COLLABORATIVE SECURITY FOR APPLICATION LAYER ENCRYPTION

    Publication No.: US20200322382A1

    Publication Date: 2020-10-08

    Application No.: US16788999

    Filing Date: 2020-02-12

    Abstract: A non-transitory computer readable medium comprising instructions stored thereon, the instructions effective to cause at least one processor to: establish trustworthiness of an application installed on an endpoint, the established trustworthiness being sufficient for an enterprise security infrastructure to treat the application installed on the endpoint and the endpoint as a trusted application and a trusted endpoint; negotiate with the trusted endpoint to determine a traffic inspection method for traffic flows originating at the trusted application that are destined for a service, the traffic inspection method being determined based on at least the trusted application and the service; and instruct the trusted application of the determined traffic inspection method.

    ENGAGEMENT AND DISENGAGEMENT OF TRANSPORT LAYER SECURITY PROXY SERVICES WITH ENCRYPTED HANDSHAKING

    Publication No.: US20190356694A1

    Publication Date: 2019-11-21

    Application No.: US15984637

    Filing Date: 2018-05-21

    Abstract: Techniques are presented herein for engagement and disengagement of Transport Layer Security proxy services with encrypted handshaking. In one embodiment, a first initial message of a first encrypted handshaking procedure for a first secure communication session between a first device and a second device is intercepted at a proxy device. The first initial message includes first key exchange information for encrypting the first encrypted handshaking procedure. A copy of the first initial message is stored at the proxy device. A second initial message of a second encrypted handshaking procedure for a second secure communication session between the proxy device and the second device is sent from the proxy device to the second device. The second initial message includes second key exchange information for encrypting the second encrypted handshaking procedure. The proxy device determines, based on the second encrypted handshaking procedure, whether to remain engaged or to disengage.

    VEHICLE NETWORK INTRUSION DETECTION SYSTEM (IDS) USING VEHICLE STATE PREDICTIONS

    Publication No.: US20190308589A1

    Publication Date: 2019-10-10

    Application No.: US15948134

    Filing Date: 2018-04-09

    Abstract: In one embodiment, a processor of a vehicle predicts a state of the vehicle using a behavioral model. The model is configured to predict the state based in part on one or more state variables that are available from one or more sub-systems of the vehicle and indicative of one or more physical characteristics of the vehicle. The processor computes a representation of a difference between the predicted state of the vehicle and a measured state of the vehicle indicated by one or more state variables available from the one or more sub-systems of the vehicle. The processor detects a malicious intrusion of the vehicle based on the computed representation of the difference between the predicted and measured states of the vehicle exceeding a defined threshold. The processor initiates performance of a mitigation action for the detected intrusion, in response to detecting the malicious intrusion of the vehicle.

    46. BROKER-COORDINATED SELECTIVE SHARING OF DATA
    Type: Published invention application

    Publication No.: US20180316681A1

    Publication Date: 2018-11-01

    Application No.: US15498192

    Filing Date: 2017-04-26

    Abstract: In one embodiment, a gateway device receives, from a centralized broker device, a data-access policy for a given computer network, the data-access policy defining which of one or more accessing entities are granted access to specific elements of data within the given computer network. When the gateway device then receives, from a particular accessing entity, a request for one or more particular elements of data from within the given computer network, it may determine, based on the data-access policy, whether the particular accessing entity has been granted access to each of the one or more particular elements of data of the request. As such, the gateway device may prevent access for the particular accessing entity to any of the one or more particular elements of the data request to which the particular accessing entity has not been granted access.

    48. Object filtering in a computing network
    Type: Granted invention patent (in force)

    Publication No.: US09378274B2

    Publication Date: 2016-06-28

    Application No.: US13913623

    Filing Date: 2013-06-10

    CPC classification number: G06F17/30699 G06F17/30867 G06F17/3089

    Abstract: Presented herein are object filtering techniques that optimize the communication of information over an infrastructure that supports publish-subscribe (pub-sub) and direct query (synchronization) communication. In the object filtering techniques, a single information publisher can share that information in an associated object graph with many different consumers over the infrastructure without sharing the entire object graph.


    49. Mechanisms to use network session identifiers for software-as-a-service authentication
    Type: Granted invention patent (in force)

    Publication No.: US09356928B2

    Publication Date: 2016-05-31

    Application No.: US14572075

    Filing Date: 2014-12-16

    CPC classification number: H04L63/0823 H04L63/08

    Abstract: Techniques are provided for authenticating a subject of a client device to access a software-as-a-service (SaaS) server. A network access device receives a request from a client device to establish a network session and transfers identity information of the subject, the client device and the network session to a session directory database. A request is sent to access an application on a SaaS server. If it does not contain an identity assertion that identifies the subject, the request is redirected to an identity provider device, to provide identity assertion services to the subject. A network session identifier is inserted into the request by a network access device and the request is forwarded to the identity provider device. The identity provider device uses the network session identifier to query the session directory database for the identity information to be used for a security assertion of the subject to the SaaS server.


    50. Policy-Based Control Layer in a Communication Fabric
    Type: Published invention application (under examination, published)

    Publication No.: US20160072843A1

    Publication Date: 2016-03-10

    Application No.: US14930159

    Filing Date: 2015-11-02

    Abstract: Presented herein are techniques for adding a secure control layer to a distributed communication fabric that supports publish-subscribe (pub-sub) and direct query (synchronization) communication. The secure control layer is configured to perform policy-based authentication techniques to securely manage the exchange of data/information within the communication fabric and enable registration/discovery of new capabilities.
