-
Publication (announcement) number: US20220129540A1
Publication (announcement) date: 2022-04-28
Application number: US17077592
Application date: 2020-10-22
Applicant: Cisco Technology, Inc.
Inventor: Akram Ismail Sheriff , Timothy David Keanini
Abstract: Runtime security threats are detected and analyzed for serverless functions developed for hybrid clouds or other cloud-based deployment environments. One or more serverless functions may be received and executed within a container instance executing in a controlled and monitored environment. The execution of the serverless functions is monitored, using a monitoring layer in the controlled environment to capture runtime data including container application context statistics, serverless function input and output data, and runtime parameter snapshots of the serverless functions. Execution data associated with the serverless functions may be analyzed and provided to various supervised and/or unsupervised machine-learning models configured to detect and analyze runtime security threats.
-
Publication (announcement) number: US20210377157A1
Publication (announcement) date: 2021-12-02
Application number: US16890241
Application date: 2020-06-02
Applicant: Cisco Technology, Inc.
Inventor: Li Zhao , Chuanwei Li , Lele Zhang , Haibo Dong , Akram Ismail Sheriff
IPC: H04L12/707 , H04L12/751 , H04W28/10 , H04L12/803
Abstract: Techniques for distributed sub-controller permission for control of data-traffic flow within software-defined networking (SDN) mesh networks to limit control plane traffic of the network are described herein. A technique described herein includes a network node of a data-traffic path of an SDN mesh network obtaining SDN sub-controller permission from a border controller of the SDN mesh network. Further, the technique includes suppression of data traffic from sibling and children nodes of data-traffic path allied nodes to the data-traffic path allied nodes. The data-traffic path allied nodes include network nodes that are part of the data-traffic path of the SDN mesh network. Further still, the technique includes the transmission of data across the data-traffic path.
-
Publication (announcement) number: US20250005184A1
Publication (announcement) date: 2025-01-02
Application number: US18345254
Application date: 2023-06-30
Applicant: Cisco Technology, Inc.
Inventor: Rajiv Asati , Akram Ismail Sheriff
Abstract: A method to protect data in a database. The method includes detecting an actual flow path for an API call between a source node and a destination node, determining whether the actual flow path for the API call deviates from an expected flow path for the API call, and in response to determining that the actual flow path for the API call deviates from the expected flow path by a predetermined threshold, denying access to data sought by the API call at the destination node.
-
Publication (announcement) number: US20240305603A1
Publication (announcement) date: 2024-09-12
Application number: US18647322
Application date: 2024-04-26
Applicant: Cisco Technology, Inc.
Inventor: Thomas Szigeti , David John Zacks , Akram Ismail Sheriff , Guy Keinan , Walter T. Hulick, JR.
IPC: H04L61/4511
CPC classification number: H04L61/4511
Abstract: Methods are provided in which a domain name system (DNS) service obtains a lookup request for information about a source of a traffic flow being transmitted to a network resource external of a service cluster and performs, based on the lookup request, a lookup operation for a microservice that is the source of the traffic flow, among a plurality of microservices of the service cluster registered with the DNS service. The methods further include providing information about the microservice based on the lookup operation. The information includes at least a name of the microservice for visibility of the microservice external of the service cluster.
-
Publication (announcement) number: US11985107B2
Publication (announcement) date: 2024-05-14
Application number: US18163979
Application date: 2023-02-03
Applicant: Cisco Technology, Inc.
Inventor: Thomas Szigeti , David John Zacks , Akram Ismail Sheriff , Guy Keinan , Walter T. Hulick, Jr.
IPC: H04L61/4511
CPC classification number: H04L61/4511
Abstract: Methods are provided in which a domain name system (DNS) service obtains a lookup request for information about a source of a traffic flow being transmitted to a network resource external of a service cluster and performs, based on the lookup request, a lookup operation for a microservice that is the source of the traffic flow, among a plurality of microservices of the service cluster registered with the DNS service. The methods further include providing information about the microservice based on the lookup operation. The information includes at least a name of the microservice for visibility of the microservice external of the service cluster.
-
Publication (announcement) number: US11811648B2
Publication (announcement) date: 2023-11-07
Application number: US17903615
Application date: 2022-09-06
Applicant: Cisco Technology, Inc.
Inventor: Li Zhao , Chuanwei Li , Lele Zhang , Haibo Dong , Akram Ismail Sheriff
IPC: H04L45/24 , H04L45/02 , H04L47/122 , H04W28/10 , H04W84/18
CPC classification number: H04L45/24 , H04L45/02 , H04L47/122 , H04W28/10 , H04W84/18
Abstract: Techniques for distributed sub-controller permission for control of data-traffic flow within software-defined networking (SDN) mesh networks to limit control plane traffic of the network are described herein. A technique described herein includes a network node of a data-traffic path of an SDN mesh network obtaining SDN sub-controller permission from a border controller of the SDN mesh network. Further, the technique includes suppression of data traffic from sibling and children nodes of data-traffic path allied nodes to the data-traffic path allied nodes. The data-traffic path allied nodes include network nodes that are part of the data-traffic path of the SDN mesh network. Further still, the technique includes the transmission of data across the data-traffic path.
-
Publication (announcement) number: US11770251B2
Publication (announcement) date: 2023-09-26
Application number: US17016046
Application date: 2020-09-09
Applicant: Cisco Technology, Inc.
Inventor: Nagendra Kumar Nainar , Carlos M. Pignataro , Akram Ismail Sheriff
CPC classification number: H04L9/3213 , G06F9/5072 , H04L9/0656 , H04L9/3268
Abstract: Techniques and mechanisms for providing continuous integrity validation-based control plane communication in a container-orchestration system, e.g., the Kubernetes platform. A worker node generates a nonce and forwards the nonce to a master node while requesting an attestation token. Using the nonce, the master node generates the attestation token and replies back to the worker node with the attestation token. The worker node validates the attestation token with a CA server to ensure that the master node is not compromised. The worker node sends its authentication credentials to the master node. The master node generates a nonce and forwards the nonce to the worker node while requesting an attestation token. Using the nonce, the worker node generates the attestation token and replies back to the master node with the attestation token. The master node validates the attestation token with the CA server to ensure that the worker node is not compromised.
-
Publication (announcement) number: US20230254379A1
Publication (announcement) date: 2023-08-10
Application number: US17667890
Application date: 2022-02-09
Applicant: Cisco Technology, Inc.
Inventor: Carlos M. Pignataro , Nagendra Kumar Nainar , David John Zacks , John Matthew Swartz , Akram Ismail Sheriff
IPC: H04L67/141
CPC classification number: H04L67/141
Abstract: Presented herein are techniques to facilitate infrastructure and policy orchestration in a shared workspace network environment. In one example, a method may include obtaining, by a service broker, a reservation request from a consumer network for a consumer, wherein the reservation request seeks a reservation to reserve, at least in part, at least one workspace device for the consumer for a workspace for a particular day and a particular time period; based on determining that the at least one workspace device is available, providing a response to the consumer network that includes a first indicator for identifying the reservation of the workspace and at least one second indicator identifying the at least one workspace device; and upon receiving a session request from the consumer network that includes the second indicator, establishing a management tunnel to interconnect the consumer network and the at least one workspace device via the service broker.
-
Publication (announcement) number: US20220103570A1
Publication (announcement) date: 2022-03-31
Application number: US17035065
Application date: 2020-09-28
Applicant: Cisco Technology, Inc.
Inventor: Nagendra Kumar Nainar , Carlos M. Pignataro , Akram Ismail Sheriff
IPC: H04L29/06 , H04L9/32 , H04L12/707 , H04L12/715 , H04L12/741
Abstract: Techniques and mechanisms for providing integrity verified paths using only integrity validated pods of nodes. A network service mesh (NSM) associated with a first pod may locally generate a nonce and provide the nonce to the first pod, where the request includes a request for an attestation token. Using the nonce, the first pod may generate the attestation token and reply back to the NSM. The NSM may generate a second request for an attestation token and forward it to a NSE pod, where the request includes a second locally generated nonce generated by the NSM. The NSE pod may generate the second attestation token using the second nonce and reply back to the NSM. The NSM may then have the attestation tokens verified or validated by a certificate authority (CA) server. The NSM may thus instantiate an integrity verified path between the first pod and the NSE pod.
-
Publication (announcement) number: US11811784B2
Publication (announcement) date: 2023-11-07
Application number: US17832159
Application date: 2022-06-03
Applicant: Cisco Technology, Inc.
Inventor: Nagendra Kumar Nainar , Carlos M. Pignataro , Akram Ismail Sheriff
CPC classification number: H04L63/126 , H04L9/3213 , H04L9/3265 , H04L45/22 , H04L45/46 , H04L45/54
Abstract: Techniques and mechanisms for providing integrity verified paths using only integrity validated pods of nodes. A network service mesh (NSM) associated with a first pod may locally generate a nonce and provide the nonce to the first pod, where the request includes a request for an attestation token. Using the nonce, the first pod may generate the attestation token and reply back to the NSM. The NSM may generate a second request for an attestation token and forward it to a NSE pod, where the request includes a second locally generated nonce generated by the NSM. The NSE pod may generate the second attestation token using the second nonce and reply back to the NSM. The NSM may then have the attestation tokens verified or validated by a certificate authority (CA) server. The NSM may thus instantiate an integrity verified path between the first pod and the NSE pod.