Patents by Inventor Martin Vejman
Martin Vejman has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20230129786Abstract: In one embodiment, a service receives traffic telemetry data regarding encrypted traffic sent by an endpoint device in a network. The service analyzes the traffic telemetry data to infer characteristics of an application on the endpoint device that generated the encrypted traffic. The service receives, from a monitoring agent on the endpoint device, application telemetry data regarding the application. The service determines that the application is evasive malware based on the characteristics of the application inferred from the traffic telemetry data and on the application telemetry data received from the monitoring agent on the endpoint device. The service initiates performance of a mitigation action in the network, after determining that the application on the endpoint device is evasive malware.Type: ApplicationFiled: December 23, 2022Publication date: April 27, 2023Inventors: Blake Harrell Anderson, David McGrew, Vincent E. Parla, Jan Jusko, Martin Grill, Martin Vejman
-
Patent number: 11539721Abstract: In one embodiment, a service receives traffic telemetry data regarding encrypted traffic sent by an endpoint device in a network. The service analyzes the traffic telemetry data to infer characteristics of an application on the endpoint device that generated the encrypted traffic. The service receives, from a monitoring agent on the endpoint device, application telemetry data regarding the application. The service determines that the application is evasive malware based on the characteristics of the application inferred from the traffic telemetry data and on the application telemetry data received from the monitoring agent on the endpoint device. The service initiates performance of a mitigation action in the network, after determining that the application on the endpoint device is evasive malware.Type: GrantFiled: June 25, 2020Date of Patent: December 27, 2022Assignee: Cisco Technology, Inc.Inventors: Blake Harrell Anderson, David McGrew, Vincent E. Parla, Jan Jusko, Martin Grill, Martin Vejman
-
Patent number: 11271833Abstract: In one embodiment, a device groups feature vectors representing network traffic flows into bags. The device forms a bag representation of a particular one of the bags by aggregating the feature vectors in the particular bag. The device extends one or more feature vectors in the particular bag with the bag representation. The extended one or more feature vectors are positive examples of a classification label for the network traffic. The device trains a network traffic classifier using training data that comprises the one or more feature vectors extended with the bag representation.Type: GrantFiled: October 23, 2017Date of Patent: March 8, 2022Assignee: Cisco Technology, Inc.Inventors: Tomas Komarek, Martin Vejman, Petr Somol
-
Patent number: 11233703Abstract: Techniques for enriching encrypted traffic analytics are presented. In one embodiment, a method includes obtaining telemetry data for one or more domains within a network. The telemetry data includes both encrypted traffic analytics information and traffic flow information associated with the network traffic. For each domain of the one or more domains, the method also includes generating a model comprising a mapping from a plurality of traffic flow information features to at least one encrypted traffic analytics feature. The method includes generating a database comprising generated models for each of the domains and obtaining telemetry data for a target domain that includes traffic flow information, but does not include encrypted traffic analytics information. At least one encrypted traffic analytics feature of the target domain is determined based on a plurality of traffic flow information features of the target domain using the database.Type: GrantFiled: November 20, 2018Date of Patent: January 25, 2022Assignee: CISCO TECHNOLOGY, INC.Inventors: Martin Vejman, Lukas Machlica
-
Patent number: 11201877Abstract: In one embodiment, a device obtains telemetry data for a plurality of encrypted traffic flows observed in a network. The device clusters the flows into observed flow clusters, based on one or more flow-level features of the obtained telemetry data, as well as malware-related traffic telemetry data into malware-related flow clusters. The observed and malware-related telemetry data are indicative of sequence of packet lengths and times (SPLT) information for the traffic flows. The device samples sets of flows from the observed and malware-related flow clusters, with each set including at least one flow from an observed flow cluster and at least one flow from a malware-related flow cluster. The device trains a deep learning neural network to determine whether a particular encrypted traffic flow is malware-related, by using the SPLT information for the sampled sets of traffic flows as input to an input layer of neurons of the deep network.Type: GrantFiled: December 11, 2018Date of Patent: December 14, 2021Assignee: Cisco Technology, Inc.Inventors: Karel Bartos, Martin Vejman
-
Patent number: 10855698Abstract: In one embodiment, a device obtains simulation environment data regarding traffic generated within a simulation environment in which malware is executed. The device trains a malware detector using the simulation environment data. The device obtains deployment environment characteristics of a network to which the malware detector is to be deployed. The device configures the malware detector to ignore data in the simulation environment data that is associated with one or more environment characteristics that are not present in the deployment environment characteristics.Type: GrantFiled: December 22, 2017Date of Patent: December 1, 2020Assignee: Cisco Technology, Inc.Inventors: Blake Harrell Anderson, Martin Rehak, David McGrew, Martin Vejman, Tomas Pevny, Martin Grill, Jan Kohout
-
Publication number: 20200329059Abstract: In one embodiment, a service receives traffic telemetry data regarding encrypted traffic sent by an endpoint device in a network. The service analyzes the traffic telemetry data to infer characteristics of an application on the endpoint device that generated the encrypted traffic. The service receives, from a monitoring agent on the endpoint device, application telemetry data regarding the application. The service determines that the application is evasive malware based on the characteristics of the application inferred from the traffic telemetry data and on the application telemetry data received from the monitoring agent on the endpoint device. The service initiates performance of a mitigation action in the network, after determining that the application on the endpoint device is evasive malware.Type: ApplicationFiled: June 25, 2020Publication date: October 15, 2020Inventors: Blake Harrell Anderson, David McGrew, Vincent E. Parla, Jan Jusko, Martin Grill, Martin Vejman
-
Patent number: 10735441Abstract: In one embodiment, a service receives traffic telemetry data regarding encrypted traffic sent by an endpoint device in a network. The service analyzes the traffic telemetry data to infer characteristics of an application on the endpoint device that generated the encrypted traffic. The service receives, from a monitoring agent on the endpoint device, application telemetry data regarding the application. The service determines that the application is evasive malware based on the characteristics of the application inferred from the traffic telemetry data and on the application telemetry data received from the monitoring agent on the endpoint device. The service initiates performance of a mitigation action in the network, after determining that the application on the endpoint device is evasive malware.Type: GrantFiled: December 20, 2017Date of Patent: August 4, 2020Assignee: Cisco Technology, Inc.Inventors: Blake Harrell Anderson, David McGrew, Vincent E. Parla, Jan Jusko, Martin Grill, Martin Vejman
-
Publication number: 20200236131Abstract: In one embodiment, an encrypted traffic analytics service captures telemetry data regarding encrypted network traffic associated with a first endpoint device in a network. The encrypted traffic analytics service receives, from the first endpoint device, an indication that a security agent executed on the first endpoint device has detected malware on the first endpoint device. The encrypted traffic analytics service constructs one or more patterns of encrypted traffic using the captured telemetry data from a time period associated with the received indication. The encrypted traffic analytics service uses the one or more patterns of encrypted traffic to detect malware on a second endpoint device by comparing the one or more patterns of encrypted traffic to telemetry data regarding encrypted network traffic associated with the second endpoint device.Type: ApplicationFiled: January 18, 2019Publication date: July 23, 2020Inventors: Martin Vejman, Karel Bartos, Vitek Zlamal
-
Publication number: 20200186547Abstract: In one embodiment, a device obtains telemetry data for a plurality of encrypted traffic flows observed in a network. The device clusters the flows into observed flow clusters, based on one or more flow-level features of the obtained telemetry data, as well as malware-related traffic telemetry data into malware-related flow clusters. The observed and malware-related telemetry data are indicative of sequence of packet lengths and times (SPLT) information for the traffic flows. The device samples sets of flows from the observed and malware-related flow clusters, with each set including at least one flow from an observed flow cluster and at least one flow from a malware-related flow cluster. The device trains a deep learning neural network to determine whether a particular encrypted traffic flow is malware-related, by using the SPLT information for the sampled sets of traffic flows as input to an input layer of neurons of the deep network.Type: ApplicationFiled: December 11, 2018Publication date: June 11, 2020Inventors: Karel Bartos, Martin Vejman
-
Publication number: 20200162339Abstract: Techniques for enriching encrypted traffic analytics are presented. In one embodiment, a method includes obtaining telemetry data for one or more domains within a network. The telemetry data includes both encrypted traffic analytics information and traffic flow information associated with the network traffic. For each domain of the one or more domains, the method also includes generating a model comprising a mapping from a plurality of traffic flow information features to at least one encrypted traffic analytics feature. The method includes generating a database comprising generated models for each of the domains and obtaining telemetry data for a target domain that includes traffic flow information, but does not include encrypted traffic analytics information. At least one encrypted traffic analytics feature of the target domain is determined based on a plurality of traffic flow information features of the target domain using the database.Type: ApplicationFiled: November 20, 2018Publication date: May 21, 2020Inventors: Martin Vejman, Lukas Machlica
-
Patent number: 10523691Abstract: Systems described herein preemptively detect newly registered network domains that are likely to be malicious before network behavior of the domains is actually observed. A network security device (e.g., a router) receives domain registration data that associates network domains with keys and generating a graph representing the domain registration data. Each edge of the graph connects a vertex representing a domain and a vertex representing a registration attribute (e.g., a registrant email address). The network security device identifies a connected component of the graph that meets a graph robustness threshold. The network security device determines whether a domain of the connected component whose behavior has not yet been observed is malicious using a predictive model based on existing maliciousness labels for other domains of the connected component.Type: GrantFiled: January 6, 2017Date of Patent: December 31, 2019Assignee: Cisco Technology, Inc.Inventors: Martin Vejman, Lukas Machlica
-
Patent number: 10375096Abstract: In one embodiment, a device in a network receives domain information from a plurality of traffic flows in the network. The device identifies a particular address from the plurality of traffic flows as part of an onion routing system based on the received domain information. The device distinguishes the particular address during analysis of the traffic flows by a traffic flow analyzer that includes a domain generation algorithm (DGA)-based traffic classifier. The device detects a malicious traffic flow from among the plurality of traffic flows using the traffic flow analyzer. The device causes performance of a mitigation action based on the detected malicious traffic flow.Type: GrantFiled: December 8, 2016Date of Patent: August 6, 2019Assignee: Cisco Technology, Inc.Inventors: Lukas Machlica, Martin Vejman
-
Publication number: 20190199739Abstract: In one embodiment, a device obtains simulation environment data regarding traffic generated within a simulation environment in which malware is executed. The device trains a malware detector using the simulation environment data. The device obtains deployment environment characteristics of a network to which the malware detector is to be deployed. The device configures the malware detector to ignore data in the simulation environment data that is associated with one or more environment characteristics that are not present in the deployment environment characteristics.Type: ApplicationFiled: December 22, 2017Publication date: June 27, 2019Inventors: Blake Harrell Anderson, Martin Rehak, David McGrew, Martin Vejman, Tomas Pevny, Martin Grill, Jan Kohout
-
Publication number: 20190190928Abstract: In one embodiment, a service receives traffic telemetry data regarding encrypted traffic sent by an endpoint device in a network. The service analyzes the traffic telemetry data to infer characteristics of an application on the endpoint device that generated the encrypted traffic. The service receives, from a monitoring agent on the endpoint device, application telemetry data regarding the application. The service determines that the application is evasive malware based on the characteristics of the application inferred from the traffic telemetry data and on the application telemetry data received from the monitoring agent on the endpoint device. The service initiates performance of a mitigation action in the network, after determining that the application on the endpoint device is evasive malware.Type: ApplicationFiled: December 20, 2017Publication date: June 20, 2019Inventors: Blake Harrell Anderson, David McGrew, Vincent E. Parla, Jan Jusko, Martin Grill, Martin Vejman
-
Publication number: 20190123982Abstract: In one embodiment, a device groups feature vectors representing network traffic flows into bags. The device forms a bag representation of a particular one of the bags by aggregating the feature vectors in the particular bag. The device extends one or more feature vectors in the particular bag with the bag representation. The extended one or more feature vectors are positive examples of a classification label for the network traffic. The device trains a network traffic classifier using training data that comprises the one or more feature vectors extended with the bag representation.Type: ApplicationFiled: October 23, 2017Publication date: April 25, 2019Inventors: Tomas Komarek, Martin Vejman, Petr Somol
-
Publication number: 20180198805Abstract: Systems described herein preemptively detect newly registered network domains that are likely to be malicious before network behavior of the domains is actually observed. A network security device (e.g., a router) receives domain registration data that associates network domains with keys and generating a graph representing the domain registration data. Each edge of the graph connects a vertex representing a domain and a vertex representing a registration attribute (e.g., a registrant email address). The network security device identifies a connected component of the graph that meets a graph robustness threshold. The network security device determines whether a domain of the connected component whose behavior has not yet been observed is malicious using a predictive model based on existing maliciousness labels for other domains of the connected component.Type: ApplicationFiled: January 6, 2017Publication date: July 12, 2018Inventors: Martin VEJMAN, Lukas MACHLICA
-
Publication number: 20180167404Abstract: In one embodiment, a device in a network receives domain information from a plurality of traffic flows in the network. The device identifies a particular address from the plurality of traffic flows as part of an onion routing system based on the received domain information. The device distinguishes the particular address during analysis of the traffic flows by a traffic flow analyzer that includes a domain generation algorithm (DGA)-based traffic classifier. The device detects a malicious traffic flow from among the plurality of traffic flows using the traffic flow analyzer. The device causes performance of a mitigation action based on the detected malicious traffic flow.Type: ApplicationFiled: December 8, 2016Publication date: June 14, 2018Inventors: Lukas Machlica, Martin Vejman