classifier to assess the one or more data features from the certificate data and the one or more flow characteristics of the traffic flow. The device causes performance of a network action based on a result of the classification of the application.
-
12.
Publication No.: US11748477B2
Publication date: 2023-09-05
Application No.: US17382627
Filing date: 2021-07-22
Applicant: Cisco Technology, Inc.
Inventor: David McGrew , Blake Harrell Anderson , Subharthi Paul
CPC classification number: G06F21/554 , G06F9/4403 , G06F9/4406 , G06F11/1435 , G06F21/566 , G06N20/00 , H04L41/16 , H04L63/1416 , H04L63/1425 , H04L67/535
Abstract: In one embodiment, a device in a network tracks traffic features indicated by header information of packets of an encrypted traffic flow over time. The encrypted traffic flow is associated with a particular host in the network. The device detects an operating system start event based on the traffic features and provides data regarding the detected operating system start event as input to a machine learning-based malware detector to determine whether the particular host with which the encrypted traffic flow is associated is infected with malware. The device causes performance of a mitigation action in the network when the malware detector determines that the particular host is infected with malware.
-
13.
Publication No.: US11195120B2
Publication date: 2021-12-07
Application No.: US15892475
Filing date: 2018-02-09
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson , David McGrew , Subharthi Paul
Abstract: Methods and systems to classify a training dataset of network data as a poisoned training dataset based on a first dataset-level classifier, identify and remove poison samples of the poisoned training dataset based on a sample-level classifier to produce a non-poisoned dataset, train a machine-based model to analyze network traffic based on the modified non-poisoned dataset, and analyze network traffic with the machine-based model.
-
14.
Publication No.: US20210377283A1
Publication date: 2021-12-02
Application No.: US17395968
Filing date: 2021-08-06
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson , David McGrew , Subharthi Paul , Ivan Nikolaev , Martin Grill
IPC: H04L29/06
Abstract: In one embodiment, a device in a network receives certificate data for an encrypted traffic flow associated with a client node in the network. The device determines one or more data features from the certificate data. The device determines one or more flow characteristics of the encrypted traffic flow. The device performs a classification of an application executed by the client node and associated with the encrypted traffic flow by using a machine learning-based classifier to assess the one or more data features from the certificate data and the one or more flow characteristics of the traffic flow. The device causes performance of a network action based on a result of the classification of the application.
-
15.
Publication No.: US11093609B2
Publication date: 2021-08-17
Application No.: US16567377
Filing date: 2019-09-11
Applicant: Cisco Technology, Inc.
Inventor: David McGrew , Blake Harrell Anderson , Subharthi Paul
Abstract: In one embodiment, a device in a network tracks changes in a source port or address identifier indicated by network traffic associated with a particular host in the network. The device detects an operating system start event based on the tracked changes in the source port or address identifier indicated in the traffic data associated with the particular host. The device provides data regarding the detected operating system start event as input to a machine learning-based malware detector. The device causes performance of a mitigation action in the network when the malware detector determines that the particular host is infected with malware.
-
16.
Publication No.: US20190236493A1
Publication date: 2019-08-01
Application No.: US16135756
Filing date: 2018-09-19
Applicant: Cisco Technology, Inc.
Inventor: Nancy Cam-Winget , Subharthi Paul , Blake Anderson , Saman Taghavi Zargar , Oleg Bessonov , Robert Frederick Albach , Sanjay Kumar Agarwal , Mark Steven Knellinger
CPC classification number: G06N20/00 , G06K9/6257 , G06K9/6267 , G06N5/045 , G06N7/005 , G06N20/10 , G06N20/20 , H04L63/1416 , H04L67/12 , H04L67/34
Abstract: A trained model may be deployed to an Internet-of-Things (IOT) operational environment in order to ingest features and detect events extracted from network traffic. The model may be received and converted into a meta-language representation which is interpretable by a data plane engine. The converted model can then be deployed to the data plane and may extract features from network communications over the data plane. The extracted features may be fed to the deployed model in order to generate event classifications or device state classifications.
-
17.
Publication No.: US20190018955A1
Publication date: 2019-01-17
Application No.: US15648626
Filing date: 2017-07-13
Applicant: Cisco Technology, Inc.
Inventor: David McGrew , Blake Harrell Anderson , Subharthi Paul
CPC classification number: G06F21/554 , G06F9/4403 , G06F9/4406 , G06F11/1435 , G06F21/566 , G06N20/00 , H04L41/16 , H04L63/1416 , H04L63/1425 , H04L67/22
Abstract: In one embodiment, a device in a network tracks changes in a source port or address identifier indicated by network traffic associated with a particular host in the network. The device detects an operating system start event based on the tracked changes in the source port or address identifier indicated in the traffic data associated with the particular host. The device provides data regarding the detected operating system start event as input to a machine learning-based malware detector. The device causes performance of a mitigation action in the network when the malware detector determines that the particular host is infected with malware.
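The start-event detection in entries 15 and 17 (and the header-feature variant in entry 12) rests on one observation: a host that allocates ephemeral source ports from a counter restarts that counter when the operating system boots, so a passive sensor sees a backwards jump in source ports with no payload visibility at all. The Go program below is an added example written for this page, not code from the patents or from Cisco. It assumes a sequential allocator over the IANA dynamic range 49152 to 65535 (the patents do not state a specific rule), distinguishes a boot from ordinary counter wrap-around, and then isolates the flows made in the first seconds after the boot, which is the material a downstream malware detector would weigh most. The flow trace is constructed, not captured.

```go
package main

import (
	"fmt"
	"sort"
)

// FlowRecord is one connection seen from the monitored host: when the flow
// began and which ephemeral source port the host picked for it. Both are
// header-level features readable even when the payload is encrypted.
type FlowRecord struct {
	Time    int64  // seconds since epoch
	SrcPort uint16 // TCP/UDP source port chosen by the host
}

// StartEvent is a suspected operating-system start (boot) of the host,
// inferred from a backwards jump in its ephemeral source-port sequence.
type StartEvent struct {
	Time     int64
	PrevPort uint16 // highest port seen before the jump
	NewPort  uint16 // port that followed it
}

// DetectOSStartEvents assumes (hypothetical model for this example) that the
// host hands out ephemeral ports from a counter that climbs through
// [portLow, portHigh], wraps to portLow at the top, and is reset to portLow
// when the OS boots. A drop of at least minDrop ports is a boot unless the
// previous high was within wrapWindow of portHigh (ordinary wrap-around).
func DetectOSStartEvents(flows []FlowRecord, minDrop int, portLow, portHigh, wrapWindow uint16) []StartEvent {
	sorted := append([]FlowRecord(nil), flows...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Time < sorted[j].Time })

	var events []StartEvent
	var high uint16
	seen := false
	for _, f := range sorted {
		if f.SrcPort < portLow || f.SrcPort > portHigh {
			continue // not an ephemeral port (e.g. a listening service replying)
		}
		if !seen {
			high, seen = f.SrcPort, true
			continue
		}
		drop := int(high) - int(f.SrcPort)
		switch {
		case drop >= minDrop && high >= portHigh-wrapWindow:
			high = f.SrcPort // counter wrapped at the top of the range: not a boot
		case drop >= minDrop:
			events = append(events, StartEvent{Time: f.Time, PrevPort: high, NewPort: f.SrcPort})
			high = f.SrcPort
		case f.SrcPort > high:
			high = f.SrcPort
		}
	}
	return events
}

// PostBootFlows returns the flows that started within window seconds after a
// detected start event. Persistence mechanisms (run keys, services, scheduled
// tasks) beacon out before the user does anything, so these flows are the
// ones a malware detector would weigh most.
func PostBootFlows(flows []FlowRecord, events []StartEvent, window int64) []FlowRecord {
	var out []FlowRecord
	for _, f := range flows {
		for _, e := range events {
			if f.Time >= e.Time && f.Time-e.Time <= window {
				out = append(out, f)
				break
			}
		}
	}
	return out
}

// sampleFlows is a constructed trace for one host (not captured data): a
// counter wrap at t=5 that must not fire, and a boot at t=8 that must.
func sampleFlows() []FlowRecord {
	return []FlowRecord{
		{0, 49152}, {1, 49153}, {2, 49160}, {3, 52000}, {4, 65530},
		{5, 49152}, // wrap-around after 65530
		{6, 49200}, {7, 58000},
		{8, 49153}, // counter reset while well below the top: boot
		{9, 49154}, {10, 49155}, {20, 49300},
	}
}

func main() {
	flows := sampleFlows()
	events := DetectOSStartEvents(flows, 4096, 49152, 65535, 1024)
	for _, e := range events {
		fmt.Printf("OS start at t=%d (port %d -> %d)\n", e.Time, e.PrevPort, e.NewPort)
	}
	fmt.Printf("%d flows in the first 3s after boot\n", len(PostBootFlows(flows, events, 3)))
}
```

A stack that randomizes ephemeral ports gives no such signal, and a host that only ever opens a few connections between boots gives a weak one; that is the reason the patents feed the start event into a learned detector together with other features rather than acting on a fixed rule like the one above.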
-
18.
Publication No.: US20170180316A1
Publication date: 2017-06-22
Application No.: US14979042
Filing date: 2015-12-22
Applicant: CISCO TECHNOLOGY, INC.
Inventor: Jin Teng , Subharthi Paul , Thilan Niroshaka Ganegedara , Xun Wang , Saman Taghavi Zargar , Jayaraman Iyer
CPC classification number: H04L63/0227 , G06F17/30377 , H04L63/0218 , H04L63/105
Abstract: In one embodiment, a method includes receiving capability information from an end host at a centralized security matrix in communication with a firewall and a plurality of end hosts, verifying at the centralized security matrix, a trust level of the end host, assigning at the centralized security matrix, a firewall function to the end host based on the trust level and capability information, and notifying the firewall of the firewall function assigned to the end host. Firewall functions are offloaded from the firewall to the end hosts by the centralized security matrix. An apparatus and logic are also disclosed herein.
-
19.
Publication No.: US11909760B2
Publication date: 2024-02-20
Application No.: US17395968
Filing date: 2021-08-06
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson , David McGrew , Subharthi Paul , Ivan Nikolaev , Martin Grill
CPC classification number: H04L63/145 , H04L63/0428 , H04L63/1408 , G06N20/00
Abstract: In one embodiment, a device in a network receives certificate data for an encrypted traffic flow associated with a client node in the network. The device determines one or more data features from the certificate data. The device determines one or more flow characteristics of the encrypted traffic flow. The device performs a classification of an application executed by the client node and associated with the encrypted traffic flow by using a machine learning-based classifier to assess the one or more data features from the certificate data and the one or more flow characteristics of the traffic flow. The device causes performance of a network action based on a result of the classification of the application.
-
20.
Publication No.: US11570166B2
Publication date: 2023-01-31
Application No.: US16851674
Filing date: 2020-04-17
Applicant: Cisco Technology, Inc.
Inventor: David McGrew , Blake Harrell Anderson , Subharthi Paul , William Michael Hudson, Jr. , Philip Ryan Perricone
IPC: H04L9/40 , G06F21/55 , H04L67/141 , H04L9/32
Abstract: In one embodiment, a device in a network observes traffic between a client and a server for an encrypted session. The device makes a determination that a server certificate should be obtained from the server. The device, based on the determination, sends a handshake probe to the server. The device extracts server certificate information from a handshake response from the server that the server sent in response to the handshake probe. The device uses the extracted server certificate information to analyze the traffic between the client and the server.
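Entries 11, 14 and 19 classify an application from certificate data plus flow characteristics; entry 20 addresses the case where the sensor cannot read that certificate passively, which is the normal case under TLS 1.3 because the Certificate message is sent encrypted. The Go program below is an added example written for this page, not code from the patents or from Cisco. It implements the probe side of entry 20 (the device opens its own handshake to the server, records the certificate and hangs up without sending application data) and the feature-extraction side of entries 11, 14 and 19 (subject, issuer, self-signed flag, SAN count, validity period, key algorithm) as one program. The target server, its self-signed certificate and the names in it are constructed for the example so that it runs offline; the server name passed to the probe stands in for the SNI the sensor observed in the client's ClientHello, which it must reuse or a multi-tenant server may return a different certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// CertFeatures are the certificate-derived fields a traffic classifier can
// consume once the server certificate is in hand.
type CertFeatures struct {
	Subject, Issuer string
	SelfSigned      bool
	SANCount        int
	ValidityDays    int
	KeyAlgorithm    string
}

// ProbeServerCert opens its own TLS handshake to addr purely to obtain the
// server's certificate chain, then closes without sending application data.
// InsecureSkipVerify is deliberate: the chain is recorded, not trusted, and
// nothing is transmitted over the session.
func ProbeServerCert(addr, serverName string, timeout time.Duration) (*x509.Certificate, error) {
	d := &net.Dialer{Timeout: timeout}
	conn, err := tls.DialWithDialer(d, "tcp", addr, &tls.Config{
		ServerName:         serverName, // reuse the SNI seen in the client's ClientHello
		InsecureSkipVerify: true,       // probe only; no trust decision is made here
	})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return nil, fmt.Errorf("server %s sent no certificate", addr)
	}
	return certs[0], nil
}

// ExtractFeatures turns a leaf certificate into classifier inputs.
func ExtractFeatures(c *x509.Certificate) CertFeatures {
	return CertFeatures{
		Subject:      c.Subject.String(),
		Issuer:       c.Issuer.String(),
		SelfSigned:   c.Subject.String() == c.Issuer.String(),
		SANCount:     len(c.DNSNames) + len(c.IPAddresses),
		ValidityDays: int(c.NotAfter.Sub(c.NotBefore).Hours() / 24),
		KeyAlgorithm: c.PublicKeyAlgorithm.String(),
	}
}

// StartTestServer brings up a local TLS server with a freshly generated
// self-signed certificate (constructed for this example) and returns its
// address. It stands in for the real server a sensor would probe.
func StartTestServer() (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "probe-target.example"},
		DNSNames:     []string{"probe-target.example", "www.probe-target.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	cfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return "", err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) {
				defer c.Close()
				c.(*tls.Conn).Handshake() // deliver the certificate, then hang up
			}(c)
		}
	}()
	return ln.Addr().String(), nil
}

func main() {
	addr, err := StartTestServer()
	if err != nil {
		panic(err)
	}
	cert, err := ProbeServerCert(addr, "probe-target.example", 5*time.Second)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", ExtractFeatures(cert))
}
```

The probe is an active step: it creates a connection the server will log, so in practice it is rate-limited and cached per server name rather than fired for every observed session, and its result is only used to enrich the passive analysis of the original client flow.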
-