公开(公告)号：US20210344573A1

公开(公告)日：2021-11-04

申请号：US17376924

申请日：2021-07-15

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Martin Rehak ,  Blake Harrell Anderson ,  Sunil Amin

IPC: H04L12/24 ,  H04L29/06 ,  H04W12/12 ,  G06F21/55

Abstract: In one embodiment, a service receives administration traffic data in a network associated with a remote administration session in which a control device remotely administers a client device. The service analyzes the administration traffic data to determine whether any portion of the administration traffic data is resulting from an administration session involving a trusted administrator. The service flags a first portion of the administration traffic data as authorized when the first portion of the administration traffic data is determined to result from an administration session involving a trusted administrator, and a second portion of the administration traffic data is non-flagged. The service assesses the second portion of the administration traffic data using a machine learning-based traffic classifier to determine whether the second portion of the administration traffic data is malicious.

公开(公告)号：US11075820B2

公开(公告)日：2021-07-27

申请号：US15848101

申请日：2017-12-20

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Martin Rehak ,  Blake Harrell Anderson ,  Sunil Amin

IPC: H04L12/24 ,  H04L29/06 ,  H04W12/12 ,  G06F21/55 ,  H04L29/08

Abstract: In one embodiment, a service receives data regarding administration traffic in a network associated with a remote administration session in which a control device remotely administers a client device. The service analyzes the received data to determine whether the administration traffic is authorized. The service flags the received data as authorized, based on the analysis of the received data. The service uses the data flagged as authorized to distinguish between benign traffic and malicious traffic in the network.

公开(公告)号：US20180219890A1

公开(公告)日：2018-08-02

申请号：US15421969

申请日：2017-02-01

Applicant: Cisco Technology, Inc.

Inventor： Martin Rehak

IPC: H04L29/06 ,  G06N5/04 ,  G06F17/30

CPC classification number: H04L63/1425 ,  G06N5/04 ,  H04L67/02

Abstract: Access logs associated with user requests for a web-based resource are monitored. Parameter(s) that index records of the web-based resource are identified. A baseline distribution(s) of values of the parameter(s) are generated and, based on the baseline distribution(s), a baseline entropy of the parameter(s) is calculated. A distribution(s) of values of the parameters associated with user requests made by a particular user is generated and, based on the distribution(s), an entropy of the parameter(s) associated with the user requests is calculated. The entropy is compared to the baseline entropy. If a difference between the baseline entropy and the entropy exceeds a threshold, it is determined that the particular user poses a security threat to the web-based resource.

公开(公告)号：US09888020B2

公开(公告)日：2018-02-06

申请号：US15231118

申请日：2016-08-08

Applicant: Cisco Technology, Inc.

Inventor： Karel Bartos ,  Martin Rehak ,  Michal Sofka

IPC: G06F11/00 ,  H04L29/06 ,  G06F21/56 ,  G06F21/55 ,  G06F17/30

CPC classification number: H04L63/1416 ,  G06F17/30598 ,  G06F21/55 ,  G06F21/566 ,  H04L63/1408 ,  H04L63/1425 ,  H04L63/1433 ,  H04L63/1441

Abstract: In an embodiment, a method, performed by processors of a computing device for creating and storing clusters of incident data records based on behavioral characteristic values in the records and origin characteristic values in the records, the method comprising: receiving a plurality of input incident data records comprising sets of attribute values; identifying two or more first incident data records that have a particular behavioral characteristic value; using a malicious incident behavioral data table that maps sets of behavioral characteristic values to identifiers of malicious acts in the network, and a plurality of comparison operations using the malicious incident behavioral data table and the two or more first incident data records, determining whether any of the two or more first incident data records are malicious; and if so, creating a similarity behavioral cluster record that includes the two or more first incident data records.

公开(公告)号：US09813442B2

公开(公告)日：2017-11-07

申请号：US15421447

申请日：2017-02-01

Applicant: Cisco Technology, Inc.

Inventor： Jan Jusko ,  Tomas Pevny ,  Martin Rehak

IPC: G08B23/00 ,  G06F12/16 ,  G06F12/14 ,  G06F11/00 ,  H04L29/06 ,  H04L29/12 ,  H04L29/08 ,  H04L12/26

CPC classification number: H04L63/1441 ,  H04L43/08 ,  H04L61/2007 ,  H04L63/10 ,  H04L63/101 ,  H04L63/1433 ,  H04L63/1458 ,  H04L67/10 ,  H04L67/42

Abstract: In one embodiment, a method includes receiving client-server connection data for clients and servers, the data including IP addresses corresponding to the servers, for each one of a plurality of IP address pairs performing a statistical test to determine whether the IP addresses in the one IP address pair are related by common clients based on the number of the clients connecting to each of the IP addresses in the one IP address pair, generating a graph including a plurality of vertices and edges, each of the vertices corresponding to a different IP address, each edge corresponding to a different IP address pair determined to be related by common clients in the statistical test, and clustering the vertices yielding clusters, a subset of the IP addresses in one of the clusters providing an indication of the IP addresses of the servers serving a same application.

公开(公告)号：US09531742B2

公开(公告)日：2016-12-27

申请号：US15095076

申请日：2016-04-10

Applicant: Cisco Technology, Inc.

Inventor： Jan Kohout ,  Jan Jusko ,  Tomas Pevny ,  Martin Rehak

IPC: H04L29/06

CPC classification number: H04L63/1425 ,  H04L63/1408 ,  H04L63/1441 ,  H04L63/145 ,  H04L63/1466 ,  H04L63/1491 ,  H04L63/164 ,  H04L63/20

Abstract: In one embodiment a method, system and apparatus is described for detecting a malicious network connection, the method system and apparatus including determining, for each connection over a network, if each connection is a persistent connection, if, as a result of the determining, a first connection is determined to be a persistent connection, collecting connection statistics for the first connection, creating a feature vector for the first connection based on the collected statistics, performing outlier detection for all of the feature vector for all connections over a network which have been determined to be persistent connections, and reporting detected outliers. Related methods, systems and apparatus are also described.

公开(公告)号：US20240205244A1

公开(公告)日：2024-06-20

申请号：US18592137

申请日：2024-02-29

Applicant: Cisco Technology, Inc.

Inventor： Martin Rehak ,  David McGrew ,  Blake Harrell Anderson ,  Scott William Dunlop

IPC: H04L9/40

CPC classification number: H04L63/1416 ,  H04L63/02 ,  H04L63/0428 ,  H04L63/1425 ,  H04L63/1441 ,  H04L63/20 ,  H04L63/166

Abstract: In one embodiment, a traffic inspection service executed by an intermediary device obtains, from a monitoring agent executed by an endpoint device, keying information for an encrypted traffic session between the endpoint device and a remote entity. The traffic inspection service provides a notification to the monitoring agent that acknowledges receipt of the keying information. The traffic inspection service uses the keying information to decrypt encrypted traffic from the encrypted traffic session. The traffic inspection service applies a policy to the encrypted traffic session between the endpoint device and the remote entity, based on the decrypted traffic from the session.

公开(公告)号：US11936533B2

公开(公告)日：2024-03-19

申请号：US18125955

申请日：2023-03-24

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Martin Rehak ,  Blake Harrell Anderson ,  Sunil Amin

IPC: H04L41/28 ,  G06F21/55 ,  H04L9/40 ,  H04W12/12 ,  H04L67/143

CPC classification number: H04L41/28 ,  G06F21/55 ,  H04L63/14 ,  H04L63/1425 ,  H04L63/1441 ,  H04W12/12 ,  H04L63/20 ,  H04L67/143

Abstract: In one embodiment, a service receives administration traffic data in a network associated with a remote administration session in which a control device remotely administers a client device. The service analyzes the administration traffic data to determine whether any portion of the administration traffic data is resulting from an administration session involving a trusted administrator. The service flags a first portion of the administration traffic data as authorized when the first portion of the administration traffic data is determined to result from an administration session involving a trusted administrator, and a second portion of the administration traffic data is non-flagged. The service assesses the second portion of the administration traffic data using a machine learning-based traffic classifier to determine whether the second portion of the administration traffic data is malicious.

公开(公告)号：US11916932B2

公开(公告)日：2024-02-27

申请号：US17722131

申请日：2022-04-15

Applicant: Cisco Technology, Inc.

Inventor： Martin Rehak ,  David McGrew ,  Blake Harrell Anderson ,  Scott William Dunlop

IPC: H04L9/40

CPC classification number: H04L63/1416 ,  H04L63/02 ,  H04L63/0428 ,  H04L63/1425 ,  H04L63/1441 ,  H04L63/20 ,  H04L63/166

Abstract: In one embodiment, a traffic inspection service executed by an intermediary device obtains, from a monitoring agent executed by an endpoint device, keying information for an encrypted traffic session between the endpoint device and a remote entity. The traffic inspection service provides a notification to the monitoring agent that acknowledges receipt of the keying information. The traffic inspection service uses the keying information to decrypt encrypted traffic from the encrypted traffic session. The traffic inspection service applies a policy to the encrypted traffic session between the endpoint device and the remote entity, based on the decrypted traffic from the session.

公开(公告)号：US20220239678A1

公开(公告)日：2022-07-28

申请号：US17722131

申请日：2022-04-15

Applicant: Cisco Technology, Inc.

Inventor： Martin Rehak ,  David McGrew ,  Blake Harrell Anderson ,  Scott William Dunlop

IPC: H04L9/40

Abstract: In one embodiment, a traffic inspection service executed by an intermediary device obtains, from a monitoring agent executed by an endpoint device, keying information for an encrypted traffic session between the endpoint device and a remote entity. The traffic inspection service provides a notification to the monitoring agent that acknowledges receipt of the keying information. The traffic inspection service uses the keying information to decrypt encrypted traffic from the encrypted traffic session. The traffic inspection service applies a policy to the encrypted traffic session between the endpoint device and the remote entity, based on the decrypted traffic from the session.