Abstract:
User equipment can download a video file by issuing multiple video requests, each specifying a different part of the video file. If each video request initiates a separate transmission control protocol (TCP) session, as is the case with a hypertext transfer protocol (HTTP) partial GET request, then a network device in a communications network is oblivious to the contextual information indicating that the TCP sessions download different portions of the same video file. This disclosure provides systems and methods for correlating multiple TCP sessions so that a network device in a communications network can be aware of that contextual information.
Abstract:
In one embodiment, a method includes receiving capability information from an end host at a centralized security matrix in communication with a firewall and a plurality of end hosts; verifying, at the centralized security matrix, a trust level of the end host; assigning, at the centralized security matrix, a firewall function to the end host based on the trust level and the capability information; and notifying the firewall of the firewall function assigned to the end host. Firewall functions are thereby offloaded from the firewall to the end hosts by the centralized security matrix. An apparatus and logic are also disclosed herein.
Abstract:
In one embodiment, during an authentication process between a network device and an access terminal, an authentication message for access to the network is received. The network device is configured to allow access to an IP network. The network device determines one or more capabilities of the access terminal from the authentication message. An action is then performed based on the one or more capabilities of the access terminal. The action may include using the capabilities to set up a session with the access terminal. The network device may also send its own capabilities to the access terminal in an authentication response. Accordingly, a capability negotiation between the access terminal and the network device may be provided during the authentication process. This may facilitate a faster session setup, since capabilities exchanged during authentication can be used in the configuration of the session.
Abstract:
Presented herein are methodologies for implementing application security. A method includes generating an extraction vector based on a plurality of application security rules to be enforced; transmitting the extraction vector to a first agent operating on a first network device and to a second agent operating on a second network device; and receiving, separately, from the first agent and from the second agent, first metadata generated by the first agent and second metadata generated by the second agent, the agents having applied the extraction vector to network traffic passing through the first network device and the second network device, respectively. The first metadata includes a transaction ID assigned by the first agent, and the second metadata includes the same transaction ID. The method further includes correlating the first metadata with the second metadata based on the transaction ID to construct a transactional service graph for the network traffic.
Abstract:
One or more lower-level attributes of a first network policy are translated to one or more higher-level attributes of the first network policy, and one or more lower-level attributes of a second network policy are translated to one or more higher-level attributes of the second network policy. The first network policy controls how first network traffic is handled, and the second network policy controls how second network traffic is handled. The one or more higher-level attributes of the first network policy are compared with the one or more higher-level attributes of the second network policy. Based on the comparing, it is determined whether the first network traffic and the second network traffic are handled in a functionally equivalent manner. If not, the first network policy is dynamically updated to generate an updated first network policy that causes the first network traffic to be handled in the functionally equivalent manner.
Abstract:
In one example embodiment, a network management device generates a first script defining a first function for detecting a first customizable network event in a sequence of customizable network events indicative of a security threat to a network. The network management device activates the first script at a first network device in the network so as to cause the first network device to execute the first function for detecting the first customizable network event, and obtains, from the first network device, one or more indications that the first network device has detected the first customizable network event. Based on the one or more indications, the network management device determines whether to activate a second script defining a second function for detecting a second customizable network event in the sequence at a second network device in the network capable of detecting the second customizable network event.
Abstract:
In one embodiment, a centralized controller maintains a plurality of hierarchical behavioral modules of a behavioral model, and distributes initial behavioral modules to data plane entities to cause them to apply the initial behavioral modules to data plane traffic. The centralized controller may then receive data from a particular data plane entity based on its having applied the initial behavioral modules to its data plane traffic. The centralized controller then distributes subsequent behavioral modules to the particular data plane entity to cause it to apply the subsequent behavioral modules to the data plane traffic, the subsequent behavioral modules selected based on the previously received data from the particular data plane entity. The centralized controller may then iteratively receive data from the particular data plane entity and distribute subsequently selected behavioral modules until an attack determination is made on the data plane traffic of the particular data plane entity.
Abstract:
A system includes a media optimizer that adaptively generates and transmits a modified manifest file based on an original manifest file corresponding to an associated media asset from a content provider in response to a media content request from a client for the associated media asset. The original manifest file specifies bitrates. The media optimizer extracts parameters associated with the media content request and applies bitrate policies based on the extracted parameters to adaptively modify the original manifest file to generate the modified manifest file. The media optimizer is further configured to transmit the modified manifest file to the client for selection by the client of a bitrate associated with delivery of the associated media asset.
Abstract:
Systems and methods are used for receiving a video request from user equipment for video to be downloaded; determining a link bandwidth status associated with the user equipment; in response to the link bandwidth status, determining whether to implement one or more additional processing functions associated with the video delivery; and, during the video delivery, repeating the determining so that the one or more additional processing functions can be implemented or not implemented at different times during the delivery. These processing functions can include transrating, HTTP optimization, TCP optimization, and video pacing.