Patents by Inventor TOMAS PEVNY
TOMAS PEVNY has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11936683Abstract: In one embodiment, a device in a network detects an encrypted traffic flow associated with a client in the network. The device captures contextual traffic data regarding the encrypted traffic flow from one or more unencrypted packets associated with the client. The device performs a classification of the encrypted traffic flow by using the contextual traffic data as input to a machine learning-based classifier. The device generates an alert based on the classification of the encrypted traffic flow.Type: GrantFiled: July 26, 2022Date of Patent: March 19, 2024Assignee: CISCO TECHNOLOGY, INC.Inventors: Jan Kohout, Blake Harrell Anderson, Martin Grill, David McGrew, Martin Kopp, Tomas Pevny
-
Patent number: 11700275Abstract: A method comprises receiving, at a network infrastructure device, a flow of packets, determining, using the network infrastructure device and for a first subset of the packets, that the first subset corresponds to a first datagram and determining a first length of the first datagram, determining, using the network infrastructure device and for a second subset of the packets, that the second subset corresponds to a second datagram that was received after the first datagram, and determining a second length of the second datagram, determining, using the network infrastructure device, a duration value between a first arrival time of the first datagram and a second arrival time of the second datagram, sending, to a collector device that is separate from the network infrastructure device, the first length, the second length, and the duration value for analysis.Type: GrantFiled: June 28, 2021Date of Patent: July 11, 2023Assignee: Cisco Technology, Inc.Inventors: David McGrew, Andrew Zawadowskiy, Donovan O'Hara, Saravanan Radhakrishnan, Tomas Pevny, Daniel G. Wing
-
Publication number: 20230104673Abstract: A malware classification system provides improved confidence in explanations of neural network classification outputs using methods such as weighting or masking when training the neural network to train the network on a sample resembling or including the explanation. The explanation in some examples comprises a subset of a hierarchical input vector that is responsible for the neural network's classification output. In another example the neural network has an inner portion inner portion configured to reduce the weight of elements of the output not significantly contributing to the explanation of the output, such as by reducing the weight of as many such outputs to zero as is practical in generating the desired output.Type: ApplicationFiled: October 1, 2021Publication date: April 6, 2023Applicant: Avast Software s.r.o.Inventor: Tomas Pevny
-
Publication number: 20220368720Abstract: In one embodiment, a device in a network detects an encrypted traffic flow associated with a client in the network. The device captures contextual traffic data regarding the encrypted traffic flow from one or more unencrypted packets associated with the client. The device performs a classification of the encrypted traffic flow by using the contextual traffic data as input to a machine learning-based classifier. The device generates an alert based on the classification of the encrypted traffic flow.Type: ApplicationFiled: July 26, 2022Publication date: November 17, 2022Inventors: Jan Kohout, Blake Harrell Anderson, Martin Gril, David Mcgrew, Martin Kopp, Tomas Pevny
-
Patent number: 11451578Abstract: In one embodiment, a device in a network detects an encrypted traffic flow associated with a client in the network. The device captures contextual traffic data regarding the encrypted traffic flow from one or more unencrypted packets associated with the client. The device performs a classification of the encrypted traffic flow by using the contextual traffic data as input to a machine learning-based classifier. The device generates an alert based on the classification of the encrypted traffic flow.Type: GrantFiled: September 23, 2020Date of Patent: September 20, 2022Assignee: Cisco Technology, Inc.Inventors: Jan Kohout, Blake Harrell Anderson, Martin Grill, David McGrew, Martin Kopp, Tomas Pevny
-
Publication number: 20220237289Abstract: A malware classification is generated for an input data set with a human-readable explanation of the classification. An input data set having a hierarchical structure is received in a neural network that has an architecture based on a schema determined from a plurality of second input data sets and that is trained to classify received input data sets into one or more of a plurality of classes. An explanation is provided with the output of the neural network, the explanation comprising a subset of at least one input data set that caused the at least one input data set to be classified into a certain class using the schema of the generated neural network. The explanation may further be derived from the statistical contribution of one or more features of the input data set that caused the at least one input data set to be classified into a certain class.Type: ApplicationFiled: January 27, 2021Publication date: July 28, 2022Applicant: Avast Software s.r.o.Inventors: Tomas Pevny, Viliam Lisy, Branislav Bosansky, Michal Pechoucek, Vaclav Smidl, Petr Somol, Jakub Kroustek, Fabrizio Biondi
-
Publication number: 20210360004Abstract: A method comprises receiving, at a network infrastructure device, a flow of packets, determining, using the network infrastructure device and for a first subset of the packets, that the first subset corresponds to a first datagram and determining a first length of the first datagram, determining, using the network infrastructure device and for a second subset of the packets, that the second subset corresponds to a second datagram that was received after the first datagram, and determining a second length of the second datagram, determining, using the network infrastructure device, a duration value between a first arrival time of the first datagram and a second arrival time of the second datagram, sending, to a collector device that is separate from the network infrastructure device, the first length, the second length, and the duration value for analysis.Type: ApplicationFiled: June 28, 2021Publication date: November 18, 2021Inventors: David McGrew, ANDREW ZAWADOWSKIY, DONOVAN O'HARA, SARAVANAN RADHAKRISHNAN, TOMAS PEVNY, DANIEL G. WING
-
Patent number: 11113397Abstract: In one embodiment, a device disassembles an executable file into assembly instructions. The device maps each of the assembly instructions to a fixed length instruction vector using one-hot encoding and an instruction vocabulary and forms vector representations of blocks of a control flow graph for corresponding functions of the executable file by embedding and aggregating bags of the instruction vectors. The device generates, based on the vector representations of the blocks of the control flow graph, a call graph model of the functions in the executable file. The device forms a vector representation of the executable file based in part on the call graph model. The device determines, based on the vector representation of the executable file, whether the executable file is malware.Type: GrantFiled: May 16, 2019Date of Patent: September 7, 2021Assignee: Cisco Technology, Inc.Inventors: Tomas Pevny, Jan FrancoĢ, Petr Somol
-
Patent number: 11057420Abstract: A method comprises receiving, at a network infrastructure device, a flow of packets, determining, using the network infrastructure device and for a first subset of the packets, that the first subset corresponds to a first datagram and determining a first length of the first datagram, determining, using the network infrastructure device and for a second subset of the packets, that the second subset corresponds to a second datagram that was received after the first datagram, and determining a second length of the second datagram, determining, using the network infrastructure device, a duration value between a first arrival time of the first datagram and a second arrival time of the second datagram, sending, to a collector device that is separate from the network infrastructure device, the first length, the second length, and the duration value for analysis.Type: GrantFiled: March 29, 2019Date of Patent: July 6, 2021Assignee: Cisco Technology, Inc.Inventors: David McGrew, Andrew Zawadowskiy, Donovan O'Hara, Saravanan Radhakrishnan, Tomas Pevny, Daniel G. Wing
-
Patent number: 10904271Abstract: In one embodiment, a device analyzes network traffic data using a clustering process, to identify a cluster of addresses associated with the network traffic data for which the associated network traffic has similar behavioral characteristics. The device calculates a set of rankings for the cluster by comparing the cluster to different sets of malicious addresses. The device aggregates the set of rankings into a final ranking by setting the rankings in the set as current rankings and iteratively calculating an average of any subset of the current rankings that comprises correlated rankings. The calculated average replaces the rankings in the subset as a current ranking. When none of the current rankings are correlated, the device performs an aggregation across all of the current rankings to form the final ranking. The device provides data indicative of the cluster for review by a supervisor, based on the final ranking.Type: GrantFiled: October 20, 2017Date of Patent: January 26, 2021Assignee: Cisco Technology, Inc.Inventors: Jan Jusko, Jan Stiborek, Tomas Pevny
-
Publication number: 20210006589Abstract: In one embodiment, a device in a network detects an encrypted traffic flow associated with a client in the network. The device captures contextual traffic data regarding the encrypted traffic flow from one or more unencrypted packets associated with the client. The device performs a classification of the encrypted traffic flow by using the contextual traffic data as input to a machine learning-based classifier. The device generates an alert based on the classification of the encrypted traffic flow.Type: ApplicationFiled: September 23, 2020Publication date: January 7, 2021Inventors: Jan Kohout, Blake Harrell Anderson, Martin Grill, David McGrew, Martin Kopp, Tomas Pevny
-
Patent number: 10855698Abstract: In one embodiment, a device obtains simulation environment data regarding traffic generated within a simulation environment in which malware is executed. The device trains a malware detector using the simulation environment data. The device obtains deployment environment characteristics of a network to which the malware detector is to be deployed. The device configures the malware detector to ignore data in the simulation environment data that is associated with one or more environment characteristics that are not present in the deployment environment characteristics.Type: GrantFiled: December 22, 2017Date of Patent: December 1, 2020Assignee: Cisco Technology, Inc.Inventors: Blake Harrell Anderson, Martin Rehak, David McGrew, Martin Vejman, Tomas Pevny, Martin Grill, Jan Kohout
-
Publication number: 20200364334Abstract: In one embodiment, a device disassembles an executable file into assembly instructions. The device maps each of the assembly instructions to a fixed length instruction vector using one-hot encoding and an instruction vocabulary and forms vector representations of blocks of a control flow graph for corresponding functions of the executable file by embedding and aggregating bags of the instruction vectors. The device generates, based on the vector representations of the blocks of the control flow graph, a call graph model of the functions in the executable file. The device forms a vector representation of the executable file based in part on the call graph model. The device determines, based on the vector representation of the executable file, whether the executable file is malware.Type: ApplicationFiled: May 16, 2019Publication date: November 19, 2020Inventors: Tomas Pevny, Jan Francu, Petr Somol
-
Patent number: 10805338Abstract: In one embodiment, a device in a network detects an encrypted traffic flow associated with a client in the network. The device captures contextual traffic data regarding the encrypted traffic flow from one or more unencrypted packets associated with the client. The device performs a classification of the encrypted traffic flow by using the contextual traffic data as input to a machine learning-based classifier. The device generates an alert based on the classification of the encrypted traffic flow.Type: GrantFiled: October 6, 2016Date of Patent: October 13, 2020Assignee: Cisco Technology, Inc.Inventors: Jan Kohout, Blake Harrell Anderson, Martin Grill, David McGrew, Martin Kopp, Tomas Pevny
-
Patent number: 10785247Abstract: In one embodiment, a device in a network identifies an set of services of a domain accessed by a plurality of users in the network. The device generates a service usage model for the domain based on the set of services accessed by the plurality of users. The service usage model models usage of the services of the domain by the plurality of users. The device trains a machine learning-based classifier to analyze traffic in the network using a set of training feature vectors. A particular training feature vector includes data indicative of service usage by one of the users for the domain and the modeled usage of the services of the domain by the plurality of users. The device causes classification of traffic in the network associated with a particular user by the trained machine learning-based classifier.Type: GrantFiled: January 24, 2017Date of Patent: September 22, 2020Assignee: Cisco Technology, Inc.Inventors: Ivan Nikolaev, Tomas Pevny
-
Patent number: 10708284Abstract: In one embodiment, a device in a network maintains a plurality of machine learning-based detectors for an intrusion detection system. Each detector is associated with a different portion of a feature space of traffic characteristics assessed by the intrusion detection system. The device provides data regarding the plurality of detectors to a user interface. The device receives an adjustment instruction from the user interface based on the data provided to the user interface regarding the plurality of detectors. The device adjusts the portions of the feature space associated with the plurality of detectors based on the adjustment instruction received from the user interface.Type: GrantFiled: July 7, 2017Date of Patent: July 7, 2020Assignee: Cisco Technology, Inc.Inventors: Martin Kopp, Petr Somol, Tomas Pevny, David McGrew
-
Patent number: 10491614Abstract: Detecting illegitimate typosquatting with Internet Protocol (IP) information includes, at a computing device having connectivity to a network, obtaining a list of domains and filtering the list to generate a list of monitored domain strings. IP information is passively determined for domains associated with each of the monitored domain strings. A domain requested in network traffic for the network is identified as a candidate typosquatting domain and the candidate typosquatting domain is determined to be an illegitimate typosquatting domain based at least on the IP information. An action is initiated related to the illegitimate typosquatting domain.Type: GrantFiled: August 25, 2016Date of Patent: November 26, 2019Assignee: Cisco Technology, Inc.Inventors: Martin Grill, Jan Kohout, Martin Kopp, Tomas Pevny
-
Patent number: 10375143Abstract: Presented herein are techniques for classifying devices as being infected with malware based on learned indicators of compromise. A method includes receiving at a security analysis device, traffic flows from a plurality of entities destined for a plurality of users, aggregating the traffic flows into discrete bags of traffic, wherein the bags of traffic comprise a plurality of flows of traffic for a given user over a predetermined period of time, extracting features from the bags of traffic and aggregating the features into per-flow feature vectors, aggregating the per-flow feature vectors into per-destination domain aggregated vectors, combining the per-destination-domain aggregated vectors into a per-user aggregated vector, and classifying a computing device used by a given user as infected with malware when indicators of compromise detected in the bags of traffic indicate that the per-user aggregated vector for the given user includes suspicious features among the extracted features.Type: GrantFiled: August 26, 2016Date of Patent: August 6, 2019Assignee: Cisco Technology, Inc.Inventors: Tomas Pevny, Petr Somol
-
Publication number: 20190230095Abstract: A method comprises receiving, at a network infrastructure device, a flow of packets, determining, using the network infrastructure device and for a first subset of the packets, that the first subset corresponds to a first datagram and determining a first length of the first datagram, determining, using the network infrastructure device and for a second subset of the packets, that the second subset corresponds to a second datagram that was received after the first datagram, and determining a second length of the second datagram, determining, using the network infrastructure device, a duration value between a first arrival time of the first datagram and a second arrival time of the second datagram, sending, to a collector device that is separate from the network infrastructure device, the first length, the second length, and the duration value for analysis.Type: ApplicationFiled: March 29, 2019Publication date: July 25, 2019Inventors: DAVID MCGREW, ANDREW ZAWADOWSKIY, DONOVAN O'HARA, SARAVANAN RADHAKRISHNAN, TOMAS PEVNY, DANIEL G. WING
-
Publication number: 20190199739Abstract: In one embodiment, a device obtains simulation environment data regarding traffic generated within a simulation environment in which malware is executed. The device trains a malware detector using the simulation environment data. The device obtains deployment environment characteristics of a network to which the malware detector is to be deployed. The device configures the malware detector to ignore data in the simulation environment data that is associated with one or more environment characteristics that are not present in the deployment environment characteristics.Type: ApplicationFiled: December 22, 2017Publication date: June 27, 2019Inventors: Blake Harrell Anderson, Martin Rehak, David McGrew, Martin Vejman, Tomas Pevny, Martin Grill, Jan Kohout