What technology area does this patent fall under?

Primary CPC classification H04L63/1416. Mapped technology areas include Electricity.

When was this patent published?

Publication date Tue Dec 27 2022 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.

What related patents are in patentsdb?

We list 9 related publications on this page (citations in our corpus or others sharing the same primary CPC).

Correlating endpoint and network views to identify evasive applications

US11539721B2 · US · B2

Patent metadata
Field	Value
Publication number	US-11539721-B2
Application number	US-202016912471-A
Country	US
Kind code	B2
Filing date	Jun 25, 2020
Priority date	Dec 20, 2017
Publication date	Dec 27, 2022
Grant date	Dec 27, 2022

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

Title
What the patent document calls the invention.
Abstract
A short plain-language summary of the technical disclosure.
Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
Key dates
Filing, priority, publication, and grant dates set the timeline.
First independent claim
The legal scope of protection — read this for what is actually claimed.
CPC / IPC classifications
Technology tags used to group this patent with similar filings.
Citations and related patents
Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

In one embodiment, a service receives traffic telemetry data regarding encrypted traffic sent by an endpoint device in a network. The service analyzes the traffic telemetry data to infer characteristics of an application on the endpoint device that generated the encrypted traffic. The service receives, from a monitoring agent on the endpoint device, application telemetry data regarding the application. The service determines that the application is evasive malware based on the characteristics of the application inferred from the traffic telemetry data and on the application telemetry data received from the monitoring agent on the endpoint device. The service initiates performance of a mitigation action in the network, after determining that the application on the endpoint device is evasive malware.

First claim

Opening claim text (preview).

What is claimed is: 1. A method comprising: receiving, at a service, traffic telemetry data regarding encrypted traffic sent by an endpoint device in a network, wherein the traffic telemetry data is indicative of one or more of: a user agent parameter of the encrypted traffic, a ciphersuite offered by the endpoint device, a Transport Layer Security (TLS) extension used by the encrypted traffic, sequence of packet lengths and time (SPLT) data regarding the encrypted traffic, sequence of application lengths and time (SALT) data regarding the encrypted traffic, and byte distribution (BD) data regarding the encrypted traffic; analyzing, by the service, the traffic telemetry data to infer an identity of an application on the endpoint device that sent the encrypted traffic; receiving, at the service and from a monitoring agent on the endpoint device, application telemetry data regarding the application; determining, by the service, that the application is evasive malware based on the identity of the application inferred from the traffic telemetry data and on the application telemetry data received from the monitoring agent on the endpoint device by: determining an identity of the application based on the application telemetry data received from the monitoring agent on the endpoint device, and comparing the identity of the application determined based on the application telemetry data with the identity of the application inferred from the traffic telemetry data; and initiating, by the service, performance of a mitigation action in the network, after determining that the application on the endpoint device is evasive malware. 2. The method as in claim 1 , wherein the mitigation action comprises at least one of: blocking the encrypted traffic or generating an alert regarding the endpoint device. 3. The method as in claim 1 , wherein the application telemetry data comprises a process hash fingerprint of the application. 4. The method as in claim 1 , further comprising: verifying, by the service, that the identity of the application inferred from the traffic telemetry data is correct based on comparing the identity of the application determined based on the application telemetry data with the identity of the application inferred from the traffic telemetry data. 5. The method as in claim 1 , further comprising: determining, by the service, that the application is evasive malware when the identity of the application determined based on the application telemetry data is inconsistent with the identity of the application inferred from the traffic telemetry data. 6. The method as in claim 1 , wherein receiving, from the monitoring agent on the endpoint device, the application telemetry data regarding the application comprises: sending, by the service, a request to the monitoring agent for the application telemetry data; and receiving, at the service, the application telemetry data, in response to the request. 7. An apparatus, comprising: one or more network interfaces to communicate with a network; a processor coupled to the one or more network interfaces and configured to execute one or more processes; and a memory configured to store a process executable by the processor, the one or more processes when executed configured to: receive traffic telemetry data regarding encrypted traffic sent by an endpoint device in a network, wherein the traffic telemetry data is indicative of one or more of: a user agent parameter of the encrypted traffic, a ciphersuite offered by the endpoint device, a Transport Layer Security (TLS) extension used by the encrypted traffic, sequence of packet lengths and time (SPLT) data regarding the encrypted traffic, sequence of application lengths and time (SALT) data regarding the encrypted traffic, and byte distribution (BD) data regarding the encrypted traffic; analyze the traffic telemetry data to infer an identity of an application on the endpoint device that sent the encrypted traffic; receive, from a monitoring agent on the endpoint device, application telemetry data regarding the application; determine that the application is evasive malware based on the identity of the application inferred from the traffic telemetry data and on the application telemetry data received from the monitoring agent on the endpoint device by: determining an identity of the application based on the application telemetry data received from the monitoring agent on the endpoint device, and comparing the identity of the application determined based on the application telemetry data with the identity of the application inferred from the traffic telemetry data; and initiate performance of a mitigation action in the network, after determining that the application on the endpoint device is evasive malware. 8. The apparatus as in claim 7 , wherein the mitigation action comprises at least one of: blocking the encrypted traffic or generating an alert regarding the endpoint device. 9. The apparatus as in claim 7 , wherein the application telemetry data comprises a process hash fingerprint of the application. 10. The apparatus as in claim 7 , wherein the one or more processes when executed are further configured to: verify that the identity of the application inferred from the traffic telemetry data is correct based on comparing the identity of the application determined based on the application telemetry data with the identity of the application inferred from the traffic telemetry data. 11. The apparatus as in claim 7 , wherein the one or more processes when executed are further configured to: determine that the application is evasive malware when the identity of the application determined based on the application telemetry data is inconsistent with the identity of the application inferred from the traffic telemetry data. 12. The apparatus as in claim 7 , wherein the apparatus receives, from the monitoring agent on the endpoint device, the application telemetry data regarding the application by: sending a request to the monitoring agent for the application telemetry data; and receiving the application telemetry data, in response to the request. 13. A tangible, non-transitory, computer-readable medium that stores program instructions causing a service to execute a process comprising: receiving, at a service, traffic telemetry data regarding encrypted traffic sent by an endpoint device in a network, wherein the traffic telemetry data is indicative of one or more of: a user agent parameter of the encrypted traffic, a ciphersuite offered by the endpoint device, a Transport Layer Security (TLS) extension used by the encrypted traffic, sequence of packet lengths and time (SPLT) data regarding the encrypted traffic, sequence of application lengths and time (SALT) data regarding the encrypted traffic, and byte distribution (BD) data regarding the encrypted traffic; analyzing, by the service, the traffic telemetry data to infer an identity of an application on the endpoint device that sent the encrypted traffic; receiving, at the service and from a monitoring agent on the endpoint device, application telemetry data regarding the application; determining, by the service, that the application is evasive malware based on the identity of the application inferred from the traffic telemetry data and on the application telemetry data received from the monitoring agent on the endpoint device by: determining an identity of the application based on the application telemetry data received from the monitoring agent on the endpoint device, and comparing the identity of the application determined based on the application telemetry data with the identity of the appli

Assignees

Cisco Tech Inc

Inventors

Classifications

G06F21/55
Detecting local intrusion or implementing counter-measures · CPC title
H04L63/1416Primary
Event detection, e.g. attack signature detection · CPC title
G06F21/52
during program execution, e.g. stack integrity {; Preventing unwanted data erasure; Buffer overflow} · CPC title
H04L63/1425
Traffic logging, e.g. anomaly detection · CPC title
H04L63/0876
based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint · CPC title

Patent family

Related publications grouped by family.

View patent family 64902417

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11539721B2 cover?: In one embodiment, a service receives traffic telemetry data regarding encrypted traffic sent by an endpoint device in a network. The service analyzes the traffic telemetry data to infer characteristics of an application on the endpoint device that generated the encrypted traffic. The service receives, from a monitoring agent on the endpoint device, application telemetry data regarding the appl…
Who is the assignee on this patent?: Cisco Tech Inc
What technology area does this patent fall under?: Primary CPC classification H04L63/1416. Mapped technology areas include Electricity.
When was this patent published?: Publication date Tue Dec 27 2022 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?: We list 9 related publications on this page (citations in our corpus or others sharing the same primary CPC).