公开(公告)号：US20180332053A1

公开(公告)日：2018-11-15

申请号：US15595016

申请日：2017-05-15

Applicant: Cisco Technology, Inc.

Inventor： Brian E. Weis ,  Blake Harrell Anderson ,  Rashmikant B. Shah ,  David McGrew

IPC: H04L29/06 ,  G06N99/00

CPC classification number: H04L63/126 ,  G06N99/005 ,  H04L63/04 ,  H04L63/08 ,  H04L63/104

Abstract: In one embodiment, a device in a network receives an access policy and a class behavioral model for a node in the network that are associated with a class asserted by the node. The device applies the access policy and class behavioral model to traffic associated with the node. The device identifies a deviation in a behavior of the node from the class behavioral model, based on the application of the class behavioral model to the traffic associated with the node. The device causes performance of a mitigation action in the network based on the identified deviation in the behavior of the node from the class behavioral model.

公开(公告)号：US20180103056A1

公开(公告)日：2018-04-12

申请号：US15286728

申请日：2016-10-06

Applicant: Cisco Technology, Inc.

Inventor： Jan Kohout ,  Blake Harrell Anderson ,  Martin Grill ,  David McGrew ,  Martin Kopp ,  Tomas Pevny

IPC: H04L29/06 ,  H04L12/851 ,  H04L12/24 ,  G06N99/00

CPC classification number: H04L63/1441 ,  G06N20/00 ,  H04L41/0686 ,  H04L47/2441 ,  H04L63/0428 ,  H04L63/1416 ,  H04L63/1425 ,  H04L63/145 ,  H04L63/168

Abstract: In one embodiment, a device in a network detects an encrypted traffic flow associated with a client in the network. The device captures contextual traffic data regarding the encrypted traffic flow from one or more unencrypted packets associated with the client. The device performs a classification of the encrypted traffic flow by using the contextual traffic data as input to a machine learning-based classifier. The device generates an alert based on the classification of the encrypted traffic flow.

公开(公告)号：US20170374089A1

公开(公告)日：2017-12-28

申请号：US15191129

申请日：2016-06-23

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  David McGrew

IPC: H04L29/06 ,  H04L29/12 ,  H04L12/833 ,  H04L12/851 ,  H04L29/08 ,  G06N99/00

CPC classification number: H04L63/1425 ,  G06N20/00 ,  H04L47/2483 ,  H04L47/31 ,  H04L63/145 ,  H04L63/1458

Abstract: In one embodiment, a device in a first network receives traffic flow information regarding a plurality of traffic flows in the first network. The device labels the traffic flow information by associating classifier labels to the traffic flow information. The device receives a generic traffic classifier that was trained using a training data set that comprises labeled traffic flow information for a plurality of other networks and excludes the traffic flow information regarding the plurality of traffic flows in the first network. The device acclimates the generic traffic classifier to the first network using the labeled traffic flow information regarding the plurality of traffic flows in the first network.

公开(公告)号：US20170026390A1

公开(公告)日：2017-01-26

申请号：US14806236

申请日：2015-07-22

Applicant: Cisco Technology, Inc.

Inventor： Michal Sofka ,  Lukas Machlica ,  Karel Bartos ,  David McGrew

IPC: H04L29/06 ,  G06F17/27 ,  G06N99/00 ,  H04L29/12

CPC classification number: H04L63/1416 ,  G06F21/566 ,  G06N99/005 ,  H04L61/1511 ,  H04L61/303 ,  H04L63/0281 ,  H04L63/1425 ,  H04L2463/144

Abstract: Techniques are presented to identify malware communication with domain generation algorithm (DGA) generated domains. Sample domain names are obtained and labeled as DGA domains, non-DGA domains or suspicious domains. A classifier is trained in a first stage based on the sample domain names. Sample proxy logs including proxy logs of DGA domains and proxy logs of non-DGA domains are obtained to train the classifier in a second stage based on the plurality of sample domain names and the plurality of sample proxy logs. Live traffic proxy logs are obtained and the classifier is tested by classifying the live traffic proxy logs as DGA proxy logs, and the classifier is forwarded to a second computing device to identify network communication of a third computing device as malware network communication with DGA domains via a network interface unit of the third computing device based on the trained and tested classifier.

Abstract translation: 提出技术来识别与域生成算法（DGA）生成域的恶意软件通信。 获取样品域名并标记为DGA域，非DGA域或可疑域。 分类器在第一阶段根据样本域名进行培训。 获得包括DGA域的代理日志和非DGA域的代理日志的示例代理日志，以在第二阶段中基于多个示例域名和多个示例代理日志来训练分类器。 获取实时流量代理日志，并通过将实时流量代理日志分类为DGA代理日志来测试分类器，并将分类器转发到第二计算设备，以将第三计算设备的网络通信识别为与DGA域的恶意软件网络通信，通过 基于经过训练和测试的分类器的第三计算设备的网络接口单元。

公开(公告)号：US20170019423A1

公开(公告)日：2017-01-19

申请号：US14800813

申请日：2015-07-16

Applicant: Cisco Technology, Inc.

Inventor： James Anil Pramod Kotwal ,  Christopher Blayne Dreier ,  David Aaron Wyde ,  Kellen Mac Arb ,  David McGrew ,  Scott Fluhrer

IPC: H04L29/06 ,  H04L9/32 ,  H04L9/08

CPC classification number: H04L9/32 ,  H04L9/0819 ,  H04L9/0869 ,  H04L9/3226 ,  H04L63/06 ,  H04L63/1441 ,  H04L63/168 ,  H04L2463/082

Abstract: A server sends information to a client that allows the client to establish a first key at the client. The server then receives a session ID that has been encrypted using the first key. The first key is then established at the server, which can then decrypt the session ID using the first key. After the server validates the session ID, it determines a second key that is different from the first key. The server then receives the session ID encrypted with the second key, and decrypts the session ID encrypted with the second key.

Abstract translation: 服务器向客户端发送信息，允许客户端在客户端建立第一个密钥。 然后，服务器接收使用第一个密钥加密的会话ID。 然后在服务器上建立第一个密钥，然后可以使用第一个密钥解密会话ID。 在服务器验证会话ID后，它确定与第一个密钥不同的第二个密钥。 然后，服务器接收用第二密钥加密的会话ID，并解密用第二密钥加密的会话ID。

公开(公告)号：US09306936B2

公开(公告)日：2016-04-05

申请号：US14532131

申请日：2014-11-04

Applicant: Cisco Technology, Inc.

Inventor： Kunal Patel ,  Yixin Sun ,  Puneet Gupta ,  Vinod Arjun ,  David McGrew

IPC: H04L29/06 ,  H04L9/32

CPC classification number: H04L63/0823 ,  H04L9/321 ,  H04L9/3263 ,  H04L63/0428 ,  H04L63/0435 ,  H04L63/061 ,  H04L63/164

Abstract: Techniques are provided for obtaining first and second digital certificates from a certificate authority database for establishing a secure exchange between network devices. The first digital certificate contains identity information of a first network device, and the second digital certificate contains classification information of the first network device. In one embodiment, a secure key exchange is initiated with the second network device, and the first and second digital certificates are transmitted as a part of the secure key exchange to the second network device. In another embodiment, the first and second digital certificates are received by an intermediate network device. The first digital certificate is encrypted and is not evaluated by the intermediate network device. The second digital certificate is evaluated for classification information of the first network device. Source information associated with the first network device is stored, and encrypted traffic is processed between the network devices.

Abstract translation: 提供了用于从认证机构数据库获得第一和第二数字证书以建立网络设备之间的安全交换的技术。 第一数字证书包含第一网络设备的身份信息，第二数字证书包含第一网络设备的分类信息。 在一个实施例中，与第二网络设备一起发起安全密钥交换，并且将第一和第二数字证书作为安全密钥交换的一部分被发送到第二网络设备。 在另一个实施例中，第一和第二数字证书由中间网络设备接收。 第一个数字证书是加密的，不被中间网络设备评估。 对第一个网络设备的分类信息进行第二个数字证书的评估。 存储与第一网络设备相关联的源信息，并且在网络设备之间处理加密流量。

公开(公告)号：US09237015B2

公开(公告)日：2016-01-12

申请号：US14056038

申请日：2013-10-17

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  John Foley

IPC: H04L9/32 ,  H04L9/30 ,  H04L29/06

CPC classification number: H04L63/123 ,  H04L9/30 ,  H04L63/0435 ,  H04L63/1466

Abstract: A method of providing anti-replay protection, authentication, and encryption with minimal data overhead is provided. A sender uses an arbitrary-length pseudorandom permutation to encrypt messages that include plaintext and successively increasing sequence numbers, to produce ciphertext messages. The sender transmits the ciphertext messages. A receiver receives the ciphertext messages and, for each received ciphertext message, performs the following operations. The receiver decrypts the given ciphertext message to recover plaintext and a candidate sequence number from the message. The receiver determines if the candidate sequence number is in any one of multiple acceptable sequence number windows having respective sequence number ranges that are based on at least one of a highest sequence number previously accepted and a last sequence number that was previously rejected, as established based on processing of previously received ciphertext messages.

Abstract translation: 提供了一种以最少数据开销提供反重放保护，认证和加密的方法。 发送方使用任意长度的伪随机排列来加密包括明文和连续增加的序列号的消息，以产生密文消息。 发送方发送密文消息。 接收者接收密文消息，对于每个收到的密文消息，执行以下操作。 接收机解密给定的密文消息，从消息中恢复明文和候选序列号。 接收机确定候选序列号是否在具有各自序列号范围的多个可接受的序列号窗口中的任何一个中，其具有基于先前被接受的最高序列号和先前拒绝的最后序列号中的至少一个， 对先前接收的密文消息进行处理。

公开(公告)号：US20150033014A1

公开(公告)日：2015-01-29

申请号：US14056038

申请日：2013-10-17

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  John Foley

IPC: H04L9/30

CPC classification number: H04L63/123 ,  H04L9/30 ,  H04L63/0435 ,  H04L63/1466

Abstract: A method of providing anti-replay protection, authentication, and encryption with minimal data overhead is provided. A sender uses an arbitrary-length pseudorandom permutation to encrypt messages that include plaintext and successively increasing sequence numbers, to produce ciphertext messages. The sender transmits the ciphertext messages. A receiver receives the ciphertext messages and, for each received ciphertext message, performs the following operations. The receiver decrypts the given ciphertext message to recover plaintext and a candidate sequence number from the message. The receiver determines if the candidate sequence number is in any one of multiple acceptable sequence number windows having respective sequence number ranges that are based on at least one of a highest sequence number previously accepted and a last sequence number that was previously rejected, as established based on processing of previously received ciphertext messages.

Abstract translation: 提供了一种以最少数据开销提供反重放保护，认证和加密的方法。 发送方使用任意长度的伪随机排列来加密包括明文和连续增加的序列号的消息，以产生密文消息。 发送方发送密文消息。 接收者接收密文消息，对于每个收到的密文消息，执行以下操作。 接收机解密给定的密文消息，从消息中恢复明文和候选序列号。 接收机确定候选序列号是否在具有各自序列号范围的多个可接受的序列号窗口中的任何一个中，其具有基于先前被接受的最高序列号和先前拒绝的最后序列号中的至少一个， 对先前接收的密文消息进行处理。

公开(公告)号：US12244640B2

公开(公告)日：2025-03-04

申请号：US18535021

申请日：2023-12-11

Applicant: Cisco Technology, Inc.

Inventor： K. Tirumaleswar Reddy ,  Daniel G. Wing ,  Blake Harrell Anderson ,  David McGrew

IPC: H04L9/40 ,  G06N20/00

Abstract: In one embodiment, a device in a network receives an attack mitigation request regarding traffic in the network. The device causes an assessment of the traffic, in response to the attack mitigation request. The device determines that an attack detector associated with the attack mitigation request incorrectly assessed the traffic, based on the assessment of the traffic. The device causes an update to an attack detection model of the attack detector, in response to determining that the attack detector incorrectly assessed the traffic.

公开(公告)号：US20240154979A1

公开(公告)日：2024-05-09

申请号：US18416439

申请日：2024-01-18

Applicant: Cisco Technology, Inc.

Inventor： Martin Rehak ,  David McGrew ,  Blake Harrell Anderson ,  Scott William Dunlop

IPC: H04L9/40

CPC classification number: H04L63/1416 ,  H04L63/02 ,  H04L63/0428 ,  H04L63/1425 ,  H04L63/1441 ,  H04L63/20 ,  H04L63/166

Abstract: In one embodiment, a traffic inspection service executed by an intermediary device obtains, from a monitoring agent executed by an endpoint device, keying information for an encrypted traffic session between the endpoint device and a remote entity. The traffic inspection service provides a notification to the monitoring agent that acknowledges receipt of the keying information. The traffic inspection service uses the keying information to decrypt encrypted traffic from the encrypted traffic session. The traffic inspection service applies a policy to the encrypted traffic session between the endpoint device and the remote entity, based on the decrypted traffic from the session.