&#xfeff;<html>
  <head>
    <META http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel="stylesheet" type="text/css" href="html_style_eog.css"/>
<script type="text/javascript">
          function printpage()
          {
          window.print()
          }
        </script>
<script type="text/javascript" src="https://components.uspto.gov/js/ais/40-patentsgazette.js"></script></head>
  <body bgcolor='#FFFFFF' onload='javascript: if ((navigator.appName.indexOf("Netscape")!=-1) && parent.leftFrame!=null) parent.leftFrame.location.reload();'>
    <basefont face="Times New Roman, Times New Roman, Times New Roman " size="2">
      <div style="margin-left: +10pt">
        <table width="90%" border="0" rules="none" align="center">
          <tr align="center">
            <td width="20%" colspan="1" rowspan="2" align="left" valign="top"><a href="https://ppubs.uspto.gov/pubwebapp/external.html?q=11909760.pn.&amp;db=USPAT" target="popup"><input type="button" class="button" value="   Full Text   "></a></td>
            <td class="table_data"><b>US 11,909,760 B2</b></td>
            <td width="20%" colspan="1" rowspan="2" align="right" valign="top">
              <form><input type="button" value="Print this page" onclick="printpage()"></form>
            </td>
          </tr>
          <tr align="center">
            <td colspan="1" class="table_data" style="text-transform: uppercase"><b>Malware classification and attribution through server fingerprinting using server certificate data</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b> Blake Harrell Anderson,  Chapel Hill, NC (US);  David McGrew,  Poolesville, MD (US);  Subharthi Paul,  San Jose, CA (US);  Ivan Nikolaev,  Prague (CZ); and  Martin Grill,  Prague (CZ)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Assigned to  CISCO TECHNOLOGY, INC.,  San Jose, CA (US)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Filed by  Cisco Technology, Inc.,  San Jose, CA (US)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Filed on Aug.  6, 2021, as Appl. No. 17/395,968.</b></td>
          </tr>
          <tr>
            <td colspan="3" class="table_data" align="center"><b>Application 17/395,968 is a continuation of application No. 16/869,726, filed on May   8, 2020, granted, now 11,108,810.</b></td>
          </tr>
          <tr>
            <td colspan="3" class="table_data" align="center"><b>Application 16/869,726 is a continuation of application No. 15/353,160, filed on Nov.  16, 2016, granted, now 10,686,831, issued on Jun.  16, 2020.</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Prior Publication US 2021/0377283 A1, Dec.  2, 2021</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>This patent is subject to a terminal disclaimer.</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Int. Cl. </b><i><b>H04L 29/06</b></i> (2006.01); <i><b>H04L 9/40</b></i> (2022.01); <i><b>G06N 20/00</b></i> (2019.01)</td>
          </tr>
        </table>
        <table width="90%" border="0" rules="none" align="center">
          <colgroup>
            <col width="75%">
            <col width="15%">
          </colgroup>
          <tr align="left">
            <td class="table_data" align="left"><b>CPC </b><i><b>H04L 63/145</b></i> (2013.01)&#xa0;[<i><b>H04L 63/0428</b></i> (2013.01); <i><b>H04L 63/1408</b></i> (2013.01); <i>G06N 20/00</i> (2019.01)]</td>
            <td class="table_data" align="right"><b>20 Claims</b></td>
          </tr>
        </table>
        <center><img src="US11909760-20240220-D00000.gif" alt="OG exemplary drawing"></center>
        <table width="90%" border="0" rules="none" align="center">
          <colgroup>
            <col width="90%">
          </colgroup>
          <tr>
            <td class="table_data" align="center">&#xa0;</td>
          </tr>
          <tr>
            <td valign="top" class="para_text">
              <div class="claim_text_root">1. A method comprising:<div class="claim_text">obtaining, by a device in a network, certificate data of a presently encrypted traffic flow sent from a client node in the network to a remote server, wherein the certificate data of the encrypted traffic flow is passively intercepted by an intermediary device between the client node and the remote server without a man-in-the-middle;</div>
                <div class="claim_text">determining, by the device, one or more data features from the certificate data of the encrypted traffic flow;</div>
                <div class="claim_text">determining, by the device, one or more flow characteristics of the encrypted traffic flow;</div>
                <div class="claim_text">performing, by the device, a classification of an application executed by the client node and associated with the encrypted traffic flow by using a machine learning-based classifier to assess the one or more data features from the certificate data of the encrypted traffic flow and the one or more flow characteristics of the encrypted traffic flow, wherein the machine learning-based classifier assesses the certificate data of the encrypted traffic flow without decrypting the encrypted traffic flow; and</div>
                <div class="claim_text">causing, by the device, performance of a network action based on a result of the classification of the application.</div>
              </div>
            </td>
          </tr>
        </table>
      </div>
    
  </body>
</html>