公开(公告)号：US12254123B2

公开(公告)日：2025-03-18

申请号：US17335245

申请日：2021-06-01

Applicant: Cisco Technology, Inc.

Inventor： Chirag Shroff ,  David McGrew

IPC: G06F21/73 ,  G06F7/58 ,  G06F21/72

Abstract: According to certain embodiments, a method comprises performing a posture assessment at a trust anchor in order to determine whether a hardware component is authorized to run on a product. Performing the posture assessment comprises determining a random value (K), encrypting the random value (K) using a long-term key associated with the hardware component in order to yield an encrypted value, communicating the encrypted value to the hardware component, and receiving, from the hardware component, a message encrypted using the random value (K). The message comprises an identifier associated with the hardware component. Performing the posture assessment further comprises determining whether the hardware component is authorized to run on the product based at least in part on the identifier associated with the hardware component. The method further comprises performing an action that depends on whether the hardware component is authorized to run on the product.

公开(公告)号：US11816219B2

公开(公告)日：2023-11-14

申请号：US17335156

申请日：2021-06-01

Applicant: Cisco Technology, Inc.

Inventor： Chirag Shroff ,  David McGrew

IPC: H04L9/32 ,  G06F21/76 ,  G06F21/44 ,  G06F21/57 ,  H04L9/08

CPC classification number: G06F21/57 ,  H04L9/0869 ,  G06F2221/034

Abstract: According to certain embodiments, a method comprises performing a posture assessment at a trust anchor in order to determine whether a hardware component is authorized to run on a product. Performing the posture assessment comprises determining a random value (K), encrypting the random value (K) using a long-term key associated with the hardware component in order to yield an encrypted value, communicating the encrypted value to the hardware component, and determining whether the hardware component is authorized to run on the product based at least in part on whether the trust anchor receives, from the hardware component, a response encrypted using the random value (K). The method further comprises allowing or preventing the hardware component from running on the product based on whether the hardware component is authorized to run on the product.

公开(公告)号：US11783076B2

公开(公告)日：2023-10-10

申请号：US17860217

申请日：2022-07-08

Applicant: Cisco Technology, Inc.

Inventor： Chris Allen Shenefiel ,  Robert Waitman ,  David McGrew ,  Blake Harrell Anderson

IPC: G06F21/62 ,  G06N20/00

CPC classification number: G06F21/6218 ,  G06N20/00

Abstract: In one embodiment, a traffic analysis service that monitors a network obtains file metadata regarding an electronic file. The traffic analysis service determines a sensitivity score for the electronic file based on the file metadata. The traffic analysis service detects the electronic file within traffic in the network. The traffic analysis service causes performance of a mitigation action regarding the detection of the electronic file within the traffic, based on the sensitivity score of the electronic file.

公开(公告)号：US11748477B2

公开(公告)日：2023-09-05

申请号：US17382627

申请日：2021-07-22

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Blake Harrell Anderson ,  Subharthi Paul

IPC: G06F21/55 ,  H04L41/16 ,  H04L9/40 ,  G06N20/00 ,  G06F21/56 ,  H04L67/50 ,  G06F9/4401 ,  G06F11/14

CPC classification number: G06F21/554 ,  G06F9/4403 ,  G06F9/4406 ,  G06F11/1435 ,  G06F21/566 ,  G06N20/00 ,  H04L41/16 ,  H04L63/1416 ,  H04L63/1425 ,  H04L67/535

Abstract: In one embodiment, a device in a network tracks traffic features indicated by header information of packets of an encrypted traffic flow over time. The encrypted traffic flow is associated with a particular host in the network. The device detects an operating system start event based on the traffic features and provides data regarding the detected operating system start event as input to a machine learning-based malware detector to determine whether the particular host with which the encrypted traffic flow is associated is infected with malware. The device causes performance of a mitigation action in the network when the malware detector determines that the particular host is infected with malware.

公开(公告)号：US20230231777A1

公开(公告)日：2023-07-20

申请号：US18125955

申请日：2023-03-24

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Martin Rehak ,  Blake Harrell Anderson ,  Sunil Amin

IPC: H04L41/28 ,  H04L9/40 ,  H04W12/12 ,  G06F21/55

CPC classification number: H04L41/28 ,  H04L63/1425 ,  H04L63/1441 ,  H04W12/12 ,  G06F21/55 ,  H04L63/14 ,  H04L67/143

Abstract: In one embodiment, a service receives administration traffic data in a network associated with a remote administration session in which a control device remotely administers a client device. The service analyzes the administration traffic data to determine whether any portion of the administration traffic data is resulting from an administration session involving a trusted administrator. The service flags a first portion of the administration traffic data as authorized when the first portion of the administration traffic data is determined to result from an administration session involving a trusted administrator, and a second portion of the administration traffic data is non-flagged. The service assesses the second portion of the administration traffic data using a machine learning-based traffic classifier to determine whether the second portion of the administration traffic data is malicious.

公开(公告)号：US11695792B2

公开(公告)日：2023-07-04

申请号：US17142533

申请日：2021-01-06

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  David McGrew

IPC: H04L29/06 ,  G06N20/00 ,  H04L12/24 ,  H04L12/851 ,  H04L9/40 ,  H04L41/16 ,  H04L47/2441

CPC classification number: H04L63/1425 ,  G06N20/00 ,  H04L41/16 ,  H04L47/2441 ,  H04L63/1458 ,  H04L63/306 ,  H04L2463/141 ,  H04L2463/144

Abstract: In one embodiment, a device in a network receives traffic data regarding a plurality of observed traffic flows. The device maps one or more characteristics of the observed traffic flows from the traffic data to traffic characteristics associated with a targeted deployment environment. The device generates synthetic traffic data based on the mapped traffic characteristics associated with the targeted deployment environment. The device trains a machine learning-based traffic classifier using the synthetic traffic data.

公开(公告)号：US20220345470A1

公开(公告)日：2022-10-27

申请号：US17861583

申请日：2022-07-11

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Blake Harrell Anderson ,  Ivan Nikolaev

IPC: H04L9/40 ,  H04L67/02 ,  H04L69/00 ,  H04L67/50

Abstract: In one embodiment, a device in a network receives a set of known user identifiers used in the network. The device receives web traffic log data regarding web traffic in the network. The web traffic log data includes header information captured from the web traffic and a plurality of client addresses associated with the web traffic. The device detects a particular one of the set of known user identifiers in the header information captured from the web traffic associated with a particular one of the plurality of client addresses. The device makes an association between the particular detected user identifier and the particular client address.

公开(公告)号：US11303664B2

公开(公告)日：2022-04-12

申请号：US16669831

申请日：2019-10-31

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Blake Harrell Anderson ,  Daniel G. Wing ,  Flemming Andreasen

IPC: H04L29/06 ,  H04L29/12 ,  H04L61/4511

Abstract: In one embodiment, a device in a network captures domain name system (DNS) response data from a DNS response sent by a DNS service to a client in the network. The device captures session data for an encrypted session of the client. The device makes a determination that the encrypted session is malicious by using the captured DNS response data and the captured session data as input to a machine learning-based or rule-based classifier. The device performs a mediation action in response to the determination that the encrypted session is malicious.

公开(公告)号：US11195120B2

公开(公告)日：2021-12-07

申请号：US15892475

申请日：2018-02-09

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  David McGrew ,  Subharthi Paul

IPC: G06N20/00 ,  H04L29/06

Abstract: Methods an systems to classify a training dataset of network data as a poisoned training dataset based on a first dataset-level classifier, identify and remove poison samples of the poisoned training dataset based on a sample-level classifier to produce a non-poisoned dataset, training a machine-based model to analyze network traffic based on the modified non-poisoned dataset, and analyze network traffic with the machine-based model.

公开(公告)号：US20210377283A1

公开(公告)日：2021-12-02

申请号：US17395968

申请日：2021-08-06

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  David McGrew ,  Subharthi Paul ,  Ivan Nikolaev ,  Martin Grill

IPC: H04L29/06

Abstract: In one embodiment, a device in a network receives certificate data for an encrypted traffic flow associated with a client node in the network. The device determines one or more data features from the certificate data. The device determines one or more flow characteristics of the encrypted traffic flow. The device performs a classification of an application executed by the client node and associated with the encrypted traffic flow by using a machine learning-based classifier to assess the one or more data features from the certificate data and the one or more flow characteristics of the traffic flow. The device causes performance of a network action based on a result of the classification of the application.