公开(公告)号：US11936683B2

公开(公告)日：2024-03-19

申请号：US17873544

申请日：2022-07-26

Applicant: Cisco Technology, Inc.

Inventor： Jan Kohout ,  Blake Harrell Anderson ,  Martin Grill ,  David McGrew ,  Martin Kopp ,  Tomas Pevny

IPC: H04L9/40 ,  G06N20/00 ,  H04L41/0686 ,  H04L47/2441 ,  G06N20/20

CPC classification number: H04L63/1441 ,  G06N20/00 ,  H04L41/0686 ,  H04L47/2441 ,  H04L63/0428 ,  H04L63/1416 ,  H04L63/1425 ,  H04L63/145 ,  H04L63/168 ,  G06N20/20

Abstract: In one embodiment, a device in a network detects an encrypted traffic flow associated with a client in the network. The device captures contextual traffic data regarding the encrypted traffic flow from one or more unencrypted packets associated with the client. The device performs a classification of the encrypted traffic flow by using the contextual traffic data as input to a machine learning-based classifier. The device generates an alert based on the classification of the encrypted traffic flow.

公开(公告)号：US11539721B2

公开(公告)日：2022-12-27

申请号：US16912471

申请日：2020-06-25

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  David McGrew ,  Vincent E. Parla ,  Jan Jusko ,  Martin Grill ,  Martin Vejman

IPC: H04L29/06 ,  H04L9/40 ,  G06F21/55 ,  H04L9/32 ,  G06F21/44 ,  G06F21/52

Abstract: In one embodiment, a service receives traffic telemetry data regarding encrypted traffic sent by an endpoint device in a network. The service analyzes the traffic telemetry data to infer characteristics of an application on the endpoint device that generated the encrypted traffic. The service receives, from a monitoring agent on the endpoint device, application telemetry data regarding the application. The service determines that the application is evasive malware based on the characteristics of the application inferred from the traffic telemetry data and on the application telemetry data received from the monitoring agent on the endpoint device. The service initiates performance of a mitigation action in the network, after determining that the application on the endpoint device is evasive malware.

公开(公告)号：US10979451B2

公开(公告)日：2021-04-13

申请号：US15896421

申请日：2018-02-14

Applicant: Cisco Technology, Inc.

Inventor： Lukas Machlica ,  Ivan Nikolaev ,  Karel Bartos ,  Martin Grill

IPC: G06F21/55 ,  G06F21/56 ,  H04L29/06 ,  H04L29/12

Abstract: In one embodiment, a security device in a computer network detects potential domain generation algorithm (DGA) searching activity using a domain name service (DNS) model to detect abnormally high DNS requests made by a host attempting to locate a command and control (C&C) server in the computer network. The server device also detects potential DGA communications activity based on applying a hostname-based classifier for DGA domains associated with any server internet protocol (IP) address in a data stream from the host. The security device may then correlate the potential DGA searching activity with the potential DGA communications activity, and identifies DGA performing malware based on the correlating, accordingly.

公开(公告)号：US10855698B2

公开(公告)日：2020-12-01

申请号：US15851918

申请日：2017-12-22

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  Martin Rehak ,  David McGrew ,  Martin Vejman ,  Tomas Pevny ,  Martin Grill ,  Jan Kohout

IPC: H04L29/06 ,  G06F21/53 ,  G06N20/00 ,  H04L12/24 ,  H04L29/08 ,  G06F21/62

Abstract: In one embodiment, a device obtains simulation environment data regarding traffic generated within a simulation environment in which malware is executed. The device trains a malware detector using the simulation environment data. The device obtains deployment environment characteristics of a network to which the malware detector is to be deployed. The device configures the malware detector to ignore data in the simulation environment data that is associated with one or more environment characteristics that are not present in the deployment environment characteristics.

公开(公告)号：US10805338B2

公开(公告)日：2020-10-13

申请号：US15286728

申请日：2016-10-06

Applicant: Cisco Technology, Inc.

Inventor： Jan Kohout ,  Blake Harrell Anderson ,  Martin Grill ,  David McGrew ,  Martin Kopp ,  Tomas Pevny

IPC: H04L29/06 ,  G06N20/00 ,  H04L12/24 ,  H04L12/851

Abstract: In one embodiment, a device in a network detects an encrypted traffic flow associated with a client in the network. The device captures contextual traffic data regarding the encrypted traffic flow from one or more unencrypted packets associated with the client. The device performs a classification of the encrypted traffic flow by using the contextual traffic data as input to a machine learning-based classifier. The device generates an alert based on the classification of the encrypted traffic flow.

公开(公告)号：US20190199739A1

公开(公告)日：2019-06-27

申请号：US15851918

申请日：2017-12-22

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  Martin Rehak ,  David McGrew ,  Martin Vejman ,  Tomas Pevny ,  Martin Grill ,  Jan Kohout

IPC: H04L29/06 ,  G06F21/53 ,  G06N99/00

CPC classification number: H04L63/1416 ,  G06F21/53 ,  G06F21/6245 ,  G06N20/00 ,  H04L41/145 ,  H04L63/0428 ,  H04L63/1425 ,  H04L63/1458 ,  H04L63/166 ,  H04L67/02 ,  H04L67/28 ,  H04L69/325

Abstract: In one embodiment, a device obtains simulation environment data regarding traffic generated within a simulation environment in which malware is executed. The device trains a malware detector using the simulation environment data. The device obtains deployment environment characteristics of a network to which the malware detector is to be deployed. The device configures the malware detector to ignore data in the simulation environment data that is associated with one or more environment characteristics that are not present in the deployment environment characteristics.

公开(公告)号：US20180063174A1

公开(公告)日：2018-03-01

申请号：US15247036

申请日：2016-08-25

Applicant: Cisco Technology, Inc.

Inventor： Martin Grill ,  Jan Kohout ,  Martin Kopp ,  Thomas Pevny

IPC: H04L29/06 ,  H04L29/08

CPC classification number: H04L63/1425 ,  H04L61/1511 ,  H04L63/0236 ,  H04L63/1441 ,  H04L63/164 ,  H04L67/02

Abstract: Detecting illegitimate typosquatting with Internet Protocol (IP) information includes, at a computing device having connectivity to a network, obtaining a list of domains and filtering the list to generate a list of monitored domain strings. IP information is passively determined for domains associated with each of the monitored domain strings. A domain requested in network traffic for the network is identified as a candidate typosquatting domain and the candidate typosquatting domain is determined to be an illegitimate typosquatting domain based at least on the IP information. An action is initiated related to the illegitimate typosquatting domain.

公开(公告)号：US09654484B2

公开(公告)日：2017-05-16

申请号：US14448637

申请日：2014-07-31

Applicant: Cisco Technology, Inc.

Inventor： Martin Grill ,  Ivan Nikolaev

IPC: H04L29/00 ,  H04L29/06 ,  H04L29/08 ,  H04L29/12

CPC classification number: H04L63/1416 ,  H04L61/1511 ,  H04L63/145 ,  H04L67/104 ,  H04L2463/144

Abstract: Detecting DGA-based malware is disclosed. In an embodiment, a number of domain name server requests originating from a particular host among a plurality of hosts is determined. The number of domain name server requests are directed to one or more domain name servers. A number of internet protocol addresses contacted by the particular host is determined. Based on the number of domain name server requests and the number of internet protocol addresses contacted existence of malware on the particular host is determined.

公开(公告)号：US20160352760A1

公开(公告)日：2016-12-01

申请号：US14723605

申请日：2015-05-28

Applicant: Cisco Technology, Inc.

Inventor： Jan Mrkos ,  Martin Grill ,  Jan Kohout

IPC: H04L29/06 ,  H04L29/12 ,  H04L29/08

CPC classification number: H04L63/1416 ,  H04L61/103 ,  H04L61/2015 ,  H04L63/0281 ,  H04L63/1425 ,  H04L67/02 ,  H04L67/22 ,  H04L67/303

Abstract: A method of tracking users over network hosts based on behavior includes analyzing data representing behavior of active network hosts during two or more time windows at a computing apparatus having connectivity to a network. Based on the analyzing, a profile is generated for each network host active in the network during the two or more time windows. Similarity between the profiles for the two or more time windows are determined and, based on the similarity, it may be determined that an identity associated with one of the active network hosts during a time window of the two or more time windows has changed.

Abstract translation: 基于行为跟踪网络主机上的用户的方法包括分析表示在具有到网络的连接性的计算设备的两个或更多个时间窗口期间活动网络主机的行为的数据。 基于分析，在两个或更多个时间窗口期间，为在网络中活动的每个网络主机生成简档。 确定两个或更多个时间窗口的简档之间的相似性，并且基于相似性，可以确定在两个或更多个时间窗口的时间窗口期间与一个活动网络主机相关联的身份已经改变。

公开(公告)号：US20160315952A1

公开(公告)日：2016-10-27

申请号：US14696947

申请日：2015-04-27

Applicant: Cisco Technology, Inc.

Inventor： Tomás Komárek ,  Martin Grill ,  Tomás Pevný

IPC: H04L29/06 ,  G06F17/30 ,  G06N99/00 ,  H04L29/12

CPC classification number: H04L63/1425 ,  G06F17/30185 ,  G06F17/30979 ,  G06N99/005 ,  H04L41/142 ,  H04L41/16 ,  H04L43/00 ,  H04L43/04 ,  H04L61/2514 ,  H04L63/1408

Abstract: Network traffic logs of network traffic to and from host devices connected to a network that were collected over time are accessed. For each host device identified in the logs, a set of network traffic features indicative of whether the host device behaves like a Network Address Translation (NAT) device or an end host device is extracted from the logs for the host device. Each feature has values that vary over time based on the logs. A trained host device behavior classifier classifies the host device as either a NAT device or an end host device based on one or more of the feature values.

Abstract translation: 访问连接到网络的主机设备的网络流量的网络流量日志，这些网络流量记录随时间被收集。 对于在日志中标识的每个主机设备，指示主机设备是否像主机设备的日志中提取主机设备的行为类似于网络地址转换（NAT）设备或终端主机设备的一组网络流量特征。 每个功能的值都会根据日志随时间而变化。 经过训练的主机设备行为分类器基于一个或多个特征值将主机设备分类为NAT设备或终端主机设备。