-
公开(公告)号:US11038900B2
公开(公告)日:2021-06-15
申请号:US16120580
申请日:2018-09-04
Applicant: Cisco Technology, Inc.
Inventor: Jan Jusko , Martin Rehak , Danila Khikhlukha , Harshit Nayyar
IPC: H04L29/06
Abstract: In one embodiment, a service receives a plurality of process hashes for processes executed by a plurality of devices. The service receives traffic data indicative of traffic between the plurality of devices and a plurality of remote server domains. The service forms a bipartite graph based on the processes hashes and the traffic data. A node of the graph represents a particular process hash or server domain and an edge between nodes in the graph represents network traffic between a process and a server domain. The service identifies, based on the bipartite graph, a subset of the plurality of processes as exhibiting polymorphic malware behavior. The service causes performance of a mitigation action in the network based on the identified subset of processes identified as exhibiting polymorphic malware behavior.
-
公开(公告)号:US20190124094A1
公开(公告)日:2019-04-25
申请号:US15789022
申请日:2017-10-20
Applicant: Cisco Technology, Inc.
Inventor: Jan Jusko , Jan Stiborek , Tomas Pevny
IPC: H04L29/06
Abstract: In one embodiment, a device analyzes network traffic data using a clustering process, to identify a cluster of addresses associated with the network traffic data for which the associated network traffic has similar behavioral characteristics. The device calculates a set of rankings for the cluster by comparing the cluster to different sets of malicious addresses. The device aggregates the set of rankings into a final ranking by setting the rankings in the set as current rankings and iteratively calculating an average of any subset of the current rankings that comprises correlated rankings. The calculated average replaces the rankings in the subset as a current ranking. When none of the current rankings are correlated, the device performs an aggregation across all of the current rankings to form the final ranking. The device provides data indicative of the cluster for review by a supervisor, based on the final ranking.
-
公开(公告)号:US20160080236A1
公开(公告)日:2016-03-17
申请号:US14485644
申请日:2014-09-12
Applicant: Cisco Technology, Inc.
Inventor: Ivan Nikolaev , Martin Grill , Jan Jusko
CPC classification number: H04L43/026 , H04L63/14
Abstract: Detecting network services based on network flow data is disclosed. Using a networking device, network flow data is obtained for a plurality of endpoints of a telecommunications network. Each endpoint of the plurality of endpoints is uniquely described by data comprising an IP address, a port, and a communication protocol. For each endpoint of a set of at least one endpoint selected from the plurality of endpoints, a plurality of peers of the endpoint is determined by detecting communication between the endpoint and the plurality of peers based on the network flow data. For each peer of a set of peers selected from the plurality of peers, a difference between a number of peers of the endpoint and a number of peers of said each peer is determined based on the network flow data. It is determined if the endpoint is a service based on the difference determined for each peer of the set of peers. Network management is performed based on the determination of whether the endpoint is a service.
Abstract translation: 公开了基于网络流数据检测网络服务。 使用网络设备,获得电信网络的多个端点的网络流数据。 多个端点的每个端点由包括IP地址,端口和通信协议的数据唯一地描述。 对于从多个端点中选择的至少一个端点的集合的每个端点,通过基于网络流数据检测端点与多个对等体之间的通信来确定端点的多个对等端。 对于从多个对等体中选择的一组对等体的每个对等体,基于网络流数据确定端点的对等端的数量与所述每个对等体的对等体的数量之间的差。 基于为对等体集合中的每个对等体确定的差异来确定端点是否是服务。 基于确定端点是否是服务来执行网络管理。
-
公开(公告)号:US20230129786A1
公开(公告)日:2023-04-27
申请号:US18088284
申请日:2022-12-23
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson , David McGrew , Vincent E. Parla , Jan Jusko , Martin Grill , Martin Vejman
Abstract: In one embodiment, a service receives traffic telemetry data regarding encrypted traffic sent by an endpoint device in a network. The service analyzes the traffic telemetry data to infer characteristics of an application on the endpoint device that generated the encrypted traffic. The service receives, from a monitoring agent on the endpoint device, application telemetry data regarding the application. The service determines that the application is evasive malware based on the characteristics of the application inferred from the traffic telemetry data and on the application telemetry data received from the monitoring agent on the endpoint device. The service initiates performance of a mitigation action in the network, after determining that the application on the endpoint device is evasive malware.
-
Patent Agency Ranking
公开(公告)号:US11451561B2
公开(公告)日:2022-09-20
申请号:US16131146
申请日:2018-09-14
Applicant: Cisco Technology, inc.
Inventor: Jan Jusko , Danila Khikhlukha , Harshit Nayyar
Abstract: In one embodiment, a device obtains execution records regarding executions of a plurality of binaries. The execution records comprise command line arguments used during the execution. The device determines measures of similarity between the executions of the binaries based on their command line arguments. The device clusters the executions into clusters based on the determined measures of similarity. The device flags the command line arguments for a particular one of the clusters as an indicator of compromise for malware, based on at least one of the binaries associated with the particular cluster being malware.
-
公开(公告)号:US10904271B2
公开(公告)日:2021-01-26
申请号:US15789022
申请日:2017-10-20
Applicant: Cisco Technology, Inc.
Inventor: Jan Jusko , Jan Stiborek , Tomas Pevny
IPC: H04L29/06
Abstract: In one embodiment, a device analyzes network traffic data using a clustering process, to identify a cluster of addresses associated with the network traffic data for which the associated network traffic has similar behavioral characteristics. The device calculates a set of rankings for the cluster by comparing the cluster to different sets of malicious addresses. The device aggregates the set of rankings into a final ranking by setting the rankings in the set as current rankings and iteratively calculating an average of any subset of the current rankings that comprises correlated rankings. The calculated average replaces the rankings in the subset as a current ranking. When none of the current rankings are correlated, the device performs an aggregation across all of the current rankings to form the final ranking. The device provides data indicative of the cluster for review by a supervisor, based on the final ranking.
-
公开(公告)号:US20200092306A1
公开(公告)日:2020-03-19
申请号:US16131146
申请日:2018-09-14
Applicant: Cisco Technology, Inc.
Inventor: Jan Jusko , Danila Khikhlukha , Harshit Nayyar
Abstract: In one embodiment, a device obtains execution records regarding executions of a plurality of binaries. The execution records comprise command line arguments used during the execution. The device determines measures of similarity between the executions of the binaries based on their command line arguments. The device clusters the executions into clusters based on the determined measures of similarity. The device flags the command line arguments for a particular one of the clusters as an indicator of compromise for malware, based on at least one of the binaries associated with the particular cluster being malware.
-
公开(公告)号:US20200076832A1
公开(公告)日:2020-03-05
申请号:US16120580
申请日:2018-09-04
Applicant: Cisco Technology, Inc.
Inventor: Jan Jusko , Martin Rehak , Danila Khikhlukha , Harshit Nayyar
IPC: H04L29/06
Abstract: In one embodiment, a service receives a plurality of process hashes for processes executed by a plurality of devices. The service receives traffic data indicative of traffic between the plurality of devices and a plurality of remote server domains. The service forms a bipartite graph based on the processes hashes and the traffic data. A node of the graph represents a particular process hash or server domain and an edge between nodes in the graph represents network traffic between a process and a server domain. The service identifies, based on the bipartite graph, a subset of the plurality of processes as exhibiting polymorphic malware behavior. The service causes performance of a mitigation action in the network based on the identified subset of processes identified as exhibiting polymorphic malware behavior.
-
公开(公告)号:US09344441B2
公开(公告)日:2016-05-17
申请号:US14485731
申请日:2014-09-14
Applicant: Cisco Technology, Inc.
Inventor: Jan Kohout , Jan Jusko , Tomas Pevny , Martin Rehak
IPC: H04L29/06
CPC classification number: H04L63/1425 , H04L63/1408 , H04L63/1441 , H04L63/145 , H04L63/1466 , H04L63/1491 , H04L63/164 , H04L63/20
Abstract: In one embodiment a method, system and apparatus is described for detecting a malicious network connection, the method system and apparatus including determining, for each connection over a network, if each connection is a persistent connection, if, as a result of the determining, a first connection is determined to be a persistent connection, collecting connection statistics for the first connection, creating a feature vector for the first connection based on the collected statistics, performing outlier detection for all of the feature vector for all connections over a network which have been determined to be persistent connections, and reporting detected outliers. Related methods, systems and apparatus are also described.
Abstract translation: 在一个实施例中,描述了一种用于检测恶意网络连接的方法,系统和装置,所述方法系统和装置包括针对网络上的每个连接确定每个连接是否是持久连接,如果作为确定的结果, 确定第一连接是持久连接,收集第一连接的连接统计信息,基于所收集的统计信息创建用于第一连接的特征向量,对具有网络的所有连接的所有连接的所有特征向量进行异常检测 被确定为持续连接,并报告检测到异常值。 还描述了相关方法,系统和装置。
-
-
-
-
-
-
-
-
Search Results
19
records
(took 0.018 seconds)
