公开(公告)号：US11412000B2

公开(公告)日：2022-08-09

申请号：US16741794

申请日：2020-01-14

Applicant: Cisco Technology, Inc.

Inventor： Michel Khouderchah ,  Jayaraman Iyer ,  Kent K. Leung ,  Jianxin Wang ,  Donovan O'Hara ,  Saman Taghavi Zargar ,  Subharthi Paul

IPC: H04L9/40 ,  H04L67/02 ,  H04L41/22

Abstract: Presented herein are methodologies for implementing application security. A method includes generating an extraction vector based on a plurality of application security rules to be enforced, transmitting the extraction vector to a first agent operating on a first network device and to a second agent operating on a second network device; receiving, separately, from the first agent and from the second agent, first metadata generated by the first agent and second metadata generated by the second agent by the agents applying the extraction vector to network traffic passing, respectively, through the first network device and the second network device. The first metadata includes a transaction ID assigned by the first agent, and the second metadata includes the same transaction ID. The method further includes correlating the first metadata with the second metadata based on the transaction ID to construct a transactional service graph for the network traffic.

公开(公告)号：US20210349996A1

公开(公告)日：2021-11-11

申请号：US17382627

申请日：2021-07-22

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Blake Harrell Anderson ,  Subharthi Paul

IPC: G06F21/55 ,  H04L12/24 ,  H04L29/06 ,  G06N20/00 ,  G06F21/56 ,  G06F9/4401 ,  G06F11/14 ,  H04L29/08

Abstract: In one embodiment, a device in a network tracks traffic features indicated by header information of packets of an encrypted traffic flow over time. The encrypted traffic flow is associated with a particular host in the network. The device detects an operating system start event based on the traffic features and provides data regarding the detected operating system start event as input to a machine learning-based malware detector to determine whether the particular host with which the encrypted traffic flow is associated is infected with malware. The device causes performance of a mitigation action in the network when the malware detector determines that the particular host is infected with malware.

公开(公告)号：US11095670B2

公开(公告)日：2021-08-17

申请号：US16030116

申请日：2018-07-09

Applicant: Cisco Technology, Inc.

Inventor： Subharthi Paul ,  Saman Taghavi Zargar ,  Jayaraman Iyer ,  Hari Shankar

IPC: H04L29/06 ,  H04L12/24 ,  H04L29/08

Abstract: In one example embodiment, a network management device generates a first script defining a first function for detecting a first customizable network event in a sequence of customizable network events indicative of a security threat to a network. The network management device activates the first script at a first network device in the network so as to cause the first network device to execute the first function for detecting the first customizable network event, and obtains, from the first network device, one or more indications that the first network device has detected the first customizable network event. Based on the one or more indications, the network management device determines whether to activate a second script defining a second function for detecting a second customizable network event in the sequence at a second network device in the network capable of detecting the second customizable network event.

公开(公告)号：US20200014713A1

公开(公告)日：2020-01-09

申请号：US16030116

申请日：2018-07-09

Applicant: Cisco Technology, Inc.

Inventor： Subharthi Paul ,  Saman Taghavi Zargar ,  Jayaraman Iyer ,  Hari Shankar

IPC: H04L29/06 ,  H04L12/24

Abstract: In one example embodiment, a network management device generates a first script defining a first function for detecting a first customizable network event in a sequence of customizable network events indicative of a security threat to a network. The network management device activates the first script at a first network device in the network so as to cause the first network device to execute the first function for detecting the first customizable network event, and obtains, from the first network device, one or more indications that the first network device has detected the first customizable network event. Based on the one or more indications, the network management device determines whether to activate a second script defining a second function for detecting a second customizable network event in the sequence at a second network device in the network capable of detecting the second customizable network event.

公开(公告)号：US20200004958A1

公开(公告)日：2020-01-02

申请号：US16567377

申请日：2019-09-11

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Blake Harrell Anderson ,  Subharthi Paul

IPC: G06F21/55 ,  G06F9/4401 ,  G06F11/14 ,  H04L29/06 ,  H04L29/08

Abstract: In one embodiment, a device in a network tracks changes in a source port or address identifier indicated by network traffic associated with a particular host in the network. The device detects an operating system start event based on the track changes in the source port or address identifier indicated in the traffic data associated with the particular host. The device provides data regarding the detected operating system start event as input to a machine learning-based malware detector. The device causes performance of a mitigation action in the network when the malware detector determines that the particular host is infected with malware.

公开(公告)号：US10452846B2

公开(公告)日：2019-10-22

申请号：US15648626

申请日：2017-07-13

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Blake Harrell Anderson ,  Subharthi Paul

IPC: G06F21/55 ,  G06F9/4401 ,  G06F11/14 ,  H04L29/06 ,  H04L29/08 ,  H04L12/24 ,  G06F21/56 ,  G06N20/00

Abstract: In one embodiment, a device in a network tracks changes in a source port or address identifier indicated by network traffic associated with a particular host in the network. The device detects an operating system start event based on the track changes in the source port or address identifier indicated in the traffic data associated with the particular host. The device provides data regarding the detected operating system start event as input to a machine learning-based malware detector. The device causes performance of a mitigation action in the network when the malware detector determines that the particular host is infected with malware.

公开(公告)号：US20190260776A1

公开(公告)日：2019-08-22

申请号：US15898915

申请日：2018-02-19

Applicant: Cisco Technology, Inc.

Inventor： Saman Taghavi Zargar ,  Subharthi Paul ,  Prashanth Patil ,  Jayaraman Iyer ,  Hari Shankar

IPC: H04L29/06 ,  H04L12/24 ,  G06N99/00

Abstract: In one embodiment, a centralized controller maintains a plurality of hierarchical behavioral modules of a behavioral model, and distributes initial behavioral modules to data plane entities to cause them to apply the initial behavioral modules to data plane traffic. The centralized controller may then receive data from a particular data plane entity based on its having applied the initial behavioral modules to its data plane traffic. The centralized controller then distributes subsequent behavioral modules to the particular data plane entity to cause it to apply the subsequent behavioral modules to the data plane traffic, the subsequent behavioral modules selected based on the previously received data from the particular data plane entity. The centralized controller may then iteratively receive data from the particular data plane entity and distribute subsequently selected behavioral modules until an attack determination is made on the data plane traffic of the particular data plane entity.

公开(公告)号：US20190251479A1

公开(公告)日：2019-08-15

申请号：US15892475

申请日：2018-02-09

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  David McGrew ,  Subharthi Paul

IPC: G06N99/00 ,  H04L29/06

CPC classification number: G06N20/00 ,  H04L63/1425 ,  H04L63/1441

Abstract: Methods an systems to classify a training dataset of network data as a poisoned training dataset based on a first dataset-level classifier, identify and remove poison samples of the poisoned training dataset based on a sample-level classifier to produce a non-poisoned dataset, training a machine-based model to analyze network traffic based on the modified non-poisoned dataset, and analyze network traffic with the machine-based model.

公开(公告)号：US20190190961A1

公开(公告)日：2019-06-20

申请号：US15848645

申请日：2017-12-20

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Blake Harrell Anderson ,  Subharthi Paul ,  William Michael Hudson, JR. ,  Philip Ryan Perricone

IPC: H04L29/06

Abstract: In one embodiment, a device in a network observes traffic between a client and a server for an encrypted session. The device makes a determination that a server certificate should be obtained from the server. The device, based on the determination, sends a handshake probe to the server. The device extracts server certificate information from a handshake response from the server that the server sent in response to the handshake probe. The device uses the extracted server certificate information to analyze the traffic between the client and the server.