INTRUSION DETECTION TO PREVENT IMPERSONATION ATTACKS IN COMPUTER NETWORKS
    1. INTRUSION DETECTION TO PREVENT IMPERSONATION ATTACKS IN COMPUTER NETWORKS
    Invention application; status: in force (granted)

    Publication (announcement) number: US20160344768A1

    Publication (announcement) date: 2016-11-24

    Application number: US14717127

    Filing date: 2015-05-20

    CPC classification number: H04L63/1416 H04L63/1425 H04L63/1483

    Abstract: In an embodiment, a central computer performs a data processing method. The central computer receives telemetry data from intrusion sensors. The central computer stores authentication records in a hosts database. Each authentication record is based on the telemetry data and comprises a thumbprint of a public key certificate and a host identifier of a sender computer. The central computer receives a suspect record that was sent by a first intrusion sensor. The suspect record has a first particular thumbprint of a first particular public key certificate and a first particular host identifier of a suspect sender. From the hosts database, the central computer searches for a matching record having a same host identifier as the first particular host identifier of the suspect record and a same thumbprint as the first particular thumbprint of the suspect record. The central computer generates an intrusion alert when no matching record is found.


    2. DETECTION OF MALWARE AND MALICIOUS APPLICATIONS

    Publication (announcement) number: US20190230095A1

    Publication (announcement) date: 2019-07-25

    Application number: US16370853

    Filing date: 2019-03-29

    Abstract: A method comprises receiving, at a network infrastructure device, a flow of packets, determining, using the network infrastructure device and for a first subset of the packets, that the first subset corresponds to a first datagram and determining a first length of the first datagram, determining, using the network infrastructure device and for a second subset of the packets, that the second subset corresponds to a second datagram that was received after the first datagram, and determining a second length of the second datagram, determining, using the network infrastructure device, a duration value between a first arrival time of the first datagram and a second arrival time of the second datagram, sending, to a collector device that is separate from the network infrastructure device, the first length, the second length, and the duration value for analysis.

    3. INTRUSION DETECTION TO PREVENT IMPERSONATION ATTACKS IN COMPUTER NETWORKS

    Publication (announcement) number: US20170272456A1

    Publication (announcement) date: 2017-09-21

    Application number: US15616514

    Filing date: 2017-06-07

    CPC classification number: H04L63/1416 G06F21/552 H04L63/1425 H04L63/1483

    Abstract: In an embodiment, a central computer performs a data processing method. The central computer receives telemetry data from intrusion sensors. The central computer stores authentication records in a hosts database. Each authentication record is based on the telemetry data and comprises a thumbprint of a public key certificate and a host identifier of a sender computer. The central computer receives a suspect record that was sent by a first intrusion sensor. The suspect record has a first particular thumbprint of a first particular public key certificate and a first particular host identifier of a suspect sender. From the hosts database, the central computer searches for a matching record having a same host identifier as the first particular host identifier of the suspect record and a same thumbprint as the first particular thumbprint of the suspect record. The central computer generates an intrusion alert when no matching record is found.

    4. DETECTION OF MALWARE AND MALICIOUS APPLICATIONS
    Invention application; status: under examination, published

    Publication (announcement) number: US20160352761A1

    Publication (announcement) date: 2016-12-01

    Application number: US14820265

    Filing date: 2015-08-06

    Abstract: A method comprises receiving, at a network infrastructure device, a flow of packets, determining, using the network infrastructure device and for a first subset of the packets, that the first subset corresponds to a first datagram and determining a first length of the first datagram, determining, using the network infrastructure device and for a second subset of the packets, that the second subset corresponds to a second datagram that was received after the first datagram, and determining a second length of the second datagram, determining, using the network infrastructure device, a duration value between a first arrival time of the first datagram and a second arrival time of the second datagram, sending, to a collector device that is separate from the network infrastructure device, the first length, the second length, and the duration value for analysis.

