Publication number: US20240356935A1
Publication date: 2024-10-24
Application number: US18237282
Application date: 2023-08-23
Applicant: Cisco Technology, Inc.
Inventor: Michael Adam Polak, Veronika Andrea Polakova, Lukas Batrla
IPC: H04L9/40
CPC classification number: H04L63/1416
Abstract: Techniques for identifying malicious threats for investigation using network telemetry data. The techniques include the use of weak learner models to analyze data from multiple event sources. The techniques further include aggregating data signals from the weak learner models to generate a high-fidelity data signal of threat sources. The aggregated data signal can be sent to a Security Operations Center to provide a list of nodes with a high likelihood of malicious threats, along with convicting evidence to aid in investigating the identified nodes.
-
Publication number: US20250141893A1
Publication date: 2025-05-01
Application number: US18385591
Application date: 2023-10-31
Applicant: Cisco Technology, Inc.
Inventor: Michael Adam Polak, Martin Kopp, Vojtech Outrata
Abstract: Techniques described herein can perform obfuscation detection on command lines used at computing devices in a network. In response to detecting obfuscation in a command line, the disclosed techniques can output a notification for use in connection with network security analysis. The command line obfuscation detection techniques include pre-processing command line input data and converting command lines into token groups. The token groups are then provided as input to a natural language processor or other machine-learned model, which is trained to identify obfuscation probabilities associated with token groups and their corresponding command lines. A notification is generated to trigger further analysis in response to an obfuscation probability exceeding a threshold obfuscation probability.
-
Publication number: US20240356962A1
Publication date: 2024-10-24
Application number: US18368392
Application date: 2023-09-14
Applicant: Cisco Technology, Inc.
Inventor: Jaroslav Hlavac, Martin Kopp, Michael Adam Polak
IPC: H04L9/40
CPC classification number: H04L63/1441, H04L63/1416
Abstract: Techniques and architecture are described for automated threat response and remediation of incidents generated by single or multiple security products. The techniques and architecture provide a framework for automated threat response and remediation of such incidents, especially for extended detection and response (XDR) systems. In particular, the techniques and architecture provide for an automated threat response that is handled by an auto-analyst engine emulating the steps security analysts take during incident response and remediation. The automated threat response automatically confirms or disapproves of detection verdicts, thereby reducing the false positives that analysts usually have to deal with. If any actions are needed from a security analyst, a concise report of actions taken, gathered information and recommended next steps is provided by the automated threat response, significantly reducing the time and resources needed to resolve an incident.