Malicious encrypted traffic inhibitor
US-2017223032-A1 · Aug 3, 2017 · US (pre-grant application publication)
US10362373B2 · US · B2 (granted patent)
| Field | Value |
|---|---|
| Publication number | US-10362373-B2 |
| Application number | US-201615083586-A |
| Country | US |
| Kind code | B2 |
| Filing date | Mar 29, 2016 |
| Priority date | Jan 7, 2016 |
| Publication date | Jul 23, 2019 |
| Grant date | Jul 23, 2019 |
Official abstract text for this publication.
In one embodiment, a method includes receiving a flow including a plurality of bytes, each byte having one of a plurality of byte values, determining a byte value distribution metric based on a number of instances of each of the plurality of byte values in the flow, and transmitting telemetry data regarding the flow, the telemetry data including the byte value distribution metric.
Opening claim text (preview).
What is claimed is:

1. A method comprising: at a device configured to operate in a network and including one or more processors and non-transitory memory: receiving an encrypted flow including a plurality of bytes, each of the bytes having one of a plurality of byte values; determining a byte value distribution metric based on a number of instances of each of the plurality of byte values in the encrypted flow, wherein the byte value distribution metric includes a probability distribution comprising a respective plurality of byte value probabilities corresponding to the plurality of byte values; classifying, by a machine learning classifier, the encrypted flow as at least one of a benign flow, a malicious flow, a tunneled flow or a direct flow based on the byte value distribution metric; and transmitting, via the network, telemetry data regarding the encrypted flow for receipt at a system in order to cause a remedial action to be performed at the system based on the telemetry data, the telemetry data including the byte value distribution metric and the classified encrypted flow.

2. The method of claim 1, wherein the byte value probabilities are derived from a normalization of the number of instances of each of the plurality of byte values in the encrypted flow.

3. The method of claim 1, wherein the byte value distribution metric includes a byte value entropy metric.

4. The method of claim 3, wherein the byte value entropy metric includes Shannon's entropy of the probability distribution.

5. The method of claim 1, wherein each one of the byte value probabilities are based on the number of instances of any of two or more of the plurality of byte values in the encrypted flow.

6. The method of claim 1, wherein the encrypted flow includes a plurality of packets and each of the plurality of packets includes a subset of the plurality of bytes.

7. The method of claim 6, wherein the telemetry data further includes at least one of a source IP address of the encrypted flow, a destination IP address of the encrypted flow, a start time of the encrypted flow, a stop time of the encrypted flow, a protocol associated with the encrypted flow, a number of the plurality of bytes, or a number of the plurality of packets.

8. The method of claim 1, wherein the telemetry data further includes cryptographic protocol data.

9. The method of claim 8, wherein the cryptographic protocol data includes at least one of a Transport Layer Security (TLS) version number, one or more ciphersuites offered by a source device, a ciphersuite selected by a destination device, a TLS sequence of record lengths and times, a record type, a handshake type, an extension type, a size of a cryptographic key, or one or more supported elliptical curves and supported point formats.

10. A system comprising: a network interface configured to interface with a network; one or more processors coupled to the network interface; and a non-transitory memory comprising instructions that when executed cause the one or more processors to perform operations comprising: receiving, via the network interface, an encrypted flow including a plurality of bytes, each of the bytes having one of a plurality of byte values; determining from the encrypted flow a byte value distribution metric comprising an array of values, each array value being based on a number of instances of two or more byte values of a defined set of byte values associated with a respective element of the array, wherein the byte value distribution metric includes a probability distribution comprising a respective plurality of byte value probabilities corresponding to the plurality of byte values; classifying, by a machine learning classifier, the encrypted flow as a benign flow, a malicious flow, a tunneled flow or a direct flow based on the byte value distribution metric; and transmitting, via the network interface, telemetry data regarding the encrypted flow for receipt at a system in order to cause a remedial action to be performed at the system based on the telemetry data, the telemetry data including the byte value distribution metric and the classified encrypted flow.
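The abstract and claims describe the metric only in words. The following Python is a worked example added to this page, not code from the patent or from any product implementing it. It carries the claimed pipeline through end to end: count instances of each byte value over every packet of a flow, normalise the counts into a probability distribution (claim 2), take Shannon's entropy of that distribution (claims 3 and 4), fold the 256 values into a smaller array where each element covers several adjacent byte values (claims 5 and 10), and emit a telemetry record with the flow metadata of claim 7. The two sample flows, the IP addresses, the `flag_low_entropy` threshold and all function names are constructed for the example; in particular `flag_low_entropy` is a one-line stand-in for the machine-learning classifier the claims recite, not a reproduction of it.

```python
"""Byte-value-distribution telemetry for an encrypted flow.

Worked example added to this page; not code from the patent or from any
vendor product. Packets, addresses and the threshold are constructed.
"""
import math
import random
from typing import Dict, List


def byte_value_counts(packets: List[bytes]) -> List[int]:
    """Number of instances of each of the 256 byte values across the whole flow."""
    counts = [0] * 256
    for payload in packets:
        for value in payload:
            counts[value] += 1
    return counts


def byte_value_probabilities(counts: List[int]) -> List[float]:
    """Normalise counts into one probability per byte value (claim 2)."""
    total = sum(counts)
    if total == 0:  # empty flow: no bytes, no distribution
        return [0.0] * 256
    return [c / total for c in counts]


def shannon_entropy(probs: List[float]) -> float:
    """Shannon entropy in bits; 8.0 means all 256 values equiprobable (claim 4)."""
    return float(-sum(p * math.log2(p) for p in probs if p > 0.0))


def binned_distribution(counts: List[int], bins: int = 16) -> List[int]:
    """Array in which each element is the count over 256 // bins adjacent
    byte values, i.e. each array value is based on two or more byte values
    (claims 5 and 10)."""
    width = 256 // bins
    return [sum(counts[i * width:(i + 1) * width]) for i in range(bins)]


def flow_telemetry(flow_meta: Dict[str, object], packets: List[bytes]) -> Dict[str, object]:
    """Build the telemetry record a sensor would export for one flow (claim 7)."""
    counts = byte_value_counts(packets)
    probs = byte_value_probabilities(counts)
    record: Dict[str, object] = dict(flow_meta)
    record.update({
        "num_packets": len(packets),
        "num_bytes": sum(len(p) for p in packets),
        "byte_value_entropy": round(shannon_entropy(probs), 4),
        "binned_byte_distribution": binned_distribution(counts),
    })
    return record


def flag_low_entropy(record: Dict[str, object], threshold: float = 6.0) -> bool:
    """Constructed stand-in for the claims' machine-learning classifier:
    a flow whose bytes are far from uniform is worth a second look."""
    return float(record["byte_value_entropy"]) < threshold


# Constructed sample flows (not captured traffic).
# Four packets of seeded pseudo-random bytes, shaped like ciphertext.
_rng = random.Random(1234)
HIGH_ENTROPY_FLOW: List[bytes] = [
    bytes(_rng.getrandbits(8) for _ in range(1024)) for _ in range(4)
]
# Three packets cycling over only four byte values: entropy is exactly 2 bits.
LOW_ENTROPY_FLOW: List[bytes] = [bytes([0, 1, 2, 3]) * 64] * 3

SAMPLE_META: Dict[str, object] = {
    "src_ip": "10.0.0.5",        # constructed address
    "dst_ip": "203.0.113.7",     # constructed address (documentation range)
    "protocol": "tcp/443",
}

if __name__ == "__main__":
    for name, flow in (("high", HIGH_ENTROPY_FLOW), ("low", LOW_ENTROPY_FLOW)):
        rec = flow_telemetry(SAMPLE_META, flow)
        print(name, rec["byte_value_entropy"], flag_low_entropy(rec))
```

One caveat a practitioner should keep in mind when reading the claims: the ciphertext of a correctly implemented cipher is close to uniform whatever it carries, so on a real TLS flow the non-uniform bytes come from the handshake (ClientHello, certificates, extensions), record headers and the record length and timing sequence of claim 9, and the claimed classifier consumes those features alongside the distribution rather than the entropy of the application data alone.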
CPC classification titles:
- using certificates (cryptographic mechanisms or cryptographic arrangements for entity authentication involving certificates, H04L9/3263)
- Arrangements in telecontrol or telemetry systems for selectively calling a substation from a main station, in which substation desired apparatus is selected for applying a control signal thereto or for obtaining measured values therefrom
- using a wired architecture
- wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- at the transport layer