公开(公告)号：US09282040B2

公开(公告)日：2016-03-08

申请号：US14255701

申请日：2014-04-17

Applicant: CISCO TECHNOLOGY, INC.

Inventor： K. Tirumaleswar Reddy ,  Ram Mohan Ravindranath ,  Muthu Arul Mozhi Perumal ,  Daniel G. Wing ,  William C. VerSteeg

IPC: H04L12/801 ,  H04L12/911 ,  H04L29/06 ,  H04L29/08

CPC classification number: H04L47/10 ,  H04L47/2441 ,  H04L47/70 ,  H04L63/0263 ,  H04L63/10 ,  H04L65/60 ,  H04L65/80 ,  H04L67/10

Abstract: Modern day user applications leverages new communication technologies such as WebRTC, WebEx, and Jabber allow devices to connect and exchange media content including audio streams, video streams, and data stream/channels. The present disclosure describes mechanisms for a Port Control Protocol (PCP) server to provide feedback to PCP clients to enforce certain policies on the transport of such media content for a network. A policy may include a traffic handling policy for enforcing differentiated quality of service characteristics for different types of media streams. Another policy may include a security policy ensuring a data files being transmitted over a data channel from one endpoint travels to a security application via a relay element before the packets reaches another endpoint. The mechanisms are transparent to the endpoints, and advantageously preserve the user experience for these user applications.

Abstract translation: 现代用户应用程序利用WebRTC，WebEx和Jabber等新型通信技术，允许设备连接和交换包括音频流，视频流和数据流/频道在内的媒体内容。 本公开描述了端口控制协议（PCP）服务器向PCP客户端提供反馈以对网络上的这种媒体内容的传输执行某些策略的机制。 策略可以包括用于为不同类型的媒体流实施差异化服务质量特征的流量处理策略。 另一策略可以包括安全策略，以确保在分组到达另一端点之前通过数据信道从一个端点传送数据文件经由中继元件传播到安全应用。 这些机制对端点是透明的，并且有利地保留这些用户应用的用户体验。

公开(公告)号：US20150249606A1

公开(公告)日：2015-09-03

申请号：US14194348

申请日：2014-02-28

Applicant: CISCO TECHNOLOGY, INC.

Inventor： K. Tirumaleswar Reddy ,  Ram Mohan Ravindranath ,  Muthu Arul Mozhi Perumal ,  Daniel G. Wing ,  William C. VerSteeg

IPC: H04L12/801 ,  H04L12/911

CPC classification number: H04L47/10 ,  H04L47/2441 ,  H04L47/70 ,  H04L63/0263 ,  H04L63/10 ,  H04L65/60 ,  H04L65/80 ,  H04L67/10

Abstract: Modern day user applications leverages new communication technologies such as WebRTC, WebEx, and Jabber allow devices to connect and exchange media content including audio streams, video streams, and data stream/channels. The present disclosure describes mechanisms for a Port Control Protocol (PCP) server to provide feedback to PCP clients to enforce certain policies on the transport of such media content for a network. A policy may include a traffic handling policy for enforcing differentiated quality of service characteristics for different types of media streams. Another policy may include a security policy ensuring a data files being transmitted over a data channel from one endpoint travels to a security application via a relay element before the packets reaches another endpoint. The mechanisms are transparent to the endpoints, and advantageously preserve the user experience for these user applications.

Abstract translation: 现代用户应用程序利用WebRTC，WebEx和Jabber等新型通信技术，允许设备连接和交换包括音频流，视频流和数据流/频道在内的媒体内容。 本公开描述了端口控制协议（PCP）服务器向PCP客户端提供反馈以对网络上的这种媒体内容的传输执行某些策略的机制。 策略可以包括用于为不同类型的媒体流实施差异化服务质量特征的流量处理策略。 另一策略可以包括安全策略，以确保在分组到达另一端点之前通过数据信道从一个端点传送数据文件经由中继元件传播到安全应用。 这些机制对端点是透明的，并且有利地保留这些用户应用的用户体验。

公开(公告)号：US20140237539A1

公开(公告)日：2014-08-21

申请号：US13773157

申请日：2013-02-21

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Daniel G. Wing ,  Srinivas Chivukula ,  Tirumaleswar Reddy ,  Prashanth Patil

IPC: H04L29/06

CPC classification number: H04L63/08 ,  H04L61/2514 ,  H04L63/20 ,  H04L67/02 ,  H04L67/146 ,  H04L69/161 ,  H04L69/22

Abstract: In one implementation, identity based security features and policies are applied to endpoint devices behind an intermediary device, such as a network address translation device. The access network switch authenticates an endpoint based on a user identity and a credential. A hypertext transfer protocol (HTTP) packet is generated or modified to include the user identity in an inline header. The HTTP packet including the user identity is sent to a policy enforcement device to look up one or more policies for the endpoint. The access switch receives traffic from the policy enforcement device that is filtered according the user identity. Subsequent TCP connections may also include identity information within the TCP USER_HINT option in a synchronization packet thus allowing identity propagation for other applications and protocols.

Abstract translation: 在一个实现中，基于身份的安全特征和策略被应用于中间设备（例如网络地址转换设备）之后的端点设备。 接入网络交换机根据用户身份和证书认证端点。 生成或修改超文本传输​​协议（HTTP）包以将用户身份包括在内联头部中。 包括用户身份的HTTP分组被发送到策略执行设备以查找端点的一个或多个策略。 接入交换机从根据用户身份过滤的策略执行设备接收流量。 后续TCP连接还可以包括同步分组中的TCP USER_HINT选项内的身份信息，从而允许其他应用和协议的身份传播。

公开(公告)号：US11711336B2

公开(公告)日：2023-07-25

申请号：US17466370

申请日：2021-09-03

Applicant: Cisco Technology, Inc.

Inventor： K. Tirumaleswar Reddy ,  David McGrew ,  Blake Harrell Anderson ,  Daniel G. Wing

IPC: H04L61/4511 ,  H04L9/40 ,  H04L61/4541 ,  H04L67/61 ,  H04L69/22 ,  H04L47/2425

CPC classification number: H04L61/4511 ,  H04L61/4541 ,  H04L63/0428 ,  H04L67/61 ,  H04L47/2433 ,  H04L69/22

Abstract: In one embodiment, a device in a network receives domain name system (DNS) information for a domain. The DNS information includes one or more service tags indicative of one or more services offered by the domain. The device detects an encrypted traffic flow associated with the domain. The device identifies a service associated with the encrypted traffic flow based on the one or more service tags. The device prioritizes the encrypted traffic flow based on the identified service associated with the encrypted traffic flow.

公开(公告)号：US20230146962A1

公开(公告)日：2023-05-11

申请号：US18096143

申请日：2023-01-12

Applicant: Cisco Technology, Inc.

Inventor： K. Tirumaleswar Reddy ,  Daniel G. Wing ,  Blake Harrell Anderson ,  David McGrew

IPC: H04L9/40 ,  G06N20/00

CPC classification number: H04L63/1458 ,  H04L63/1425 ,  G06N20/00 ,  H04L2463/144

Abstract: In one embodiment, a device in a network receives an attack mitigation request regarding traffic in the network. The device causes an assessment of the traffic, in response to the attack mitigation request. The device determines that an attack detector associated with the attack mitigation request incorrectly assessed the traffic, based on the assessment of the traffic. The device causes an update to an attack detection model of the attack detector, in response to determining that the attack detector incorrectly assessed the traffic.

公开(公告)号：US11057420B2

公开(公告)日：2021-07-06

申请号：US16370853

申请日：2019-03-29

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Andrew Zawadowskiy ,  Donovan O'Hara ,  Saravanan Radhakrishnan ,  Tomas Pevny ,  Daniel G. Wing

IPC: H04L29/06

Abstract: A method comprises receiving, at a network infrastructure device, a flow of packets, determining, using the network infrastructure device and for a first subset of the packets, that the first subset corresponds to a first datagram and determining a first length of the first datagram, determining, using the network infrastructure device and for a second subset of the packets, that the second subset corresponds to a second datagram that was received after the first datagram, and determining a second length of the second datagram, determining, using the network infrastructure device, a duration value between a first arrival time of the first datagram and a second arrival time of the second datagram, sending, to a collector device that is separate from the network infrastructure device, the first length, the second length, and the duration value for analysis.

公开(公告)号：US20190288945A1

公开(公告)日：2019-09-19

申请号：US16434523

申请日：2019-06-07

Applicant: Cisco Technology, Inc.

Inventor： K. Tirumaleswar Reddy ,  Ram Mohan Ravindranath ,  Muthu Arul Mozhi Perumal ,  Daniel G. Wing ,  William C. VerSteeg

IPC: H04L12/801 ,  H04L29/06 ,  H04L29/08 ,  H04L12/851 ,  H04L12/911

Abstract: Modern day user applications leverages new communication technologies such as WebRTC, WebEx, and Jabber allow devices to connect and exchange media content including audio streams, video streams, and data stream/channels. The present disclosure describes mechanisms for a Port Control Protocol (PCP) server to provide feedback to PCP clients to enforce certain policies on the transport of such media content for a network. A policy may include a traffic handling policy for enforcing differentiated quality of service characteristics for different types of media streams. Another policy may include a security policy ensuring a data files being transmitted over a data channel from one endpoint travels to a security application via a relay element before the packets reaches another endpoint. The mechanisms are transparent to the endpoints, and advantageously preserve the user experience for these user applications.

公开(公告)号：US10382480B2

公开(公告)日：2019-08-13

申请号：US15292503

申请日：2016-10-13

Applicant: Cisco Technology, Inc.

Inventor： K Tirumaleswar Reddy ,  Daniel G. Wing ,  Carlos M. Pignataro

IPC: H04L29/06 ,  H04W12/08 ,  H04W4/70

Abstract: Presented herein are techniques for remediating a distributed denial of service attack. A methodology includes, at a network device, such as a constrained resource Internet of Things (IoT) device, receiving from an authorization server cryptographic material sufficient to validate and decrypt tokens carried in packets, detecting a denial of service attack that employs packets containing invalid tokens, and in response to detecting the denial of service attack, signaling a remediation server for assistance to remediate the denial of service attack, and sending to the remediation server the cryptographic material over a secure communication channel such that the remediation server enables validation and decryption of tokens carried in packets, subsequent to detection of the denial of service attack, that are destined for the network device.

公开(公告)号：US10305931B2

公开(公告)日：2019-05-28

申请号：US15297241

申请日：2016-10-19

Applicant: Cisco Technology, Inc.

Inventor： K Tirumaleswar Reddy ,  Daniel G. Wing ,  Flemming Stig Andreasen ,  Michael David Geller

IPC: G06F7/04 ,  H04L29/06 ,  G06F21/55 ,  H04W12/12 ,  H04W4/70

Abstract: In one embodiment, a primary server receives, from a client device, a first request to mitigate an external attack on the client device. The primary server sends, to a plurality of secondary servers, a second request to mitigate the external attack, wherein each one of the plurality of secondary servers has associated mitigation resources, and receives from at least one of the plurality of secondary servers an indication that it has mitigation resources capable of mitigating the external attack. The primary server sends, to the client device, a list including the secondary servers having mitigation resources capable of mitigating the attack, and receives, from the client device, an indication that a subset of the list is selected to mitigate the external attack. In response, the primary server sends a request for mitigation services to one of the secondary servers in the subset selected to mitigate the external attack.

公开(公告)号：US10050870B2

公开(公告)日：2018-08-14

申请号：US15013027

申请日：2016-02-02

Applicant: Cisco Technology, Inc.

Inventor： K. Tirumaleswar Reddy ,  Prashanth Patil ,  Daniel G. Wing ,  James Neil Guichard

IPC: H04L12/707 ,  H04L12/741 ,  H04L12/851 ,  H04L12/801

Abstract: A service classifier network device receives a subflow and identifies that the subflow is one of at least two subflows in a multipath data flow. Related data packets are sent from a source node to a destination node in the multipath data flow. The service classifier generates a multipath flow identifier and encapsulates the subflow with a header to produce an encapsulated first subflow. The header identifies a service function path and includes metadata with the multipath flow identifier.