公开(公告)号：US20180212992A1

公开(公告)日：2018-07-26

申请号：US15413921

申请日：2017-01-24

Applicant: Cisco Technology, Inc.

Inventor： Ivan Nikolaev ,  Tomas Pevny

IPC: H04L29/06 ,  H04L12/26 ,  H04L29/08 ,  G06N99/00

Abstract: In one embodiment, a device in a network identifies an set of services of a domain accessed by a plurality of users in the network. The device generates a service usage model for the domain based on the set of services accessed by the plurality of users. The service usage model models usage of the services of the domain by the plurality of users. The device trains a machine learning-based classifier to analyze traffic in the network using a set of training feature vectors. A particular training feature vector includes data indicative of service usage by one of the users for the domain and the modeled usage of the services of the domain by the plurality of users. The device causes classification of traffic in the network associated with a particular user by the trained machine learning-based classifier.

公开(公告)号：US20180103056A1

公开(公告)日：2018-04-12

申请号：US15286728

申请日：2016-10-06

Applicant: Cisco Technology, Inc.

Inventor： Jan Kohout ,  Blake Harrell Anderson ,  Martin Grill ,  David McGrew ,  Martin Kopp ,  Tomas Pevny

IPC: H04L29/06 ,  H04L12/851 ,  H04L12/24 ,  G06N99/00

CPC classification number: H04L63/1441 ,  G06N20/00 ,  H04L41/0686 ,  H04L47/2441 ,  H04L63/0428 ,  H04L63/1416 ,  H04L63/1425 ,  H04L63/145 ,  H04L63/168

Abstract: In one embodiment, a device in a network detects an encrypted traffic flow associated with a client in the network. The device captures contextual traffic data regarding the encrypted traffic flow from one or more unencrypted packets associated with the client. The device performs a classification of the encrypted traffic flow by using the contextual traffic data as input to a machine learning-based classifier. The device generates an alert based on the classification of the encrypted traffic flow.

公开(公告)号：US20180013681A1

公开(公告)日：2018-01-11

申请号：US15204061

申请日：2016-07-07

Applicant: Cisco Technology, Inc.

Inventor： Jan Kohout ,  Tomas Pevny

IPC: H04L12/851 ,  H04L29/06 ,  H04L12/721 ,  H04L29/08 ,  G06F17/30

CPC classification number: H04L47/2441 ,  G06F17/3053 ,  H04L45/38 ,  H04L63/1425 ,  H04L67/02

Abstract: In one embodiment, a device in a network receives traffic data associated with a particular communication channel between two or more nodes in the network. The device generates a mean map by employing kernel embedding of distributions to the traffic data. The device forms a representation of the communication channel by identifying a set of lattice points that approximate the mean map. The device generates a traffic classifier using the representation of the communication channel. The device uses machine learning to jointly identify the set of lattice points and one or more parameters of the traffic classifier. The device causes the traffic classifier to analyze network traffic sent via the communication channel.

公开(公告)号：US09813442B2

公开(公告)日：2017-11-07

申请号：US15421447

申请日：2017-02-01

Applicant: Cisco Technology, Inc.

Inventor： Jan Jusko ,  Tomas Pevny ,  Martin Rehak

IPC: G08B23/00 ,  G06F12/16 ,  G06F12/14 ,  G06F11/00 ,  H04L29/06 ,  H04L29/12 ,  H04L29/08 ,  H04L12/26

CPC classification number: H04L63/1441 ,  H04L43/08 ,  H04L61/2007 ,  H04L63/10 ,  H04L63/101 ,  H04L63/1433 ,  H04L63/1458 ,  H04L67/10 ,  H04L67/42

Abstract: In one embodiment, a method includes receiving client-server connection data for clients and servers, the data including IP addresses corresponding to the servers, for each one of a plurality of IP address pairs performing a statistical test to determine whether the IP addresses in the one IP address pair are related by common clients based on the number of the clients connecting to each of the IP addresses in the one IP address pair, generating a graph including a plurality of vertices and edges, each of the vertices corresponding to a different IP address, each edge corresponding to a different IP address pair determined to be related by common clients in the statistical test, and clustering the vertices yielding clusters, a subset of the IP addresses in one of the clusters providing an indication of the IP addresses of the servers serving a same application.

公开(公告)号：US09531742B2

公开(公告)日：2016-12-27

申请号：US15095076

申请日：2016-04-10

Applicant: Cisco Technology, Inc.

Inventor： Jan Kohout ,  Jan Jusko ,  Tomas Pevny ,  Martin Rehak

IPC: H04L29/06

CPC classification number: H04L63/1425 ,  H04L63/1408 ,  H04L63/1441 ,  H04L63/145 ,  H04L63/1466 ,  H04L63/1491 ,  H04L63/164 ,  H04L63/20

Abstract: In one embodiment a method, system and apparatus is described for detecting a malicious network connection, the method system and apparatus including determining, for each connection over a network, if each connection is a persistent connection, if, as a result of the determining, a first connection is determined to be a persistent connection, collecting connection statistics for the first connection, creating a feature vector for the first connection based on the collected statistics, performing outlier detection for all of the feature vector for all connections over a network which have been determined to be persistent connections, and reporting detected outliers. Related methods, systems and apparatus are also described.

公开(公告)号：US11936683B2

公开(公告)日：2024-03-19

申请号：US17873544

申请日：2022-07-26

Applicant: Cisco Technology, Inc.

Inventor： Jan Kohout ,  Blake Harrell Anderson ,  Martin Grill ,  David McGrew ,  Martin Kopp ,  Tomas Pevny

IPC: H04L9/40 ,  G06N20/00 ,  H04L41/0686 ,  H04L47/2441 ,  G06N20/20

CPC classification number: H04L63/1441 ,  G06N20/00 ,  H04L41/0686 ,  H04L47/2441 ,  H04L63/0428 ,  H04L63/1416 ,  H04L63/1425 ,  H04L63/145 ,  H04L63/168 ,  G06N20/20

Abstract: In one embodiment, a device in a network detects an encrypted traffic flow associated with a client in the network. The device captures contextual traffic data regarding the encrypted traffic flow from one or more unencrypted packets associated with the client. The device performs a classification of the encrypted traffic flow by using the contextual traffic data as input to a machine learning-based classifier. The device generates an alert based on the classification of the encrypted traffic flow.

公开(公告)号：US11113397B2

公开(公告)日：2021-09-07

申请号：US16413880

申请日：2019-05-16

Applicant: Cisco Technology, Inc.

Inventor： Tomas Pevny ,  Jan Franco̊ ,  Petr Somol

IPC: G06F21/00 ,  G06F21/56 ,  G06N3/08

Abstract: In one embodiment, a device disassembles an executable file into assembly instructions. The device maps each of the assembly instructions to a fixed length instruction vector using one-hot encoding and an instruction vocabulary and forms vector representations of blocks of a control flow graph for corresponding functions of the executable file by embedding and aggregating bags of the instruction vectors. The device generates, based on the vector representations of the blocks of the control flow graph, a call graph model of the functions in the executable file. The device forms a vector representation of the executable file based in part on the call graph model. The device determines, based on the vector representation of the executable file, whether the executable file is malware.

公开(公告)号：US10855698B2

公开(公告)日：2020-12-01

申请号：US15851918

申请日：2017-12-22

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  Martin Rehak ,  David McGrew ,  Martin Vejman ,  Tomas Pevny ,  Martin Grill ,  Jan Kohout

IPC: H04L29/06 ,  G06F21/53 ,  G06N20/00 ,  H04L12/24 ,  H04L29/08 ,  G06F21/62

Abstract: In one embodiment, a device obtains simulation environment data regarding traffic generated within a simulation environment in which malware is executed. The device trains a malware detector using the simulation environment data. The device obtains deployment environment characteristics of a network to which the malware detector is to be deployed. The device configures the malware detector to ignore data in the simulation environment data that is associated with one or more environment characteristics that are not present in the deployment environment characteristics.

公开(公告)号：US10805338B2

公开(公告)日：2020-10-13

申请号：US15286728

申请日：2016-10-06

Applicant: Cisco Technology, Inc.

Inventor： Jan Kohout ,  Blake Harrell Anderson ,  Martin Grill ,  David McGrew ,  Martin Kopp ,  Tomas Pevny

IPC: H04L29/06 ,  G06N20/00 ,  H04L12/24 ,  H04L12/851

Abstract: In one embodiment, a device in a network detects an encrypted traffic flow associated with a client in the network. The device captures contextual traffic data regarding the encrypted traffic flow from one or more unencrypted packets associated with the client. The device performs a classification of the encrypted traffic flow by using the contextual traffic data as input to a machine learning-based classifier. The device generates an alert based on the classification of the encrypted traffic flow.

公开(公告)号：US20190199739A1

公开(公告)日：2019-06-27

申请号：US15851918

申请日：2017-12-22

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  Martin Rehak ,  David McGrew ,  Martin Vejman ,  Tomas Pevny ,  Martin Grill ,  Jan Kohout

IPC: H04L29/06 ,  G06F21/53 ,  G06N99/00

CPC classification number: H04L63/1416 ,  G06F21/53 ,  G06F21/6245 ,  G06N20/00 ,  H04L41/145 ,  H04L63/0428 ,  H04L63/1425 ,  H04L63/1458 ,  H04L63/166 ,  H04L67/02 ,  H04L67/28 ,  H04L69/325

Abstract: In one embodiment, a device obtains simulation environment data regarding traffic generated within a simulation environment in which malware is executed. The device trains a malware detector using the simulation environment data. The device obtains deployment environment characteristics of a network to which the malware detector is to be deployed. The device configures the malware detector to ignore data in the simulation environment data that is associated with one or more environment characteristics that are not present in the deployment environment characteristics.