Patents by Inventor David McGrew

David McGrew has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20180332053
    Abstract: In one embodiment, a device in a network receives an access policy and a class behavioral model for a node in the network that are associated with a class asserted by the node. The device applies the access policy and class behavioral model to traffic associated with the node. The device identifies a deviation in a behavior of the node from the class behavioral model, based on the application of the class behavioral model to the traffic associated with the node. The device causes performance of a mitigation action in the network based on the identified deviation in the behavior of the node from the class behavioral model.
    Type: Application
    Filed: May 15, 2017
    Publication date: November 15, 2018
    Inventors: Brian E. Weis, Blake Harrell Anderson, Rashmikant B. Shah, David McGrew
  • Publication number: 20180278629
    Abstract: In one embodiment, a device in a network receives telemetry data regarding a traffic flow in the network. One or more features in the telemetry data are individually compressed. The device extracts the one or more individually compressed features from the received telemetry data. The device performs a lookup of one or more classifier inputs from an index of classifier inputs using the one or more individually compressed features from the received telemetry data. The device classifies the traffic flow by inputting the one or more classifier inputs to a machine learning-based classifier.
    Type: Application
    Filed: March 27, 2017
    Publication date: September 27, 2018
    Inventors: David McGrew, Blake Harrell Anderson
  • Publication number: 20180191748
    Abstract: In one embodiment, a device in a network receives a set of known user identifiers used in the network. The device receives web traffic log data regarding web traffic in the network. The web traffic log data includes header information captured from the web traffic and a plurality of client addresses associated with the web traffic. The device detects a particular one of the set of known user identifiers in the header information captured from the web traffic associated with a particular one of the plurality of client addresses. The device makes an association between the particular detected user identifier and the particular client address.
    Type: Application
    Filed: January 5, 2017
    Publication date: July 5, 2018
    Inventors: David McGrew, Blake Harrell Anderson, Ivan Nikolaev
  • Publication number: 20180189677
    Abstract: In one embodiment, a device in a network generates a feature vector based on traffic flow data regarding one or more traffic flows in the network. The device makes a determination as to whether the generated feature vector is already represented in a training dataset dictionary by one or more feature vectors in the dictionary. The device updates the training dataset dictionary based on the determination by one of: adding the generated feature vector to the dictionary when the generated feature vector is not already represented by one or more feature vectors in the dictionary, or incrementing a count associated with a particular feature vector in the dictionary when the generated feature vector is already represented by the particular feature vector in the dictionary. The device generates a training dataset based on the training dataset dictionary for training a machine learning-based traffic flow analyzer.
    Type: Application
    Filed: January 5, 2017
    Publication date: July 5, 2018
    Inventors: Blake Harrell Anderson, David McGrew
  • Publication number: 20180152467
    Abstract: In one embodiment, a device in a network receives traffic data regarding a plurality of observed traffic flows. The device maps one or more characteristics of the observed traffic flows from the traffic data to traffic characteristics associated with a targeted deployment environment. The device generates synthetic traffic data based on the mapped traffic characteristics associated with the targeted deployment environment. The device trains a machine learning-based traffic classifier using the synthetic traffic data.
    Type: Application
    Filed: November 30, 2016
    Publication date: May 31, 2018
    Inventors: Blake Harrell Anderson, David McGrew
  • Publication number: 20180139141
    Abstract: In one embodiment, a networking device in a network detects a traffic flow conveyed in the network via the networking device. The networking device generates flow data for the traffic flow. The networking device performs a classification of the traffic flow using the flow data as input to a machine learning-based classifier. The networking device performs a mediation action based on the classification of the traffic flow.
    Type: Application
    Filed: November 17, 2016
    Publication date: May 17, 2018
    Inventors: Michael Joseph Stepanek, Costas Kleopa, David McGrew, Blake Harrell Anderson, Saravanan Radhakrishnan
  • Publication number: 20180139214
    Abstract: In one embodiment, a device in a network receives certificate data for an encrypted traffic flow associated with a client node in the network. The device determines one or more data features from the certificate data. The device determines one or more flow characteristics of the encrypted traffic flow. The device performs a classification of an application executed by the client node and associated with the encrypted traffic flow by using a machine learning-based classifier to assess the one or more data features from the certificate data and the one or more flow characteristics of the traffic flow. The device causes performance of a network action based on a result of the classification of the application.
    Type: Application
    Filed: November 16, 2016
    Publication date: May 17, 2018
    Inventors: Blake Harrell Anderson, David McGrew, Subharthi Paul, Ivan Nikolaev, Martin Grill
  • Publication number: 20180103056
    Abstract: In one embodiment, a device in a network detects an encrypted traffic flow associated with a client in the network. The device captures contextual traffic data regarding the encrypted traffic flow from one or more unencrypted packets associated with the client. The device performs a classification of the encrypted traffic flow by using the contextual traffic data as input to a machine learning-based classifier. The device generates an alert based on the classification of the encrypted traffic flow.
    Type: Application
    Filed: October 6, 2016
    Publication date: April 12, 2018
    Inventors: Jan Kohout, Blake Harrell Anderson, Martin Grill, David McGrew, Martin Kopp, Tomas Pevny
  • Publication number: 20180097835
    Abstract: In one embodiment, a device in a network captures domain name system (DNS) response data from a DNS response sent by a DNS service to a client in the network. The device captures session data for an encrypted session of the client. The device makes a determination that the encrypted session is malicious by using the captured DNS response data and the captured session data as input to a machine learning-based or rule-based classifier. The device performs a mediation action in response to the determination that the encrypted session is malicious.
    Type: Application
    Filed: October 5, 2016
    Publication date: April 5, 2018
    Inventors: David McGrew, Blake Harrell Anderson, Daniel G. Wing, Flemming Andreasen
  • Patent number: 9894055
    Abstract: An authentication request is generated when a user of a client device attempts to initiate a user session with an application managed by a service provider. An authentication response is generated based on credentials received from the user. The authentication response includes an assertion on behalf of the user. A delivery resource locator for the assertion is rewritten to a resource locator of a proxy in order to redirect the assertion to the proxy. The authentication response is sent to the client device together with the resource locator of the proxy in order to cause the client device to send the assertion to the proxy that decodes the re-written resource locator and sends the assertion to the service provider.
    Type: Grant
    Filed: January 29, 2016
    Date of Patent: February 13, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: Vincent E. Parla, David McGrew, Andrzej Kielbasinski
  • Publication number: 20180007084
    Abstract: In one embodiment, a device in a network receives an attack mitigation request regarding traffic in the network. The device causes an assessment of the traffic, in response to the attack mitigation request. The device determines that an attack detector associated with the attack mitigation request incorrectly assessed the traffic, based on the assessment of the traffic. The device causes an update to an attack detection model of the attack detector, in response to determining that the attack detector incorrectly assessed the traffic.
    Type: Application
    Filed: August 24, 2016
    Publication date: January 4, 2018
    Inventors: K. Tirumaleswar Reddy, Daniel G. Wing, Blake Harrell Anderson, David McGrew
  • Publication number: 20170374089
    Abstract: In one embodiment, a device in a first network receives traffic flow information regarding a plurality of traffic flows in the first network. The device labels the traffic flow information by associating classifier labels to the traffic flow information. The device receives a generic traffic classifier that was trained using a training data set that comprises labeled traffic flow information for a plurality of other networks and excludes the traffic flow information regarding the plurality of traffic flows in the first network. The device acclimates the generic traffic classifier to the first network using the labeled traffic flow information regarding the plurality of traffic flows in the first network.
    Type: Application
    Filed: June 23, 2016
    Publication date: December 28, 2017
    Inventors: Blake Harrell Anderson, David McGrew
  • Publication number: 20170374016
    Abstract: In one embodiment, a device in a network receives domain name system (DNS) information for a domain. The DNS information includes one or more service tags indicative of one or more services offered by the domain. The device detects an encrypted traffic flow associated with the domain. The device identifies a service associated with the encrypted traffic flow based on the one or more service tags. The device prioritizes the encrypted traffic flow based on the identified service associated with the encrypted traffic flow.
    Type: Application
    Filed: June 23, 2016
    Publication date: December 28, 2017
    Inventors: K. Tirumaleswar Reddy, David McGrew, Blake Harrell Anderson, Daniel G. Wing
  • Publication number: 20170374090
    Abstract: In one embodiment, a device in a network receives traffic data regarding one or more traffic flows in the network. The device applies a machine learning classifier to the traffic data. The device determines a priority for the traffic data based in part on an output of the machine learning classifier. The output of the machine learning classifier comprises a probability of the traffic data belonging to a particular class. The device stores the traffic data for a period of time that is a function of the determined priority for the traffic data.
    Type: Application
    Filed: June 23, 2016
    Publication date: December 28, 2017
    Inventors: David McGrew, Blake Harrell Anderson, K. Tirumaleswar Reddy, Prashanth Patil, Daniel G. Wing
  • Patent number: 9781139
    Abstract: Techniques are presented to identify malware communication with domain generation algorithm (DGA) generated domains. Sample domain names are obtained and labeled as DGA domains, non-DGA domains or suspicious domains. A classifier is trained in a first stage based on the sample domain names. Sample proxy logs including proxy logs of DGA domains and proxy logs of non-DGA domains are obtained to train the classifier in a second stage based on the plurality of sample domain names and the plurality of sample proxy logs. Live traffic proxy logs are obtained and the classifier is tested by classifying the live traffic proxy logs as DGA proxy logs, and the classifier is forwarded to a second computing device to identify network communication of a third computing device as malware network communication with DGA domains via a network interface unit of the third computing device based on the trained and tested classifier.
    Type: Grant
    Filed: July 22, 2015
    Date of Patent: October 3, 2017
    Assignee: Cisco Technology, Inc.
    Inventors: Michal Sofka, Lukas Machlica, Karel Bartos, David McGrew
  • Publication number: 20170272456
    Abstract: In an embodiment, a central computer performs a data processing method. The central computer receives telemetry data from intrusion sensors. The central computer stores authentication records in a hosts database. Each authentication record is based on the telemetry data and comprises a thumbprint of a public key certificate and a host identifier of a sender computer. The central computer receives a suspect record that was sent by a first intrusion sensor. The suspect record has a first particular thumbprint of a first particular public key certificate and a first particular host identifier of a suspect sender. From the hosts database, the central computer searches for a matching record having a same host identifier as the first particular host identifier of the suspect record and a same thumbprint as the first particular thumbprint of the suspect record. The central computer generates an intrusion alert when no matching record is found.
    Type: Application
    Filed: June 7, 2017
    Publication date: September 21, 2017
    Inventors: David McGrew, Titouan Rigoudy
  • Patent number: 9699202
    Abstract: In an embodiment, a central computer performs a data processing method. The central computer receives telemetry data from intrusion sensors. The central computer stores authentication records in a hosts database. Each authentication record is based on the telemetry data and comprises a thumbprint of a public key certificate and a host identifier of a sender computer. The central computer receives a suspect record that was sent by a first intrusion sensor. The suspect record has a first particular thumbprint of a first particular public key certificate and a first particular host identifier of a suspect sender. From the hosts database, the central computer searches for a matching record having a same host identifier as the first particular host identifier of the suspect record and a same thumbprint as the first particular thumbprint of the suspect record. The central computer generates an intrusion alert when no matching record is found.
    Type: Grant
    Filed: May 20, 2015
    Date of Patent: July 4, 2017
    Assignee: Cisco Technology, Inc.
    Inventors: David McGrew, Titouan Rigoudy
  • Patent number: 9674204
    Abstract: A method of providing anti-replay protection, authentication, and encryption with minimal data overhead is provided. A sender uses an arbitrary-length pseudorandom permutation to encrypt messages that include plaintext and successively increasing sequence numbers, to produce ciphertext messages. The sender transmits the ciphertext messages. A receiver receives the ciphertext messages and, for each received ciphertext message, performs the following operations. The receiver decrypts the given ciphertext message to recover plaintext and a candidate sequence number from the message. The receiver determines if the candidate sequence number is in any one of multiple non-contiguous acceptable sequence number windows having respective sequence number ranges that are based on at least one of a highest sequence number previously accepted and a last sequence number that was previously rejected, as established based on processing of previously received ciphertext messages.
    Type: Grant
    Filed: December 9, 2015
    Date of Patent: June 6, 2017
    Assignee: Cisco Technology, Inc.
    Inventors: David McGrew, John Foley
  • Publication number: 20170026390
    Abstract: Techniques are presented to identify malware communication with domain generation algorithm (DGA) generated domains. Sample domain names are obtained and labeled as DGA domains, non-DGA domains or suspicious domains. A classifier is trained in a first stage based on the sample domain names. Sample proxy logs including proxy logs of DGA domains and proxy logs of non-DGA domains are obtained to train the classifier in a second stage based on the plurality of sample domain names and the plurality of sample proxy logs. Live traffic proxy logs are obtained and the classifier is tested by classifying the live traffic proxy logs as DGA proxy logs, and the classifier is forwarded to a second computing device to identify network communication of a third computing device as malware network communication with DGA domains via a network interface unit of the third computing device based on the trained and tested classifier.
    Type: Application
    Filed: July 22, 2015
    Publication date: January 26, 2017
    Inventors: Michal Sofka, Lukas Machlica, Karel Bartos, David McGrew
  • Publication number: 20170019423
    Abstract: A server sends information to a client that allows the client to establish a first key at the client. The server then receives a session ID that has been encrypted using the first key. The first key is then established at the server, which can then decrypt the session ID using the first key. After the server validates the session ID, it determines a second key that is different from the first key. The server then receives the session ID encrypted with the second key, and decrypts the session ID encrypted with the second key.
    Type: Application
    Filed: July 16, 2015
    Publication date: January 19, 2017
    Inventors: James Anil Pramod Kotwal, Christopher Blayne Dreier, David Aaron Wyde, Kellen Mac Arb, David McGrew, Scott Fluhrer