-
21.
Publication number: US20180139214A1
Publication date: 2018-05-17
Application number: US15353160
Filing date: 2016-11-16
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson, David McGrew, Subharthi Paul, Ivan Nikolaev, Martin Grill
Abstract: In one embodiment, a device in a network receives certificate data for an encrypted traffic flow associated with a client node in the network. The device determines one or more data features from the certificate data. The device determines one or more flow characteristics of the encrypted traffic flow. The device performs a classification of an application executed by the client node and associated with the encrypted traffic flow by using a machine learning-based classifier to assess the one or more data features from the certificate data and the one or more flow characteristics of the traffic flow. The device causes performance of a network action based on a result of the classification of the application.
-
22.
Publication number: US09942256B2
Publication date: 2018-04-10
Application number: US15496683
Filing date: 2017-04-25
Applicant: Cisco Technology, Inc.
CPC classification number: H04L63/1425, G06F17/30185, G06F17/30979, G06N99/005, H04L41/142, H04L41/16, H04L43/00, H04L43/04, H04L61/2514, H04L63/1408
Abstract: Actual traffic logs of network traffic to and from host devices in a network are collected over time. Artificial traffic logs for each of multiple artificial network address translation (NAT) devices are generated from the actual traffic logs. The actual traffic logs and the artificial traffic logs are labeled as being indicative of non-NAT devices and NAT devices, respectively, to produce labeled traffic logs. From the labeled traffic logs for each artificial NAT device and each non-NAT device, respective, correspondingly labeled, network traffic features indicative of whether the device behaves like a NAT device or a non-NAT device are extracted. A classifier device is trained using the network traffic features extracted for each artificial NAT device and each non-NAT device to classify between an actual NAT device and an actual non-NAT device based on further actual traffic logs.
-
23.
Publication number: US11909760B2
Publication date: 2024-02-20
Application number: US17395968
Filing date: 2021-08-06
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson, David McGrew, Subharthi Paul, Ivan Nikolaev, Martin Grill
CPC classification number: H04L63/145, H04L63/0428, H04L63/1408, G06N20/00
Abstract: In one embodiment, a device in a network receives certificate data for an encrypted traffic flow associated with a client node in the network. The device determines one or more data features from the certificate data. The device determines one or more flow characteristics of the encrypted traffic flow. The device performs a classification of an application executed by the client node and associated with the encrypted traffic flow by using a machine learning-based classifier to assess the one or more data features from the certificate data and the one or more flow characteristics of the traffic flow. The device causes performance of a network action based on a result of the classification of the application.
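Added example for entries 21 and 23 above (the same abstract, a parent and a continuation). This is illustrative code written for this page, not Cisco's implementation: the certificate fields, the flow statistics, the Gaussian naive Bayes model, the two application labels, the policy table and every training record are assumptions made here. It shows the shape of the pipeline the abstract describes: features from the server certificate and from the flow are combined into one vector, a learned classifier names the application, and the result selects a network action.

```python
# Application classification from TLS certificate data plus flow characteristics.
# Illustrative code; every field name, label and record below is assumed.
import math
from collections import defaultdict


def cert_features(cert):
    """Numeric features from a pre-parsed certificate record (field names assumed)."""
    return [
        1.0 if cert["issuer"] == cert["subject"] else 0.0,  # self-signed
        float(cert["validity_days"]),                       # notAfter - notBefore
        float(len(cert["san"])),                            # subjectAltName entries
        math.log2(cert["key_bits"]),                        # public key size
    ]


def flow_features(flow):
    """Flow characteristics that need no payload decryption."""
    return [
        float(flow["duration_s"]),
        flow["bytes_out"] / max(flow["bytes_in"], 1),       # upload/download ratio
        float(flow["packets"]),
    ]


def features(cert, flow):
    return cert_features(cert) + flow_features(flow)


class GaussianNB:
    """Minimal Gaussian naive Bayes: per-class mean and variance for each feature."""

    def fit(self, X, y):
        rows_by_class = defaultdict(list)
        for x, label in zip(X, y):
            rows_by_class[label].append(x)
        n_feat = len(X[0])
        self.prior, self.mean, self.var = {}, {}, {}
        for label, rows in rows_by_class.items():
            n = len(rows)
            self.prior[label] = math.log(n / len(X))
            mu = [sum(r[j] for r in rows) / n for j in range(n_feat)]
            self.mean[label] = mu
            self.var[label] = [sum((r[j] - mu[j]) ** 2 for r in rows) / n for j in range(n_feat)]
        # Variance smoothing: a feature constant within a class must not get variance 0.
        eps = 1e-9 * max(v for vs in self.var.values() for v in vs) + 1e-12
        for label in self.var:
            self.var[label] = [v + eps for v in self.var[label]]
        return self

    def log_posterior(self, x, label):
        ll = self.prior[label]
        for xi, mu, var in zip(x, self.mean[label], self.var[label]):
            ll += -0.5 * math.log(2 * math.pi * var) - (xi - mu) ** 2 / (2 * var)
        return ll

    def predict(self, x):
        return max(self.prior, key=lambda label: self.log_posterior(x, label))


# Constructed training records: (certificate, flow, application label). Not real data.
TRAINING = [
    ({"issuer": "CN=Example Public CA", "subject": "CN=www.example.com", "validity_days": 398,
      "san": ["www.example.com", "example.com"], "key_bits": 2048},
     {"duration_s": 12, "bytes_out": 4000, "bytes_in": 120000, "packets": 180}, "browser"),
    ({"issuer": "CN=Example Public CA", "subject": "CN=cdn.example.org", "validity_days": 90,
      "san": ["cdn.example.org", "static.example.org", "img.example.org"], "key_bits": 256},
     {"duration_s": 4, "bytes_out": 2000, "bytes_in": 60000, "packets": 90}, "browser"),
    ({"issuer": "CN=Example Public CA", "subject": "CN=shop.example.net", "validity_days": 365,
      "san": ["shop.example.net", "www.shop.example.net", "api.example.net", "pay.example.net"],
      "key_bits": 2048},
     {"duration_s": 30, "bytes_out": 8000, "bytes_in": 300000, "packets": 400}, "browser"),
    ({"issuer": "CN=localhost", "subject": "CN=localhost", "validity_days": 3650, "san": [], "key_bits": 2048},
     {"duration_s": 600, "bytes_out": 20000, "bytes_in": 2000, "packets": 40}, "automated_client"),
    ({"issuer": "CN=server", "subject": "CN=server", "validity_days": 7300, "san": [], "key_bits": 1024},
     {"duration_s": 1800, "bytes_out": 50000, "bytes_in": 1000, "packets": 60}, "automated_client"),
    ({"issuer": "CN=srv01", "subject": "CN=srv01", "validity_days": 3650, "san": ["srv01"], "key_bits": 2048},
     {"duration_s": 900, "bytes_out": 10000, "bytes_in": 500, "packets": 30}, "automated_client"),
]

# Constructed flows to classify after training.
UNSEEN_SELF_SIGNED = (
    {"issuer": "CN=node", "subject": "CN=node", "validity_days": 3650, "san": [], "key_bits": 2048},
    {"duration_s": 1200, "bytes_out": 30000, "bytes_in": 1000, "packets": 50},
)
UNSEEN_BROWSER = (
    {"issuer": "CN=Example Public CA", "subject": "CN=mail.example.com", "validity_days": 365,
     "san": ["mail.example.com", "smtp.example.com", "imap.example.com"], "key_bits": 256},
    {"duration_s": 8, "bytes_out": 3000, "bytes_in": 90000, "packets": 140},
)

# Assumed policy: the network action taken for each classification result.
NETWORK_ACTION = {"browser": "allow", "automated_client": "alert-and-rate-limit"}


def train():
    X = [features(c, f) for c, f, _ in TRAINING]
    y = [label for _, _, label in TRAINING]
    return GaussianNB().fit(X, y)


def classify_flow(model, cert, flow):
    """Return (application label, network action) for one encrypted flow."""
    label = model.predict(features(cert, flow))
    return label, NETWORK_ACTION.get(label, "log")


if __name__ == "__main__":
    model = train()
    for sample in (UNSEEN_SELF_SIGNED, UNSEEN_BROWSER):
        print(sample[0]["subject"], "->", classify_flow(model, *sample))
```

The certificate features are read from the server's unencrypted handshake (TLS 1.2 and earlier) or from a proxy that sees it, so nothing here decrypts traffic. On real data a single hand-picked feature such as self-signed would dominate this toy model the way it does here; the value of the learned classifier is in combining many weak certificate and flow signals, which needs a far larger labelled set than the six constructed records above.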
-
24.
Publication number: US10805377B2
Publication date: 2020-10-13
Application number: US15598541
Filing date: 2017-05-18
Applicant: Cisco Technology, Inc.
Inventor: Martin Grill, Jan Kohout, Martin Kopp
Abstract: A computing device having connectivity to a network stores one or more existing device models, where each of the one or more existing device models is a representation of a different client device used by a first authenticated user to access the network. The computing device obtains a device sample, which comprises network traffic data that is captured during a period of time and which is generated by a particular client device associated with the authenticated user of the network. The computing device determines, based on one or more relational criteria, whether the device sample should be assigned to one of the one or more existing device models or to an additional device model that has not yet been created. The computing device then determines relative identity of the particular client device based on whether the device sample is assigned to one of the one or more device models or to an additional device model that has not yet been created.
-
25.
Publication number: US20200244672A1
Publication date: 2020-07-30
Application number: US16261682
Filing date: 2019-01-30
Applicant: Cisco Technology, Inc.
Inventor: Martin Grill, Lukas Bajer, Martin Kopp, Jan Kohout
IPC: H04L29/06
Abstract: In one embodiment, a device in a network obtains log data regarding replication of files stored on an endpoint client to a file replication service. The device tracks, based on the obtained logs, encryption changes to the files that convert the files from unencrypted files to encrypted files. The device determines that the tracked encryption changes to the files are indicative of a ransomware infection on the endpoint client. The device initiates a mitigation action regarding the ransomware infection.
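Added example for entry 25 above. This is illustrative code written for this page, not the patented implementation: the replication-log line format, the presence of a per-version entropy value and MIME type in those logs, the "looks encrypted" test, the sliding window and the alert threshold are all assumptions made here. It tracks each replicated file's last known state and counts only transitions from a version that looked like a document to one that looks like ciphertext, so a file first seen encrypted (a backup, an archive) does not count.

```python
# Ransomware detection from file-replication (sync) service logs.
# Illustrative code; log format, entropy test, window and threshold are assumed.
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) op=PUT path=(?P<path>\S+) "
    r"entropy=(?P<entropy>[0-9.]+) mime=(?P<mime>\S+)$"
)
ENCRYPTED_ENTROPY = 7.8  # bits/byte: ciphertext sits near 8.0, office documents far lower (assumed)
WINDOW_S = 120           # sliding window over transitions, per endpoint (assumed)
MIN_TRANSITIONS = 8      # unencrypted->encrypted changes in the window that raise an alert (assumed)


def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": m["host"], "path": m["path"],
            "entropy": float(m["entropy"]), "mime": m["mime"]}


def looks_encrypted(rec):
    """High entropy AND no recognised document type; compressed archives keep their own MIME type."""
    return rec["entropy"] >= ENCRYPTED_ENTROPY and rec["mime"] == "application/octet-stream"


def detect(lines):
    """Return {host: {"first": ts, "count": n}} for endpoints whose files flip to encrypted in bulk."""
    last_encrypted = {}          # (host, path) -> did the last replicated version look encrypted
    recent = defaultdict(deque)  # host -> timestamps of unencrypted->encrypted transitions in window
    alerts = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        key = (rec["host"], rec["path"])
        now_encrypted = looks_encrypted(rec)
        previously = last_encrypted.get(key)  # None when this is the first version seen
        last_encrypted[key] = now_encrypted
        if previously is not False or not now_encrypted:
            continue                          # only a tracked unencrypted -> encrypted change counts
        q = recent[rec["host"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > WINDOW_S:
            q.popleft()
        if len(q) >= MIN_TRANSITIONS and rec["host"] not in alerts:
            alerts[rec["host"]] = {"first": q[0], "count": len(q)}
    return alerts


def mitigation(host):
    """Actions a responder would trigger for a flagged endpoint (assumed playbook)."""
    return [f"suspend replication from {host}", f"isolate {host} from the network",
            f"pin pre-infection file versions for {host}"]


def _ws17_lines():
    """Constructed burst: ten documents replicated as documents, then re-uploaded as ciphertext."""
    docs = [(f"/docs/report-{i:02d}.docx",
             "application/vnd.openxmlformats-officedocument.wordprocessingml.document") for i in range(10)]
    before = [f"2024-05-01T09:00:{i:02d}Z host=ws-17 op=PUT path={p} entropy=4.9 mime={m}"
              for i, (p, m) in enumerate(docs)]
    after = [f"2024-05-01T10:00:{3 * i:02d}Z host=ws-17 op=PUT path={p} entropy=7.99 mime=application/octet-stream"
             for i, (p, _) in enumerate(docs)]
    return before + after


# Constructed log: ws-03 is ordinary user activity, ws-17 is the infected endpoint.
SAMPLE_LOG = [
    "2024-05-01T09:10:00Z host=ws-03 op=PUT path=/docs/budget.xlsx entropy=5.1 mime=application/vnd.ms-excel",
    "2024-05-01T09:12:00Z host=ws-03 op=PUT path=/docs/budget.xlsx entropy=5.2 mime=application/vnd.ms-excel",
    "2024-05-01T09:15:00Z host=ws-03 op=PUT path=/photos/trip.zip entropy=7.96 mime=application/zip",
    "2024-05-01T09:16:00Z host=ws-03 op=PUT path=/backup/keys.gpg entropy=7.99 mime=application/octet-stream",
    "2024-05-01T09:20:00Z host=ws-03 op=PUT path=/docs/contract.pdf entropy=6.8 mime=application/pdf",
    "2024-05-01T09:21:00Z host=ws-03 op=PUT path=/docs/contract.pdf entropy=7.99 mime=application/octet-stream",
] + _ws17_lines()


if __name__ == "__main__":
    for host, info in detect(SAMPLE_LOG).items():
        print(host, info["count"], "transitions from", info["first"].isoformat(), mitigation(host))
```

In the constructed log ws-03 never alerts: the archive keeps its MIME type, the `.gpg` file was encrypted when first seen, and one document being password-protected is a single transition. Two caveats a deployment needs to handle: ransomware that writes `file.docx.locked` and deletes the original shows up as a new path, so the tracker has to key on the original name (or pair a delete with a create); and a sync service that does not record entropy or a sniffed MIME type needs a content probe at upload time to supply them.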
-
26.
Publication number: US20200120004A1
Publication date: 2020-04-16
Application number: US16156020
Filing date: 2018-10-10
Applicant: Cisco Technology, Inc.
Inventor: Jan Kohout, Martin Grill, Martin Kopp, Lukas Bajer
IPC: H04L12/26, H04L12/851
Abstract: In one embodiment, a traffic analysis service obtains telemetry data regarding network traffic associated with a device in a network. The traffic analysis service forms a histogram of frequencies of the traffic features from the telemetry data for the device. The traffic features are indicative of endpoints with which the device communicated. The traffic analysis service associates a device type with the device, by comparing the histogram of the traffic features from the telemetry data to histograms of traffic features associated with other devices. The traffic analysis service initiates, based on the device type associated with the device, an adjustment to treatment of the traffic associated with the device by the network.
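Added example for entries 24 and 26 above, which both compare a device's traffic profile against stored profiles. This is illustrative code written for this page, not Cisco's implementation: the feature (destination port), the Hellinger distance, the new-model threshold, the moving-average update, the device-type prototypes, the treatment table and the samples are all assumptions made here. The first half assigns each sample from one authenticated user to an existing device model or opens a new one (entry 24); the second half labels each model with the nearest device-type histogram and picks a traffic treatment (entry 26).

```python
# Histograms of a traffic feature for device identity (entry 24) and device type (entry 26).
# Illustrative code; feature, distance, thresholds, prototypes and samples are assumed.
import math
from collections import Counter

NEW_MODEL_THRESHOLD = 0.5  # relational criterion: farther than this from every model -> new model (assumed)


def histogram(flows):
    """Normalized frequency histogram of the destination-port feature of one device sample."""
    counts = Counter(f["dst_port"] for f in flows)
    total = sum(counts.values())
    return {port: n / total for port, n in counts.items()}


def hellinger(h1, h2):
    """Distance between two discrete distributions: 0 = identical, 1 = no overlap."""
    bc = sum(math.sqrt(h1.get(k, 0.0) * h2.get(k, 0.0)) for k in set(h1) | set(h2))
    return math.sqrt(max(0.0, 1.0 - bc))


class UserDeviceModels:
    """Device models of one authenticated user, each stored as a histogram."""

    def __init__(self):
        self.models = []

    def assign(self, sample_hist):
        """Return (model index, created) after assigning the sample to the nearest model or a new one."""
        if self.models:
            idx, dist = min(((i, hellinger(sample_hist, m)) for i, m in enumerate(self.models)),
                            key=lambda t: t[1])
            if dist <= NEW_MODEL_THRESHOLD:
                self._update(idx, sample_hist)
                return idx, False
        self.models.append(dict(sample_hist))
        return len(self.models) - 1, True

    def _update(self, idx, sample_hist, alpha=0.2):
        """Exponential moving average so a model drifts with its device's behaviour."""
        model = self.models[idx]
        for k in set(model) | set(sample_hist):
            model[k] = (1 - alpha) * model.get(k, 0.0) + alpha * sample_hist.get(k, 0.0)


# Constructed prototypes: port-frequency histograms of known device types.
DEVICE_TYPE_PROTOTYPES = {
    "workstation": {443: 0.60, 80: 0.15, 53: 0.20, 445: 0.05},
    "ip_phone": {5060: 0.50, 5061: 0.10, 53: 0.10, 123: 0.10, 69: 0.20},
    "printer": {9100: 0.30, 631: 0.30, 53: 0.20, 5353: 0.20},
}
# Assumed treatment the network applies once the type is known.
TREATMENT = {"workstation": "default-policy", "ip_phone": "voice-qos-vlan", "printer": "printer-segment"}


def classify_type(hist):
    return min(DEVICE_TYPE_PROTOTYPES, key=lambda t: hellinger(hist, DEVICE_TYPE_PROTOTYPES[t]))


def _flows(port_counts):
    """Expand {port: count} into flow records (constructed sample input)."""
    return [{"dst_port": p} for p, n in port_counts.items() for _ in range(n)]


# Constructed samples from one authenticated user: laptop, the laptop again, then a desk phone.
SAMPLES = [
    _flows({443: 30, 80: 8, 53: 10, 445: 2}),
    _flows({443: 28, 80: 10, 53: 10, 445: 2}),
    _flows({5060: 25, 5061: 5, 53: 5, 123: 5, 69: 10}),
]


def run_scenario():
    """Assign each sample to a device model, then type each model and pick its treatment."""
    store = UserDeviceModels()
    assignments = [store.assign(histogram(s)) for s in SAMPLES]
    types = [classify_type(m) for m in store.models]
    return assignments, types, [TREATMENT[t] for t in types]


if __name__ == "__main__":
    print(run_scenario())
```

The second laptop sample lands on model 0 because its histogram is within the threshold of the first; the phone sample shares only port 53 with it, so its distance is close to 1 and a second model is opened. Destination ports are the simplest feature to show; the abstract's "endpoints with which the device communicated" suggests domains or server addresses, which the same code handles by changing the key in `histogram`.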
-
27.
Publication number: US20190190928A1
Publication date: 2019-06-20
Application number: US15848150
Filing date: 2017-12-20
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson, David McGrew, Vincent E. Parla, Jan Jusko, Martin Grill, Martin Vejman
CPC classification number: H04L63/1416, G06F21/44, G06F21/52, G06F21/55, G06F21/554, H04L9/3242, H04L63/0428, H04L63/0876, H04L63/1425, H04L63/1466
Abstract: In one embodiment, a service receives traffic telemetry data regarding encrypted traffic sent by an endpoint device in a network. The service analyzes the traffic telemetry data to infer characteristics of an application on the endpoint device that generated the encrypted traffic. The service receives, from a monitoring agent on the endpoint device, application telemetry data regarding the application. The service determines that the application is evasive malware based on the characteristics of the application inferred from the traffic telemetry data and on the application telemetry data received from the monitoring agent on the endpoint device. The service initiates performance of a mitigation action in the network, after determining that the application on the endpoint device is evasive malware.
-
28.
Publication number: US10027562B2
Publication date: 2018-07-17
Application number: US14485644
Filing date: 2014-09-12
Applicant: Cisco Technology, Inc.
Inventor: Ivan Nikolaev, Martin Grill, Jan Jusko
IPC: G06F15/173, H04L12/26, H04L29/06
Abstract: Detecting network services based on network flow data is disclosed. Using a networking device, network flow data is obtained for a plurality of endpoints of a telecommunications network. Each endpoint of the plurality of endpoints is uniquely described by data comprising an IP address, a port, and a communication protocol. For each endpoint of a set of at least one endpoint selected from the plurality of endpoints, a plurality of peers of the endpoint is determined by detecting communication between the endpoint and the plurality of peers based on the network flow data. For each peer of a set of peers selected from the plurality of peers, a difference between a number of peers of the endpoint and a number of peers of said each peer is determined based on the network flow data. It is determined if the endpoint is a service based on the difference determined for each peer of the set of peers. Network management is performed based on the determination of whether the endpoint is a service.
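Added example for entry 28 above. This is illustrative code written for this page, not the patented implementation: the text flow format, the choice of the median as the aggregate over the per-peer differences and the margin value are assumptions made here. The idea it exercises is the one in the abstract: a service endpoint (IP, port, protocol) has many more peers than each of its peers has, a client's ephemeral endpoint has fewer, and peer-to-peer nodes come out roughly even.

```python
# Service detection from flow data via peer-count differences.
# Illustrative code; the flow text format, the median rule and the margin are assumed.
from collections import defaultdict
from statistics import median

MARGIN = 2  # an endpoint needs at least this many more peers than its typical peer (assumed)


def parse_flows(lines):
    """Constructed NetFlow-like text: 'proto src_ip:src_port -> dst_ip:dst_port'.

    Each side becomes an endpoint (ip, port, proto), the unique key the abstract describes.
    """
    flows = []
    for line in lines:
        proto, rest = line.split(None, 1)
        src, dst = (side.strip() for side in rest.split("->"))
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append(((sip, int(sport), proto), (dip, int(dport), proto)))
    return flows


def peer_map(flows):
    """endpoint -> set of endpoints it exchanged at least one flow with (direction ignored)."""
    peers = defaultdict(set)
    for a, b in flows:
        peers[a].add(b)
        peers[b].add(a)
    return peers


def peer_differences(endpoint, peers):
    """|peers(endpoint)| - |peers(p)| for every peer p: the quantity the abstract compares."""
    mine = peers.get(endpoint, set())
    return [len(mine) - len(peers[p]) for p in mine]


def is_service(endpoint, peers, margin=MARGIN):
    diffs = peer_differences(endpoint, peers)
    return bool(diffs) and median(diffs) >= margin


def detect_services(lines):
    """Sorted list of endpoints that behave like services in the given flow records."""
    peers = peer_map(parse_flows(lines))
    return sorted(e for e in peers if is_service(e, peers))


# Constructed flow records: a web server with six clients, a resolver with four,
# an SSH server with only two, and three peer-to-peer nodes talking to each other.
SAMPLE_FLOWS = [
    "tcp 10.1.1.10:51234 -> 10.0.0.5:443",
    "tcp 10.1.1.11:49876 -> 10.0.0.5:443",
    "tcp 10.1.1.12:53011 -> 10.0.0.5:443",
    "tcp 10.1.1.13:60122 -> 10.0.0.5:443",
    "tcp 10.1.1.14:41000 -> 10.0.0.5:443",
    "tcp 10.1.1.15:55555 -> 10.0.0.5:443",
    "tcp 10.1.1.10:51234 -> 10.0.0.5:443",   # repeated flow: peers are a set, so no double count
    "udp 10.1.1.10:40001 -> 10.0.0.53:53",
    "udp 10.1.1.11:40002 -> 10.0.0.53:53",
    "udp 10.1.1.12:40003 -> 10.0.0.53:53",
    "udp 10.1.1.13:40004 -> 10.0.0.53:53",
    "tcp 10.1.1.10:51300 -> 10.0.0.22:22",
    "tcp 10.1.1.11:51301 -> 10.0.0.22:22",
    "udp 10.2.0.1:6881 -> 10.2.0.2:6881",
    "udp 10.2.0.2:6881 -> 10.2.0.3:6881",
    "udp 10.2.0.3:6881 -> 10.2.0.1:6881",
]


if __name__ == "__main__":
    peers = peer_map(parse_flows(SAMPLE_FLOWS))
    for endpoint in sorted(peers):
        print(endpoint, peer_differences(endpoint, peers), is_service(endpoint, peers))
    print("services:", detect_services(SAMPLE_FLOWS))
```

The web server and the resolver are detected (differences of 5 and 3 against every peer), the P2P nodes are not (difference 0: each peer has as many peers as they do), and the SSH server with two clients is missed because its median difference of 1 is under the margin. That is the trade-off the margin encodes: a smaller margin catches low-traffic services but starts flagging any host that briefly has more peers than its neighbours, which is why the collection period matters as much as the rule.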
-
29.
Publication number: US20170230395A1
Publication date: 2017-08-10
Application number: US15496683
Filing date: 2017-04-25
Applicant: Cisco Technology, Inc.
Inventor: Tomás Komárek, Martin Grill, Tomás Pevny
CPC classification number: H04L63/1425, G06F17/30185, G06F17/30979, G06N99/005, H04L41/142, H04L41/16, H04L43/00, H04L43/04, H04L61/2514, H04L63/1408
Abstract: Actual traffic logs of network traffic to and from host devices in a network are collected over time. Artificial traffic logs for each of multiple artificial network address translation (NAT) devices are generated from the actual traffic logs. The actual traffic logs and the artificial traffic logs are labeled as being indicative of non-NAT devices and NAT devices, respectively, to produce labeled traffic logs. From the labeled traffic logs for each artificial NAT device and each non-NAT device, respective, correspondingly labeled, network traffic features indicative of whether the device behaves like a NAT device or a non-NAT device are extracted. A classifier device is trained using the network traffic features extracted for each artificial NAT device and each non-NAT device to classify between an actual NAT device and an actual non-NAT device based on further actual traffic logs.
-
30.
Publication number: US09667636B2
Publication date: 2017-05-30
Application number: US14696947
Filing date: 2015-04-27
Applicant: Cisco Technology, Inc.
CPC classification number: H04L63/1425, G06F17/30185, G06F17/30979, G06N99/005, H04L41/142, H04L41/16, H04L43/00, H04L43/04, H04L61/2514, H04L63/1408
Abstract: Network traffic logs of network traffic to and from host devices connected to a network that were collected over time are accessed. For each host device identified in the logs, a set of network traffic features indicative of whether the host device behaves like a Network Address Translation (NAT) device or an end host device is extracted from the logs for the host device. Each feature has values that vary over time based on the logs. A trained host device behavior classifier classifies the host device as either a NAT device or an end host device based on one or more of the feature values.
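Added example for the three NAT entries above (22, 29 and 30). This is illustrative code written for this page, not Cisco's implementation: the proxy-log fields, the user-agent to OS mapping, the three features, the decision-stump learner and every log record are assumptions made here. It follows the procedure in entries 22 and 29: real per-host logs are labelled non-NAT, artificial NAT logs are made by merging the logs of several real hosts behind one synthetic address and labelled NAT, features are extracted from both, and a classifier is trained on them and then applied to addresses it has not seen.

```python
# NAT-device detection trained on artificial NAT traffic logs.
# Illustrative code; log fields, OS parser, features, learner and records are assumed.
from collections import defaultdict
from itertools import combinations

# Constructed user-agent strings (shortened), keyed by a short name.
UA = {
    "win_chrome": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",
    "mac_safari": "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5) Safari/605.1.15",
    "linux_firefox": "Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Firefox/121.0",
    "android_chrome": "Mozilla/5.0 (Linux; Android 13; Pixel 7) Chrome/120.0 Mobile",
    "android_app": "ExampleApp/3.2 (Android 13)",
    "ios_safari": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_1 like Mac OS X) Safari/604.1",
}

# Constructed real hosts: address -> (user agents cycled per request, destinations contacted).
HOSTS = {
    "10.1.0.11": (["win_chrome"], ["login.example.com", "mail.example.com", "news.example.org"]),
    "10.1.0.12": (["mac_safari"], ["login.example.com", "docs.example.com", "shop.example.net"]),
    "10.1.0.13": (["linux_firefox"], ["login.example.com", "git.example.com", "wiki.example.org"]),
    "10.1.0.14": (["android_chrome", "android_app"], ["login.example.com", "api.example.com", "ads.example.net"]),
    "10.1.0.15": (["ios_safari"], ["login.example.com", "photos.example.com", "weather.example.org"]),
}
# Actual traffic log as (src_ip, dst_host, user_agent) records.
ACTUAL_LOGS = [(ip, dst, UA[uas[i % len(uas)]])
               for ip, (uas, dsts) in HOSTS.items() for i, dst in enumerate(dsts)]

OS_TOKENS = [("iPhone", "iOS"), ("iPad", "iOS"), ("Android", "Android"),
             ("Windows", "Windows"), ("Macintosh", "macOS"), ("Linux", "Linux")]
FEATURE_NAMES = ["distinct_os", "distinct_user_agents", "distinct_destinations"]


def os_family(user_agent):
    """First matching token wins: iOS before macOS ('like Mac OS X'), Android before Linux."""
    for token, family in OS_TOKENS:
        if token in user_agent:
            return family
    return "unknown"


def group_by_device(logs):
    by_dev = defaultdict(list)
    for src, dst, ua in logs:
        by_dev[src].append((dst, ua))
    return by_dev


def artificial_nat_logs(by_device, k=2):
    """Merge the logs of every k real hosts behind one synthetic address, to be labelled NAT."""
    nats = {}
    for hosts in combinations(sorted(by_device), k):
        nats["nat(" + "+".join(hosts) + ")"] = [rec for h in hosts for rec in by_device[h]]
    return nats


def device_features(records):
    uas = {ua for _, ua in records}
    return [len({os_family(ua) for ua in uas}), len(uas), len({dst for dst, _ in records})]


def labelled_training_set():
    real = group_by_device(ACTUAL_LOGS)
    X = [device_features(r) for r in real.values()]
    y = [0] * len(real)                       # actual hosts labelled non-NAT
    for records in artificial_nat_logs(real).values():
        X.append(device_features(records))
        y.append(1)                           # artificial devices labelled NAT
    return X, y


def train_stump(X, y):
    """Pick the (feature, threshold) with the best training accuracy; ties keep the earlier feature."""
    best = None  # (accuracy, feature index, threshold)
    for j in range(len(X[0])):
        vals = sorted({x[j] for x in X})
        for lo, hi in zip(vals, vals[1:]):
            thr = (lo + hi) / 2
            acc = sum((x[j] > thr) == bool(label) for x, label in zip(X, y)) / len(X)
            if best is None or acc > best[0]:
                best = (acc, j, thr)
    return best


def train():
    return train_stump(*labelled_training_set())


def classify(stump, records):
    """Apply the learned rule to the records of one address from further actual logs."""
    _, j, thr = stump
    return "NAT" if device_features(records)[j] > thr else "end host"


# Constructed "further actual logs" for two addresses the learner never saw.
UNSEEN = {
    "10.1.0.98": [("git.example.com", UA["linux_firefox"]), ("login.example.com", UA["linux_firefox"])],
    "10.1.0.99": [("login.example.com", UA["win_chrome"]), ("docs.example.com", UA["mac_safari"]),
                  ("shop.example.net", UA["mac_safari"])],
}

if __name__ == "__main__":
    acc, j, thr = stump = train()
    print(f"learned rule: {FEATURE_NAMES[j]} > {thr} (training accuracy {acc:.2f})")
    for ip, records in UNSEEN.items():
        print(ip, "->", classify(stump, records))
```

On this constructed data the stump rediscovers the classic NAT heuristic, "more than one operating system behind one address", purely from the synthetic labels; it does so because every artificial NAT merges hosts of different operating systems. Real merges would include same-OS pairs and the single-feature rule would break, which is where a multi-feature learner over per-window feature values (entry 30) comes in. User-agent strings are also only visible at a proxy or on plaintext HTTP; for encrypted traffic the same pipeline would draw its OS and client diversity from TLS client fingerprints, IP TTL values and similar flow-level signals instead.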
-