Abstract: In one embodiment, a device in a network receives certificate data for an encrypted traffic flow associated with a client node in the network. The device determines one or more data features from the certificate data. The device determines one or more flow characteristics of the encrypted traffic flow. The device performs a classification of an application executed by the client node and associated with the encrypted traffic flow by using a machine learning-based classifier to assess the one or more data features from the certificate data and the one or more flow characteristics of the traffic flow. The device causes performance of a network action based on a result of the classification of the application.

Abstract: In one embodiment, a device in a network receives traffic sent from a first endpoint. The device sends a padding request to the second endpoint indicative of a number of padding bytes. The device receives a padding response from the second endpoint, after sending the padding request to the second endpoint. The device adjusts the received traffic based on the received padding response by adding one or more frames to the received traffic. The device sends the adjusted traffic to the second endpoint.

Abstract: In one embodiment, a device in a network generates a feature vector based on traffic flow data regarding one or more traffic flows in the network. The device makes a determination as to whether the generated feature vector is already represented in a training dataset dictionary by one or more feature vectors in the dictionary. The device updates the training dataset dictionary based on the determination by one of: adding the generated feature vector to the dictionary when the generated feature vector is not already represented by one or more feature vectors in the dictionary, or incrementing a count associated with a particular feature vector in the dictionary when the generated feature vector is already represented by the particular feature vector in the dictionary. The device generates a training dataset based on the training dataset dictionary for training a machine learning-based traffic flow analyzer.

Abstract: A method comprises receiving, at a network infrastructure device, a flow of packets, determining, using the network infrastructure device and for a first subset of the packets, that the first subset corresponds to a first datagram and determining a first length of the first datagram, determining, using the network infrastructure device and for a second subset of the packets, that the second subset corresponds to a second datagram that was received after the first datagram, and determining a second length of the second datagram, determining, using the network infrastructure device, a duration value between a first arrival time of the first datagram and a second arrival time of the second datagram, sending, to a collector device that is separate from the network infrastructure device, the first length, the second length, and the duration value for analysis.

Abstract: In one embodiment, a device in a network tracks traffic features indicated by header information of packets of an encrypted traffic flow over time. The encrypted traffic flow is associated with a particular host in the network. The device detects an operating system start event based on the traffic features and provides data regarding the detected operating system start event as input to a machine learning-based malware detector to determine whether the particular host with which the encrypted traffic flow is associated is infected with malware. The device causes performance of a mitigation action in the network when the malware detector determines that the particular host is infected with malware.

Abstract: In one embodiment, a service receives administration traffic data in a network associated with a remote administration session in which a control device remotely administers a client device. The service analyzes the administration traffic data to determine whether any portion of the administration traffic data is resulting from an administration session involving a trusted administrator. The service flags a first portion of the administration traffic data as authorized when the first portion of the administration traffic data is determined to result from an administration session involving a trusted administrator, and a second portion of the administration traffic data is non-flagged. The service assesses the second portion of the administration traffic data using a machine learning-based traffic classifier to determine whether the second portion of the administration traffic data is malicious.

Abstract: In one embodiment, a device in a network receives an attack mitigation request regarding traffic in the network. The device causes an assessment of the traffic, in response to the attack mitigation request. The device determines that an attack detector associated with the attack mitigation request incorrectly assessed the traffic, based on the assessment of the traffic. The device causes an update to an attack detection model of the attack detector, in response to determining that the attack detector incorrectly assessed the traffic.

Abstract: In one embodiment, a device in a network receives domain name system (DNS) information for a domain. The DNS information includes one or more service tags indicative of one or more services offered by the domain. The device detects an encrypted traffic flow associated with the domain. The device identifies a service associated with the encrypted traffic flow based on the one or more service tags. The device prioritizes the encrypted traffic flow based on the identified service associated with the encrypted traffic flow.

Abstract: In one embodiment, a device in a network receives an access policy and a class behavioral model for a node in the network that are associated with a class asserted by the node. The device applies the access policy and class behavioral model to traffic associated with the node. The device identifies a deviation in a behavior of the node from the class behavioral model, based on the application of the class behavioral model to the traffic associated with the node. The device causes performance of a mitigation action in the network based on the identified deviation in the behavior of the node from the class behavioral model.

Abstract: In one embodiment, a device in a network intercepts traffic sent from a first endpoint destined for a second endpoint. The device sends a padding request to the second endpoint indicative of a number of padding bytes. The device receives a padding response from the second endpoint, after sending the padding request to the second endpoint. The device adjusts the intercepted traffic based on the received padding response. The device sends the adjusted traffic to the second endpoint.

Abstract: In one embodiment, a device in a network receives certificate data for an encrypted traffic flow associated with a client node in the network. The device determines one or more data features from the certificate data. The device determines one or more flow characteristics of the encrypted traffic flow. The device performs a classification of an application executed by the client node and associated with the encrypted traffic flow by using a machine learning-based classifier to assess the one or more data features from the certificate data and the one or more flow characteristics of the traffic flow. The device causes performance of a network action based on a result of the classification of the application.

Abstract: In one embodiment, a device in a network tracks changes in a source port or address identifier indicated by network traffic associated with a particular host in the network. The device detects an operating system start event based on the track changes in the source port or address identifier indicated in the traffic data associated with the particular host. The device provides data regarding the detected operating system start event as input to a machine learning-based malware detector. The device causes performance of a mitigation action in the network when the malware detector determines that the particular host is infected with malware.

Abstract: In one embodiment, a service receives data regarding administration traffic in a network associated with a remote administration session in which a control device remotely administers a client device. The service analyzes the received data to determine whether the administration traffic is authorized. The service flags the received data as authorized, based on the analysis of the received data. The service uses the data flagged as authorized to distinguish between benign traffic and malicious traffic in the network.

Abstract: A method comprises receiving, at a network infrastructure device, a flow of packets, determining, using the network infrastructure device and for a first subset of the packets, that the first subset corresponds to a first datagram and determining a first length of the first datagram, determining, using the network infrastructure device and for a second subset of the packets, that the second subset corresponds to a second datagram that was received after the first datagram, and determining a second length of the second datagram, determining, using the network infrastructure device, a duration value between a first arrival time of the first datagram and a second arrival time of the second datagram, sending, to a collector device that is separate from the network infrastructure device, the first length, the second length, and the duration value for analysis.

Abstract: In one embodiment, a switch in a software-defined network receives a packet sent by an endpoint device via the SDN. The switch makes a copy of the packet based on one or more header fields of the packet matching one or more flow table entries of the switch. The switch forms telemetry data for reporting to a traffic analysis service by applying a metadata filter to the copy of the packet. The metadata filter prevents at least a portion of the copy of the packet from inclusion in the telemetry data. The switch sends the formed telemetry data to the traffic analysis service.

Abstract: In one embodiment, a device in a network receives an access policy and a class behavioral model for a node in the network that are associated with a class asserted by the node. The device applies the access policy and class behavioral model to traffic associated with the node. The device identifies a deviation in a behavior of the node from the class behavioral model, based on the application of the class behavioral model to the traffic associated with the node. The device causes performance of a mitigation action in the network based on the identified deviation in the behavior of the node from the class behavioral model.

Abstract: In one embodiment, a security service classifies traffic telemetry data for traffic between an endpoint device and a server as potentially associated with a particular type of remote access Trojan (RAT). The security service constructs a scan message to elicit a type of server response associated with the particular type of RAT. The security service obtains a server response from the server, by sending the constructed scan message to the server. The security service determines whether the endpoint device is infected with the particular type of RAT, by validating whether the server response from the server matches the type of server response associated with the particular type of RAT.

Abstract: In one embodiment, a device in a network receives telemetry data regarding a traffic flow in the network. One or more features in the telemetry data are individually compressed. The device extracts the one or more individually compressed features from the received telemetry data. The device performs a lookup of one or more classifier inputs from an index of classifier inputs using the one or more individually compressed features from the received telemetry data. The device classifies the traffic flow by inputting the one or more classifier inputs to a machine learning-based classifier.

Abstract: In one embodiment, a device in a network receives traffic data regarding a plurality of observed traffic flows. The device maps one or more characteristics of the observed traffic flows from the traffic data to traffic characteristics associated with a targeted deployment environment. The device generates synthetic traffic data based on the mapped traffic characteristics associated with the targeted deployment environment. The device trains a machine learning-based traffic classifier using the synthetic traffic data.

Abstract: In one embodiment, a telemetry exporter in a network establishes a tunnel between the telemetry exporter and a traffic analysis service. The telemetry exporter obtains packet copies of a plurality of packets sent between devices via the network. The telemetry exporter forms a set of traffic telemetry data by discarding at least a portion of one or more of the packet copies, based on a filter policy. The telemetry exporter applies compression to the formed set of traffic telemetry data. The telemetry exporter sends, via the tunnel, the compressed set of traffic telemetry data to the traffic analysis service for analysis.