Patents by Inventor Martin REHAK
Martin REHAK has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20180198811Abstract: Identifying malicious network traffic based on distributed, collaborative sampling includes, at a computing device having connectivity to a network, obtaining a first set of data flows, based on sampling criteria, that represents network traffic between one or more nodes in the network and one or more domains outside of the network, each data flow in the first set of data flows including a plurality of data packets. The first set of data flows is forwarded for correlation with a plurality of other sets of data flows from other networks to generate global intelligence data. Adjusted sampling criteria is generated based on the global intelligence data and a second set of data flows is obtained based on the adjusted sampling criteria.Type: ApplicationFiled: January 11, 2017Publication date: July 12, 2018Inventors: Karel Bartos, Martin Rehak
-
Patent number: 10015192Abstract: In one embodiment, a method includes creating a set of network related indicators of compromise at a computing device, the set associated with a malicious network operation, identifying at the computing device, samples comprising at least one of the indicators of compromise in the set, creating sub-clusters of the samples at the computing device, and selecting at the computing device, one of the samples from the sub-clusters for additional analysis, wherein results of the analysis provide information for use in malware detection. An apparatus and logic are also disclosed herein.Type: GrantFiled: November 6, 2015Date of Patent: July 3, 2018Assignee: Cisco Technology, Inc.Inventors: Jan Stiborek, Martin Rehak
-
Patent number: 9888020Abstract: In an embodiment, a method, performed by processors of a computing device for creating and storing clusters of incident data records based on behavioral characteristic values in the records and origin characteristic values in the records, the method comprising: receiving a plurality of input incident data records comprising sets of attribute values; identifying two or more first incident data records that have a particular behavioral characteristic value; using a malicious incident behavioral data table that maps sets of behavioral characteristic values to identifiers of malicious acts in the network, and a plurality of comparison operations using the malicious incident behavioral data table and the two or more first incident data records, determining whether any of the two or more first incident data records are malicious; and if so, creating a similarity behavioral cluster record that includes the two or more first incident data records.Type: GrantFiled: August 8, 2016Date of Patent: February 6, 2018Assignee: Cisco Technology, Inc.Inventors: Karel Bartos, Martin Rehak, Michal Sofka
-
Patent number: 9813442Abstract: In one embodiment, a method includes receiving client-server connection data for clients and servers, the data including IP addresses corresponding to the servers, for each one of a plurality of IP address pairs performing a statistical test to determine whether the IP addresses in the one IP address pair are related by common clients based on the number of the clients connecting to each of the IP addresses in the one IP address pair, generating a graph including a plurality of vertices and edges, each of the vertices corresponding to a different IP address, each edge corresponding to a different IP address pair determined to be related by common clients in the statistical test, and clustering the vertices yielding clusters, a subset of the IP addresses in one of the clusters providing an indication of the IP addresses of the servers serving a same application.Type: GrantFiled: February 1, 2017Date of Patent: November 7, 2017Assignee: Cisco Technology, Inc.Inventors: Jan Jusko, Tomas Pevny, Martin Rehak
-
Publication number: 20170295187Abstract: In one embodiment, a security device identifies, from monitored network traffic of one or more users, one or more suspicious domain names as candidate domains, the one or more suspicious domain names identified based on an occurrence of linguistic units used in discovered domain names within the monitored network traffic. The security device may then determine one or more features of the candidate domains, and confirms certain domains of the candidate domains as malicious domains using a parameterized classifier against the one or more features.Type: ApplicationFiled: April 6, 2016Publication date: October 12, 2017Inventors: Jiri Havelka, Michal Sofka, Martin Rehák
-
Publication number: 20170155668Abstract: Identifying malicious communications by generating data representative of network traffic based on adaptive sampling includes, at a computing device having connectivity to a network, obtaining a set of data flows representing network traffic between one or more nodes in the network and one or more domains outside of the network, wherein each data flow in the set of data flows includes a plurality of data packets. One or more features are extracted from the set of data flows based on statistical measurements of the set of data flows. The set of data flows are adaptively sampled based on at least the one or more features. Then, data representative of the network traffic is generated based on the adaptively sampling to identify malicious communication channels in the network traffic.Type: ApplicationFiled: December 1, 2015Publication date: June 1, 2017Inventors: Karel Bartos, Martin Rehak
-
Publication number: 20170142151Abstract: In one embodiment, a method includes receiving client-server connection data for clients and servers, the data including IP addresses corresponding to the servers, for each one of a plurality of IP address pairs performing a statistical test to determine whether the IP addresses in the one IP address pair are related by common clients based on the number of the clients connecting to each of the IP addresses in the one IP address pair, generating a graph including a plurality of vertices and edges, each of the vertices corresponding to a different IP address, each edge corresponding to a different IP address pair determined to be related by common clients in the statistical test, and clustering the vertices yielding clusters, a subset of the IP addresses in one of the clusters providing an indication of the IP addresses of the servers serving a same application.Type: ApplicationFiled: February 1, 2017Publication date: May 18, 2017Inventors: Jan JUSKO, Tomas Pevny, Martin Rehak
-
Patent number: 9596321Abstract: In one embodiment, a method includes receiving client-server connection data for clients and servers, the data including IP addresses corresponding to the servers, for each one of a plurality of IP address pairs performing a statistical test to determine whether the IP addresses in the one IP address pair are related by common clients based on the number of the clients connecting to each of the IP addresses in the one IP address pair, generating a graph including a plurality of vertices and edges, each of the vertices corresponding to a different IP address, each edge corresponding to a different IP address pair determined to be related by common clients in the statistical test, and clustering the vertices yielding clusters, a subset of the IP addresses in one of the clusters providing an indication of the IP addresses of the servers serving a same application.Type: GrantFiled: June 24, 2015Date of Patent: March 14, 2017Assignee: Cisco Technology, Inc.Inventors: Jan Jusko, Tomas Pevny, Martin Rehak
-
Publication number: 20160381183Abstract: In one embodiment, a method includes receiving client-server connection data for clients and servers, the data including IP addresses corresponding to the servers, for each one of a plurality of IP address pairs performing a statistical test to determine whether the IP addresses in the one IP address pair are related by common clients based on the number of the clients connecting to each of the IP addresses in the one IP address pair, generating a graph including a plurality of vertices and edges, each of the vertices corresponding to a different IP address, each edge corresponding to a different IP address pair determined to be related by common clients in the statistical test, and clustering the vertices yielding clusters, a subset of the IP addresses in one of the clusters providing an indication of the IP addresses of the servers serving a same application.Type: ApplicationFiled: June 24, 2015Publication date: December 29, 2016Inventors: Jan JUSKO, Tomas Pevny, Martin Rehak
-
Patent number: 9531742Abstract: In one embodiment a method, system and apparatus is described for detecting a malicious network connection, the method system and apparatus including determining, for each connection over a network, if each connection is a persistent connection, if, as a result of the determining, a first connection is determined to be a persistent connection, collecting connection statistics for the first connection, creating a feature vector for the first connection based on the collected statistics, performing outlier detection for all of the feature vector for all connections over a network which have been determined to be persistent connections, and reporting detected outliers. Related methods, systems and apparatus are also described.Type: GrantFiled: April 10, 2016Date of Patent: December 27, 2016Assignee: Cisco Technology, Inc.Inventors: Jan Kohout, Jan Jusko, Tomas Pevny, Martin Rehak
-
Publication number: 20160344757Abstract: In an embodiment, a method, performed by processors of a computing device for creating and storing clusters of incident data records based on behavioral characteristic values in the records and origin characteristic values in the records, the method comprising: receiving a plurality of input incident data records comprising sets of attribute values; identifying two or more first incident data records that have a particular behavioral characteristic value; using a malicious incident behavioral data table that maps sets of behavioral characteristic values to identifiers of malicious acts in the network, and a plurality of comparison operations using the malicious incident behavioral data table and the two or more first incident data records, determining whether any of the two or more first incident data records are malicious; and if so, creating a similarity behavioral cluster record that includes the two or more first incident data records.Type: ApplicationFiled: August 8, 2016Publication date: November 24, 2016Inventors: KAREL BARTOS, MARTIN REHAK, MICHAL SOFKA
-
Patent number: 9432393Abstract: In an embodiment, a method, performed by processors of a computing device for creating and storing clusters of incident data records based on behavioral characteristic values in the records and origin characteristic values in the records, the method comprising: receiving a plurality of input incident data records comprising sets of attribute values; identifying two or more first incident data records that have a particular behavioral characteristic value; using a malicious incident behavioral data table that maps sets of behavioral characteristic values to identifiers of malicious acts in the network, and a plurality of comparison operations using the malicious incident behavioral data table and the two or more first incident data records, determining whether any of the two or more first incident data records are malicious; and if so, creating a similarity behavioral cluster record that includes the two or more first incident data records.Type: GrantFiled: February 3, 2015Date of Patent: August 30, 2016Assignee: Cisco Technology, Inc.Inventors: Karel Bartos, Martin Rehak, Michal Sofka
-
Publication number: 20160226904Abstract: In an embodiment, a method, performed by processors of a computing device for creating and storing clusters of incident data records based on behavioral characteristic values in the records and origin characteristic values in the records, the method comprising: receiving a plurality of input incident data records comprising sets of attribute values; identifying two or more first incident data records that have a particular behavioral characteristic value; using a malicious incident behavioral data table that maps sets of behavioral characteristic values to identifiers of malicious acts in the network, and a plurality of comparison operations using the malicious incident behavioral data table and the two or more first incident data records, determining whether any of the two or more first incident data records are malicious; and if so, creating a similarity behavioral cluster record that includes the two or more first incident data records.Type: ApplicationFiled: February 3, 2015Publication date: August 4, 2016Inventors: KAREL BARTOS, MARTIN REHAK, MICHAL SOFKA
-
Publication number: 20160226902Abstract: In one embodiment a method, system and apparatus is described for detecting a malicious network connection, the method system and apparatus including determining, for each connection over a network, if each connection is a persistent connection, if, as a result of the determining, a first connection is determined to be a persistent connection, collecting connection statistics for the first connection, creating a feature vector for the first connection based on the collected statistics, performing outlier detection for all of the feature vector for all connections over a network which have been determined to be persistent connections, and reporting detected outliers. Related methods, systems and apparatus are also described.Type: ApplicationFiled: April 10, 2016Publication date: August 4, 2016Inventors: Jan KOHOUT, Jan JUSKO, Tomas PEVNY, Martin REHAK
-
Patent number: 9344441Abstract: In one embodiment a method, system and apparatus is described for detecting a malicious network connection, the method system and apparatus including determining, for each connection over a network, if each connection is a persistent connection, if, as a result of the determining, a first connection is determined to be a persistent connection, collecting connection statistics for the first connection, creating a feature vector for the first connection based on the collected statistics, performing outlier detection for all of the feature vector for all connections over a network which have been determined to be persistent connections, and reporting detected outliers. Related methods, systems and apparatus are also described.Type: GrantFiled: September 14, 2014Date of Patent: May 17, 2016Assignee: Cisco Technology, Inc.Inventors: Jan Kohout, Jan Jusko, Tomas Pevny, Martin Rehak
-
Publication number: 20160080404Abstract: In one embodiment a method, system and apparatus is described for detecting a malicious network connection, the method system and apparatus including determining, for each connection over a network, if each connection is a persistent connection, if, as a result of the determining, a first connection is determined to be a persistent connection, collecting connection statistics for the first connection, creating a feature vector for the first connection based on the collected statistics, performing outlier detection for all of the feature vector for all connections over a network which have been determined to be persistent connections, and reporting detected outliers. Related methods, systems and apparatus are also described.Type: ApplicationFiled: September 14, 2014Publication date: March 17, 2016Inventors: Jan KOHOUT, Jan JUSKO, Tomas PEVNY, Martin REHAK