Patents by Inventor David McGrew

David McGrew has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10686831
    Abstract: In one embodiment, a device in a network receives certificate data for an encrypted traffic flow associated with a client node in the network. The device determines one or more data features from the certificate data. The device determines one or more flow characteristics of the encrypted traffic flow. The device performs a classification of an application executed by the client node and associated with the encrypted traffic flow by using a machine learning-based classifier to assess the one or more data features from the certificate data and the one or more flow characteristics of the traffic flow. The device causes performance of a network action based on a result of the classification of the application.
    Type: Grant
    Filed: November 16, 2016
    Date of Patent: June 16, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Blake Harrell Anderson, David McGrew, Subharthi Paul, Ivan Nikolaev, Martin Grill
  • Patent number: 10673901
    Abstract: In one embodiment, a service receives captured traffic flow data regarding a traffic flow sent via a network between a first device assigned to a first network zone and a second device assigned to a second network zone. The service identifies, from the captured traffic flow data, one or more cryptographic parameters of the traffic flow. The service determines whether the one or more cryptographic parameters of the traffic flow satisfy an inter-zone policy associated with the first and second network zones. The service causes performance of a mitigation action in the network when the one or more cryptographic parameters of the traffic flow do not satisfy the inter-zone policy associated with the first and second network zones.
    Type: Grant
    Filed: December 27, 2017
    Date of Patent: June 2, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Matthew Scott Robertson, David McGrew, Timothy David Keanini, Sunil Amin, Ellie Marie Daw
  • Patent number: 10666640
    Abstract: In one embodiment, a device in a network observes traffic between a client and a server for an encrypted session. The device makes a determination that a server certificate should be obtained from the server. The device, based on the determination, sends a handshake probe to the server. The device extracts server certificate information from a handshake response from the server that the server sent in response to the handshake probe. The device uses the extracted server certificate information to analyze the traffic between the client and the server.
    Type: Grant
    Filed: December 20, 2017
    Date of Patent: May 26, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: David McGrew, Blake Harrell Anderson, Subharthi Paul, William Michael Hudson, Jr., Philip Ryan Perricone
  • Publication number: 20200159947
    Abstract: In one embodiment, a traffic analysis service that monitors a network obtains file metadata regarding an electronic file. The traffic analysis service determines a sensitivity score for the electronic file based on the file metadata. The traffic analysis service detects the electronic file within traffic in the network. The traffic analysis service causes performance of a mitigation action regarding the detection of the electronic file within the traffic, based on the sensitivity score of the electronic file.
    Type: Application
    Filed: November 20, 2018
    Publication date: May 21, 2020
    Inventors: Chris Allen Shenefiel, Robert Waitman, David McGrew, Blake Harrell Anderson
  • Publication number: 20200127966
    Abstract: In one embodiment, a device in a network receives domain name system (DNS) information for a domain. The DNS information includes one or more service tags indicative of one or more services offered by the domain. The device detects an encrypted traffic flow associated with the domain. The device identifies a service associated with the encrypted traffic flow based on the one or more service tags. The device prioritizes the encrypted traffic flow based on the identified service associated with the encrypted traffic flow.
    Type: Application
    Filed: December 20, 2019
    Publication date: April 23, 2020
    Inventors: K. Tirumaleswar Reddy, David McGrew, Blake Harrell Anderson, Daniel G. Wing
  • Publication number: 20200120107
    Abstract: In one embodiment, a security service classifies traffic telemetry data for traffic between an endpoint device and a server as potentially associated with a particular type of remote access Trojan (RAT). The security service constructs a scan message to elicit a type of server response associated with the particular type of RAT. The security service obtains a server response from the server, by sending the constructed scan message to the server. The security service determines whether the endpoint device is infected with the particular type of RAT, by validating whether the server response from the server matches the type of server response associated with the particular type of RAT.
    Type: Application
    Filed: December 14, 2018
    Publication date: April 16, 2020
    Inventors: David McGrew, Blake Harrell Anderson, Julien Thomas Piet
  • Publication number: 20200106604
    Abstract: In one embodiment, an apparatus captures a memory dump of a device in a sandbox environment executing a malware sample. The apparatus identifies a cryptographic key based on a particular data structure in the captured memory dump. The apparatus uses the identified cryptographic key to decrypt encrypted traffic sent by the device. The apparatus labels at least a portion of the decrypted traffic sent by the device as benign. The apparatus trains a machine learning-based traffic classifier based on the at least a portion of the decrypted traffic sent by the device and labeled as benign.
    Type: Application
    Filed: December 3, 2019
    Publication date: April 2, 2020
    Inventors: Blake Harrell Anderson, Andrew Chi, David McGrew, Scott William Dunlop
  • Publication number: 20200067972
    Abstract: In one embodiment, a device in a network captures domain name system (DNS) response data from a DNS response sent by a DNS service to a client in the network. The device captures session data for an encrypted session of the client. The device makes a determination that the encrypted session is malicious by using the captured DNS response data and the captured session data as input to a machine learning-based or rule-based classifier. The device performs a mediation action in response to the determination that the encrypted session is malicious.
    Type: Application
    Filed: October 31, 2019
    Publication date: February 27, 2020
    Inventors: David McGrew, Blake Harrell Anderson, Daniel G. Wing, Flemming Andreasen
  • Publication number: 20200053103
    Abstract: In one embodiment, a traffic inspection service executed by an intermediary device obtains, from a monitoring agent executed by an endpoint device, keying information for an encrypted traffic session between the endpoint device and a remote entity. The traffic inspection service provides a notification to the monitoring agent that acknowledges receipt of the keying information. The traffic inspection service uses the keying information to decrypt encrypted traffic from the encrypted traffic session. The traffic inspection service applies a policy to the encrypted traffic session between the endpoint device and the remote entity, based on the decrypted traffic from the session.
    Type: Application
    Filed: August 10, 2018
    Publication date: February 13, 2020
    Inventors: Martin Rehak, David McGrew, Blake Harrell Anderson, Scott William Dunlop
  • Patent number: 10554614
    Abstract: In one embodiment, a device in a network receives domain name system (DNS) information for a domain. The DNS information includes one or more service tags indicative of one or more services offered by the domain. The device detects an encrypted traffic flow associated with the domain. The device identifies a service associated with the encrypted traffic flow based on the one or more service tags. The device prioritizes the encrypted traffic flow based on the identified service associated with the encrypted traffic flow.
    Type: Grant
    Filed: June 23, 2016
    Date of Patent: February 4, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: K. Tirumaleswar Reddy, David McGrew, Blake Harrell Anderson, Daniel G. Wing
  • Patent number: 10536268
    Abstract: In one embodiment, an apparatus captures a memory dump of a device in a sandbox environment executing a malware sample. The apparatus identifies a cryptographic key based on a particular data structure in the captured memory dump. The apparatus uses the identified cryptographic key to decrypt encrypted traffic sent by the device. The apparatus labels at least a portion of the decrypted traffic sent by the device as benign. The apparatus trains a machine learning-based traffic classifier based on the at least a portion of the decrypted traffic sent by the device and labeled as benign.
    Type: Grant
    Filed: August 31, 2017
    Date of Patent: January 14, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Blake Harrell Anderson, Andrew Chi, David McGrew, Scott William Dunlop
  • Publication number: 20200004958
    Abstract: In one embodiment, a device in a network tracks changes in a source port or address identifier indicated by network traffic associated with a particular host in the network. The device detects an operating system start event based on the tracked changes in the source port or address identifier indicated in the traffic data associated with the particular host. The device provides data regarding the detected operating system start event as input to a machine learning-based malware detector. The device causes performance of a mitigation action in the network when the malware detector determines that the particular host is infected with malware.
    Type: Application
    Filed: September 11, 2019
    Publication date: January 2, 2020
    Inventors: David McGrew, Blake Harrell Anderson, Subharthi Paul
  • Patent number: 10505970
    Abstract: In one embodiment, a device in a network captures domain name system (DNS) response data from a DNS response sent by a DNS service to a client in the network. The device captures session data for an encrypted session of the client. The device makes a determination that the encrypted session is malicious by using the captured DNS response data and the captured session data as input to a machine learning-based or rule-based classifier. The device performs a mediation action in response to the determination that the encrypted session is malicious.
    Type: Grant
    Filed: October 5, 2016
    Date of Patent: December 10, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: David McGrew, Blake Harrell Anderson, Daniel G. Wing, Flemming Andreasen
  • Publication number: 20190349403
    Abstract: In one embodiment, a service that monitors a network obtains file characteristic data of a file stored on a first endpoint in the network. The service infers characteristics of encrypted content within encrypted traffic in the network between the first endpoint and a second endpoint, by applying a machine learning-based classifier to traffic data regarding the encrypted traffic session. The service compares the file characteristic data of the file to the inferred content characteristics of the encrypted content within the encrypted traffic, to detect the file within the encrypted traffic. The service enforces a network policy in the network, based on the detection of the file within the encrypted traffic.
    Type: Application
    Filed: June 25, 2018
    Publication date: November 14, 2019
    Inventors: Blake Harrell Anderson, Chris Allen Shenefiel, David McGrew, Robert M. Waitman
  • Patent number: 10452846
    Abstract: In one embodiment, a device in a network tracks changes in a source port or address identifier indicated by network traffic associated with a particular host in the network. The device detects an operating system start event based on the tracked changes in the source port or address identifier indicated in the traffic data associated with the particular host. The device provides data regarding the detected operating system start event as input to a machine learning-based malware detector. The device causes performance of a mitigation action in the network when the malware detector determines that the particular host is infected with malware.
    Type: Grant
    Filed: July 13, 2017
    Date of Patent: October 22, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: David McGrew, Blake Harrell Anderson, Subharthi Paul
  • Publication number: 20190312894
    Abstract: In one embodiment, a device in a network receives telemetry data regarding a traffic flow in the network. One or more features in the telemetry data are individually compressed. The device extracts the one or more individually compressed features from the received telemetry data. The device performs a lookup of one or more classifier inputs from an index of classifier inputs using the one or more individually compressed features from the received telemetry data. The device classifies the traffic flow by inputting the one or more classifier inputs to a machine learning-based classifier.
    Type: Application
    Filed: June 24, 2019
    Publication date: October 10, 2019
    Inventors: David McGrew, Blake Harrell Anderson
  • Publication number: 20190312893
    Abstract: In one embodiment, a device in a network receives a set of known user identifiers used in the network. The device receives web traffic log data regarding web traffic in the network. The web traffic log data includes header information captured from the web traffic and a plurality of client addresses associated with the web traffic. The device detects a particular one of the set of known user identifiers in the header information captured from the web traffic associated with a particular one of the plurality of client addresses. The device makes an association between the particular detected user identifier and the particular client address.
    Type: Application
    Filed: June 5, 2019
    Publication date: October 10, 2019
    Inventors: David McGrew, Blake Harrell Anderson, Ivan Nikolaev
  • Publication number: 20190251479
    Abstract: Methods and systems to classify a training dataset of network data as a poisoned training dataset based on a first dataset-level classifier, identify and remove poison samples of the poisoned training dataset based on a sample-level classifier to produce a non-poisoned dataset, train a machine-based model to analyze network traffic based on the modified non-poisoned dataset, and analyze network traffic with the machine-based model.
    Type: Application
    Filed: February 9, 2018
    Publication date: August 15, 2019
    Inventors: Blake Harrell Anderson, David McGrew, Subharthi Paul
  • Publication number: 20190245868
    Abstract: Methods and systems to estimate encrypted multi-path TCP (MPTCP) network traffic include restricting traffic in a first direction (e.g., uplink) to a single path, and estimating traffic of multiple subflows of a second direction (e.g., downlink) based on traffic over the single path of the first direction. The estimating may be based on, without limitation, acknowledgment information of the single path, a sequence of acknowledgment numbers of the single path, an unencrypted initial packet sent over the single path as part of a secure tunnel setup procedure, TCP header information of the unencrypted initial packet (e.g., sequence number, acknowledgment packet, and/or acknowledgment packet length), and/or metadata of packets of the single path (e.g., regarding cryptographic algorithms, Diffie-Hellman groups, and/or certificate related data).
    Type: Application
    Filed: February 8, 2018
    Publication date: August 8, 2019
    Inventors: Santosh Ramrao Patil, Gangadharan Byju Pularikkal, David McGrew, Blake Harrell Anderson, Madhusudan Nanjanagud
  • Publication number: 20190245866
    Abstract: In one embodiment, a traffic analysis service receives captured traffic data regarding a Transport Layer Security (TLS) connection between a client and a server. The traffic analysis service applies a first machine learning-based classifier to TLS records from the traffic data, to identify a set of the TLS records that include Hypertext Transfer Protocol (HTTP) header information. The traffic analysis service estimates one or more HTTP transaction labels for the connection by applying a second machine learning-based classifier to the identified set of TLS records that include HTTP header information. The traffic analysis service augments the captured traffic data with the one or more HTTP transaction labels. The traffic analysis service causes performance of a network security function based on the augmented traffic data.
    Type: Application
    Filed: February 6, 2018
    Publication date: August 8, 2019
    Inventors: Blake Harrell Anderson, David McGrew