Device detection in network telemetry with TLS fingerprinting

US11245675B2 · US · B2

Patent metadata

Publication number: US-11245675-B2
Application number: US-201916686364-A
Country: US
Kind code: B2
Filing date: Nov 18, 2019
Priority date: Nov 18, 2019
Publication date: Feb 8, 2022
Grant date: Feb 8, 2022


Abstract


In one embodiment, a traffic analysis service obtains telemetry data regarding encrypted traffic associated with a particular device in the network, wherein the telemetry data comprises Transport Layer Security (TLS) features of the traffic. The service determines, based on the TLS features from the obtained telemetry data, a set of one or more TLS fingerprints for the traffic associated with the particular device. The service calculates a measure of similarity between the set of one or more TLS fingerprints for the traffic associated with the particular device and a set of one or more TLS fingerprints of traffic associated with a second device. The service determines, based on the measure of similarity, that the particular device and the second device were operated by the same user.

First claim


What is claimed is:

1. A method comprising: obtaining, by a traffic analysis service, telemetry data regarding encrypted traffic associated with a particular device in a network from an intermediary device through which the encrypted traffic flows between the particular device and another endpoint in the network, wherein the telemetry data comprises Transport Layer Security (TLS) features of the traffic; determining, by the service and based on the TLS features from the obtained telemetry data, a set of one or more TLS fingerprints for the traffic associated with the particular device; calculating, by the service, a measure of similarity between the set of one or more TLS fingerprints for the traffic associated with the particular device and a set of one or more TLS fingerprints of traffic associated with a second device; and determining, by the service and based on the measure of similarity, that the particular device and the second device were operated by the same user.

2. The method as in claim 1, wherein the TLS features of the traffic session comprise at least one of: a ciphersuite or TLS version.

3. The method as in claim 1, wherein calculating the measure of similarity comprises: calculating a Jaccard similarity between the set of one or more TLS fingerprints for the traffic associated with the particular device and the set of one or more TLS fingerprints of traffic associated with the second device.

4. The method as in claim 1, further comprising: determining, based on the measure of similarity and timing information for the traffic associated with the particular device and for the traffic associated with the second device, that the particular device is the second device.

5. The method as in claim 4, further comprising: using, by the service, a behavioral model for the second device to determine whether the telemetry data regarding encrypted traffic associated with a particular device is anomalous.

6. The method as in claim 1, further comprising: associating an Internet Protocol (IP) address of the second device with an IP address of the particular device.

7. The method as in claim 1, wherein calculating the measure of similarity comprises: calculating a histogram-based measure of similarity between the set of one or more TLS fingerprints for the traffic associated with the particular device and the set of one or more TLS fingerprints of traffic associated with the second device.

8. The method as in claim 1, wherein calculating the measure of similarity comprises: modeling a probability of the set of one or more TLS fingerprints for the traffic associated with the particular device given the set of one or more TLS fingerprints of traffic associated with the second device.

9. An apparatus, comprising: one or more network interfaces to communicate with a network; a processor coupled to the network interfaces and configured to execute one or more processes; and a memory configured to store a process executable by the processor, the process when executed configured to: obtain telemetry data regarding encrypted traffic associated with a particular device in a network from an intermediary device through which the encrypted traffic flows between the particular device and another endpoint in the network, wherein the telemetry data comprises Transport Layer Security (TLS) features of the traffic; determine, based on the TLS features from the obtained telemetry data, a set of one or more TLS fingerprints for the traffic associated with the particular device; calculate a measure of similarity between the set of one or more TLS fingerprints for the traffic associated with the particular device and a set of one or more TLS fingerprints of traffic associated with a second device; and determine, based on the measure of similarity, that the particular device and the second device were operated by the same user.

10. The apparatus as in claim 9, wherein the TLS features of the traffic session comprise at least one of: a ciphersuite or TLS version.

11. The apparatus as in claim 9, wherein the apparatus calculates the measure of similarity by: calculating a Jaccard similarity between the set of one or more TLS fingerprints for the traffic associated with the particular device and the set of one or more TLS fingerprints of traffic associated with the second device.

12. The apparatus as in claim 9, wherein the process when executed is further configured to: determine, based on the measure of similarity and timing information for the traffic associated with the particular device and for the traffic associated with the second device, that the particular device is the second device.

13. The apparatus as in claim 12, wherein the process when executed is further configured to: use a behavioral model for the second device to determine whether the telemetry data regarding encrypted traffic associated with a particular device is anomalous.

14. The apparatus as in claim 12, wherein the process when executed is further configured to: associate an Internet Protocol (IP) address of the second device with an IP address of the particular device.

15. The apparatus as in claim 9, wherein the apparatus calculates the measure of similarity by: calculating a histogram-based measure of similarity between the set of one or more TLS fingerprints for the traffic associated with the particular device and the set of one or more TLS fingerprints of traffic associated with the second device.

16. The apparatus as in claim 9, wherein the apparatus calculates the measure of similarity by: modeling a probability of the set of one or more TLS fingerprints for the traffic associated with the particular device given the set of one or more TLS fingerprints of traffic associated with the second device.

17. A tangible, non-transitory, computer-readable medium storing program instructions that cause a traffic analysis service to execute a procedure comprising: obtaining, by the traffic analysis service, telemetry data regarding encrypted traffic associated with a particular device in a network from an intermediary device through which the encrypted traffic flows between the particular device and another endpoint in the network, wherein the telemetry data comprises Transport Layer Security (TLS) features of the traffic; determining, by the service and based on the TLS features from the obtained telemetry data, a set of one or more TLS fingerprints for the traffic associated with the particular device; calculating, by the service, a measure of similarity between the set of one or more TLS fingerprints for the traffic associated with the particular device and a set of one or more TLS fingerprints of traffic associated with a second device; and determining, by the service and based on the measure of similarity, that the particular device and the second device were operated by the same user.

18. The computer-readable medium as in claim 17, wherein the TLS features of the traffic session comprise at least one of: a ciphersuite or TLS version.

19. The computer-readable medium as in claim 17, wherein the procedure further comprises: determining, based on the measure of similarity and timing information for the traffic associated with the particular device and for the traffic associated with the second device, that the particular device is the second device.

20. The computer-readable medium as in claim 17, wherein the procedure further comprises: using, by the service, a behavioral model for the second device to det
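The following is an added illustration of the correlation step the claims describe, not code from the patent or from Cisco: per-device TLS fingerprint sets are built from constructed telemetry records, compared with the set-based Jaccard measure (claim 3) and a histogram-based weighted Jaccard (claim 7), and combined with a timing check (claim 4) to flag an address change by one device. The fingerprint hashing, the record fields, the IP addresses and the 0.5 threshold are all assumptions chosen for the example.

```python
import hashlib
from collections import Counter

# Constructed sample telemetry (not from the patent): one record per observed
# TLS ClientHello, as exported by an intermediary such as a proxy or flow sensor.
TELEMETRY = [
    {"ip": "10.0.0.5",  "ts": 100, "version": "771", "ciphers": "4865-4866-49195", "exts": "0-10-11-13"},
    {"ip": "10.0.0.5",  "ts": 160, "version": "771", "ciphers": "4865-4866-49195", "exts": "0-10-11-13"},
    {"ip": "10.0.0.5",  "ts": 220, "version": "771", "ciphers": "49199-49200",     "exts": "0-10-11"},
    {"ip": "10.0.0.9",  "ts": 900, "version": "771", "ciphers": "4865-4866-49195", "exts": "0-10-11-13"},
    {"ip": "10.0.0.9",  "ts": 930, "version": "771", "ciphers": "4865-4866-49195", "exts": "0-10-11-13"},
    {"ip": "10.0.0.9",  "ts": 950, "version": "771", "ciphers": "49199-49200",     "exts": "0-10-11"},
    {"ip": "10.0.0.9",  "ts": 990, "version": "771", "ciphers": "4865-49195",      "exts": "0-10-11-13"},
    {"ip": "10.0.0.42", "ts": 300, "version": "769", "ciphers": "47-53",           "exts": "0"},
]

def fingerprint(rec):
    """Hash the ClientHello features (version, ciphersuites, extensions) into one id."""
    raw = f"{rec['version']},{rec['ciphers']},{rec['exts']}".encode()
    return hashlib.sha256(raw).hexdigest()[:16]

def fingerprint_counts(records, ip):
    """Histogram of fingerprints observed for the device currently at `ip`."""
    return Counter(fingerprint(r) for r in records if r["ip"] == ip)

def jaccard(a, b):
    """Set similarity (claim 3): |A ∩ B| / |A ∪ B| over distinct fingerprints."""
    sa, sb = set(a), set(b)
    return len(sa & sb) / len(sa | sb) if sa | sb else 0.0

def weighted_jaccard(a, b):
    """Histogram similarity (claim 7): also penalises differing fingerprint frequencies."""
    keys = set(a) | set(b)
    den = sum(max(a[k], b[k]) for k in keys)
    return sum(min(a[k], b[k]) for k in keys) / den if den else 0.0

def active_windows_overlap(records, ip_a, ip_b):
    """Timing check (claim 4): two IPs active at the same time cannot be one device."""
    ta = [r["ts"] for r in records if r["ip"] == ip_a]
    tb = [r["ts"] for r in records if r["ip"] == ip_b]
    return min(ta) <= max(tb) and min(tb) <= max(ta)

def correlate(records, ip_a, ip_b, threshold=0.5):
    """Same user if fingerprint sets are similar; same device if, in addition, the two
    IPs were never active at the same time (e.g. a DHCP re-assignment)."""
    ha, hb = fingerprint_counts(records, ip_a), fingerprint_counts(records, ip_b)
    j, w = jaccard(ha, hb), weighted_jaccard(ha, hb)
    same_user = j >= threshold
    same_device = same_user and not active_windows_overlap(records, ip_a, ip_b)
    return {"jaccard": j, "weighted": w, "same_user": same_user, "same_device": same_device}
```

For the constructed data, 10.0.0.5 and 10.0.0.9 share two of three distinct fingerprints (Jaccard 2/3, weighted 3/4) and never overlap in time, so the service would link the two addresses to one device, while 10.0.0.42 shares nothing with either.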

Assignees

Cisco Tech Inc

Inventors

Classifications

  • Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters · CPC title

  • wherein the data content is protected, e.g. by encrypting or encapsulating the payload · CPC title

  • H04L41/12 (Primary): Discovery or management of network topologies · CPC title

  • at the transport layer · CPC title

  • based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint · CPC title


Frequently asked questions

Who is the assignee on this patent?
Cisco Tech Inc

What technology area does this patent fall under?
Primary CPC classification H04L63/0428. Mapped technology areas include Electricity.

When was this patent published?
Publication date Feb 8, 2022 (B2). Legal status and post-grant events are not shown on this page.

What related patents are in patentsdb?
We list 7 related publications on this page (citations in our corpus or others sharing the same primary CPC).