公开(公告)号：US20240187444A1

公开(公告)日：2024-06-06

申请号：US18441414

申请日：2024-02-14

Applicant: Cisco Technology, Inc.

Inventor： Jan KOHOUT ,  Blake Harrell ANDERSON ,  Martin GRILL ,  David MCGREW ,  Martin KOPP ,  Tomas PEVNY

IPC: H04L9/40 ,  G06N20/00 ,  G06N20/20 ,  H04L41/0686 ,  H04L47/2441

CPC classification number: H04L63/1441 ,  G06N20/00 ,  H04L41/0686 ,  H04L47/2441 ,  H04L63/0428 ,  H04L63/1416 ,  H04L63/1425 ,  H04L63/145 ,  H04L63/168 ,  G06N20/20

Abstract: In one embodiment, a device in a network detects an encrypted traffic flow associated with a client in the network. The device captures contextual traffic data regarding the encrypted traffic flow from one or more unencrypted packets associated with the client. The device performs a classification of the encrypted traffic flow by using the contextual traffic data as input to a machine learning-based classifier. The device generates an alert based on the classification of the encrypted traffic flow.

公开(公告)号：US20220232034A1

公开(公告)日：2022-07-21

申请号：US17715284

申请日：2022-04-07

Applicant: Cisco Technology, Inc.

Inventor： David MCGREW ,  Blake Harrell ANDERSON ,  Daniel G. WING

IPC: H04L9/40 ,  H04L61/4511

Abstract: In one embodiment, a device in a network captures domain name system (DNS) response data from a DNS response sent by a DNS service to a client in the network. The device captures session data for an encrypted session of the client. The device makes a determination that the encrypted session is malicious by using the captured DNS response data and the captured session data as input to a machine learning-based or rule-based classifier. The device performs a mediation action in response to the determination that the encrypted session is malicious.