公开(公告)号：US11979430B2

公开(公告)日：2024-05-07

申请号：US18100502

申请日：2023-01-23

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  David McGrew

IPC: H04L9/40 ,  G06N5/04 ,  G06N20/00

CPC classification number: H04L63/1458 ,  G06N5/04 ,  G06N20/00 ,  H04L63/0428

Abstract: In one embodiment, a telemetry exporter in a network establishes a tunnel between the telemetry exporter and a traffic analysis service. The telemetry exporter obtains packet copies of a plurality of packets sent between devices via the network. The telemetry exporter forms a set of traffic telemetry data by discarding at least a portion of one or more of the packet copies, based on a filter policy. The telemetry exporter applies compression to the formed set of traffic telemetry data. The telemetry exporter sends, via the tunnel, the compressed set of traffic telemetry data to the traffic analysis service for analysis.

公开(公告)号：US11936683B2

公开(公告)日：2024-03-19

申请号：US17873544

申请日：2022-07-26

Applicant: Cisco Technology, Inc.

Inventor： Jan Kohout ,  Blake Harrell Anderson ,  Martin Grill ,  David McGrew ,  Martin Kopp ,  Tomas Pevny

IPC: H04L9/40 ,  G06N20/00 ,  H04L41/0686 ,  H04L47/2441 ,  G06N20/20

CPC classification number: H04L63/1441 ,  G06N20/00 ,  H04L41/0686 ,  H04L47/2441 ,  H04L63/0428 ,  H04L63/1416 ,  H04L63/1425 ,  H04L63/145 ,  H04L63/168 ,  G06N20/20

Abstract: In one embodiment, a device in a network detects an encrypted traffic flow associated with a client in the network. The device captures contextual traffic data regarding the encrypted traffic flow from one or more unencrypted packets associated with the client. The device performs a classification of the encrypted traffic flow by using the contextual traffic data as input to a machine learning-based classifier. The device generates an alert based on the classification of the encrypted traffic flow.

公开(公告)号：US11909741B2

公开(公告)日：2024-02-20

申请号：US17330641

申请日：2021-05-26

Applicant: Cisco Technology, Inc.

Inventor： Brian E. Weis ,  Blake Harrell Anderson ,  Rashmikant B. Shah ,  David McGrew

IPC: H04L29/06 ,  G06N99/00 ,  H04L9/40 ,  G06N20/00

CPC classification number: H04L63/104 ,  G06N20/00 ,  H04L63/20

Abstract: In one embodiment, a device in a network receives an access policy and a class behavioral model for a node in the network that are associated with a class asserted by the node. The device applies the access policy and class behavioral model to traffic associated with the node. The device identifies a deviation in a behavior of the node from the class behavioral model, based on the application of the class behavioral model to the traffic associated with the node. The device causes performance of a mitigation action in the network based on the identified deviation in the behavior of the node from the class behavioral model.

公开(公告)号：US11888900B2

公开(公告)日：2024-01-30

申请号：US16857607

申请日：2020-04-24

Applicant: Cisco Technology, Inc.

Inventor： Matthew Scott Robertson ,  David McGrew ,  Timothy David Keanini ,  Sunil Amin ,  Ellie Marie Daw

IPC: H04L29/06 ,  H04L9/40 ,  H04L9/08 ,  H04L9/32 ,  H04L9/06

CPC classification number: H04L63/20 ,  H04L9/088 ,  H04L9/0825 ,  H04L9/0844 ,  H04L9/3268 ,  H04L63/105 ,  H04L9/0643

Abstract: In one embodiment, a service receives captured traffic flow data regarding a traffic flow sent via a network between a first device assigned to a first network zone and a second device assigned to a second network zone. The service identifies, from the captured traffic flow data, one or more cryptographic parameters of the traffic flow. The service determines whether the one or more cryptographic parameters of the traffic flow satisfy an inter-zone policy associated with the first and second network zones. The service causes performance of a mitigation action in the network when the one or more cryptographic parameters of the traffic flow do not satisfy the inter-zone policy associated with the first and second network zones.

公开(公告)号：US11843632B2

公开(公告)日：2023-12-12

申请号：US18096143

申请日：2023-01-12

Applicant: Cisco Technology, Inc.

Inventor： K. Tirumaleswar Reddy ,  Daniel G. Wing ,  Blake Harrell Anderson ,  David McGrew

IPC: H04L9/40 ,  G06N20/00

CPC classification number: H04L63/1458 ,  G06N20/00 ,  H04L63/1425 ,  H04L2463/144

Abstract: In one embodiment, a device in a network receives an attack mitigation request regarding traffic in the network. The device causes an assessment of the traffic, in response to the attack mitigation request. The device determines that an attack detector associated with the attack mitigation request incorrectly assessed the traffic, based on the assessment of the traffic. The device causes an update to an attack detection model of the attack detector, in response to determining that the attack detector incorrectly assessed the traffic.

公开(公告)号：US11539721B2

公开(公告)日：2022-12-27

申请号：US16912471

申请日：2020-06-25

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  David McGrew ,  Vincent E. Parla ,  Jan Jusko ,  Martin Grill ,  Martin Vejman

IPC: H04L29/06 ,  H04L9/40 ,  G06F21/55 ,  H04L9/32 ,  G06F21/44 ,  G06F21/52

Abstract: In one embodiment, a service receives traffic telemetry data regarding encrypted traffic sent by an endpoint device in a network. The service analyzes the traffic telemetry data to infer characteristics of an application on the endpoint device that generated the encrypted traffic. The service receives, from a monitoring agent on the endpoint device, application telemetry data regarding the application. The service determines that the application is evasive malware based on the characteristics of the application inferred from the traffic telemetry data and on the application telemetry data received from the monitoring agent on the endpoint device. The service initiates performance of a mitigation action in the network, after determining that the application on the endpoint device is evasive malware.

公开(公告)号：US20220385462A1

公开(公告)日：2022-12-01

申请号：US17335194

申请日：2021-06-01

Applicant: Cisco Technology, Inc.

Inventor： Chirag Shroff ,  David McGrew

IPC: H04L9/08 ,  H04L9/32

Abstract: According to certain embodiments, a method comprises receiving an encrypted value from a trust anchor. The encrypted value is received by a hardware component, and the encrypted value is associated with a posture assessment in which the trust anchor determines whether the hardware component is authorized to run on a product. The method further comprises obtaining a random value (K) based on decrypting the encrypted value. The decrypting uses a long-term key associated with the hardware component. The method further comprises communicating an encrypted response to the trust anchor. The encrypted response is encrypted using the random value (K). The encrypted response enables the trust anchor to determine whether the hardware component is authorized to run on the product.

公开(公告)号：US20220200914A1

公开(公告)日：2022-06-23

申请号：US17694060

申请日：2022-03-14

Applicant: Cisco Technology, Inc.

Inventor： Michael Joseph Stepanek ,  Costas Kleopa ,  David McGrew ,  Blake Harrell Anderson ,  Saravanan Radhakrishnan

IPC: H04L47/2441 ,  H04L47/2483 ,  H04L47/25 ,  H04L47/2475 ,  H04L49/35 ,  H04L9/40 ,  H04W12/12 ,  H04W12/122 ,  H04W12/128

Abstract: In one embodiment, a networking device in a network detects an traffic flow conveyed in the network via the networking device. The networking device generates flow data for the traffic flow. The networking device performs a classification of the traffic flow using the flow data as input to a machine learning-based classifier. The networking device performs a mediation action based on the classification of the traffic flow.

公开(公告)号：US20220078208A1

公开(公告)日：2022-03-10

申请号：US17531063

申请日：2021-11-19

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  David McGrew ,  Keith Richard Schomburg ,  Michael Scott Dorsey ,  Constantinos Kleopa

IPC: H04L29/06

Abstract: In one embodiment, a device obtains one or more packets of a traffic session in a network. The device determines, for a particular packet of the one or more packets that match a filter, a fingerprint for the particular packet. The device identifies a plurality of traffic sessions whose packets match the fingerprint, wherein each of the plurality of traffic sessions is associated with at least one process. The device updates a process with the traffic session by applying a classifier to the plurality of traffic sessions.

公开(公告)号：US20210400011A1

公开(公告)日：2021-12-23

申请号：US17466370

申请日：2021-09-03

Applicant: Cisco Technology, Inc.

Inventor： K. Tirumaleswar Reddy ,  David McGrew ,  Blake Harrell Anderson ,  Daniel G. Wing

IPC: H04L29/12 ,  H04L29/08 ,  H04L29/06

Abstract: In one embodiment, a device in a network receives domain name system (DNS) information for a domain. The DNS information includes one or more service tags indicative of one or more services offered by the domain. The device detects an encrypted traffic flow associated with the domain. The device identifies a service associated with the encrypted traffic flow based on the one or more service tags. The device prioritizes the encrypted traffic flow based on the identified service associated with the encrypted traffic flow.