Patents by Inventor David McGrew

David McGrew has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20210105301
    Abstract: In one embodiment, a device in a network intercepts traffic sent from a first endpoint destined for a second endpoint. The device sends a padding request to the second endpoint indicative of a number of padding bytes. The device receives a padding response from the second endpoint, after sending the padding request to the second endpoint. The device adjusts the intercepted traffic based on the received padding response. The device sends the adjusted traffic to the second endpoint.
    Type: Application
    Filed: October 7, 2019
    Publication date: April 8, 2021
    Inventors: Blake Harrell Anderson, David McGrew
  • Patent number: 10904275
    Abstract: In one embodiment, a device in a network receives traffic data regarding a plurality of observed traffic flows. The device maps one or more characteristics of the observed traffic flows from the traffic data to traffic characteristics associated with a targeted deployment environment. The device generates synthetic traffic data based on the mapped traffic characteristics associated with the targeted deployment environment. The device trains a machine learning-based traffic classifier using the synthetic traffic data.
    Type: Grant
    Filed: November 30, 2016
    Date of Patent: January 26, 2021
    Assignee: Cisco Technology, Inc.
    Inventors: Blake Harrell Anderson, David McGrew
  • Publication number: 20210021641
    Abstract: In one embodiment, a device obtains telemetry data regarding an encrypted traffic session in a network. The telemetry data includes Transport Layer Security (TLS) features of the traffic session and auxiliary information indicative of a destination address of the traffic session, a destination port of the traffic session, or a server name associated with the traffic session. The device retrieves, using the obtained telemetry data, a plurality of candidate processes from a TLS fingerprint database that relates processes with telemetry data from encrypted traffic sessions initiated by those processes. The device uses a probabilistic model to assign probabilities to each of the plurality of candidate processes. The device identifies one of the plurality of candidate processes as having initiated the encrypted traffic session based on its assigned probability.
    Type: Application
    Filed: July 16, 2019
    Publication date: January 21, 2021
    Inventors: Blake Harrell Anderson, David McGrew, Keith Richard Schomburg
  • Patent number: 10897474
    Abstract: In one embodiment, a device in a first network receives traffic flow information regarding a plurality of traffic flows in the first network. The device labels the traffic flow information by associating classifier labels to the traffic flow information. The device receives a generic traffic classifier that was trained using a training data set that comprises labeled traffic flow information for a plurality of other networks and excludes the traffic flow information regarding the plurality of traffic flows in the first network. The device acclimates the generic traffic classifier to the first network using the labeled traffic flow information regarding the plurality of traffic flows in the first network.
    Type: Grant
    Filed: June 23, 2016
    Date of Patent: January 19, 2021
    Assignee: Cisco Technology, Inc.
    Inventors: Blake Harrell Anderson, David McGrew
  • Publication number: 20210006589
    Abstract: In one embodiment, a device in a network detects an encrypted traffic flow associated with a client in the network. The device captures contextual traffic data regarding the encrypted traffic flow from one or more unencrypted packets associated with the client. The device performs a classification of the encrypted traffic flow by using the contextual traffic data as input to a machine learning-based classifier. The device generates an alert based on the classification of the encrypted traffic flow.
    Type: Application
    Filed: September 23, 2020
    Publication date: January 7, 2021
    Inventors: Jan Kohout, Blake Harrell Anderson, Martin Grill, David McGrew, Martin Kopp, Tomas Pevny
  • Patent number: 10868834
    Abstract: In one embodiment, a service that monitors a network obtains file characteristic data of a file stored on a first endpoint in the network. The service infers characteristics of encrypted content within encrypted traffic in the network between the first endpoint and a second endpoint, by applying a machine learning-based classifier to traffic data regarding the encrypted traffic session. The service compares the file characteristic data of the file to the inferred content characteristics of the encrypted content within the encrypted traffic, to detect the file within the encrypted traffic. The service enforces a network policy in the network, based on the detection of the file within the encrypted traffic.
    Type: Grant
    Filed: June 25, 2018
    Date of Patent: December 15, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Blake Harrell Anderson, Chris Allen Shenefiel, David McGrew, Robert M. Waitman
  • Publication number: 20200389489
    Abstract: In one embodiment, a device in a network receives an attack mitigation request regarding traffic in the network. The device causes an assessment of the traffic, in response to the attack mitigation request. The device determines that an attack detector associated with the attack mitigation request incorrectly assessed the traffic, based on the assessment of the traffic. The device causes an update to an attack detection model of the attack detector, in response to determining that the attack detector incorrectly assessed the traffic.
    Type: Application
    Filed: June 19, 2020
    Publication date: December 10, 2020
    Inventors: K. Tirumaleswar Reddy, Daniel G. Wing, Blake Harrell Anderson, David McGrew
  • Patent number: 10855698
    Abstract: In one embodiment, a device obtains simulation environment data regarding traffic generated within a simulation environment in which malware is executed. The device trains a malware detector using the simulation environment data. The device obtains deployment environment characteristics of a network to which the malware detector is to be deployed. The device configures the malware detector to ignore data in the simulation environment data that is associated with one or more environment characteristics that are not present in the deployment environment characteristics.
    Type: Grant
    Filed: December 22, 2017
    Date of Patent: December 1, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Blake Harrell Anderson, Martin Rehak, David McGrew, Martin Vejman, Tomas Pevny, Martin Grill, Jan Kohout
  • Publication number: 20200329059
    Abstract: In one embodiment, a service receives traffic telemetry data regarding encrypted traffic sent by an endpoint device in a network. The service analyzes the traffic telemetry data to infer characteristics of an application on the endpoint device that generated the encrypted traffic. The service receives, from a monitoring agent on the endpoint device, application telemetry data regarding the application. The service determines that the application is evasive malware based on the characteristics of the application inferred from the traffic telemetry data and on the application telemetry data received from the monitoring agent on the endpoint device. The service initiates performance of a mitigation action in the network, after determining that the application on the endpoint device is evasive malware.
    Type: Application
    Filed: June 25, 2020
    Publication date: October 15, 2020
    Inventors: Blake Harrell Anderson, David McGrew, Vincent E. Parla, Jan Jusko, Martin Grill, Martin Vejman
  • Patent number: 10805341
    Abstract: In one embodiment, a traffic analysis service receives captured traffic data regarding a Transport Layer Security (TLS) connection between a client and a server. The traffic analysis service applies a first machine learning-based classifier to TLS records from the traffic data, to identify a set of the TLS records that include Hypertext Transfer Protocol (HTTP) header information. The traffic analysis service estimates one or more HTTP transaction labels for the connection by applying a second machine learning-based classifier to the identified set of TLS records that include HTTP header information. The traffic analysis service augments the captured traffic data with the one or more HTTP transaction labels. The traffic analysis service causes performance of a network security function based on the augmented traffic data.
    Type: Grant
    Filed: February 6, 2018
    Date of Patent: October 13, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Blake Harrell Anderson, David McGrew
  • Patent number: 10805338
    Abstract: In one embodiment, a device in a network detects an encrypted traffic flow associated with a client in the network. The device captures contextual traffic data regarding the encrypted traffic flow from one or more unencrypted packets associated with the client. The device performs a classification of the encrypted traffic flow by using the contextual traffic data as input to a machine learning-based classifier. The device generates an alert based on the classification of the encrypted traffic flow.
    Type: Grant
    Filed: October 6, 2016
    Date of Patent: October 13, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Jan Kohout, Blake Harrell Anderson, Martin Grill, David McGrew, Martin Kopp, Tomas Pevny
  • Publication number: 20200322275
    Abstract: In one embodiment, a networking device in a network detects a traffic flow conveyed in the network via the networking device. The networking device generates flow data for the traffic flow. The networking device performs a classification of the traffic flow using the flow data as input to a machine learning-based classifier. The networking device performs a mediation action based on the classification of the traffic flow.
    Type: Application
    Filed: June 24, 2020
    Publication date: October 8, 2020
    Inventors: Michael Joseph Stepanek, Costas Kleopa, David McGrew, Blake Harrell Anderson, Saravanan Radhakrishnan
  • Publication number: 20200267164
    Abstract: In one embodiment, a device in a network receives certificate data for an encrypted traffic flow associated with a client node in the network. The device determines one or more data features from the certificate data. The device determines one or more flow characteristics of the encrypted traffic flow. The device performs a classification of an application executed by the client node and associated with the encrypted traffic flow by using a machine learning-based classifier to assess the one or more data features from the certificate data and the one or more flow characteristics of the traffic flow. The device causes performance of a network action based on a result of the classification of the application.
    Type: Application
    Filed: May 8, 2020
    Publication date: August 20, 2020
    Inventors: Blake Harrell Anderson, David McGrew, Subharthi Paul, Ivan Nikolaev, Martin Grill
  • Publication number: 20200252435
    Abstract: In one embodiment, a service receives captured traffic flow data regarding a traffic flow sent via a network between a first device assigned to a first network zone and a second device assigned to a second network zone. The service identifies, from the captured traffic flow data, one or more cryptographic parameters of the traffic flow. The service determines whether the one or more cryptographic parameters of the traffic flow satisfy an inter-zone policy associated with the first and second network zones. The service causes performance of a mitigation action in the network when the one or more cryptographic parameters of the traffic flow do not satisfy the inter-zone policy associated with the first and second network zones.
    Type: Application
    Filed: April 24, 2020
    Publication date: August 6, 2020
    Inventors: Matthew Scott Robertson, David McGrew, Timothy David Keanini, Sunil Amin, Ellie Marie Daw
  • Patent number: 10735441
    Abstract: In one embodiment, a service receives traffic telemetry data regarding encrypted traffic sent by an endpoint device in a network. The service analyzes the traffic telemetry data to infer characteristics of an application on the endpoint device that generated the encrypted traffic. The service receives, from a monitoring agent on the endpoint device, application telemetry data regarding the application. The service determines that the application is evasive malware based on the characteristics of the application inferred from the traffic telemetry data and on the application telemetry data received from the monitoring agent on the endpoint device. The service initiates performance of a mitigation action in the network, after determining that the application on the endpoint device is evasive malware.
    Type: Grant
    Filed: December 20, 2017
    Date of Patent: August 4, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Blake Harrell Anderson, David McGrew, Vincent E. Parla, Jan Jusko, Martin Grill, Martin Vejman
  • Publication number: 20200244648
    Abstract: In one embodiment, a device in a network observes traffic between a client and a server for an encrypted session. The device makes a determination that a server certificate should be obtained from the server. The device, based on the determination, sends a handshake probe to the server. The device extracts server certificate information from a handshake response from the server that the server sent in response to the handshake probe. The device uses the extracted server certificate information to analyze the traffic between the client and the server.
    Type: Application
    Filed: April 17, 2020
    Publication date: July 30, 2020
    Inventors: David McGrew, Blake Harrell Anderson, Subharthi Paul, William Michael Hudson, JR., Philip Ryan Perricone
  • Patent number: 10728158
    Abstract: In one embodiment, a networking device in a network detects a traffic flow conveyed in the network via the networking device. The networking device generates flow data for the traffic flow. The networking device performs a classification of the traffic flow using the flow data as input to a machine learning-based classifier. The networking device performs a mediation action based on the classification of the traffic flow.
    Type: Grant
    Filed: April 9, 2019
    Date of Patent: July 28, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Michael Joseph Stepanek, Costas Kleopa, David McGrew, Blake Harrell Anderson, Saravanan Radhakrishnan
  • Patent number: 10728280
    Abstract: In one embodiment, a device in a network receives an attack mitigation request regarding traffic in the network. The device causes an assessment of the traffic, in response to the attack mitigation request. The device determines that an attack detector associated with the attack mitigation request incorrectly assessed the traffic, based on the assessment of the traffic. The device causes an update to an attack detection model of the attack detector, in response to determining that the attack detector incorrectly assessed the traffic.
    Type: Grant
    Filed: August 24, 2016
    Date of Patent: July 28, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: K. Tirumaleswar Reddy, Daniel G. Wing, Blake Harrell Anderson, David McGrew
  • Patent number: 10708284
    Abstract: In one embodiment, a device in a network maintains a plurality of machine learning-based detectors for an intrusion detection system. Each detector is associated with a different portion of a feature space of traffic characteristics assessed by the intrusion detection system. The device provides data regarding the plurality of detectors to a user interface. The device receives an adjustment instruction from the user interface based on the data provided to the user interface regarding the plurality of detectors. The device adjusts the portions of the feature space associated with the plurality of detectors based on the adjustment instruction received from the user interface.
    Type: Grant
    Filed: July 7, 2017
    Date of Patent: July 7, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Martin Kopp, Petr Somol, Tomas Pevny, David McGrew
  • Patent number: 10686831
    Abstract: In one embodiment, a device in a network receives certificate data for an encrypted traffic flow associated with a client node in the network. The device determines one or more data features from the certificate data. The device determines one or more flow characteristics of the encrypted traffic flow. The device performs a classification of an application executed by the client node and associated with the encrypted traffic flow by using a machine learning-based classifier to assess the one or more data features from the certificate data and the one or more flow characteristics of the traffic flow. The device causes performance of a network action based on a result of the classification of the application.
    Type: Grant
    Filed: November 16, 2016
    Date of Patent: June 16, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Blake Harrell Anderson, David McGrew, Subharthi Paul, Ivan Nikolaev, Martin Grill