公开(公告)号：US11025654B2

公开(公告)日：2021-06-01

申请号：US16450164

申请日：2019-06-24

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Blake Harrell Anderson

IPC: H04L29/06 ,  H04L12/851 ,  G06N20/00 ,  H04L29/08

Abstract: In one embodiment, a device in a network receives telemetry data regarding a traffic flow in the network. One or more features in the telemetry data are individually compressed. The device extracts the one or more individually compressed features from the received telemetry data. The device performs a lookup of one or more classifier inputs from an index of classifier inputs using the one or more individually compressed features from the received telemetry data. The device classifies the traffic flow by inputting the one or more classifier inputs to a machine learning-based classifier.

公开(公告)号：US10728280B2

公开(公告)日：2020-07-28

申请号：US15245886

申请日：2016-08-24

Applicant: Cisco Technology, Inc.

Inventor： K. Tirumaleswar Reddy ,  Daniel G. Wing ,  Blake Harrell Anderson ,  David McGrew

IPC: H04L29/06 ,  G06N20/00

Abstract: In one embodiment, a device in a network receives an attack mitigation request regarding traffic in the network. The device causes an assessment of the traffic, in response to the attack mitigation request. The device determines that an attack detector associated with the attack mitigation request incorrectly assessed the traffic, based on the assessment of the traffic. The device causes an update to an attack detection model of the attack detector, in response to determining that the attack detector incorrectly assessed the traffic.

公开(公告)号：US20200159947A1

公开(公告)日：2020-05-21

申请号：US16196035

申请日：2018-11-20

Applicant: Cisco Technology, Inc.

Inventor： Chris Allen Shenefiel ,  Robert Waitman ,  David McGrew ,  Blake Harrell Anderson

IPC: G06F21/62 ,  G06N20/00

Abstract: In one embodiment, a traffic analysis service that monitors a network obtains file metadata regarding an electronic file. The traffic analysis service determines a sensitivity score for the electronic file based on the file metadata. The traffic analysis service detects the electronic file within traffic in the network. The traffic analysis service causes performance of a mitigation action regarding the detection of the electronic file within the traffic, based on the sensitivity score of the electronic file.

公开(公告)号：US20200067972A1

公开(公告)日：2020-02-27

申请号：US16669831

申请日：2019-10-31

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Blake Harrell Anderson ,  Daniel G. Wing ,  Flemming Andreasen

IPC: H04L29/06 ,  H04L29/12

Abstract: In one embodiment, a device in a network captures domain name system (DNS) response data from a DNS response sent by a DNS service to a client in the network. The device captures session data for an encrypted session of the client. The device makes a determination that the encrypted session is malicious by using the captured DNS response data and the captured session data as input to a machine learning-based or rule-based classifier. The device performs a mediation action in response to the determination that the encrypted session is malicious.

公开(公告)号：US20190312894A1

公开(公告)日：2019-10-10

申请号：US16450164

申请日：2019-06-24

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Blake Harrell Anderson

IPC: H04L29/06 ,  G06N20/00 ,  H04L12/851

Abstract: In one embodiment, a device in a network receives telemetry data regarding a traffic flow in the network. One or more features in the telemetry data are individually compressed. The device extracts the one or more individually compressed features from the received telemetry data. The device performs a lookup of one or more classifier inputs from an index of classifier inputs using the one or more individually compressed features from the received telemetry data. The device classifies the traffic flow by inputting the one or more classifier inputs to a machine learning-based classifier.

公开(公告)号：US20190245866A1

公开(公告)日：2019-08-08

申请号：US15889392

申请日：2018-02-06

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  David McGrew

IPC: H04L29/06 ,  G06N99/00

CPC classification number: H04L63/145 ,  G06N20/00 ,  H04L41/14 ,  H04L63/1425 ,  H04L63/1441 ,  H04L63/166 ,  H04L67/02 ,  H04L67/42 ,  H04L69/326

Abstract: In one embodiment, a traffic analysis service receives captured traffic data regarding a Transport Layer Security (TLS) connection between a client and a server. The traffic analysis service applies a first machine learning-based classifier to TLS records from the traffic data, to identify a set of the TLS records that include Hypertext Transfer Protocol (HTTP) header information. The traffic analysis service estimates one or more HTTP transaction labels for the connection by applying a second machine learning-based classifier to the identified set of TLS records that include HTTP header information. The traffic analysis service augments the captured traffic data with the one or more HTTP transaction labels. The traffic analysis service causes performance of a network security function based on the augmented traffic data.

公开(公告)号：US10375090B2

公开(公告)日：2019-08-06

申请号：US15469716

申请日：2017-03-27

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Blake Harrell Anderson

IPC: H04L29/06 ,  H04L12/851 ,  G06N20/00 ,  H04L29/08

Abstract: In one embodiment, a device in a network receives telemetry data regarding a traffic flow in the network. One or more features in the telemetry data are individually compressed. The device extracts the one or more individually compressed features from the received telemetry data. The device performs a lookup of one or more classifier inputs from an index of classifier inputs using the one or more individually compressed features from the received telemetry data. The device classifies the traffic flow by inputting the one or more classifier inputs to a machine learning-based classifier.

公开(公告)号：US10348745B2

公开(公告)日：2019-07-09

申请号：US15399003

申请日：2017-01-05

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Blake Harrell Anderson ,  Ivan Nikolaev

IPC: G06F21/55 ,  H04L29/06 ,  H04L29/08 ,  H04L29/12

Abstract: In one embodiment, a device in a network receives a set of known user identifiers used in the network. The device receives web traffic log data regarding web traffic in the network. The web traffic log data includes header information captured from the web traffic and a plurality of client addresses associated with the web traffic. The device detects a particular one of the set of known user identifiers in the header information captured from the web traffic associated with a particular one of the plurality of client addresses. The device makes an association between the particular detected user identifier and the particular client address.

公开(公告)号：US20190199753A1

公开(公告)日：2019-06-27

申请号：US15854879

申请日：2017-12-27

Applicant: Cisco Technology, Inc.

Inventor： Matthew Scott Robertson ,  David McGrew ,  Timothy David Keanini ,  Sunil Amin ,  Ellie Marie Daw

IPC: H04L29/06

Abstract: In one embodiment, a service receives captured traffic flow data regarding a traffic flow sent via a network between a first device assigned to a first network zone and a second device assigned to a second network zone. The service identifies, from the captured traffic flow data, one or more cryptographic parameters of the traffic flow. The service determines whether the one or more cryptographic parameters of the traffic flow satisfy an inter-zone policy associated with the first and second network zones. The service causes performance of a mitigation action in the network when the one or more cryptographic parameters of the traffic flow do not satisfy the inter-zone policy associated with the first and second network zones.

公开(公告)号：US20190190794A1

公开(公告)日：2019-06-20

申请号：US15848101

申请日：2017-12-20

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Martin Rehak ,  Blake Harrell Anderson ,  Sunil Amin

IPC: H04L12/24 ,  H04L29/06

CPC classification number: H04L41/28 ,  G06F21/55 ,  H04L63/14 ,  H04L63/1425 ,  H04L63/1441 ,  H04L63/20 ,  H04L67/143 ,  H04W12/12

Abstract: In one embodiment, a service receives data regarding administration traffic in a network associated with a remote administration session in which a control device remotely administers a client device. The service analyzes the received data to determine whether the administration traffic is authorized. The service flags the received data as authorized, based on the analysis of the received data. The service uses the data flagged as authorized to distinguish between benign traffic and malicious traffic in the network.