STRUCTURAL COMMAND AND CONTROL DETECTION OF POLYMORPHIC MALWARE

    Publication (Announcement) No.: US20200076832A1

    Publication (Announcement) Date: 2020-03-05

    Application No.: US16120580

    Filing Date: 2018-09-04

    Abstract: In one embodiment, a service receives a plurality of process hashes for processes executed by a plurality of devices. The service receives traffic data indicative of traffic between the plurality of devices and a plurality of remote server domains. The service forms a bipartite graph based on the process hashes and the traffic data. A node of the graph represents a particular process hash or server domain, and an edge between nodes in the graph represents network traffic between a process and a server domain. The service identifies, based on the bipartite graph, a subset of the plurality of processes as exhibiting polymorphic malware behavior. The service causes performance of a mitigation action in the network based on the identified subset of processes exhibiting polymorphic malware behavior.

    33. Global clustering of incidents based on malware similarity and online trustfulness
    Granted patent (in force)

    Publication (Announcement) No.: US09432393B2

    Publication (Announcement) Date: 2016-08-30

    Application No.: US14612623

    Filing Date: 2015-02-03

    Abstract: In an embodiment, a method performed by processors of a computing device for creating and storing clusters of incident data records, based on behavioral characteristic values in the records and origin characteristic values in the records, comprises: receiving a plurality of input incident data records comprising sets of attribute values; identifying two or more first incident data records that have a particular behavioral characteristic value; using a malicious incident behavioral data table that maps sets of behavioral characteristic values to identifiers of malicious acts in the network, and a plurality of comparison operations using the malicious incident behavioral data table and the two or more first incident data records, determining whether any of the two or more first incident data records are malicious; and if so, creating a similarity behavioral cluster record that includes the two or more first incident data records.


    34. Detection of malicious network connections
    Granted patent (in force)

    Publication (Announcement) No.: US09344441B2

    Publication (Announcement) Date: 2016-05-17

    Application No.: US14485731

    Filing Date: 2014-09-14

    Abstract: In one embodiment, a method, system and apparatus are described for detecting a malicious network connection, the method, system and apparatus including: determining, for each connection over a network, whether the connection is a persistent connection; if, as a result of the determining, a first connection is determined to be a persistent connection, collecting connection statistics for the first connection; creating a feature vector for the first connection based on the collected statistics; performing outlier detection over the feature vectors of all connections over the network that have been determined to be persistent connections; and reporting detected outliers. Related methods, systems and apparatus are also described.

