-
Publication number: US11196546B2
Publication date: 2021-12-07
Application number: US16701373
Filing date: 2019-12-03
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson, Andrew Chi, David McGrew, Scott William Dunlop
Abstract: In one embodiment, an apparatus captures a memory dump of a device in a sandbox environment executing a malware sample. The apparatus identifies a cryptographic key based on a particular data structure in the captured memory dump. The apparatus uses the identified cryptographic key to decrypt encrypted traffic sent by the device. The apparatus labels at least a portion of the decrypted traffic sent by the device as benign. The apparatus trains a machine learning-based traffic classifier based on the at least a portion of the decrypted traffic sent by the device and labeled as benign.
-
Publication number: US20210194894A1
Publication date: 2021-06-24
Application number: US16724746
Filing date: 2019-12-23
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson, David McGrew
IPC: H04L29/06
Abstract: In one embodiment, a switch in a software-defined network receives a packet sent by an endpoint device via the SDN. The switch makes a copy of the packet based on one or more header fields of the packet matching one or more flow table entries of the switch. The switch forms telemetry data for reporting to a traffic analysis service by applying a metadata filter to the copy of the packet. The metadata filter prevents at least a portion of the copy of the packet from inclusion in the telemetry data. The switch sends the formed telemetry data to the traffic analysis service.
-
Publication number: US11018866B2
Publication date: 2021-05-25
Application number: US16163885
Filing date: 2018-10-18
Applicant: Cisco Technology, Inc.
Inventor: James Anil Pramod Kotwal, Christopher Blayne Dreier, David Aaron Wyde, Kellen Mac Arb, David McGrew, Scott Fluhrer
Abstract: A server sends information to a client that allows the client to establish a first key at the client. The server then receives a session ID that has been encrypted using the first key. The first key is then established at the server, which can then decrypt the session ID using the first key. After the server validates the session ID, it determines a second key that is different from the first key. The server then receives the session ID encrypted with the second key, and decrypts the session ID encrypted with the second key.
-
Publication number: US20210112102A1
Publication date: 2021-04-15
Application number: US17107350
Filing date: 2020-11-30
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson, Chris Allen Shenefiel, David McGrew, Robert M. Waitman
IPC: H04L29/06
Abstract: In one embodiment, a service that monitors a network obtains file characteristic data of a file stored on a first endpoint in the network. The service infers characteristics of encrypted content within encrypted traffic in the network between the first endpoint and a second endpoint, by applying a machine learning-based classifier to traffic data regarding the encrypted traffic session. The service compares the file characteristic data of the file to the inferred content characteristics of the encrypted content within the encrypted traffic, to detect the file within the encrypted traffic. The service enforces a network policy in the network, based on the detection of the file within the encrypted traffic.
-
Publication number: US10904275B2
Publication date: 2021-01-26
Application number: US15364933
Filing date: 2016-11-30
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson, David McGrew
Abstract: In one embodiment, a device in a network receives traffic data regarding a plurality of observed traffic flows. The device maps one or more characteristics of the observed traffic flows from the traffic data to traffic characteristics associated with a targeted deployment environment. The device generates synthetic traffic data based on the mapped traffic characteristics associated with the targeted deployment environment. The device trains a machine learning-based traffic classifier using the synthetic traffic data.
-
Publication number: US20210021641A1
Publication date: 2021-01-21
Application number: US16512474
Filing date: 2019-07-16
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson, David McGrew, Keith Richard Schomburg
Abstract: In one embodiment, a device obtains telemetry data regarding an encrypted traffic session in a network. The telemetry data includes Transport Layer Security (TLS) features of the traffic session and auxiliary information indicative of a destination address of the traffic session, a destination port of the traffic session, or a server name associated with the traffic session. The device retrieves, using the obtained telemetry data, a plurality of candidate processes from a TLS fingerprint database that relates processes with telemetry data from encrypted traffic sessions initiated by those processes. The device uses a probabilistic model to assign probabilities to each of the plurality of candidate processes. The device identifies one of the plurality of candidate processes as having initiated the encrypted traffic session based on its assigned probability.
-
Publication number: US10855698B2
Publication date: 2020-12-01
Application number: US15851918
Filing date: 2017-12-22
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson, Martin Rehak, David McGrew, Martin Vejman, Tomas Pevny, Martin Grill, Jan Kohout
Abstract: In one embodiment, a device obtains simulation environment data regarding traffic generated within a simulation environment in which malware is executed. The device trains a malware detector using the simulation environment data. The device obtains deployment environment characteristics of a network to which the malware detector is to be deployed. The device configures the malware detector to ignore data in the simulation environment data that is associated with one or more environment characteristics that are not present in the deployment environment characteristics.
-
Publication number: US10805338B2
Publication date: 2020-10-13
Application number: US15286728
Filing date: 2016-10-06
Applicant: Cisco Technology, Inc.
Inventor: Jan Kohout, Blake Harrell Anderson, Martin Grill, David McGrew, Martin Kopp, Tomas Pevny
IPC: H04L29/06, G06N20/00, H04L12/24, H04L12/851
Abstract: In one embodiment, a device in a network detects an encrypted traffic flow associated with a client in the network. The device captures contextual traffic data regarding the encrypted traffic flow from one or more unencrypted packets associated with the client. The device performs a classification of the encrypted traffic flow by using the contextual traffic data as input to a machine learning-based classifier. The device generates an alert based on the classification of the encrypted traffic flow.
-
Publication number: US20200322275A1
Publication date: 2020-10-08
Application number: US16910380
Filing date: 2020-06-24
Applicant: Cisco Technology, Inc.
Inventor: Michael Joseph Stepanek, Costas Kleopa, David McGrew, Blake Harrell Anderson, Saravanan Radhakrishnan
IPC: H04L12/851, H04L12/825, H04L12/859, H04L12/931, H04L29/06, H04W12/12
Abstract: In one embodiment, a networking device in a network detects a traffic flow conveyed in the network via the networking device. The networking device generates flow data for the traffic flow. The networking device performs a classification of the traffic flow using the flow data as input to a machine learning-based classifier. The networking device performs a mediation action based on the classification of the traffic flow.
-
Publication number: US20200252435A1
Publication date: 2020-08-06
Application number: US16857607
Filing date: 2020-04-24
Applicant: Cisco Technology, Inc.
Inventor: Matthew Scott Robertson, David McGrew, Timothy David Keanini, Sunil Amin, Ellie Marie Daw
Abstract: In one embodiment, a service receives captured traffic flow data regarding a traffic flow sent via a network between a first device assigned to a first network zone and a second device assigned to a second network zone. The service identifies, from the captured traffic flow data, one or more cryptographic parameters of the traffic flow. The service determines whether the one or more cryptographic parameters of the traffic flow satisfy an inter-zone policy associated with the first and second network zones. The service causes performance of a mitigation action in the network when the one or more cryptographic parameters of the traffic flow do not satisfy the inter-zone policy associated with the first and second network zones.