Detection of malware and malicious applications

    Publication (announcement) number: US11057420B2

    Publication (announcement) date: 2021-07-06

    Application number: US16370853

    Filing date: 2019-03-29

    Abstract: A method comprises receiving, at a network infrastructure device, a flow of packets; determining, using the network infrastructure device and for a first subset of the packets, that the first subset corresponds to a first datagram, and determining a first length of the first datagram; determining, using the network infrastructure device and for a second subset of the packets, that the second subset corresponds to a second datagram that was received after the first datagram, and determining a second length of the second datagram; determining, using the network infrastructure device, a duration value between a first arrival time of the first datagram and a second arrival time of the second datagram; and sending, to a collector device that is separate from the network infrastructure device, the first length, the second length, and the duration value for analysis.

    12. Private-learned IDS (granted patent)

    Publication (announcement) number: US10708284B2

    Publication (announcement) date: 2020-07-07

    Application number: US15643573

    Filing date: 2017-07-07

    Abstract: In one embodiment, a device in a network maintains a plurality of machine learning-based detectors for an intrusion detection system. Each detector is associated with a different portion of a feature space of traffic characteristics assessed by the intrusion detection system. The device provides data regarding the plurality of detectors to a user interface. The device receives an adjustment instruction from the user interface based on the data provided to the user interface regarding the plurality of detectors. The device adjusts the portions of the feature space associated with the plurality of detectors based on the adjustment instruction received from the user interface.

    Explaining causes of network anomalies

    Publication (announcement) number: US09973520B2

    Publication (announcement) date: 2018-05-15

    Application number: US14331486

    Filing date: 2014-07-15

    Inventor: Tomas Pevny

    CPC classification number: H04L63/1425

    Abstract: In an embodiment, the method comprises receiving network performance data for a computer network; receiving, from an intrusion detection system, network anomaly data indicating a plurality of anomalies that have occurred in the computer network; based, at least in part, on the network performance data and the network anomaly data, generating feature data; for each anomaly of the plurality of anomalies, using the feature data to determine a minimal set of features that distinguishes the anomaly from non-anomalies in the plurality of anomalies, and creating a mapping of the anomaly to the minimal set of features; based at least in part on the mapping, generating explanation rules for the plurality of anomalies; for a particular anomaly, identifying a particular rule of the explanation rules that is associated with the particular anomaly, and generating explanation data for the particular anomaly based upon the particular rule.

    15. RAPID, TARGETED NETWORK THREAT DETECTION (patent application)

    Publication (announcement) number: US20180063161A1

    Publication (announcement) date: 2018-03-01

    Application number: US15244486

    Filing date: 2016-08-23

    CPC classification number: H04L63/1416 G06F21/55 H04L63/1441

    Abstract: Rapidly detecting network threats with targeted detectors includes, at a computing device having connectivity to a network, determining features of background network traffic. Features are also extracted from a particular type of network threat. A characteristic of the particular type of network threat that best differentiates the features of the particular type of network threat from the features of the background network traffic is determined. A targeted detector for the particular type of network threat is created based on the characteristic and an action is applied to particular incoming network traffic identified by the targeted detector as being associated with the particular type of network threat.

    16. SERVER GROUPING SYSTEM (patent application)

    Publication (announcement) number: US20170142151A1

    Publication (announcement) date: 2017-05-18

    Application number: US15421447

    Filing date: 2017-02-01

    Abstract: In one embodiment, a method includes receiving client-server connection data for clients and servers, the data including IP addresses corresponding to the servers, for each one of a plurality of IP address pairs performing a statistical test to determine whether the IP addresses in the one IP address pair are related by common clients based on the number of the clients connecting to each of the IP addresses in the one IP address pair, generating a graph including a plurality of vertices and edges, each of the vertices corresponding to a different IP address, each edge corresponding to a different IP address pair determined to be related by common clients in the statistical test, and clustering the vertices yielding clusters, a subset of the IP addresses in one of the clusters providing an indication of the IP addresses of the servers serving a same application.

    17. Server grouping system (granted patent, in force)

    Publication (announcement) number: US09596321B2

    Publication (announcement) date: 2017-03-14

    Application number: US14748281

    Filing date: 2015-06-24

    Abstract: In one embodiment, a method includes receiving client-server connection data for clients and servers, the data including IP addresses corresponding to the servers, for each one of a plurality of IP address pairs performing a statistical test to determine whether the IP addresses in the one IP address pair are related by common clients based on the number of the clients connecting to each of the IP addresses in the one IP address pair, generating a graph including a plurality of vertices and edges, each of the vertices corresponding to a different IP address, each edge corresponding to a different IP address pair determined to be related by common clients in the statistical test, and clustering the vertices yielding clusters, a subset of the IP addresses in one of the clusters providing an indication of the IP addresses of the servers serving a same application.

    Learning indicators of compromise with hierarchical models

    Publication (announcement) number: US10375143B2

    Publication (announcement) date: 2019-08-06

    Application number: US15248252

    Filing date: 2016-08-26

    Abstract: Presented herein are techniques for classifying devices as being infected with malware based on learned indicators of compromise. A method includes receiving, at a security analysis device, traffic flows from a plurality of entities destined for a plurality of users; aggregating the traffic flows into discrete bags of traffic, wherein the bags of traffic comprise a plurality of flows of traffic for a given user over a predetermined period of time; extracting features from the bags of traffic and aggregating the features into per-flow feature vectors; aggregating the per-flow feature vectors into per-destination-domain aggregated vectors; combining the per-destination-domain aggregated vectors into a per-user aggregated vector; and classifying a computing device used by a given user as infected with malware when indicators of compromise detected in the bags of traffic indicate that the per-user aggregated vector for the given user includes suspicious features among the extracted features.