-
Publication No.: US20240356935A1
Publication Date: 2024-10-24
Application No.: US18237282
Filing Date: 2023-08-23
Applicant: Cisco Technology, Inc.
Inventor: Michael Adam Polak , Veronika Andrea Polakova , Lukas Batrla
IPC: H04L9/40
CPC classification number: H04L63/1416
Abstract: Techniques for identifying malicious threats for investigation using network telemetry data. The techniques include the use of weak learner models to analyze data from multiple event sources. The techniques further include aggregating the data signals from the weak learner models to generate a high-fidelity data signal of threat sources. The aggregated data signal can be sent to a Security Operations Center to provide a list of nodes with a high likelihood of malicious threats, along with convicting evidence to aid in investigating the identified nodes.
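To make the abstract concrete, the following is an added illustration of the weak-learner-plus-aggregation pattern. It is not the patented method and not Cisco code: the three weak learners (DGA-like DNS labels, beaconing flows, fleet-unique user agents), the per-learner reliability weights, the noisy-OR combination rule and the sample telemetry are all constructed here. Each learner emits a low-confidence score per node together with the evidence behind it; the aggregator combines the scores into one ranking and carries the evidence along so an analyst receives both the verdict and the reason.

```python
import math
from collections import defaultdict
from statistics import mean, pstdev

# --- Constructed sample telemetry (not real data) ---------------------------
# DNS: (node, queried domain). 10.0.0.5 resolves two random-looking labels.
DNS_EVENTS = [
    ("10.0.0.5", "xk3q9z7v1pl2.example.net"),
    ("10.0.0.5", "q8w2e4r6t9y1.example.net"),
    ("10.0.0.5", "cdn.example.org"),
    ("10.0.0.7", "mail.example.org"),
    ("10.0.0.7", "cdn.example.org"),
    ("10.0.0.9", "cdn.example.org"),
]
# Flows: (src, dst, timestamp in seconds). 10.0.0.5 calls out every ~60 s.
FLOW_EVENTS = [
    ("10.0.0.5", "203.0.113.10", 0), ("10.0.0.5", "203.0.113.10", 60),
    ("10.0.0.5", "203.0.113.10", 121), ("10.0.0.5", "203.0.113.10", 180),
    ("10.0.0.5", "203.0.113.10", 241), ("10.0.0.5", "203.0.113.10", 300),
    ("10.0.0.7", "198.51.100.20", 0), ("10.0.0.7", "198.51.100.20", 17),
    ("10.0.0.7", "198.51.100.20", 400), ("10.0.0.7", "198.51.100.20", 415),
    ("10.0.0.7", "198.51.100.20", 900),
]
# Proxy: (node, user agent).
PROXY_EVENTS = [
    ("10.0.0.5", "curl/7.0-custom"),
    ("10.0.0.7", "Mozilla/5.0"),
    ("10.0.0.9", "Mozilla/5.0"),
    ("10.0.0.9", "python-requests/2.31"),
]

def _label_entropy(domain):
    """Shannon entropy (bits) of the leftmost DNS label."""
    label = domain.split(".")[0]
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def dns_learner(events, threshold=3.5):
    """Weak learner 1: share of a node's lookups whose label looks machine-generated."""
    per_node = defaultdict(list)
    for node, domain in events:
        per_node[node].append(domain)
    out = {}
    for node, domains in per_node.items():
        flagged = [d for d in domains if _label_entropy(d) > threshold]
        if flagged:
            out[node] = (len(flagged) / len(domains),
                         [f"dns: high-entropy lookup {d}" for d in flagged])
    return out

def beacon_learner(events, min_flows=5, max_cv=0.25):
    """Weak learner 2: near-constant inter-arrival time to one destination (beaconing).
    Score is 1 - coefficient of variation of the gaps; irregular traffic scores 0."""
    pairs = defaultdict(list)
    for src, dst, ts in events:
        pairs[(src, dst)].append(ts)
    out = {}
    for (src, dst), stamps in pairs.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        cv = pstdev(gaps) / mean(gaps)
        if cv < max_cv:
            prev_score, prev_ev = out.get(src, (0.0, []))
            out[src] = (max(prev_score, 1.0 - cv), prev_ev + [
                f"flow: {len(stamps)} connections to {dst}, ~{mean(gaps):.0f}s apart (cv={cv:.2f})"])
    return out

def rare_ua_learner(events):
    """Weak learner 3: share of a node's user agents that no other node in the fleet uses."""
    nodes_by_ua, uas_by_node = defaultdict(set), defaultdict(set)
    for node, ua in events:
        nodes_by_ua[ua].add(node)
        uas_by_node[node].add(ua)
    out = {}
    for node, uas in uas_by_node.items():
        rare = [ua for ua in uas if len(nodes_by_ua[ua]) == 1]
        if rare:
            out[node] = (len(rare) / len(uas),
                         [f"proxy: user agent unique to this node: {ua}" for ua in rare])
    return out

def aggregate(learner_outputs):
    """Noisy-OR combination: P(malicious) = 1 - prod_i(1 - w_i * s_i).
    w_i is a per-learner reliability weight (constructed here, would be calibrated in practice)."""
    benign, evidence = defaultdict(lambda: 1.0), defaultdict(list)
    for weight, signals in learner_outputs:
        for node, (score, ev) in signals.items():
            benign[node] *= 1.0 - weight * score
            evidence[node].extend(ev)
    ranked = sorted(((1.0 - benign[n], n, evidence[n]) for n in benign), reverse=True)
    return [{"node": n, "score": round(s, 3), "evidence": ev} for s, n, ev in ranked]

def triage_report(dns=DNS_EVENTS, flows=FLOW_EVENTS, proxy=PROXY_EVENTS, min_score=0.1):
    """Run every weak learner over its own source, combine, and return what the SOC sees."""
    outputs = [(0.6, dns_learner(dns)), (0.8, beacon_learner(flows)), (0.3, rare_ua_learner(proxy))]
    return [r for r in aggregate(outputs) if r["score"] >= min_score]

if __name__ == "__main__":
    for row in triage_report():
        print(row["node"], row["score"], *row["evidence"], sep="\n  ")
```

Only 10.0.0.5, which trips all three learners, reaches a high combined score; 10.0.0.9, flagged by the weakest learner alone, stays near the floor, and 10.0.0.7 never appears. That is the point of the weighting: no single weak learner can convict a node on its own, and the evidence list shows which sources contributed.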
-
Publication No.: US20240356934A1
Publication Date: 2024-10-24
Application No.: US18231817
Filing Date: 2023-08-09
Applicant: Cisco Technology, Inc.
Inventor: Cenek Skarda , Roman Sushkov , Martin Kopp , Lukas Batrla
CPC classification number: H04L63/1416 , H04L41/16 , H04L63/20
Abstract: Techniques described herein for extended detection and response to security anomalies in computing networks can perform automated analysis of anomalies occurring in different telemetry sources in a computer network, in order to synthesize the anomalies into analyst work units that are surfaced for further analysis by security response teams. Anomalies can initially be processed in order to identify and collect extended anomaly data. The extended anomaly data can then be used to group the anomalies according to a multi-stage grouping process which produces analyst work units. The analyst work units can be processed to produce analyst summaries that assist with analysis and response. Furthermore, the analyst work units can be prioritized for further analysis, and analyst interactions with the prioritized analyst work units can be used to influence subsequent anomaly grouping operations.
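The pipeline the abstract outlines (extend, group in stages, summarize, prioritize, learn from analyst verdicts) is illustrated below in an added example that is not the patented implementation and not Cisco code. The asset inventory, the anomaly records, the two grouping stages (by host, then by shared user within a time window), the priority formula and the feedback rule are all constructed here. Feedback enters the next run in two ways: per-source weights change the ranking, and a work unit whose anomalies all come from sources the analyst has repeatedly dismissed is no longer surfaced on its own.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Anomaly:
    id: str
    source: str      # telemetry source that raised it (edr, netflow, auth, ...)
    host: str
    user: str
    ts: int          # seconds (constructed timeline)
    severity: float  # detector confidence, 0..1

# Constructed asset inventory used to extend raw anomalies with context.
ASSETS = {
    "db01": {"criticality": 1.0, "owner": "dba-team"},
    "ws17": {"criticality": 0.4, "owner": "alice"},
    "ws22": {"criticality": 0.4, "owner": "bob"},
}

# Constructed anomalies from three telemetry sources (not real detections).
# a1-a3 form a chain: alice's workstation, then alice logging on to the database.
ANOMALIES = [
    Anomaly("a1", "edr", "ws17", "alice", 100, 0.7),
    Anomaly("a2", "netflow", "ws17", "alice", 130, 0.5),
    Anomaly("a3", "auth", "db01", "alice", 200, 0.8),
    Anomaly("a4", "netflow", "ws22", "bob", 5000, 0.3),
    Anomaly("a5", "edr", "ws22", "bob", 5100, 0.6),
]

SUPPRESS_BELOW = 0.5  # a source weighted below this cannot carry a work unit alone

def extend(anomaly):
    """Step 1: attach asset context, the 'extended anomaly data'."""
    asset = ASSETS.get(anomaly.host, {"criticality": 0.2, "owner": "unknown"})
    return {"anomaly": anomaly, **asset}

def group_by_host(extended):
    """Grouping stage 1: one candidate group per host."""
    groups = defaultdict(list)
    for e in extended:
        groups[e["anomaly"].host].append(e)
    return list(groups.values())

def _linked(g1, g2, window):
    """Two groups are linked if any pair of anomalies shares a user within `window` seconds."""
    return any(a["anomaly"].user == b["anomaly"].user
               and abs(a["anomaly"].ts - b["anomaly"].ts) <= window
               for a in g1 for b in g2)

def merge_linked(groups, window=600):
    """Grouping stage 2: merge host groups chained by the same user in time
    (workstation -> database), so one chain becomes one analyst work unit."""
    merged = []
    for g in groups:
        for m in merged:
            if _linked(g, m, window):
                m.extend(g)
                break
        else:
            merged.append(list(g))
    return merged

def summarize(unit):
    """Analyst summary: what, where, who, and over how long."""
    a = [e["anomaly"] for e in unit]
    span = max(x.ts for x in a) - min(x.ts for x in a)
    return (f"{len(a)} anomalies from {', '.join(sorted({x.source for x in a}))} "
            f"on {', '.join(sorted({x.host for x in a}))} "
            f"(user {', '.join(sorted({x.user for x in a}))}), {span}s span")

def prioritize(units, weights):
    """Rank work units by severity x asset criticality x per-source feedback weight."""
    ranked = []
    for unit in units:
        score = sum(e["anomaly"].severity * e["criticality"]
                    * weights.get(e["anomaly"].source, 1.0) for e in unit)
        ranked.append({"score": round(score, 3), "summary": summarize(unit),
                       "ids": [e["anomaly"].id for e in unit],
                       "sources": sorted({e["anomaly"].source for e in unit})})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)

def apply_feedback(weights, result, verdict, step=0.2):
    """An analyst verdict on a surfaced work unit nudges the weight of every source in it."""
    new = dict(weights)
    delta = step if verdict == "true_positive" else -step
    for src in result["sources"]:
        new[src] = min(2.0, max(0.1, new.get(src, 1.0) + delta))
    return new

def run(anomalies=ANOMALIES, weights=None, window=600):
    """One pass of the pipeline; `weights` carries feedback from earlier passes."""
    weights = weights or {}
    units = merge_linked(group_by_host([extend(a) for a in anomalies]), window)
    # Feedback influences grouping: drop units made only of suppressed sources.
    units = [u for u in units
             if any(weights.get(e["anomaly"].source, 1.0) >= SUPPRESS_BELOW for e in u)]
    return prioritize(units, weights)

if __name__ == "__main__":
    results = run()
    for r in results:
        print(r["score"], r["summary"])
    w = {}
    for _ in range(3):  # analyst dismisses the ws22 unit three times
        w = apply_feedback(w, results[1], "false_positive")
    print("after feedback:", [(r["score"], r["ids"]) for r in run(weights=w)])
```

The first pass yields two work units: the alice chain across ws17 and db01 (scored 1.28, boosted by the critical asset) and the bob pair on ws22 (0.36). After the bob unit is dismissed three times, netflow and edr fall to weight 0.4, so the second pass surfaces only the alice chain; that chain survives because its auth anomaly still carries full weight, which is the reason suppression is applied per work unit rather than per anomaly.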
-