REFINING SYNTHETIC MALICIOUS SAMPLES WITH UNLABELED DATA

    Publication number: US20190260775A1

    Publication date: 2019-08-22

    Application number: US15898789

    Filing date: 2018-02-19

    Abstract: In one embodiment, a security device in a computer network determines a plurality of values for a plurality of features from samples of known malware, and computes one or more significant values out of the plurality of values, where each of the one or more significant values occurs across greater than a significance threshold of the samples. The security device may then determine feature values for samples of unlabeled traffic, and declares one or more particular samples of unlabeled traffic as synthetic malicious flow samples in response to all feature values for each synthetic malicious flow sample matching a respective one of the significant values for each corresponding respective feature. The security device may then use the samples of known malware and the synthetic malicious flow samples for model-based malware detection.

    REFINED LEARNING DATA REPRESENTATION FOR CLASSIFIERS

    Publication number: US20170316342A1

    Publication date: 2017-11-02

    Application number: US15143792

    Filing date: 2016-05-02

    CPC classification number: G06N20/00 G06F17/11 G06F21/552 G06N20/10 H04L63/1425

    Abstract: In one embodiment, a learning machine device initializes thresholds of a data representation of one or more data features, the thresholds specifying a first number of pre-defined bins (e.g., uniform and equidistant bins). Next, adjacent bins of the pre-defined bins having substantially similar weights may be reciprocally merged, the merging resulting in a second number of refined bins that is less than the first number. Notably, while merging, the device also learns weights of a linear decision rule associated with the one or more data features. Accordingly, a data-driven representation for a data-driven classifier may be established based on the refined bins and learned weights.

    Refining synthetic malicious samples with unlabeled data

    Publication number: US10917421B2

    Publication date: 2021-02-09

    Application number: US15898789

    Filing date: 2018-02-19

    Abstract: In one embodiment, a security device in a computer network determines a plurality of values for a plurality of features from samples of known malware, and computes one or more significant values out of the plurality of values, where each of the one or more significant values occurs across greater than a significance threshold of the samples. The security device may then determine feature values for samples of unlabeled traffic, and declares one or more particular samples of unlabeled traffic as synthetic malicious flow samples in response to all feature values for each synthetic malicious flow sample matching a respective one of the significant values for each corresponding respective feature. The security device may then use the samples of known malware and the synthetic malicious flow samples for model-based malware detection.

    Learning detector of malicious network traffic from weak labels

    Publication number: US09923912B2

    Publication date: 2018-03-20

    Application number: US14960086

    Filing date: 2015-12-04

    CPC classification number: H04L63/1425 G06F21/53 H04L63/0281

    Abstract: Techniques are presented that identify malware network communications between a computing device and a server utilizing a detector process. Network traffic records are classified as either malware or legitimate network traffic records and divided into groups of classified network traffic records associated with network communications between the computing device and the server for a predetermined period of time. A group of classified network traffic records is labeled as malicious when at least one of the classified network traffic records in the group is malicious and as legitimate when none of the classified network traffic records in the group is malicious to obtain a labeled group of classified network traffic records. A detector process is trained on individual classified network traffic records in the labeled group of classified network traffic records and network communication between the computing device and the server is identified as malware network communication utilizing the detector process.

    LEARNING DETECTOR OF MALICIOUS NETWORK TRAFFIC FROM WEAK LABELS (invention application, in force)

    Publication number: US20170063893A1

    Publication date: 2017-03-02

    Application number: US14960086

    Filing date: 2015-12-04

    CPC classification number: H04L63/1425 G06F21/53 H04L63/0281

    Abstract: Techniques are presented that identify malware network communications between a computing device and a server utilizing a detector process. Network traffic records are classified as either malware or legitimate network traffic records and divided into groups of classified network traffic records associated with network communications between the computing device and the server for a predetermined period of time. A group of classified network traffic records is labeled as malicious when at least one of the classified network traffic records in the group is malicious and as legitimate when none of the classified network traffic records in the group is malicious to obtain a labeled group of classified network traffic records. A detector process is trained on individual classified network traffic records in the labeled group of classified network traffic records and network communication between the computing device and the server is identified as malware network communication utilizing the detector process.