Abstract:
In one aspect, a method includes: creating a polymorphic variant of a sample of malware; analyzing the polymorphic variant of the sample of malware by a security management service to determine if the polymorphic variant of the sample of malware evades detection by the security management service; when the security management service fails to detect the polymorphic variant during the analysis of the polymorphic variant, detonating the polymorphic variant in a virtualized environment to identify characterizations of the polymorphic variant; and training the security management service to detect the polymorphic variant based on the characterizations.
Abstract:
A system and method are provided for predicting the method of exploitation and impact/scope of software vulnerabilities, thereby enabling improved remediation of the software vulnerabilities. A machine learning (ML) method receives threat-intelligence information of the software vulnerabilities and generates a threat vector based on a security category and a data or schema category of the software vulnerability. The ML method can include a first portion constrained to predict a first intermediary result corresponding to the security category of the software vulnerability. The ML method can include a second portion constrained to predict a second intermediary result corresponding to the data or schema category of the software vulnerability.
Abstract:
A system and method are provided for generating a cybersecurity behavioral graph from log files and/or other telemetry data, which can be unstructured or semi-structured data. The log files are applied to a machine learning (ML) model (e.g., a large language model (LLM)) that generates/extracts from the log files entities and relationships between said entities. The entities and relationships can be constrained using a cybersecurity ontology or schema to ensure that the results are meaningful to a cybersecurity context. A graph is then generated by mapping the extracted entities to nodes in the graph and the relationships to edges connecting nodes. To more efficiently extract the entities and relationships from the data file, an LLM is used to generate regular expressions for the format of the log files. Once generated, the regular expressions can rapidly parse the log files to extract the entities and relationships.
Abstract:
In one example embodiment, a computing device has a processor that executes a processor instruction stream that causes the processor to perform one or more operations for the computing device. The computing device generates one or more trace data packets including a first instruction pointer of the processor instruction stream, a second instruction pointer of the processor instruction stream subsequent to the first instruction pointer, and a string of characters derived from instructions associated with a control flow transfer between the first instruction pointer of the processor instruction stream and the second instruction pointer of the processor instruction stream. The computing device determines whether the one or more trace data packets are consistent with a secure processor instruction stream known or determined to be secure from malicious processor instructions and, if not, generates an indication that the processor instruction stream is not secure.
Abstract:
A method for providing authoritative application-based routing and an improved application firewall, as well as a method for application classification, is described. The first embodiment, which provides a method for authoritative application-based routing, comprises tagging packets with an application identifier, and pushing the tagged packets to the network to enable the application identifier to be used in routing and priority decisions. In the second embodiment, a method for improving an application firewall comprises using the application identifier to minimize the amount of processing required by the firewall when analyzing packet information.
Abstract:
A system inserts at least one notifying identifier in the computer system. The at least one notifying identifier provides execution information associated with the computer system. The system receives execution information from the at least one notifying identifier; the execution information identifies details associated with a traffic flow on the computer system. The system then generates a signature based on a deterministic link provided by the execution information provided by the at least one notifying identifier. The signature is utilized to prevent further damage caused to the computer system by at least one attack.
Abstract:
Techniques and systems described herein relate to monitoring executions of computer instructions on computing devices based on learning and generating a control flow directed graph. The techniques and systems include determining a learned control flow diagram for a process on a computing system and monitoring execution of the process on the computing system using the control flow diagram. An unobserved transition is determined based on the learned control flow diagram and the unobserved transition is classified as safe or unsafe based on a monitoring component analysis. An action is performed based on the safety classification and the learned control flow diagram.
Abstract:
Techniques and systems described herein relate to monitoring executions of computer instructions on computing devices based on learning and generating a control flow directed graph. The techniques and systems include determining a learned control flow directed graph for a process executed on the computing system. A system call is identified during execution of the process as well as a predetermined number of transitions leading to the system call. A validity of the transitions leading to the system call is determined based on the learned control flow directed graph and the computing system may perform an action based on the validity.
Abstract:
A method comprises: receiving, at a network infrastructure device, a flow of packets; determining, using the network infrastructure device and for a first subset of the packets, that the first subset corresponds to a first datagram and determining a first length of the first datagram; determining, using the network infrastructure device and for a second subset of the packets, that the second subset corresponds to a second datagram that was received after the first datagram, and determining a second length of the second datagram; determining, using the network infrastructure device, a duration value between a first arrival time of the first datagram and a second arrival time of the second datagram; and sending, to a collector device that is separate from the network infrastructure device, the first length, the second length, and the duration value for analysis.