公开(公告)号：US20180026993A1

公开(公告)日：2018-01-25

申请号：US15214905

申请日：2016-07-20

Applicant: Cisco Technology, Inc.

Inventor： Vincent E. Parla ,  Andrey Zawadowskiy ,  Donovan O'Hara

IPC: H04L29/06

CPC classification number: H04L63/1425

Abstract: A method is disclosed in which a system compares a first set of reports characterizing network traffic flows originating from an endpoint device with a second set of reports characterizing network traffic flows originating from the endpoint device and stored at an external network device to determine whether the first set and second set of reports characterizing network traffic flows originating from an endpoint device are different. In response to determining that the first and second reports characterizing network traffic flows are different, the system identifies the network traffic flows originating from the endpoint device and reported by an external network device, but not reported by the endpoint device, as possibly indicative of malware and forwards the network traffic flows originating from the endpoint device to an analyzer for further processing. Thus, an observed difference between network traffic flows originating from an endpoint device and stored at the endpoint device and network traffic flows originating from the endpoint device and stored on an external network device are compared to detect the presence of malware residing on the endpoint device.

公开(公告)号：US10187414B2

公开(公告)日：2019-01-22

申请号：US15214905

申请日：2016-07-20

Applicant: Cisco Technology, Inc.

Inventor： Vincent E. Parla ,  Andrey Zawadowskiy ,  Donovan O'Hara

IPC: H04L29/06

Abstract: A method is disclosed in which a system compares a first set of reports characterizing network traffic flows originating from an endpoint device with a second set of reports characterizing network traffic flows originating from the endpoint device and stored at an external network device to determine whether the first set and second set of reports characterizing network traffic flows originating from an endpoint device are different. In response to determining that the first and second reports characterizing network traffic flows are different, the system identifies the network traffic flows originating from the endpoint device and reported by an external network device, but not reported by the endpoint device, as possibly indicative of malware and forwards the network traffic flows originating from the endpoint device to an analyzer for further processing. Thus, an observed difference between network traffic flows originating from an endpoint device and stored at the endpoint device and network traffic flows originating from the endpoint device and stored on an external network device are compared to detect the presence of malware residing on the endpoint device.