公开(公告)号：US20140006639A1

公开(公告)日：2014-01-02

申请号：US13736161

申请日：2013-01-08

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Daniel G. Wing ,  Pål-Erik S. Martinsen ,  Herbert M. Wildfeuer ,  Jan Wegger ,  Geir Sandbakken ,  Greg Hakonsen

IPC: H04L12/56

CPC classification number: H04L65/601 ,  H04L45/74 ,  H04L61/2514 ,  H04L61/2575 ,  H04L65/4092 ,  H04L65/605 ,  H04L65/80

Abstract: A STUN message is received at a router device in a network from a client device in the network along a network path. The STUN message is evaluated for information that indicates to the router device to modify media that is subsequently sent along the network path. If the evaluating indicates that the router device is to modify the media, the media is modified in accordance with information in the STUN message that indicates attributes of the network.

Abstract translation: 在来自网络中的客户端设备的网络中的路由器设备沿着网络路径接收到STUN消息。 评估STUN消息，以向路由器设备指示修改随后沿着网络路径发送的媒体的信息。 如果评估指示路由器设备要修改媒体，则根据指示网络属性的STUN消息中的信息修改媒体。

公开(公告)号：US11303664B2

公开(公告)日：2022-04-12

申请号：US16669831

申请日：2019-10-31

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Blake Harrell Anderson ,  Daniel G. Wing ,  Flemming Andreasen

IPC: H04L29/06 ,  H04L29/12 ,  H04L61/4511

Abstract: In one embodiment, a device in a network captures domain name system (DNS) response data from a DNS response sent by a DNS service to a client in the network. The device captures session data for an encrypted session of the client. The device makes a determination that the encrypted session is malicious by using the captured DNS response data and the captured session data as input to a machine learning-based or rule-based classifier. The device performs a mediation action in response to the determination that the encrypted session is malicious.

公开(公告)号：US10554614B2

公开(公告)日：2020-02-04

申请号：US15191172

申请日：2016-06-23

Applicant: Cisco Technology, Inc.

Inventor： K. Tirumaleswar Reddy ,  David McGrew ,  Blake Harrell Anderson ,  Daniel G. Wing

IPC: H04L29/12 ,  H04L29/08 ,  H04L29/06

Abstract: In one embodiment, a device in a network receives domain name system (DNS) information for a domain. The DNS information includes one or more service tags indicative of one or more services offered by the domain. The device detects an encrypted traffic flow associated with the domain. The device identifies a service associated with the encrypted traffic flow based on the one or more service tags. The device prioritizes the encrypted traffic flow based on the identified service associated with the encrypted traffic flow.

公开(公告)号：US10305934B2

公开(公告)日：2019-05-28

申请号：US15165032

申请日：2016-05-26

Applicant: Cisco Technology, Inc.

Inventor： K. Tirumaleswar Reddy ,  Prashanth Patil ,  Daniel G. Wing

IPC: H04L29/06 ,  H04L29/08 ,  H04L29/12

Abstract: A local network element on an enterprise network caches Domain Name System (DNS) responses in association with user identifiers in accordance with a DNS-based access control policy. The network element receives a DNS request from a first endpoint device. The DNS request includes a domain name to resolve. The network element forwards the DNS request to a domain name server along with a first user identifier associated with the first endpoint device. The network element receives a DNS response from the domain name server. The DNS response includes a network address associated with the domain name, as well as the first user identifier and at least one other user identifier. The network element stores the network address in a DNS cache as a cached DNS response for the domain name. The cached DNS response is stored in association with the first user identifier and the other user identifier(s).

公开(公告)号：US10230694B2

公开(公告)日：2019-03-12

申请号：US15211259

申请日：2016-07-15

Applicant: Cisco Technology, Inc.

Inventor： K. Tirumaleswar Reddy ,  Prashanth Patil ,  Daniel G. Wing ,  Ram Mohan Ravindranath

IPC: H04L29/06 ,  H04N21/2347 ,  H04N21/266 ,  H04N21/643 ,  H04N21/4405 ,  H04N7/14 ,  H04N7/15

Abstract: A media distribution network device connects to an online collaborative session between a first participant network device, a second participant network device, and a security participant network device. The security participant network device is configured to decrypt packets of the online collaborative session to apply security polices to the packets. An encrypted packet is received at the media distribution network device. The encrypted packet is received from the first participant network device containing data to be distributed as part of the online collaborative session. The encrypted packet is distributed to the security participant network device prior to distributing the encrypted packet to the second participant network device.

公开(公告)号：US10178181B2

公开(公告)日：2019-01-08

申请号：US14328094

申请日：2014-07-10

Applicant: Cisco Technology, Inc.

Inventor： Eitan Ben-Nun ,  Michael Zayats ,  Daniel G. Wing ,  Kirtesh Patil ,  Jaideep Padhye ,  Manohar B. Hungund ,  Saravanan Agasaveeran

IPC: H04L29/06 ,  H04L29/08

Abstract: An interposer is provided that is configured to interpose into an application security protocol exchange by obtaining application session security state. The interposer does this without holding any private keying material of client or server. An out-of-band Security Assistant Key Escrow service (SAS/SAKE) is also provided. The SAKE resides in the secure physical network perimeter and holds the private keying material required to derive session keys for interposing into application security protocol. During a security protocol handshake, the interposer sends SAKE security protocol handshake messages and in return receives from the SAKE session security state that allows it to participate in application security protocol.

公开(公告)号：US09992091B2

公开(公告)日：2018-06-05

申请号：US14953861

申请日：2015-11-30

Applicant: Cisco Technology, Inc.

Inventor： Pål-Erik Martinsen ,  Daniel G. Wing

IPC: H04L12/26

CPC classification number: H04L43/0864 ,  H04L41/12 ,  H04L41/142 ,  H04L41/16 ,  H04L43/10

Abstract: In one embodiment, a device in a network receives privatized network trace data that comprises round trip time information for hops along a communication path. The device groups the trace data into a plurality of network segments based on the round trip time information. The device calculates a segment trip time metric for one or more of the network segments based on the round trip time information associated with the one or more network segments.

公开(公告)号：US20180109555A1

公开(公告)日：2018-04-19

申请号：US15297241

申请日：2016-10-19

Applicant: Cisco Technology, Inc.

Inventor： K Tirumaleswar Reddy ,  Daniel G. Wing ,  Flemming Stig Andreasen ,  Michael David Geller

IPC: H04L29/06

CPC classification number: H04L63/1458 ,  G06F21/554 ,  G06F2221/2111 ,  H04W4/70 ,  H04W12/12

Abstract: In one embodiment, a primary server receives, from a client device, a first request to mitigate an external attack on the client device. The primary server sends, to a plurality of secondary servers, a second request to mitigate the external attack, wherein each one of the plurality of secondary servers has associated mitigation resources, and receives from at least one of the plurality of secondary servers an indication that it has mitigation resources capable of mitigating the external attack. The primary server sends, to the client device, a list including the secondary servers having mitigation resources capable of mitigating the attack, and receives, from the client device, an indication that a subset of the list is selected to mitigate the external attack. In response, the primary server sends a request for mitigation services to one of the secondary servers in the subset selected to mitigate the external attack.

公开(公告)号：US20180041524A1

公开(公告)日：2018-02-08

申请号：US15226758

申请日：2016-08-02

Applicant: CISCO TECHNOLOGY, INC.

Inventor： K. Tirumaleswar Reddy ,  Carlos M. Pignataro ,  James Guichard ,  Daniel G. Wing ,  Michael D. Geller

IPC: H04L29/06

CPC classification number: H04L63/1416 ,  G06F21/53 ,  H04L45/306 ,  H04L63/1458 ,  H04L67/2804 ,  H04L69/22

Abstract: Aspects of the embodiments are directed to a service classifier configured for steering cloned traffic through a service function chain. The service classifier is configured to create a cloned data packet by creating a copy of a data packet; activate a mirror bit in a network service header (NSH) of the cloned data packet, the mirror bit identifying the cloned packet to a service function forwarder network element as a cloned packet; and transmit the cloned packet to the service function forwarder network element.

公开(公告)号：US09843505B2

公开(公告)日：2017-12-12

申请号：US14724635

申请日：2015-05-28

Applicant: CISCO TECHNOLOGY, INC.

Inventor： K. Tirumaleswar Reddy ,  Prashanth Patil ,  Daniel G. Wing ,  Ram Mohan Ravindranath ,  William C. VerSteeg ,  Charles U. Eckel

IPC: H04L12/721 ,  H04L12/851 ,  H04L12/46 ,  H04L29/06 ,  H04L12/725

CPC classification number: H04L45/38 ,  H04L12/4633 ,  H04L45/302

Abstract: A computer-implemented method includes sending a first request message to a first server associated with a first access network indicative of a request for an indication of whether the first server is configured to support prioritization of tunneled traffic, receiving a first response message from the first server indicative of whether the first server is configured to support prioritization of tunneled traffic, establishing one or more first tunnels with a security service when the first response message is indicative that the first server is configured to support prioritization of tunneled traffic, sending first flow characteristics and a first tunnel identifier to the first server; and receiving the first flow characteristics for each first tunnel from the first server at a first network controller. The first network controller is configured to apply a quality of service policy within the first access network for each tunnel in accordance with the flow characteristics.