公开(公告)号：US20240028701A1

公开(公告)日：2024-01-25

申请号：US18084177

申请日：2022-12-19

Applicant: Cisco Technology, Inc.

Inventor： Andrew Zawadowskiy ,  Vincent E. Parla ,  Thomas Szigeti ,  Oleg Bessonov ,  Ashok Krishnaji Moghe

IPC: G06F21/51

CPC classification number: G06F21/51 ,  G06F2221/033

Abstract: Techniques and systems described herein relate to monitoring executions of computer instructions on computing devices based on learning and generating a control flow directed graph. The techniques and systems include determining an observation phase for a process or application on a computing device. During the observation phase, CPU telemetry is determined and used to generate a control flow directed graph. After the control flow directed graph is generated, a monitoring phase may be entered where transfers of instruction pointers are monitored based on the control flow directed graph to identify invalid transfers.

公开(公告)号：US11677650B2

公开(公告)日：2023-06-13

申请号：US17487100

申请日：2021-09-28

Applicant: Cisco Technology, Inc.

Inventor： Vincent E. Parla ,  Kyle Andrew Donald Mestery ,  Andrew Zawadowskiy

IPC: G06F15/173 ,  H04L43/0882 ,  H04L43/0811 ,  H04L43/062 ,  H04L41/22 ,  H04L67/1023 ,  H04L67/1008 ,  H04L67/561 ,  G06F15/16

CPC classification number: H04L43/0882 ,  H04L41/22 ,  H04L43/062 ,  H04L43/0811 ,  H04L67/1008 ,  H04L67/1023 ,  H04L67/561

Abstract: In one embodiment, a monitoring engine obtains mesh flow data for traffic flows between nodes in a service mesh. The monitoring engine associates the mesh flow data with network traffic between an endpoint device and an edge of the service mesh. The monitoring engine identifies, based on the mesh flow data, a particular container workload associated with the traffic flows. The monitoring engine provides an indication that the particular container workload is associated with the network traffic between the endpoint device and the edge of the service mesh.

公开(公告)号：US10305928B2

公开(公告)日：2019-05-28

申请号：US14820265

申请日：2015-08-06

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Andrew Zawadowskiy ,  Donovan O'Hara ,  Saravanan Radhakrishnan ,  Tomas Pevny ,  Daniel G. Wing

IPC: H04L29/06

Abstract: A method comprises receiving, at a network infrastructure device, a flow of packets, determining, using the network infrastructure device and for a first subset of the packets, that the first subset corresponds to a first datagram and determining a first length of the first datagram, determining, using the network infrastructure device and for a second subset of the packets, that the second subset corresponds to a second datagram that was received after the first datagram, and determining a second length of the second datagram, determining, using the network infrastructure device, a duration value between a first arrival time of the first datagram and a second arrival time of the second datagram, sending, to a collector device that is separate from the network infrastructure device, the first length, the second length, and the duration value for analysis.

公开(公告)号：US20160261562A1

公开(公告)日：2016-09-08

申请号：US15156646

申请日：2016-05-17

Applicant: Cisco Technology, Inc.

Inventor： Todd Short ,  Andrew Zawadowskiy ,  Antonio Martin ,  Vincent E. Parla

IPC: H04L29/06 ,  H04L12/721 ,  H04L29/08

CPC classification number: H04L63/0227 ,  H04L45/306 ,  H04L45/566 ,  H04L63/0245 ,  H04L63/08 ,  H04L63/10 ,  H04L67/02

Abstract: A method for providing authoritative application-based routing and an improved application firewall, as well as a method for application classification, is described. The first embodiment, which provides a method for authoritative application-based routing, comprises tagging packets with an application identifier, and pushing the tagged packets to the network to enable the application identifier to be used in routing and priority decisions. In the second embodiment, a method for improving application firewall comprises using the application identifier to minimize the amount of processing required by the firewall when analyzing packet information.

公开(公告)号：US09148442B2

公开(公告)日：2015-09-29

申请号：US14458096

申请日：2014-08-12

Applicant: Cisco Technology, Inc.

Inventor： Jeffrey A Kraemer ,  Andrew Zawadowskiy ,  Philip J. S Gladstone

IPC: H04L29/06 ,  G06F21/55 ,  G06F21/56

CPC classification number: H04L63/1416 ,  G06F21/554 ,  G06F21/56 ,  H04L63/14 ,  H04L63/1433 ,  H04L63/1441 ,  H04L63/20

Abstract: A system inserts at least one notifying identifier in the computer system. The at least one notifying identifier provides execution information associated with the computer system. The system receives execution information from the at least one notifying identifier, the execution information identifies details associated with a traffic flow on the computer system. The system then generates a signature based on a deterministic link provided by the execution information provided by the at least one notifying identifier. The signature is utilized to prevent further damage caused to the computer system by at least one attack.

Abstract translation: 系统在计算机系统中插入至少一个通知标识符。 所述至少一个通知标识符提供与计算机系统相关联的执行信息。 系统从至少一个通知标识符接收执行信息，执行信息识别与计算机系统上的业务流相关联的细节。 然后，系统基于由至少一个通知标识符提供的执行信息提供的确定性链路来生成签名。 该签名用于通过至少一次攻击来防止对计算机系统的进一步损坏。

公开(公告)号：US12231456B2

公开(公告)日：2025-02-18

申请号：US18361405

申请日：2023-07-28

Applicant: Cisco Technology, Inc.

Inventor： Andrew Zawadowskiy ,  Oleg Bessonov ,  Vincent Parla

IPC: G06F21/31 ,  G06F11/34 ,  G06F16/334 ,  G06F16/34 ,  G06F16/901 ,  G06F21/55 ,  G06F21/56 ,  G06F21/57 ,  H04L9/40

Abstract: A system and method are provided for generating a cybersecurity behavioral graph from a log files and/or other telemetry data, which can be unstructured or semi-structured data. The log files are applied to a machine learning (ML) model (e.g., a large language model (LLM)) that generates/extract from the log files entities and relationships between said entities. The entities and relationships can be constrained using a cybersecurity ontology or schema to ensure that the results are meaningful to a cybersecurity context. A graph is then generated by mapping the extracted entities to nodes in the graph and the relationships to edges connecting nodes. To more efficiently extract the entities and relationships from the data file, an LLM is used to generate regular expressions for the format of the log files. Once generated, the regular expressions can rapidly parse the log files to extract the entities and relationships.

公开(公告)号：US20250021348A1

公开(公告)日：2025-01-16

申请号：US18221833

申请日：2023-07-13

Applicant: Cisco Technology, Inc.

Inventor： Ashok Krishnaji Moghe ,  Andrew Zawadowskiy ,  Oleg Bessonov

IPC: G06F9/448

Abstract: Techniques and systems described herein relate to monitoring executions of computer instructions on computing devices based on observing and generating a control flow directed graph. The techniques and systems include determining an observation phase for a process or application on a computing device. During the observation phase, CPU telemetry is determined and used to generate a control flow directed graph. After the control flow directed graph is generated, a hash table associated with frequently traversed execution paths is generated. A monitoring phase may be entered where transfers of instruction pointers are monitored based on the control flow directed graph to identify invalid transfers. The frequently traversed execution paths may be identified based on the hash table and be identified as valid if the hash value corresponds to the table.

公开(公告)号：US11902168B2

公开(公告)日：2024-02-13

申请号：US17357461

申请日：2021-06-24

Applicant: Cisco Technology, Inc.

Inventor： Vincent Parla ,  Andrew Zawadowskiy ,  Oleg Bessonov ,  Hendrikus G. P. Bosch

IPC: H04L47/24

CPC classification number: H04L47/24

Abstract: A method of defining priority of a number of data packets within a queue includes generating a policy. The policy defines a first multiplexed channel of a plurality of multiplexed channels. The first multiplexed channel having a first priority. The policy also defines a second multiplexed channel of the plurality of multiplexed channels. The second multiplexed channel having a second priority. The first priority is defined as being of a higher priority relative to the second priority. The method further includes receiving the number of data packets over the plurality of multiplexed channels associated with a session based at least in part on the policy.

公开(公告)号：US20240028724A1

公开(公告)日：2024-01-25

申请号：US18198244

申请日：2023-05-16

Applicant: Cisco Technology, Inc.

Inventor： Vincent E. Parla ,  Andrew Zawadowskiy ,  Thomas Szigeti ,  Oleg Bessonov ,  Ashok Krishnaji Moghe

IPC: G06F21/56 ,  G06F21/55

CPC classification number: G06F21/566 ,  G06F21/552

Abstract: Techniques and systems described herein relate to monitoring executions of computer instructions on computing devices based on observing and generating a control flow directed graph. The techniques and systems include determining an observation phase for a process or application on a computing device. During the observation phase, CPU telemetry is determined and used to generate a control flow directed graph. After the control flow directed graph is generated, a monitoring phase may be entered where transfers of instruction pointers are monitored based on the control flow directed graph to identify invalid transfers. Transition to the monitoring phase may be based on determining a confidence score in the observed control flow directed graph and causing the transition when the confidence score is above a threshold.

公开(公告)号：US20240028712A1

公开(公告)日：2024-01-25

申请号：US18084147

申请日：2022-12-19

Applicant: Cisco Technology, Inc.

Inventor： Vincent E. Parla ,  Andrew Zawadowskiy ,  Oleg Bessonov ,  Thomas Szigeti ,  Ashok Krishnaji Moghe

IPC: G06F21/55 ,  G06F21/54 ,  G06F21/53

CPC classification number: G06F21/552 ,  G06F21/54 ,  G06F21/53

Abstract: Techniques and systems described herein relate to monitoring executions of computer instructions on computing devices based on learning and generating a control flow directed graph. The techniques and systems include determining telemetry representing execution of a process on a computing system and accessing a learned control flow diagram graph for the process. A transfer of an instruction pointer is determined based on the telemetry and a validity of the transfer is determined based on the learned control flow directed graph. If invalid, then an action to terminate the process is determined, otherwise the action may be allowed to execute when valid.