AUTOMATIC ENCRYPTION FOR CLOUD-NATIVE WORKLOADS

    Publication (announcement) number: US20250023852A1

    Publication (announcement) date: 2025-01-16

    Application number: US18901354

    Filing date: 2024-09-30

    Abstract: Techniques for routing service mesh traffic based on whether the traffic is encrypted or unencrypted are described herein. The techniques may include receiving, from a first node of a cloud-based network, traffic that is to be sent to a second node of the cloud-based network and determining whether the traffic is encrypted or unencrypted. If it is determined that the traffic is encrypted, the traffic may be sent to the second node via a service mesh of the cloud-based platform. Alternatively, or additionally, if it is determined that the traffic is unencrypted, the traffic may be sent to the second node via an encrypted tunnel. In some examples, the techniques may be performed at least partially by a program running on the first node of the cloud-based network, such as an extended Berkeley Packet Filter (eBPF) program, and the like.

    QUIC AND ANYCAST PROXY RESILIENCY
    Invention application

    Publication (announcement) number: US20240430338A1

    Publication (announcement) date: 2024-12-26

    Application number: US18829034

    Filing date: 2024-09-09

    Abstract: Techniques for managing migrations of QUIC connection session(s) across proxy nodes, data centers, and/or private application nodes are described herein. A global key-value datastore, accessible by proxy nodes and/or application nodes, may store mappings between a first QUIC connection, associated with a proxy node and a client device, on the frontend of the proxy node and a second QUIC connection, associated with the proxy node and an application node, on the backend of the proxy node. With the global key-value datastore being accessible by the proxy nodes, when a proxy node receives a QUIC packet on the front end or the back end, the proxy node may determine where to map this connection to on the opposite end. Additionally, with the global key-value datastore being accessible to the application nodes, when an application node receives a QUIC packet, the application node may determine the client device associated with the connection.

    Demand-based scaling of enterprise workloads into cloud networks

    Publication (announcement) number: US12101257B2

    Publication (announcement) date: 2024-09-24

    Application number: US17681079

    Filing date: 2022-02-25

    CPC classification number: H04L47/12 H04L67/141 H04L67/148

    Abstract: Techniques for scaling additional capacity for secure access solutions and other workloads of enterprise edge networks in and out of a cloud-computing network based on demand. The techniques may include determining that a capacity associated with a secure access node of an enterprise edge network meets or exceeds a threshold capacity. Based at least in part on the capacity meeting or exceeding the threshold capacity, the techniques may include causing a facsimile of the secure access node to be spun up on a cloud-computing network that is remote from the enterprise edge network. In this way, new connection requests received from client devices can be redirected to the facsimile of the secure access node. Additionally, or alternatively, one or more existing connections between client devices and the secure access node may be migrated to the facsimile of the secure access node in the cloud.

    HTTP TYPE CONNECTIVITY DETECTION USING PARALLEL PROBES FOR PREFERRED PROTOCOL SELECTION

    Publication (announcement) number: US20240291883A1

    Publication (announcement) date: 2024-08-29

    Application number: US18428321

    Filing date: 2024-01-31

    Inventor: Vincent E. Parla

    CPC classification number: H04L67/02 H04L67/2871

    Abstract: Techniques for determining a preferred HTTP protocol for communication between a client device and a server over a network are described. A first type of HTTP probe is transmitted over a network from a client device to a server. A second type of HTTP probe is transmitted over a network from the client device to the server. If either the first type of HTTP probe response or the second type of HTTP probe response is received, the type of the HTTP probe response received is the preferred communication protocol. If both the first type of HTTP probe response and the second type of HTTP probe response are received, the type of HTTP probe response received first is the preferred communication protocol. The client device communicates with the server over the network using the preferred communication protocol.

    AUTOMATIC ENCRYPTION FOR CLOUD-NATIVE WORKLOADS

    Publication (announcement) number: US20240080308A1

    Publication (announcement) date: 2024-03-07

    Application number: US18389417

    Filing date: 2023-11-14

    CPC classification number: H04L63/0485 H04L12/4633 H04L63/0236 H04L63/166

    Abstract: Techniques for routing service mesh traffic based on whether the traffic is encrypted or unencrypted are described herein. The techniques may include receiving, from a first node of a cloud-based network, traffic that is to be sent to a second node of the cloud-based network and determining whether the traffic is encrypted or unencrypted. If it is determined that the traffic is encrypted, the traffic may be sent to the second node via a service mesh of the cloud-based platform. Alternatively, or additionally, if it is determined that the traffic is unencrypted, the traffic may be sent to the second node via an encrypted tunnel. In some examples, the techniques may be performed at least partially by a program running on the first node of the cloud-based network, such as an extended Berkeley Packet Filter (eBPF) program, and the like.

    CONTROL FLOW PREVENTION USING SOFTWARE BILL OF MATERIALS ANALYSIS

    Publication (announcement) number: US20240031394A1

    Publication (announcement) date: 2024-01-25

    Application number: US18084093

    Filing date: 2022-12-19

    CPC classification number: H04L63/1433 H04L63/1425 H04L63/1416

    Abstract: Techniques and systems described herein relate to monitoring executions of computer instructions on computing devices based on learning and generating a control flow directed graph. The techniques and systems include determining a learned control flow directed graph for a process executed on the computing system. A vulnerability may be determined or identified within the process as well as a software bill of materials for the process. A code portion of the process associated with the vulnerability is determined based on the software bill of materials. A tainted control flow directed graph is generated based on the code portion and excluded from the learned control flow directed graph. The adjusted control flow directed graph may be used to prevent execution of the vulnerability.

    CONTROL FLOW INTEGRITY MONITORING BASED INSIGHTS

    Publication (announcement) number: US20240028741A1

    Publication (announcement) date: 2024-01-25

    Application number: US18084007

    Filing date: 2022-12-19

    CPC classification number: G06F21/577 G06F8/433 G06F2221/033

    Abstract: Techniques and systems described herein relate to monitoring executions of computer instructions on computing devices based on learning and generating a control flow directed graph. The techniques and systems include receiving a report of a first anomaly based on real-time control flow graph diagram monitoring of an application at a first system and receiving a second report of a second anomaly from a second system. An exploit report may be generated by providing the first report and the second report to a machine learning model trained to output information related to an exploit based on input reports, and subsequently to provide the output information to a cloud-based reporting tool.

    CONTROL FLOW DIRECTED GRAPH FOR USE WITH PROGRAM DISASSEMBLER

    Publication (announcement) number: US20240028708A1

    Publication (announcement) date: 2024-01-25

    Application number: US18083838

    Filing date: 2022-12-19

    CPC classification number: G06F21/54 G06F21/552

    Abstract: Techniques and systems described herein relate to monitoring executions of computer instructions on computing devices based on learning and generating a control flow directed graph. The techniques and systems include determining a learned control flow directed graph for executable code of an application by observing executions of transitions during an observation period and determining destinations of indirect transfers based on the learned control flow directed graph. Next a disassembly of the executable code is determined based on the learned control flow directed graph, the destinations of the transfers, and the executable code.

    WORKLOAD MIGRATION FOR MULTIPATH ROUTED NETWORK SESSIONS

    Publication (announcement) number: US20240022521A1

    Publication (announcement) date: 2024-01-18

    Application number: US17866932

    Filing date: 2022-07-18

    CPC classification number: H04L47/726 H04L47/11 H04L47/827 H04L47/745

    Abstract: Techniques for migrating on-premises and/or cloud-based workloads to follow a network session as it potentially migrates, due to multipathing techniques, across multiple edge and/or cloud datacenters. The techniques may include determining, by a controller of a network, that a traffic flow between an endpoint device and a workload has migrated to a different path of a multipath flow such that the traffic flow terminates at a different termination point than the workload. Based at least in part on determining that the traffic flow has migrated, the controller may cause a migration of a state of the workload to a location associated with the different termination point. That is, the controller may cause the workload to be migrated in its current state, which may be specific to the endpoint device, to follow the traffic flow.

    Secure access App Connectors
    Invention grant

    Publication (announcement) number: US11863631B1

    Publication (announcement) date: 2024-01-02

    Application number: US18113256

    Filing date: 2023-02-23

    Inventor: Vincent E. Parla

    CPC classification number: H04L67/141 H04L63/0272 H04L67/146

    Abstract: Techniques for creating in/out App Connectors for secure access solutions without the need for STUN, TURN, and/or a long-lived control plane component. The techniques may include, among other things, establishing, by an App Connector associated with a workload hosted by an enterprise network, a pool of idle sessions between the App Connector and a termination node associated with the enterprise network. The techniques may also include determining, by the App Connector, that a first idle session of the pool of idle sessions has been consumed by the termination node to establish a communication session for a client device to communicate with the workload. Based at least in part on determining that the first idle session has been consumed, the techniques may include establishing, by the App Connector, a second idle session to be added to the pool of idle sessions between the App Connector and the termination node.
