公开(公告)号：US20170374016A1

公开(公告)日：2017-12-28

申请号：US15191172

申请日：2016-06-23

Applicant: Cisco Technology, Inc.

Inventor： K. Tirumaleswar Reddy ,  David McGrew ,  Blake Harrell Anderson ,  Daniel G. Wing

IPC: H04L29/12 ,  H04L29/08 ,  H04L12/721 ,  H04L29/06

CPC classification number: H04L61/1511 ,  H04L47/2433 ,  H04L61/1541 ,  H04L63/0428 ,  H04L67/322 ,  H04L69/22

Abstract: In one embodiment, a device in a network receives domain name system (DNS) information for a domain. The DNS information includes one or more service tags indicative of one or more services offered by the domain. The device detects an encrypted traffic flow associated with the domain. The device identifies a service associated with the encrypted traffic flow based on the one or more service tags. The device prioritizes the encrypted traffic flow based on the identified service associated with the encrypted traffic flow.

公开(公告)号：US12301593B2

公开(公告)日：2025-05-13

申请号：US17861583

申请日：2022-07-11

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Blake Harrell Anderson ,  Ivan Nikolaev

IPC: G06F21/55 ,  H04L9/40 ,  H04L29/06 ,  H04L67/02 ,  H04L67/50 ,  H04L69/00 ,  H04L61/4523 ,  H04L101/365 ,  H04W12/72

Abstract: In one embodiment, a device in a network receives a set of known user identifiers used in the network. The device receives web traffic log data regarding web traffic in the network. The web traffic log data includes header information captured from the web traffic and a plurality of client addresses associated with the web traffic. The device detects a particular one of the set of known user identifiers in the header information captured from the web traffic associated with a particular one of the plurality of client addresses. The device makes an association between the particular detected user identifier and the particular client address.

公开(公告)号：US12126653B2

公开(公告)日：2024-10-22

申请号：US17107350

申请日：2020-11-30

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  Chris Allen Shenefiel ,  David McGrew ,  Robert M. Waitman

IPC: H04L9/40 ,  G06N20/00

CPC classification number: H04L63/20 ,  H04L63/10 ,  H04L63/1416 ,  H04L63/166 ,  G06N20/00 ,  H04L63/145 ,  H04L63/1458

Abstract: In one embodiment, a service that monitors a network obtains file characteristic data of a file stored on a first endpoint in the network. The service infers characteristics of encrypted content within encrypted traffic in the network between the first endpoint and a second endpoint, by applying a machine learning-based classifier to traffic data regarding the encrypted traffic session. The service compares the file characteristic data of the file to the inferred content characteristics of the encrypted content within the encrypted traffic, to detect the file within the encrypted traffic. The service enforces a network policy in the network, based on the detection of the file within the encrypted traffic.

公开(公告)号：US20240259422A1

公开(公告)日：2024-08-01

申请号：US18535021

申请日：2023-12-11

Applicant: Cisco Technology, Inc.

Inventor： K. Tirumaleswar Reddy ,  Daniel G. Wing ,  Blake Harrell Anderson ,  David McGrew

IPC: H04L9/40 ,  G06N20/00

CPC classification number: H04L63/1458 ,  G06N20/00 ,  H04L63/1425 ,  H04L2463/144

Abstract: In one embodiment, a device in a network receives an attack mitigation request regarding traffic in the network. The device causes an assessment of the traffic, in response to the attack mitigation request. The device determines that an attack detector associated with the attack mitigation request incorrectly assessed the traffic, based on the assessment of the traffic. The device causes an update to an attack detection model of the attack detector, in response to determining that the attack detector incorrectly assessed the traffic.

公开(公告)号：US11909760B2

公开(公告)日：2024-02-20

申请号：US17395968

申请日：2021-08-06

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  David McGrew ,  Subharthi Paul ,  Ivan Nikolaev ,  Martin Grill

IPC: H04L29/06 ,  H04L9/40 ,  G06N20/00

CPC classification number: H04L63/145 ,  H04L63/0428 ,  H04L63/1408 ,  G06N20/00

Abstract: In one embodiment, a device in a network receives certificate data for an encrypted traffic flow associated with a client node in the network. The device determines one or more data features from the certificate data. The device determines one or more flow characteristics of the encrypted traffic flow. The device performs a classification of an application executed by the client node and associated with the encrypted traffic flow by using a machine learning-based classifier to assess the one or more data features from the certificate data and the one or more flow characteristics of the traffic flow. The device causes performance of a network action based on a result of the classification of the application.

公开(公告)号：USRE49684E1

公开(公告)日：2023-10-03

申请号：US17463337

申请日：2021-08-31

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  David McGrew

IPC: H04L9/40 ,  G06N20/00 ,  H04L67/01 ,  H04L41/14 ,  H04L67/02 ,  H04L69/326

CPC classification number: H04L63/145 ,  G06N20/00 ,  H04L63/1425 ,  H04L63/166 ,  H04L41/14 ,  H04L63/1441 ,  H04L67/01 ,  H04L67/02 ,  H04L69/326

Abstract: In one embodiment, a traffic analysis service receives captured traffic data regarding a Transport Layer Security (TLS) connection between a client and a server. The traffic analysis service applies a first machine learning-based classifier to TLS records from the traffic data, to identify a set of the TLS records that include Hypertext Transfer Protocol (HTTP) header information. The traffic analysis service estimates one or more HTTP transaction labels for the connection by applying a second machine learning-based classifier to the identified set of TLS records that include HTTP header information. The traffic analysis service augments the captured traffic data with the one or more HTTP transaction labels. The traffic analysis service causes performance of a network security function based on the augmented traffic data.

公开(公告)号：US11632309B2

公开(公告)日：2023-04-18

申请号：US17376924

申请日：2021-07-15

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Martin Rehak ,  Blake Harrell Anderson ,  Sunil Amin

IPC: H04L41/28 ,  H04L9/40 ,  H04W12/12 ,  G06F21/55 ,  H04L67/143

Abstract: In one embodiment, a service receives administration traffic data in a network associated with a remote administration session in which a control device remotely administers a client device. The service analyzes the administration traffic data to determine whether any portion of the administration traffic data is resulting from an administration session involving a trusted administrator. The service flags a first portion of the administration traffic data as authorized when the first portion of the administration traffic data is determined to result from an administration session involving a trusted administrator, and a second portion of the administration traffic data is non-flagged. The service assesses the second portion of the administration traffic data using a machine learning-based traffic classifier to determine whether the second portion of the administration traffic data is malicious.

公开(公告)号：US11611579B2

公开(公告)日：2023-03-21

申请号：US17715284

申请日：2022-04-07

Applicant: Cisco Technology, Inc.

Inventor： David Mcgrew ,  Blake Harrell Anderson ,  Daniel G. Wing ,  Flemming Andreasen

IPC: H04L9/40 ,  H04L61/4511

Abstract: In one embodiment, a device in a network captures domain name system (DNS) response data from a DNS response sent by a DNS service to a client in the network. The device captures session data for an encrypted session of the client. The device makes a determination that the encrypted session is malicious by using the captured DNS response data and the captured session data as input to a machine learning-based or rule-based classifier. The device performs a mediation action in response to the determination that the encrypted session is malicious.

公开(公告)号：US11601370B2

公开(公告)日：2023-03-07

申请号：US17727087

申请日：2022-04-22

Applicant: Cisco Technology, Inc.

Inventor： Michael Joseph Stepanek ,  Costas Kleopa ,  David McGrew ,  Blake Harrell Anderson ,  Saravanan Radhakrishnan

IPC: H04L12/851 ,  H04L47/2441 ,  H04L47/2483 ,  H04L47/25 ,  H04L47/2475 ,  H04L49/35 ,  H04L9/40 ,  H04W12/12 ,  H04W12/122 ,  H04W12/128

Abstract: In one embodiment, a networking device in a network detects an traffic flow conveyed in the network via the networking device. The networking device generates flow data for the traffic flow. The networking device performs a classification of the traffic flow using the flow data as input to a machine learning-based classifier. The networking device performs a mediation action based on the classification of the traffic flow.

公开(公告)号：US20230029656A1

公开(公告)日：2023-02-02

申请号：US17390319

申请日：2021-07-30

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  Andrew Chi ,  David Arthur McGrew ,  Saran Singh Ahluwalia

IPC: H04L12/911 ,  G06N20/00 ,  H04L29/08 ,  H04L12/26

Abstract: Techniques and mechanisms for identifying unmanaged cloud resources with endpoint and network logs and attributing the identified cloud resources to an entity of an enterprise that owns the cloud resources. The process collects data from sources, e.g., endpoint and network logs, with respect to traffic in a computer network and based at least in part on the data, extracts relationships related to the traffic. The process applies rules to the relationships to extract destinations in the computer network that provide cloud resources in a cloud environment, wherein the cloud resources are owned by an enterprise. One or more users or business entities of the enterprise are identified as accessing the cloud resources.