-
Publication number: US20210360004A1
Publication date: 2021-11-18
Application number: US17360910
Filing date: 2021-06-28
Applicant: Cisco Technology, Inc.
Inventor: David McGrew, ANDREW ZAWADOWSKIY, DONOVAN O'HARA, SARAVANAN RADHAKRISHNAN, TOMAS PEVNY, DANIEL G. WING
IPC: H04L29/06
Abstract: A method comprises receiving, at a network infrastructure device, a flow of packets, determining, using the network infrastructure device and for a first subset of the packets, that the first subset corresponds to a first datagram and determining a first length of the first datagram, determining, using the network infrastructure device and for a second subset of the packets, that the second subset corresponds to a second datagram that was received after the first datagram, and determining a second length of the second datagram, determining, using the network infrastructure device, a duration value between a first arrival time of the first datagram and a second arrival time of the second datagram, sending, to a collector device that is separate from the network infrastructure device, the first length, the second length, and the duration value for analysis.
-
Publication number: US20160352761A1
Publication date: 2016-12-01
Application number: US14820265
Filing date: 2015-08-06
Applicant: Cisco Technology, Inc.
Inventor: DAVID MCGREW, ANDREW ZAWADOWSKIY, DONOVAN O'HARA, SARAVANAN RADHAKRISHNAN, TOMAS PEVNY, DANIEL G. WING
IPC: H04L29/06
CPC classification number: H04L63/145, H04L63/1408, H04L63/166, H04L69/16, H04L2463/121
Abstract: A method comprises receiving, at a network infrastructure device, a flow of packets, determining, using the network infrastructure device and for a first subset of the packets, that the first subset corresponds to a first datagram and determining a first length of the first datagram, determining, using the network infrastructure device and for a second subset of the packets, that the second subset corresponds to a second datagram that was received after the first datagram, and determining a second length of the second datagram, determining, using the network infrastructure device, a duration value between a first arrival time of the first datagram and a second arrival time of the second datagram, sending, to a collector device that is separate from the network infrastructure device, the first length, the second length, and the duration value for analysis.
-
Publication number: US20160021122A1
Publication date: 2016-01-21
Application number: US14331486
Filing date: 2014-07-15
Applicant: Cisco Technology, Inc.
Inventor: TOMAS PEVNY
IPC: H04L29/06
CPC classification number: H04L63/1425
Abstract: In an embodiment, the method comprises receiving network performance data for a computer network; receiving, from an intrusion detection system, network anomaly data indicating a plurality of anomalies that have occurred in the computer network; based, at least in part, on the network performance data and the network anomaly data, generating feature data; for each anomaly of the plurality of anomalies, using the feature data to determine a minimal set of features that distinguishes the anomaly from non-anomalies in the plurality of anomalies, and creating a mapping of the anomaly to the minimal set of features; based at least in part on the mapping, generating explanation rules for the plurality of anomalies; for a particular anomaly, identifying a particular rule of the explanation rules that is associated with the particular anomaly, and generating explanation data for the particular anomaly based upon the particular rule.
-
Publication number: US20190230095A1
Publication date: 2019-07-25
Application number: US16370853
Filing date: 2019-03-29
Applicant: Cisco Technology, Inc.
Inventor: DAVID MCGREW, ANDREW ZAWADOWSKIY, DONOVAN O'HARA, SARAVANAN RADHAKRISHNAN, TOMAS PEVNY, DANIEL G. WING
IPC: H04L29/06
Abstract: A method comprises receiving, at a network infrastructure device, a flow of packets, determining, using the network infrastructure device and for a first subset of the packets, that the first subset corresponds to a first datagram and determining a first length of the first datagram, determining, using the network infrastructure device and for a second subset of the packets, that the second subset corresponds to a second datagram that was received after the first datagram, and determining a second length of the second datagram, determining, using the network infrastructure device, a duration value between a first arrival time of the first datagram and a second arrival time of the second datagram, sending, to a collector device that is separate from the network infrastructure device, the first length, the second length, and the duration value for analysis.
-
Publication number: US20160036844A1
Publication date: 2016-02-04
Application number: US14879425
Filing date: 2015-10-09
Applicant: Cisco Technology, Inc.
Inventor: MARTIN KOPP, TOMAS PEVNY
CPC classification number: H04L63/1425, G06F17/30327, G06N5/045, G06N99/005, H04L63/1416
Abstract: In an embodiment, the method comprises receiving an identification of an anomaly associated with a false positive identification of a security threat by the intrusion detection system, wherein a first set of feature data identifies features of the anomaly; creating a plurality of training sets each comprising identifications of a plurality of samples of network communications; for the anomaly and each training set of the plurality of training sets, training a decision tree that is stored in digital memory of the security analysis computer; based at least in part on the plurality of trained decision trees, extracting a set of features that distinguish the anomaly from the plurality of samples; generating one or more rules associated with the anomaly from the extracted set of features and causing programming the security analysis computer with the one or more rules.
-