公开(公告)号：US20220360606A1

公开(公告)日：2022-11-10

申请号：US17307677

申请日：2021-05-04

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  David Arthur McGrew

IPC: H04L29/06 ,  G06K9/62

Abstract: Techniques and mechanisms for using passively collected network data to automatically generate a fingerprint prevalence database without the need for endpoint ground truth. The process first clusters all observations with the same fingerprint string and similar source and destination context. The process then annotates each cluster with descriptive information and uses a rule-based system to derive an informative name from that descriptive information, e.g., “winnt amp client” or “cross-platform browser”. Optionally, the learned database may be augmented by a user to clarify custom process labels. Additionally, the generated database may be used to report the inferred processes in the same way as databases generated with endpoint ground truth.

公开(公告)号：US20220255868A1

公开(公告)日：2022-08-11

申请号：US17727087

申请日：2022-04-22

Applicant: Cisco Technology, Inc.

Inventor： Michael Joseph Stepanek ,  Costas Kleopa ,  David McGrew ,  Blake Harrell Anderson ,  Saravanan Radhakrishnan

IPC: H04L47/2441 ,  H04L9/40 ,  H04W12/122 ,  H04L47/2483 ,  H04W12/128 ,  H04L47/2475 ,  H04L47/25 ,  H04L49/35 ,  H04W12/12

Abstract: In one embodiment, a networking device in a network detects an traffic flow conveyed in the network via the networking device. The networking device generates flow data for the traffic flow. The networking device performs a classification of the traffic flow using the flow data as input to a machine learning-based classifier. The networking device performs a mediation action based on the classification of the traffic flow.

公开(公告)号：US11310246B2

公开(公告)日：2022-04-19

申请号：US16100361

申请日：2018-08-10

Applicant: Cisco Technology, Inc.

Inventor： Martin Rehak ,  David McGrew ,  Blake Harrell Anderson ,  Scott William Dunlop

IPC: H04L29/06

Abstract: In one embodiment, a traffic inspection service executed by an intermediary device obtains, from a monitoring agent executed by an endpoint device, keying information for an encrypted traffic session between the endpoint device and a remote entity. The traffic inspection service provides a notification to the monitoring agent that acknowledges receipt of the keying information. The traffic inspection service uses the keying information to decrypt encrypted traffic from the encrypted traffic session. The traffic inspection service applies a policy to the encrypted traffic session between the endpoint device and the remote entity, based on the decrypted traffic from the session.

公开(公告)号：US20220094529A1

公开(公告)日：2022-03-24

申请号：US17543427

申请日：2021-12-06

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  Andrew Chi ,  David McGrew ,  Scott William Dunlop

IPC: H04L9/08 ,  H04L29/06 ,  H04W72/04 ,  G06N5/02

Abstract: In one embodiment, an apparatus captures a memory dump of a device in a sandbox environment executing a malware sample. The apparatus identifies a cryptographic key based on a particular data structure in the captured memory dump. The apparatus uses the identified cryptographic key to decrypt encrypted traffic sent by the device. The apparatus labels at least a portion of the decrypted traffic sent by the device as benign. The apparatus trains a machine learning-based traffic classifier based on the at least a portion of the decrypted traffic sent by the device and labeled as benign.

公开(公告)号：US11272268B2

公开(公告)日：2022-03-08

申请号：US17389537

申请日：2021-07-30

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  David Arthur McGrew ,  Alison Kendler

IPC: H04L29/06 ,  H04L12/24 ,  H04L29/08 ,  H04Q9/02 ,  H04Q9/00 ,  H04L9/30

Abstract: In one embodiment, a method for classifying an encrypted flow includes receiving a plurality of packets associated with an encrypted flow traversing a network, collecting telemetry data from the flow without decrypting the flow, sending the telemetry data to a backend system for classification, using the telemetry data to classify the flow using a machine learning classifier, creating a classification response, and using the classification response to modify processing of the flow. In another embodiment, a method for classifying an encrypted flow includes receiving a plurality of packets associated with an encrypted flow traversing a network, collecting telemetry data from the first plurality of packets associated with the flow, sending the telemetry data to a backend system for classification, using the telemetry data to classify the flow using a machine learning classifier, and using the output of the classifier to modify processing of the flow.

公开(公告)号：US20220038494A1

公开(公告)日：2022-02-03

申请号：US17395264

申请日：2021-08-05

Applicant: Cisco Technology, Inc.

Inventor： K. Tirumaleswar Reddy ,  Daniel G. Wing ,  Blake Harrell Anderson ,  David McGrew

IPC: H04L29/06 ,  G06N20/00

Abstract: In one embodiment, a device in a network receives an attack mitigation request regarding traffic in the network. The device causes an assessment of the traffic, in response to the attack mitigation request. The device determines that an attack detector associated with the attack mitigation request incorrectly assessed the traffic, based on the assessment of the traffic. The device causes an update to an attack detection model of the attack detector, in response to determining that the attack detector incorrectly assessed the traffic.

公开(公告)号：US20210360336A1

公开(公告)日：2021-11-18

申请号：US17389537

申请日：2021-07-30

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  David Arthur McGrew ,  Alison Kendler

IPC: H04Q9/02 ,  H04L29/06 ,  H04Q9/00 ,  H04L9/30

Abstract: In one embodiment, a method for classifying an encrypted flow includes receiving a plurality of packets associated with an encrypted flow traversing a network, collecting telemetry data from the flow without decrypting the flow, sending the telemetry data to a backend system for classification, using the telemetry data to classify the flow using a machine learning classifier, creating a classification response, and using the classification response to modify processing of the flow. In another embodiment, a method for classifying an encrypted flow includes receiving a plurality of packets associated with an encrypted flow traversing a network, collecting telemetry data from the first plurality of packets associated with the flow, sending the telemetry data to a backend system for classification, using the telemetry data to classify the flow using a machine learning classifier, and using the output of the classifier to modify processing of the flow.

公开(公告)号：US20210357815A1

公开(公告)日：2021-11-18

申请号：US17386020

申请日：2021-07-27

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  David McGrew

IPC: G06N20/00 ,  H04L29/06

Abstract: In one embodiment, a device in a network generates a feature vector based on traffic flow data regarding one or more traffic flows in the network. The device makes a determination as to whether the generated feature vector is already represented in a training dataset dictionary by one or more feature vectors in the dictionary. The device updates the training dataset dictionary based on the determination by one of: adding the generated feature vector to the dictionary when the generated feature vector is not already represented by one or more feature vectors in the dictionary, or incrementing a count associated with a particular feature vector in the dictionary when the generated feature vector is already represented by the particular feature vector in the dictionary. The device generates a training dataset based on the training dataset dictionary for training a machine learning-based traffic flow analyzer.

公开(公告)号：US20210349996A1

公开(公告)日：2021-11-11

申请号：US17382627

申请日：2021-07-22

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Blake Harrell Anderson ,  Subharthi Paul

IPC: G06F21/55 ,  H04L12/24 ,  H04L29/06 ,  G06N20/00 ,  G06F21/56 ,  G06F9/4401 ,  G06F11/14 ,  H04L29/08

Abstract: In one embodiment, a device in a network tracks traffic features indicated by header information of packets of an encrypted traffic flow over time. The encrypted traffic flow is associated with a particular host in the network. The device detects an operating system start event based on the traffic features and provides data regarding the detected operating system start event as input to a machine learning-based malware detector to determine whether the particular host with which the encrypted traffic flow is associated is infected with malware. The device causes performance of a mitigation action in the network when the malware detector determines that the particular host is infected with malware.

公开(公告)号：US11165819B2

公开(公告)日：2021-11-02

申请号：US16906302

申请日：2020-06-19

Applicant: Cisco Technology, Inc.

Inventor： K. Tirumaleswar Reddy ,  Daniel G. Wing ,  Blake Harrell Anderson ,  David McGrew

IPC: H04L29/06 ,  G06N20/00

Abstract: In one embodiment, a device in a network receives an attack mitigation request regarding traffic in the network. The device causes an assessment of the traffic, in response to the attack mitigation request. The device determines that an attack detector associated with the attack mitigation request incorrectly assessed the traffic, based on the assessment of the traffic. The device causes an update to an attack detection model of the attack detector, in response to determining that the attack detector incorrectly assessed the traffic.