INTRUSION DETECTION TO PREVENT IMPERSONATION ATTACKS IN COMPUTER NETWORKS
    1.
    Invention application
    INTRUSION DETECTION TO PREVENT IMPERSONATION ATTACKS IN COMPUTER NETWORKS (in force)
    Publication number: US20160344768A1

    Publication date: 2016-11-24

    Application number: US14717127

    Filing date: 2015-05-20

    CPC classification number: H04L63/1416 H04L63/1425 H04L63/1483

    Abstract: In an embodiment, a central computer performs a data processing method. The central computer receives telemetry data from intrusion sensors. The central computer stores authentication records in a hosts database. Each authentication record is based on the telemetry data and comprises a thumbprint of a public key certificate and a host identifier of a sender computer. The central computer receives a suspect record that was sent by a first intrusion sensor. The suspect record has a first particular thumbprint of a first particular public key certificate and a first particular host identifier of a suspect sender. From the hosts database, the central computer searches for a matching record having a same host identifier as the first particular host identifier of the suspect record and a same thumbprint as the first particular thumbprint of the suspect record. The central computer generates an intrusion alert when no matching record is found.

    INTRUSION DETECTION TO PREVENT IMPERSONATION ATTACKS IN COMPUTER NETWORKS

    Publication number: US20170272456A1

    Publication date: 2017-09-21

    Application number: US15616514

    Filing date: 2017-06-07

    CPC classification number: H04L63/1416 G06F21/552 H04L63/1425 H04L63/1483

    Abstract: In an embodiment, a central computer performs a data processing method. The central computer receives telemetry data from intrusion sensors. The central computer stores authentication records in a hosts database. Each authentication record is based on the telemetry data and comprises a thumbprint of a public key certificate and a host identifier of a sender computer. The central computer receives a suspect record that was sent by a first intrusion sensor. The suspect record has a first particular thumbprint of a first particular public key certificate and a first particular host identifier of a suspect sender. From the hosts database, the central computer searches for a matching record having a same host identifier as the first particular host identifier of the suspect record and a same thumbprint as the first particular thumbprint of the suspect record. The central computer generates an intrusion alert when no matching record is found.
