ACTIVE PRIORITIZATION OF INVESTIGATION TARGETS IN NETWORK SECURITY

    Publication number: US20190124094A1

    Publication date: 2019-04-25

    Application number: US15789022

    Application date: 2017-10-20

    Abstract: In one embodiment, a device analyzes network traffic data using a clustering process, to identify a cluster of addresses associated with the network traffic data for which the associated network traffic has similar behavioral characteristics. The device calculates a set of rankings for the cluster by comparing the cluster to different sets of malicious addresses. The device aggregates the set of rankings into a final ranking by setting the rankings in the set as current rankings and iteratively calculating an average of any subset of the current rankings that comprises correlated rankings. The calculated average replaces the rankings in the subset as a current ranking. When none of the current rankings are correlated, the device performs an aggregation across all of the current rankings to form the final ranking. The device provides data indicative of the cluster for review by a supervisor, based on the final ranking.

    Identifying malicious executables by analyzing proxy logs

    Publication number: US09992216B2

    Publication date: 2018-06-05

    Application number: US15040285

    Application date: 2016-02-10

    Abstract: Identifying malicious executables by analyzing proxy logs includes, at a server having connectivity to the Internet, retrieving sets of proxy logs from a plurality of proxy servers. Each proxy server of the plurality of proxy servers is associated with a network and generates network traffic logs for one or more nodes included in the network. Then, a set of executables hosted by each of the one or more nodes associated with each of the plurality of proxy servers is determined. Each set of executables is analyzed to detect a specific executable and portions of each of the network traffic logs that are associated with the specific executable are identified. An alert is generated indicating the portions of each of the network traffic logs as likely to be associated with the specific executable.

    LEARNING INDICATORS OF COMPROMISE WITH HIERARCHICAL MODELS

    Publication number: US20180063163A1

    Publication date: 2018-03-01

    Application number: US15248252

    Application date: 2016-08-26

    CPC classification number: H04L67/02 H04L63/1425

    Abstract: Presented herein are techniques for classifying devices as being infected with malware based on learned indicators of compromise. A method includes receiving at a security analysis device, traffic flows from a plurality of entities destined for a plurality of users, aggregating the traffic flows into discrete bags of traffic, wherein the bags of traffic comprise a plurality of flows of traffic for a given user over a predetermined period of time, extracting features from the bags of traffic and aggregating the features into per-flow feature vectors, aggregating the per-flow feature vectors into per-destination domain aggregated vectors, combining the per-destination-domain aggregated vectors into a per-user aggregated vector, and classifying a computing device used by a given user as infected with malware when indicators of compromise detected in the bags of traffic indicate that the per-user aggregated vector for the given user includes suspicious features among the extracted features.

    IDENTIFYING MALICIOUS EXECUTABLES BY ANALYZING PROXY LOGS

    Publication number: US20170230388A1

    Publication date: 2017-08-10

    Application number: US15040285

    Application date: 2016-02-10

    Abstract: Identifying malicious executables by analyzing proxy logs includes, at a server having connectivity to the Internet, retrieving sets of proxy logs from a plurality of proxy servers. Each proxy server of the plurality of proxy servers is associated with a network and generates network traffic logs for one or more nodes included in the network. Then, a set of executables hosted by each of the one or more nodes associated with each of the plurality of proxy servers is determined. Each set of executables is analyzed to detect a specific executable and portions of each of the network traffic logs that are associated with the specific executable are identified. An alert is generated indicating the portions of each of the network traffic logs as likely to be associated with the specific executable.

    SERVER GROUPING SYSTEM
    Invention application, in force

    Publication number: US20160381183A1

    Publication date: 2016-12-29

    Application number: US14748281

    Application date: 2015-06-24

    Abstract: In one embodiment, a method includes receiving client-server connection data for clients and servers, the data including IP addresses corresponding to the servers, for each one of a plurality of IP address pairs performing a statistical test to determine whether the IP addresses in the one IP address pair are related by common clients based on the number of the clients connecting to each of the IP addresses in the one IP address pair, generating a graph including a plurality of vertices and edges, each of the vertices corresponding to a different IP address, each edge corresponding to a different IP address pair determined to be related by common clients in the statistical test, and clustering the vertices yielding clusters, a subset of the IP addresses in one of the clusters providing an indication of the IP addresses of the servers serving a same application.


    EVENTS FROM NETWORK FLOWS
    Invention application, in force

    Publication number: US20160112442A1

    Publication date: 2016-04-21

    Application number: US14519160

    Application date: 2014-10-21

    CPC classification number: H04L63/1416 H04L67/10

    Abstract: In one embodiment, a system includes a processor to receive network flows, for each one of a plurality of event-types, compare each one of the network flows to a flow-specific criteria of the one event-type to determine if the one network flow satisfies the flow-specific criteria, for each one of the event-types, for each one of the network flows satisfying the flow-specific criteria of the one event-type, assign the one network flow to a proto-event of the one event-type, test different combinations of the network flows assigned to the proto-event of the one event-type against aggregation criteria of the one event-type to determine if one combination of the network flows assigned to the proto-event of the one event-type satisfies the aggregation criteria for the one event-type and identifies an event of the one event-type from among the network flows of the proto-event. Related apparatus and methods are also described.
