US 12,438,892 B2
Correlating endpoint and network views to identify evasive applications
Blake Harrell Anderson, Chapel Hill, NC (US); David McGrew, Poolesville, MD (US); Vincent E. Parla, North Hampton, NH (US); Jan Jusko, Prague (CZ); Martin Grill, Prague (CZ); and Martin Vejman, Litomysl (CZ)
Assigned to Cisco Technology, Inc., San Jose, CA (US)
Filed by Cisco Technology, Inc., San Jose, CA (US)
Filed on Dec. 23, 2022, as Appl. No. 18/088,284.
Application 18/088,284 is a continuation of application No. 16/912,471, filed on Jun. 25, 2020, granted, now 11,539,721.
Application 16/912,471 is a continuation of application No. 15/848,150, filed on Dec. 20, 2017, granted, now 10,735,441, issued on Aug. 4, 2020.
Prior Publication US 2023/0129786 A1, Apr. 27, 2023
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 29/06 (2006.01); G06F 21/44 (2013.01); G06F 21/52 (2013.01); G06F 21/55 (2013.01); H04L 9/32 (2006.01); H04L 9/40 (2022.01)
CPC H04L 63/1416 (2013.01) [G06F 21/44 (2013.01); G06F 21/52 (2013.01); G06F 21/554 (2013.01); H04L 9/3242 (2013.01); H04L 63/0876 (2013.01); H04L 63/1425 (2013.01); H04L 63/1466 (2013.01); G06F 21/55 (2013.01); H04L 63/0428 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A method comprising:
extracting, at a service, one or more Transport Layer Security (TLS)-based features from encrypted traffic sent by an endpoint device in a network;
analyzing, by the service, the one or more extracted TLS-based features to infer an identity of an application on the endpoint device that sent the encrypted traffic;
receiving, at the service and from a monitoring agent on the endpoint device, application telemetry data regarding the application;
determining, by the service, that the application is malware based on the identity of the application inferred from the one or more extracted TLS-based features and on the application telemetry data received from the monitoring agent on the endpoint device by:
determining an identity of the application based on the application telemetry data received from the monitoring agent on the endpoint device, and
comparing the identity of the application determined based on the application telemetry data with the identity of the application inferred from the one or more extracted TLS-based features; and
initiating, by the service, performance of a mitigation action in the network, after determining that the application on the endpoint device is malware.
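The claim describes a correlation check: the service infers what application produced a TLS flow from the ClientHello features alone, asks the endpoint agent what process actually opened the connection, and treats disagreement between the two views as a sign of an evasive or malicious application. The following is an added example of that check, not code from the patent or from Cisco. It assumes things the claim leaves open: the TLS-based features are the ClientHello version, cipher suites, extensions, supported groups and point formats joined JA3-style and MD5-hashed; network flows and agent telemetry are joined on the connection 5-tuple; and the fingerprint profiles, process names, flows and telemetry records are all constructed for the example.

```python
"""Added example (not the patent's code): compare a TLS-fingerprint-based
application guess with endpoint-agent telemetry and flag disagreement.

Assumptions (mine, not stated in the patent): JA3-style MD5 fingerprint over
ClientHello features; flows and telemetry joined on the 5-tuple; every
profile, flow and telemetry record below is constructed sample data.
"""
import hashlib
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

FiveTuple = Tuple[str, int, str, int, str]


@dataclass(frozen=True)
class ClientHello:
    """TLS features extracted from one flow by the network sensor."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    version: int
    ciphers: Tuple[int, ...]
    extensions: Tuple[int, ...]
    groups: Tuple[int, ...]
    point_formats: Tuple[int, ...]

    def key(self) -> FiveTuple:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, "tcp")


@dataclass(frozen=True)
class Telemetry:
    """Record reported by the endpoint agent for one outbound connection."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    process: str
    exe_sha256: str

    def key(self) -> FiveTuple:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, "tcp")


def tls_fingerprint(h: ClientHello) -> str:
    """JA3-style fingerprint: join the feature lists and hash (assumed method)."""
    raw = ",".join([str(h.version),
                    "-".join(map(str, h.ciphers)),
                    "-".join(map(str, h.extensions)),
                    "-".join(map(str, h.groups)),
                    "-".join(map(str, h.point_formats))])
    return hashlib.md5(raw.encode()).hexdigest()


# Constructed profiles: "browser" and "scripted_client" are labels invented
# for this example, not fingerprints of any real application.
_PROFILES = {
    "browser": ClientHello("0.0.0.0", 0, "0.0.0.0", 0, 771,
                           (4865, 4866, 4867, 49195, 49199),
                           (0, 23, 65281, 10, 11, 35, 16, 5, 13), (29, 23, 24), (0,)),
    "scripted_client": ClientHello("0.0.0.0", 0, "0.0.0.0", 0, 771,
                                   (49195, 49199, 52393, 49171),
                                   (0, 10, 11, 13), (23, 24), (0,)),
}
FINGERPRINT_TO_APP: Dict[str, str] = {tls_fingerprint(p): n for n, p in _PROFILES.items()}
# Constructed map from agent-reported process name to the same application labels.
PROCESS_TO_APP = {"chrome.exe": "browser", "firefox.exe": "browser", "python.exe": "scripted_client"}


def infer_app_from_tls(h: ClientHello) -> Optional[str]:
    return FINGERPRINT_TO_APP.get(tls_fingerprint(h))


def app_from_telemetry(t: Telemetry) -> Optional[str]:
    return PROCESS_TO_APP.get(t.process.lower())


def mitigation_for(verdict: str, h: ClientHello, t: Optional[Telemetry]) -> Optional[dict]:
    """Action the service would initiate; the action format is constructed."""
    if verdict == "evasive":
        return {"action": "block", "src_ip": h.src_ip, "dst_ip": h.dst_ip,
                "dst_port": h.dst_port, "exe_sha256": t.exe_sha256 if t else None}
    if verdict == "no_telemetry":   # agent absent or evaded: alert, do not block on TLS alone
        return {"action": "alert", "reason": "no endpoint telemetry for flow", "src_ip": h.src_ip}
    return None


def correlate(hellos: List[ClientHello], telemetry: List[Telemetry]) -> List[dict]:
    """Per flow, compare the network-inferred identity with the agent-reported one."""
    by_key = {t.key(): t for t in telemetry}
    verdicts = []
    for h in hellos:
        inferred, t = infer_app_from_tls(h), by_key.get(h.key())
        reported = app_from_telemetry(t) if t else None
        if t is None:
            verdict = "no_telemetry"
        elif inferred is None:
            verdict = "unknown_fingerprint"   # nothing to compare against yet
        elif inferred == reported:
            verdict = "consistent"
        else:
            verdict = "evasive"               # process claims one identity, its TLS stack shows another
        verdicts.append({"flow": h.key(), "inferred": inferred, "reported": reported,
                         "reported_process": t.process if t else None,
                         "verdict": verdict, "mitigation": mitigation_for(verdict, h, t)})
    return verdicts


def sample_flows() -> Tuple[List[ClientHello], List[Telemetry]]:
    """Constructed flows: consistent, evasive, unknown fingerprint, no telemetry."""
    b, s = _PROFILES["browser"], _PROFILES["scripted_client"]
    hellos = [
        replace(b, src_ip="10.0.0.5", src_port=51000, dst_ip="203.0.113.10", dst_port=443),
        replace(s, src_ip="10.0.0.5", src_port=51001, dst_ip="198.51.100.7", dst_port=443),
        replace(b, src_ip="10.0.0.5", src_port=51002, dst_ip="192.0.2.9", dst_port=443, ciphers=(49171,)),
        replace(b, src_ip="10.0.0.8", src_port=51003, dst_ip="203.0.113.10", dst_port=443),
    ]
    telemetry = [
        Telemetry("10.0.0.5", 51000, "203.0.113.10", 443, "chrome.exe", "aa" * 32),
        Telemetry("10.0.0.5", 51001, "198.51.100.7", 443, "chrome.exe", "bb" * 32),  # name spoofed
        Telemetry("10.0.0.5", 51002, "192.0.2.9", 443, "updater.exe", "cc" * 32),
    ]
    return hellos, telemetry


if __name__ == "__main__":
    for v in correlate(*sample_flows()):
        print(v["verdict"], v["reported_process"], "->", v["inferred"], v["mitigation"])
```

The second flow is the case the claim targets: the agent reports chrome.exe, but the ClientHello matches the scripted-client profile, so the two identities disagree and a block action is produced. The other two non-consistent cases are deliberate caveats a practitioner would want: an unknown fingerprint gives no inferred identity to compare, so it is not treated as malware, and a flow with no matching telemetry is alerted rather than blocked, since a missing agent is itself a finding but TLS features alone do not establish the process. In a real deployment the fingerprint table would be far larger and many distinct applications share one TLS stack, so the inferred identity is a set of candidates rather than a single label and the comparison should be a membership test.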