Patents by Inventor David McGrew

David McGrew has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10257214
    Abstract: In one embodiment, a device in a network receives traffic data regarding one or more traffic flows in the network. The device applies a machine learning classifier to the traffic data. The device determines a priority for the traffic data based in part on an output of the machine learning classifier. The output of the machine learning classifier comprises a probability of the traffic data belonging to a particular class. The device stores the traffic data for a period of time that is a function of the determined priority for the traffic data.
    Type: Grant
    Filed: June 23, 2016
    Date of Patent: April 9, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: David McGrew, Blake Harrell Anderson, K. Tirumaleswar Reddy, Prashanth Patil, Daniel G. Wing
  • Publication number: 20190068362
    Abstract: In one embodiment, an apparatus captures a memory dump of a device in a sandbox environment executing a malware sample. The apparatus identifies a cryptographic key based on a particular data structure in the captured memory dump. The apparatus uses the identified cryptographic key to decrypt encrypted traffic sent by the device. The apparatus labels at least a portion of the decrypted traffic sent by the device as benign. The apparatus trains a machine learning-based traffic classifier based on the at least a portion of the decrypted traffic sent by the device and labeled as benign.
    Type: Application
    Filed: August 31, 2017
    Publication date: February 28, 2019
    Inventors: BLAKE HARRELL ANDERSON, Andrew Chi, David McGrew, Scott William Dunlop
  • Publication number: 20190052462
    Abstract: A server sends information to a client that allows the client to establish a first key at the client. The server then receives a session ID that has been encrypted using the first key. The first key is then established at the server, which can then decrypt the session ID using the first key. After the server validates the session ID, it determines a second key that is different from the first key. The server then receives the session ID encrypted with the second key, and decrypts the session ID encrypted with the second key.
    Type: Application
    Filed: October 18, 2018
    Publication date: February 14, 2019
    Inventors: James Anil Pramod Kotwal, Chritopher Blayne Dreier, David Aaron Wyde, Kellen Mac Arb, David McGrew, Scott Fluhrer
  • Patent number: 10205641
    Abstract: A method and related apparatus for performing inspection of flows within a software defined network includes identifying a security appliance within a software defined network, identifying candidate traffic flows flowing in the software defined network to be inspected, selecting one of the candidate traffic flows for security inspection, and communicating with a software defined network controller to cause the one of the candidate traffic flows to be redirected towards the security appliance for inspection or to cause the one of the candidate traffic flows to be copied and a resulting copy thereof forwarded to the security appliance for inspection.
    Type: Grant
    Filed: July 17, 2015
    Date of Patent: February 12, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: David McGrew, Kenneth S. Beck
  • Patent number: 10193907
    Abstract: In an embodiment, a central computer performs a data processing method. The central computer receives telemetry data from intrusion sensors. The central computer stores authentication records in a hosts database. Each authentication record is based on the telemetry data and comprises a thumbprint of a public key certificate and a host identifier of a sender computer. The central computer receives a suspect record that was sent by a first intrusion sensor. The suspect record has a first particular thumbprint of a first particular public key certificate and a first particular host identifier of a suspect sender. From the hosts database, the central computer searches for a matching record having a same host identifier as the first particular host identifier of the suspect record and a same thumbprint as the first particular thumbprint of the suspect record. The central computer generates an intrusion alert when no matching record is found.
    Type: Grant
    Filed: June 7, 2017
    Date of Patent: January 29, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: David McGrew, Titouan Rigoudy
  • Publication number: 20190018955
    Abstract: In one embodiment, a device in a network tracks changes in a source port or address identifier indicated by network traffic associated with a particular host in the network. The device detects an operating system start event based on the track changes in the source port or address identifier indicated in the traffic data associated with the particular host. The device provides data regarding the detected operating system start event as input to a machine learning-based malware detector. The device causes performance of a mitigation action in the network when the malware detector determines that the particular host is infected with malware.
    Type: Application
    Filed: July 13, 2017
    Publication date: January 17, 2019
    Inventors: David McGrew, Blake Harrell Anderson, Subharthi Paul
  • Publication number: 20190014134
    Abstract: In one embodiment, a device in a network maintains a plurality of machine learning-based detectors for an intrusion detection system. Each detector is associated with a different portion of a feature space of traffic characteristics assessed by the intrusion detection system. The device provides data regarding the plurality of detectors to a user interface. The device receives an adjustment instruction from the user interface based on the data provided to the user interface regarding the plurality of detectors. The device adjusts the portions of the feature space associated with the plurality of detectors based on the adjustment instruction received from the user interface.
    Type: Application
    Filed: July 7, 2017
    Publication date: January 10, 2019
    Inventors: Martin Kopp, Petr Somol, Tomas Pevny, David McGrew
  • Patent number: 10158487
    Abstract: A server sends information to a client that allows the client to establish a first key at the client. The server then receives a session ID that has been encrypted using the first key. The first key is then established at the server, which can then decrypt the session ID using the first key. After the server validates the session ID, it determines a second key that is different from the first key. The server then receives the session ID encrypted with the second key, and decrypts the session ID encrypted with the second key.
    Type: Grant
    Filed: July 16, 2015
    Date of Patent: December 18, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: James Anil Pramod Kotwal, Christopher Blayne Dreier, David Aaron Wyde, Kellen Mac Arb, David McGrew, Scott Fluhrer
  • Publication number: 20180332053
    Abstract: In one embodiment, a device in a network receives an access policy and a class behavioral model for a node in the network that are associated with a class asserted by the node. The device applies the access policy and class behavioral model to traffic associated with the node. The device identifies a deviation in a behavior of the node from the class behavioral model, based on the application of the class behavioral model to the traffic associated with the node. The device causes performance of a mitigation action in the network based on the identified deviation in the behavior of the node from the class behavioral model.
    Type: Application
    Filed: May 15, 2017
    Publication date: November 15, 2018
    Inventors: Brian E. Weis, Blake Harrell Anderson, Rashmikant B. Shah, David McGrew
  • Publication number: 20180278629
    Abstract: In one embodiment, a device in a network receives telemetry data regarding a traffic flow in the network. One or more features in the telemetry data are individually compressed. The device extracts the one or more individually compressed features from the received telemetry data. The device performs a lookup of one or more classifier inputs from an index of classifier inputs using the one or more individually compressed features from the received telemetry data. The device classifies the traffic flow by inputting the one or more classifier inputs to a machine learning-based classifier.
    Type: Application
    Filed: March 27, 2017
    Publication date: September 27, 2018
    Inventors: David McGrew, Blake Harrell Anderson
  • Publication number: 20180189677
    Abstract: In one embodiment, a device in a network generates a feature vector based on traffic flow data regarding one or more traffic flows in the network. The device makes a determination as to whether the generated feature vector is already represented in a training dataset dictionary by one or more feature vectors in the dictionary. The device updates the training dataset dictionary based on the determination by one of: adding the generated feature vector to the dictionary when the generated feature vector is not already represented by one or more feature vectors in the dictionary, or incrementing a count associated with a particular feature vector in the dictionary when the generated feature vector is already represented by the particular feature vector in the dictionary. The device generates a training dataset based on the training dataset dictionary for training a machine learning-based traffic flow analyzer.
    Type: Application
    Filed: January 5, 2017
    Publication date: July 5, 2018
    Inventors: Blake Harrell Anderson, David McGrew
  • Publication number: 20180191748
    Abstract: In one embodiment, a device in a network receives a set of known user identifiers used in the network. The device receives web traffic log data regarding web traffic in the network. The web traffic log data includes header information captured from the web traffic and a plurality of client addresses associated with the web traffic. The device detects a particular one of the set of known user identifiers in the header information captured from the web traffic associated with a particular one of the plurality of client addresses. The device makes an association between the particular detected user identifier and the particular client address.
    Type: Application
    Filed: January 5, 2017
    Publication date: July 5, 2018
    Inventors: David McGrew, Blake Harrell Anderson, Ivan Nikolaev
  • Publication number: 20180152467
    Abstract: In one embodiment, a device in a network receives traffic data regarding a plurality of observed traffic flows. The device maps one or more characteristics of the observed traffic flows from the traffic data to traffic characteristics associated with a targeted deployment environment. The device generates synthetic traffic data based on the mapped traffic characteristics associated with the targeted deployment environment. The device trains a machine learning-based traffic classifier using the synthetic traffic data.
    Type: Application
    Filed: November 30, 2016
    Publication date: May 31, 2018
    Inventors: Blake Harrell Anderson, David McGrew
  • Publication number: 20180139141
    Abstract: In one embodiment, a networking device in a network detects an traffic flow conveyed in the network via the networking device. The networking device generates flow data for the traffic flow. The networking device performs a classification of the traffic flow using the flow data as input to a machine learning-based classifier. The networking device performs a mediation action based on the classification of the traffic flow.
    Type: Application
    Filed: November 17, 2016
    Publication date: May 17, 2018
    Inventors: Michael Joseph Stepanek, Costas Kleopa, David McGrew, Blake Harrell Anderson, Saravanan Radhakrishnan
  • Publication number: 20180139214
    Abstract: In one embodiment, a device in a network receives certificate data for an encrypted traffic flow associated with a client node in the network. The device determines one or more data features from the certificate data. The device determines one or more flow characteristics of the encrypted traffic flow. The device performs a classification of an application executed by the client node and associated with the encrypted traffic flow by using a machine learning-based classifier to assess the one or more data features from the certificate data and the one or more flow characteristics of the traffic flow. The device causes performance of a network action based on a result of the classification of the application.
    Type: Application
    Filed: November 16, 2016
    Publication date: May 17, 2018
    Inventors: Blake Harrell Anderson, David McGrew, Subharthi Paul, Ivan Nikolaev, Martin Grill
  • Publication number: 20180103056
    Abstract: In one embodiment, a device in a network detects an encrypted traffic flow associated with a client in the network. The device captures contextual traffic data regarding the encrypted traffic flow from one or more unencrypted packets associated with the client. The device performs a classification of the encrypted traffic flow by using the contextual traffic data as input to a machine learning-based classifier. The device generates an alert based on the classification of the encrypted traffic flow.
    Type: Application
    Filed: October 6, 2016
    Publication date: April 12, 2018
    Inventors: Jan Kohout, Blake Harrell Anderson, Martin Grill, David McGrew, Martin Kopp, Tomas Pevny
  • Publication number: 20180097835
    Abstract: In one embodiment, a device in a network captures domain name system (DNS) response data from a DNS response sent by a DNS service to a client in the network. The device captures session data for an encrypted session of the client. The device makes a determination that the encrypted session is malicious by using the captured DNS response data and the captured session data as input to a machine learning-based or rule-based classifier. The device performs a mediation action in response to the determination that the encrypted session is malicious.
    Type: Application
    Filed: October 5, 2016
    Publication date: April 5, 2018
    Inventors: David McGrew, Blake Harrell Anderson, Daniel G. Wing, Flemming Andreasen
  • Patent number: 9894055
    Abstract: An authentication request is generated when a user of a client device attempts to initiate a user session with an application managed by a service provider. An authentication response is generated based on credentials received from the user. The authentication response includes an assertion on behalf of the user. A delivery resource locator for the assertion is rewritten to a resource locator of a proxy in order to redirect the assertion to the proxy. The authentication response is sent to the client device together with the resource locator of the proxy in order to cause the client device to send the assertion to the proxy that decodes the re-written resource locator and sends the assertion to the service provider.
    Type: Grant
    Filed: January 29, 2016
    Date of Patent: February 13, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: Vincent E. Parla, David McGrew, Andrzej Kielbasinski
  • Publication number: 20180007084
    Abstract: In one embodiment, a device in a network receives an attack mitigation request regarding traffic in the network. The device causes an assessment of the traffic, in response to the attack mitigation request. The device determines that an attack detector associated with the attack mitigation request incorrectly assessed the traffic, based on the assessment of the traffic. The device causes an update to an attack detection model of the attack detector, in response to determining that the attack detector incorrectly assessed the traffic.
    Type: Application
    Filed: August 24, 2016
    Publication date: January 4, 2018
    Inventors: K. Tirumaleswar Reddy, Daniel G. Wing, Blake Harrell Anderson, David McGrew
  • Publication number: 20170374016
    Abstract: In one embodiment, a device in a network receives domain name system (DNS) information for a domain. The DNS information includes one or more service tags indicative of one or more services offered by the domain. The device detects an encrypted traffic flow associated with the domain. The device identifies a service associated with the encrypted traffic flow based on the one or more service tags. The device prioritizes the encrypted traffic flow based on the identified service associated with the encrypted traffic flow.
    Type: Application
    Filed: June 23, 2016
    Publication date: December 28, 2017
    Inventors: K. Tirumaleswar Reddy, David McGrew, Blake Harrell Anderson, Daniel G. Wing