-
Publication number: US11245675B2
Publication date: 2022-02-08
Application number: US16686364
Filing date: 2019-11-18
Applicant: Cisco Technology, Inc.
Inventor: Jan Kohout, Martin Kopp, Jan Brabec, Lukas Bajer
Abstract: In one embodiment, a traffic analysis service obtains telemetry data regarding encrypted traffic associated with a particular device in the network, wherein the telemetry data comprises Transport Layer Security (TLS) features of the traffic. The service determines, based on the TLS features from the obtained telemetry data, a set of one or more TLS fingerprints for the traffic associated with the particular device. The service calculates a measure of similarity between the set of one or more TLS fingerprints for the traffic associated with the particular device and a set of one or more TLS fingerprints of traffic associated with a second device. The service determines, based on the measure of similarity, that the particular device and the second device were operated by the same user.
-
32.
Publication number: US10855698B2
Publication date: 2020-12-01
Application number: US15851918
Filing date: 2017-12-22
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson, Martin Rehak, David McGrew, Martin Vejman, Tomas Pevny, Martin Grill, Jan Kohout
Abstract: In one embodiment, a device obtains simulation environment data regarding traffic generated within a simulation environment in which malware is executed. The device trains a malware detector using the simulation environment data. The device obtains deployment environment characteristics of a network to which the malware detector is to be deployed. The device configures the malware detector to ignore data in the simulation environment data that is associated with one or more environment characteristics that are not present in the deployment environment characteristics.
-
Publication number: US10805338B2
Publication date: 2020-10-13
Application number: US15286728
Filing date: 2016-10-06
Applicant: Cisco Technology, Inc.
Inventor: Jan Kohout, Blake Harrell Anderson, Martin Grill, David McGrew, Martin Kopp, Tomas Pevny
IPC: H04L29/06, G06N20/00, H04L12/24, H04L12/851
Abstract: In one embodiment, a device in a network detects an encrypted traffic flow associated with a client in the network. The device captures contextual traffic data regarding the encrypted traffic flow from one or more unencrypted packets associated with the client. The device performs a classification of the encrypted traffic flow by using the contextual traffic data as input to a machine learning-based classifier. The device generates an alert based on the classification of the encrypted traffic flow.
-
34.
Publication number: US20190199739A1
Publication date: 2019-06-27
Application number: US15851918
Filing date: 2017-12-22
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson, Martin Rehak, David McGrew, Martin Vejman, Tomas Pevny, Martin Grill, Jan Kohout
CPC classification number: H04L63/1416, G06F21/53, G06F21/6245, G06N20/00, H04L41/145, H04L63/0428, H04L63/1425, H04L63/1458, H04L63/166, H04L67/02, H04L67/28, H04L69/325
Abstract: In one embodiment, a device obtains simulation environment data regarding traffic generated within a simulation environment in which malware is executed. The device trains a malware detector using the simulation environment data. The device obtains deployment environment characteristics of a network to which the malware detector is to be deployed. The device configures the malware detector to ignore data in the simulation environment data that is associated with one or more environment characteristics that are not present in the deployment environment characteristics.
-
Publication number: US20180205750A1
Publication date: 2018-07-19
Application number: US15409746
Filing date: 2017-01-19
Applicant: Cisco Technology, Inc.
Inventor: Jan Kohout, Tomas Pevny
IPC: H04L29/06
Abstract: In one embodiment, a device in a network determines a set of lattice points in a multi-dimensional space constructed using message characteristics of messages exchanged between endpoint nodes in the network. The device uses the lattice points to derive vector representations of communication channels in the network with each of the communication channels being associated with one or more of the exchanged messages. A vector representation of an application in the network is based on one or more of the derived vector representations of one or more channels used to exchange messages associated with the application. The device identifies the application as associated with a first one of the channels by determining a measure of similarity between the first channel and the vector representation of the application that approximates a maximum mean discrepancy (MMD) distance between the message characteristics for the vector representations of the first channel and the application.
-
Publication number: US20180063174A1
Publication date: 2018-03-01
Application number: US15247036
Filing date: 2016-08-25
Applicant: Cisco Technology, Inc.
Inventor: Martin Grill, Jan Kohout, Martin Kopp, Thomas Pevny
CPC classification number: H04L63/1425, H04L61/1511, H04L63/0236, H04L63/1441, H04L63/164, H04L67/02
Abstract: Detecting illegitimate typosquatting with Internet Protocol (IP) information includes, at a computing device having connectivity to a network, obtaining a list of domains and filtering the list to generate a list of monitored domain strings. IP information is passively determined for domains associated with each of the monitored domain strings. A domain requested in network traffic for the network is identified as a candidate typosquatting domain and the candidate typosquatting domain is determined to be an illegitimate typosquatting domain based at least on the IP information. An action is initiated related to the illegitimate typosquatting domain.
-
37.
Publication number: US20160352760A1
Publication date: 2016-12-01
Application number: US14723605
Filing date: 2015-05-28
Applicant: Cisco Technology, Inc.
Inventor: Jan Mrkos, Martin Grill, Jan Kohout
CPC classification number: H04L63/1416, H04L61/103, H04L61/2015, H04L63/0281, H04L63/1425, H04L67/02, H04L67/22, H04L67/303
Abstract: A method of tracking users over network hosts based on behavior includes analyzing data representing behavior of active network hosts during two or more time windows at a computing apparatus having connectivity to a network. Based on the analyzing, a profile is generated for each network host active in the network during the two or more time windows. Similarity between the profiles for the two or more time windows is determined and, based on the similarity, it may be determined that an identity associated with one of the active network hosts during a time window of the two or more time windows has changed.