Patents by Inventor Petr Somol
Petr Somol has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20240106836Abstract: In one embodiment, a device obtains input features for a neural network-based model. The device pre-defines a set of neurons of the model to represent known behaviors associated with the input features. The device constrains weights for a plurality of outputs of the model. The device trains the neural network-based model using the constrained weights for the plurality of outputs of the model and by excluding the pre-defined set of neurons from updates during the training.Type: ApplicationFiled: July 24, 2023Publication date: March 28, 2024Inventors: Petr Somol, Martin Kopp, Jan Kohout, Jan Brabec, Marc René Jacques Marie Dupont, Cenek Skarda, Lukas Bajer, Danila Khikhlukha
-
Patent number: 11750621Abstract: In one embodiment, a device obtains input features for a neural network-based model. The device pre-defines a set of neurons of the model to represent known behaviors associated with the input features. The device constrains weights for a plurality of outputs of the model. The device trains the neural network-based model using the constrained weights for the plurality of outputs of the model and by excluding the pre-defined set of neurons from updates during the training.Type: GrantFiled: March 26, 2020Date of Patent: September 5, 2023Assignee: Cisco Technology, Inc.Inventors: Petr Somol, Martin Kopp, Jan Kohout, Jan Brabec, Marc René Jacques Marie Dupont, Cenek Skarda, Lukas Bajer, Danila Khikhlukha
-
Publication number: 20220237289Abstract: A malware classification is generated for an input data set with a human-readable explanation of the classification. An input data set having a hierarchical structure is received in a neural network that has an architecture based on a schema determined from a plurality of second input data sets and that is trained to classify received input data sets into one or more of a plurality of classes. An explanation is provided with the output of the neural network, the explanation comprising a subset of at least one input data set that caused the at least one input data set to be classified into a certain class using the schema of the generated neural network. The explanation may further be derived from the statistical contribution of one or more features of the input data set that caused the at least one input data set to be classified into a certain class.Type: ApplicationFiled: January 27, 2021Publication date: July 28, 2022Applicant: Avast Software s.r.o.Inventors: Tomas Pevny, Viliam Lisy, Branislav Bosansky, Michal Pechoucek, Vaclav Smidl, Petr Somol, Jakub Kroustek, Fabrizio Biondi
-
Patent number: 11374944Abstract: In one embodiment, a network security service forms, for each of a plurality of malware classes, a feature vector descriptor for the malware class. The service uses the feature vector descriptors for the malware classes and a symmetric mapping function to generate a training dataset having both positively and negatively labeled feature vectors. The service trains, using the training dataset, an instant threat detector to determine whether telemetry data for a particular traffic flow is within a threshold of similarity to a feature vector descriptor for a new malware class that was not part of the plurality of malware classes.Type: GrantFiled: December 19, 2018Date of Patent: June 28, 2022Assignee: Cisco Technology, Inc.Inventors: Tomas Komarek, Petr Somol
-
Patent number: 11271833Abstract: In one embodiment, a device groups feature vectors representing network traffic flows into bags. The device forms a bag representation of a particular one of the bags by aggregating the feature vectors in the particular bag. The device extends one or more feature vectors in the particular bag with the bag representation. The extended one or more feature vectors are positive examples of a classification label for the network traffic. The device trains a network traffic classifier using training data that comprises the one or more feature vectors extended with the bag representation.Type: GrantFiled: October 23, 2017Date of Patent: March 8, 2022Assignee: Cisco Technology, Inc.Inventors: Tomas Komarek, Martin Vejman, Petr Somol
-
Patent number: 11271954Abstract: Presented herein are techniques for classifying devices as being infected with malware based on learned indicators of compromise. A method includes receiving, at a security analysis device, a set of feature vectors extracted from one or more flows of traffic to domains for a given user in a network during a period of time. The security analysis device analyzes the feature vectors included in the set of feature vectors with a set of operators to generate a set of per-flow vectors for the given user. Based on the set of per-flow vectors for the user, the security analysis device generates a single behavioral vector representative of the given user. The security analysis device classifies a computing device associated with the given user based on the single behavioral vector and at least one of known information or other behavioral vectors for other users.Type: GrantFiled: July 14, 2017Date of Patent: March 8, 2022Assignee: CISCO TECHNOLOGY, INC.Inventors: Tomá{hacek over (s)} Komárek, Petr Somol
-
Publication number: 20210306350Abstract: In one embodiment, a device obtains input features for a neural network-based model. The device pre-defines a set of neurons of the model to represent known behaviors associated with the input features. The device constrains weights for a plurality of outputs of the model. The device trains the neural network-based model using the constrained weights for the plurality of outputs of the model and by excluding the pre-defined set of neurons from updates during the training.Type: ApplicationFiled: March 26, 2020Publication date: September 30, 2021Inventors: Petr Somol, Martin Kopp, Jan Kohout, Jan Brabec, Marc René Jacques Marie Dupont, Cenek Skarda, Lukas Bajer, Danila Khikhlukha
-
Patent number: 11113397Abstract: In one embodiment, a device disassembles an executable file into assembly instructions. The device maps each of the assembly instructions to a fixed length instruction vector using one-hot encoding and an instruction vocabulary and forms vector representations of blocks of a control flow graph for corresponding functions of the executable file by embedding and aggregating bags of the instruction vectors. The device generates, based on the vector representations of the blocks of the control flow graph, a call graph model of the functions in the executable file. The device forms a vector representation of the executable file based in part on the call graph model. The device determines, based on the vector representation of the executable file, whether the executable file is malware.Type: GrantFiled: May 16, 2019Date of Patent: September 7, 2021Assignee: Cisco Technology, Inc.Inventors: Tomas Pevny, Jan Franco̊, Petr Somol
-
Patent number: 10867036Abstract: In one embodiment, a device divides groups of tuples of traffic characteristics of encrypted network traffic into different pairs of the characteristics. Each of the pairs has a corresponding two dimensional (2-D) feature subspace. The device discretizes the 2-D feature subspaces, to form a plurality of bins in each feature subspace. The device assigns the pairs of the traffic characteristics in a particular group of tuples to the bins in the discretized 2-D feature subspaces. The device forms, for each group of tuples, a vector representation of the group of tuples based on the bins in the discretized 2-D feature subspaces to which the pairs of the traffic characteristics from the group are assigned. The vector representations of the groups of tuples are of a fixed dimension. The device uses the vector representations of the groups of tuples to train a machine learning-based traffic classifier.Type: GrantFiled: October 12, 2017Date of Patent: December 15, 2020Assignee: Cisco Technology, Inc.Inventors: Tomas Komarek, Petr Somol
-
Publication number: 20200364334Abstract: In one embodiment, a device disassembles an executable file into assembly instructions. The device maps each of the assembly instructions to a fixed length instruction vector using one-hot encoding and an instruction vocabulary and forms vector representations of blocks of a control flow graph for corresponding functions of the executable file by embedding and aggregating bags of the instruction vectors. The device generates, based on the vector representations of the blocks of the control flow graph, a call graph model of the functions in the executable file. The device forms a vector representation of the executable file based in part on the call graph model. The device determines, based on the vector representation of the executable file, whether the executable file is malware.Type: ApplicationFiled: May 16, 2019Publication date: November 19, 2020Inventors: Tomas Pevny, Jan Francu, Petr Somol
-
Patent number: 10708284Abstract: In one embodiment, a device in a network maintains a plurality of machine learning-based detectors for an intrusion detection system. Each detector is associated with a different portion of a feature space of traffic characteristics assessed by the intrusion detection system. The device provides data regarding the plurality of detectors to a user interface. The device receives an adjustment instruction from the user interface based on the data provided to the user interface regarding the plurality of detectors. The device adjusts the portions of the feature space associated with the plurality of detectors based on the adjustment instruction received from the user interface.Type: GrantFiled: July 7, 2017Date of Patent: July 7, 2020Assignee: Cisco Technology, Inc.Inventors: Martin Kopp, Petr Somol, Tomas Pevny, David McGrew
-
Publication number: 20200204569Abstract: In one embodiment, a network security service forms, for each of a plurality of malware classes, a feature vector descriptor for the malware class. The service uses the feature vector descriptors for the malware classes and a symmetric mapping function to generate a training dataset having both positively and negatively labeled feature vectors. The service trains, using the training dataset, an instant threat detector to determine whether telemetry data for a particular traffic flow is within a threshold of similarity to a feature vector descriptor for a new malware class that was not part of the plurality of malware classes.Type: ApplicationFiled: December 19, 2018Publication date: June 25, 2020Inventors: Tomas Komarek, Petr Somol
-
Patent number: 10375143Abstract: Presented herein are techniques for classifying devices as being infected with malware based on learned indicators of compromise. A method includes receiving at a security analysis device, traffic flows from a plurality of entities destined for a plurality of users, aggregating the traffic flows into discrete bags of traffic, wherein the bags of traffic comprise a plurality of flows of traffic for a given user over a predetermined period of time, extracting features from the bags of traffic and aggregating the features into per-flow feature vectors, aggregating the per-flow feature vectors into per-destination domain aggregated vectors, combining the per-destination-domain aggregated vectors into a per-user aggregated vector, and classifying a computing device used by a given user as infected with malware when indicators of compromise detected in the bags of traffic indicate that the per-user aggregated vector for the given user includes suspicious features among the extracted features.Type: GrantFiled: August 26, 2016Date of Patent: August 6, 2019Assignee: Cisco Technology, Inc.Inventors: Tomas Pevny, Petr Somol
-
Patent number: 10320823Abstract: Data is collected from a database arrangement about behavior of observed entities, wherein the collected data includes one or more features associated with the observed entities. A probabilistic model is determined that correlates the one or more features with malicious and/or benign behavior of the observed entities. Data is collected from the database arrangement for unobserved entities that have at least one common feature with at least one of the observed entities. One of the unobserved entities is determined to be a malicious entity based on the at least one common feature and the probabilistic model. Network policies are applied to packets sent from the malicious entity.Type: GrantFiled: September 3, 2015Date of Patent: June 11, 2019Assignee: Cisco Technology, Inc.Inventors: Vojt{hacek over (e)}ch Létal, Tomá{hacek over (s)} Pevný, Petr Somol
-
Publication number: 20190123982Abstract: In one embodiment, a device groups feature vectors representing network traffic flows into bags. The device forms a bag representation of a particular one of the bags by aggregating the feature vectors in the particular bag. The device extends one or more feature vectors in the particular bag with the bag representation. The extended one or more feature vectors are positive examples of a classification label for the network traffic. The device trains a network traffic classifier using training data that comprises the one or more feature vectors extended with the bag representation.Type: ApplicationFiled: October 23, 2017Publication date: April 25, 2019Inventors: Tomas Komarek, Martin Vejman, Petr Somol
-
Publication number: 20190114416Abstract: In one embodiment, a device divides groups of tuples of traffic characteristics of encrypted network traffic into different pairs of the characteristics. Each of the pairs has a corresponding two dimensional (2-D) feature subspace. The device discretizes the 2-D feature subspaces, to form a plurality of bins in each feature subspace. The device assigns the pairs of the traffic characteristics in a particular group of tuples to the bins in the discretized 2-D feature subspaces. The device forms, for each group of tuples, a vector representation of the group of tuples based on the bins in the discretized 2-D feature subspaces to which the pairs of the traffic characteristics from the group are assigned. The vector representations of the groups of tuples are of a fixed dimension. The device uses the vector representations of the groups of tuples to train a machine learning-based traffic classifier.Type: ApplicationFiled: October 12, 2017Publication date: April 18, 2019Inventors: Tomas Komarek, Petr Somol
-
Publication number: 20190020671Abstract: Presented herein are techniques for classifying devices as being infected with malware based on learned indicators of compromise. A method includes receiving, at a security analysis device, a set of feature vectors extracted from one or more flows of traffic to domains for a given user in a network during a period of time. The security analysis device analyzes the feature vectors included in the set of feature vectors with a set of operators to generate a set of per-flow vectors for the given user. Based on the set of per-flow vectors for the user, the security analysis device generates a single behavioral vector representative of the given user. The security analysis device classifies a computing device associated with the given user based on the single behavioral vector and at least one of known information or other behavioral vectors for other users.Type: ApplicationFiled: July 14, 2017Publication date: January 17, 2019Inventors: Tomá{hacek over (s)} Komárek, Petr Somol
-
Publication number: 20190014134Abstract: In one embodiment, a device in a network maintains a plurality of machine learning-based detectors for an intrusion detection system. Each detector is associated with a different portion of a feature space of traffic characteristics assessed by the intrusion detection system. The device provides data regarding the plurality of detectors to a user interface. The device receives an adjustment instruction from the user interface based on the data provided to the user interface regarding the plurality of detectors. The device adjusts the portions of the feature space associated with the plurality of detectors based on the adjustment instruction received from the user interface.Type: ApplicationFiled: July 7, 2017Publication date: January 10, 2019Inventors: Martin Kopp, Petr Somol, Tomas Pevny, David McGrew
-
Patent number: 9992216Abstract: Identifying malicious executables by analyzing proxy logs includes, at a server having connectivity to the Internet, retrieving sets of proxy logs from a plurality of proxy servers. Each proxy server of the plurality of proxy servers is associated with a network and generates network traffic logs for one or more nodes included in the network. Then, a set of executables hosted by each of the one or more nodes associated with each of the plurality of proxy servers is determined. Each set of executables is analyzed to detect a specific executable and portions of each of the network traffic logs that are associated with the specific executable are identified. An alert is generated indicating the portions of each of the network traffic logs as likely to be associated with the specific executable.Type: GrantFiled: February 10, 2016Date of Patent: June 5, 2018Assignee: Cisco Technology, Inc.Inventors: Tomas Pevny, Petr Somol
-
Publication number: 20180063163Abstract: Presented herein are techniques for classifying devices as being infected with malware based on learned indicators of compromise. A method includes receiving at a security analysis device, traffic flows from a plurality of entities destined for a plurality of users, aggregating the traffic flows into discrete bags of traffic, wherein the bags of traffic comprise a plurality of flows of traffic for a given user over a predetermined period of time, extracting features from the bags of traffic and aggregating the features into per-flow feature vectors, aggregating the per-flow feature vectors into per-destination domain aggregated vectors, combining the per-destination-domain aggregated vectors into a per-user aggregated vector, and classifying a computing device used by a given user as infected with malware when indicators of compromise detected in the bags of traffic indicate that the per-user aggregated vector for the given user includes suspicious features among the extracted features.Type: ApplicationFiled: August 26, 2016Publication date: March 1, 2018Inventors: Tomas Pevny, Petr Somol