On June 30, 2026 the USPTO issued US12671698B2, assigned to Cisco Technology, Inc. and titled “Detecting and alerting on domain fronting within a network.” The label first: this is a granted patent, not a pending application. Its independent claims have been examined and allowed, and the rights they define are enforceable at the scope the claims set. With that fixed, the question worth asking is what independent claim 1 actually covers.

Claim 1 is a method claim, and it is built as an ordered pipeline. It begins by collecting, from one or more devices within a network, Domain Name System (DNS) response data for a domain name associated with a plurality of network sites of a service provider. From that data it generates a baseline of the IP addresses of the servers or hosting providers that serve the domain. It then receives network data for traffic destined to the domain and identifies connections whose destination IP address is atypical relative to the baseline. For such a connection it performs a DNS query to a DNS server the endpoint previously used, obtains the expected IP addresses, and — when the observed destination is not among them — determines the connection is correlated with domain fronting and generates an alert. Every limitation is load-bearing: the baseline, the atypical-address test, the confirming DNS query, the not-in-expected-set condition, and the alert.

A method for detecting and alerting on domain fronting, the method comprising: collecting, from one or more devices within a network, Domain Name System (DNS) response data associated with a domain name associated with plurality of network sites of a service provider of the network; generating, based at least in part on the DNS response data, a baseline indicating Internet Protocol (IP) addresses for one or more servers or hosting providers utilized to host the domain name; receiving network data associated with network traffic destined for the domain name; identifying, based at least in part on the baseline and the network traffic, one or more connections having a destination IP address that is atypical relative to other connections to the one or more servers or hosting providers; performing a DNS query to a DNS server previously used by an endpoint associated with the connection to obtain expected IP addresses for the domain name; determining, based in part on the destination IP address for the connection not being included in the expected IP addresses, that the one or more connections are correlated with domain fronting; and generating, based at least in part on the determining, an alert.

— Detecting and alerting on domain fronting within a network, US12671698B2

The CPC class points at intrusion detection, not cryptography

The classification situates the grant. Its main class, H04L 63/1416, sits within H04L 63 (network architecture and protocols for security) and specifically covers monitoring a network for detecting attacks or intrusions; the record also carries H04L 63/1425 for anomaly-based detection and H04L 63/0236 for packet filtering by network address. That placement is consistent with the claim: the contribution is not a new cipher or key-exchange primitive — which would land in the H04L 9/ cryptographic-mechanism classes — but a detection method that reasons about where encrypted sessions go. The claim never inspects plaintext; it operates on DNS resolutions, IP addresses, and connection metadata, treating an out-of-profile destination as the observable signal.

What the dependent claims add

The dependents narrow and instrument the method. Claim 18 specifies that the baseline is generated as a histogram of IP addresses, associated autonomous systems, and DNS fields — a concrete statistical construction of “where the domain normally resolves.” Claim 3 enumerates the network-data fields (IP address, domain name, round-trip time, time-to-live). Claim 5 recites using intelligence feeds to set a severity level for the alert, and claim 6 lists the conditions that can trigger it, including that a connection reaches a hosting provider different from the one normally associated with the domain, or a provider known to support domain fronting, together with round-trip-time and time-to-live signals. Claim 7 extends the method from detection to response: determining a connection is to a provider that supports fronting and then blocking it. These are the levers that separate a bare detection step from an operational alerting-and-mitigation flow.
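To make the claim-1 pipeline and the dependent-claim refinements concrete, here is an added Python example written for this article. It is illustrative code, not Cisco's implementation and not anything taken from the patent's specification. It builds a claim-18 style histogram baseline (IP addresses, autonomous systems, DNS TTL) from DNS response data, applies the atypical-destination test, performs the confirming query against the DNS server the endpoint previously used, and, only when the destination is absent from the expected answers, raises an alert whose severity is set from an intelligence feed of providers that support fronting (claims 5 and 6), with round-trip time as an extra signal. The domain, endpoints, resolver address, ASNs, feed entry and thresholds are constructed; "traffic destined for the domain name" is identified by TLS SNI, and the confirming query is simulated by a lookup table standing in for the resolver.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

DOMAIN = "cdn.example.com"   # constructed domain name being fronted


@dataclass(frozen=True)
class DnsResponse:
    endpoint: str    # client that received the answer
    resolver: str    # DNS server the endpoint used (needed for the confirming query)
    qname: str
    answer_ip: str
    asn: int         # autonomous system of answer_ip (constructed)
    ttl: int         # DNS TTL field


@dataclass(frozen=True)
class Connection:
    endpoint: str
    dst_ip: str
    dst_asn: int
    sni: str         # TLS SNI; stands in for "traffic destined for the domain name"
    rtt_ms: float


@dataclass
class Baseline:
    ip_hist: Counter = field(default_factory=Counter)
    asn_hist: Counter = field(default_factory=Counter)
    ttl_hist: Counter = field(default_factory=Counter)
    resolver_of: Dict[str, str] = field(default_factory=dict)


@dataclass
class Alert:
    endpoint: str
    dst_ip: str
    expected_ips: Set[str]
    severity: str
    signals: List[str]


def build_baseline(responses: List[DnsResponse], qname: str) -> Baseline:
    """Claim-18 style baseline: histograms of the IPs, ASNs and TTLs seen for qname."""
    b = Baseline()
    for r in responses:
        if r.qname != qname:
            continue
        b.ip_hist[r.answer_ip] += 1
        b.asn_hist[r.asn] += 1
        b.ttl_hist[r.ttl] += 1
        b.resolver_of[r.endpoint] = r.resolver   # which DNS server this endpoint used
    return b


def is_atypical(b: Baseline, conn: Connection, min_share: float = 0.05) -> bool:
    """A destination is atypical if it is absent from, or rare in, the resolution baseline."""
    total = sum(b.ip_hist.values())
    share = b.ip_hist[conn.dst_ip] / total if total else 0.0
    return share < min_share


Resolver = Callable[[str, str], Set[str]]   # (dns_server, qname) -> answer IPs


def detect(b: Baseline, conn: Connection, resolve: Resolver,
           fronting_asns: Set[int], rtt_limit_ms: float = 60.0) -> Optional[Alert]:
    """Claim-1 pipeline for one connection: atypical test, confirming DNS query, alert."""
    if conn.sni != DOMAIN or not is_atypical(b, conn):
        return None
    dns_server = b.resolver_of.get(conn.endpoint)
    if dns_server is None:
        return None                       # no record of the endpoint's resolver; cannot confirm
    expected = resolve(dns_server, conn.sni)
    if conn.dst_ip in expected:
        return None                       # hosting pool changed; fresh answer covers it, no alert
    signals = ["destination_not_in_expected_ips"]
    if conn.dst_asn not in b.asn_hist:
        signals.append("hosting_provider_differs_from_baseline")
    if conn.dst_asn in fronting_asns:     # intelligence feed: provider known to support fronting
        signals.append("provider_supports_fronting")
    if conn.rtt_ms > rtt_limit_ms:
        signals.append("rtt_elevated")
    severity = "high" if "provider_supports_fronting" in signals else (
        "medium" if len(signals) > 1 else "low")
    return Alert(conn.endpoint, conn.dst_ip, expected, severity, signals)


# Constructed DNS response data: both endpoints resolved DOMAIN through the site resolver.
DNS_RESPONSES = [
    DnsResponse(ep, "10.0.0.53", DOMAIN, ip, 64496, 300)
    for ep in ("10.0.0.5", "10.0.0.6")
    for ip in ("198.51.100.10", "198.51.100.11", "198.51.100.12")
]
# Constructed current answers from that resolver; .13 joined the pool after baselining.
ANSWERS = {("10.0.0.53", DOMAIN): {"198.51.100.10", "198.51.100.11",
                                   "198.51.100.12", "198.51.100.13"}}


def fake_resolve(dns_server: str, qname: str) -> Set[str]:
    return ANSWERS.get((dns_server, qname), set())


FRONTING_ASNS = {64500}   # constructed intelligence feed entry

CONNECTIONS = [
    Connection("10.0.0.5", "198.51.100.10", 64496, DOMAIN, 21.0),       # normal
    Connection("10.0.0.5", "198.51.100.13", 64496, DOMAIN, 23.0),       # new pool member, confirmed by DNS
    Connection("10.0.0.6", "203.0.113.7", 64500, DOMAIN, 88.0),         # outside the domain's hosting
    Connection("10.0.0.6", "203.0.113.7", 64500, "other.example.net", 30.0),  # not destined for DOMAIN
]


def run_demo() -> List[Alert]:
    b = build_baseline(DNS_RESPONSES, DOMAIN)
    return [a for a in (detect(b, c, fake_resolve, FRONTING_ASNS) for c in CONNECTIONS) if a]


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Only the third connection survives every limitation: it is destined for the domain, atypical against the baseline, and absent from the resolver's fresh answer. The second connection shows why the confirming query matters operationally: a newly added pool member is atypical against a stale baseline but is cleared by the DNS step rather than alerted on.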

The patent also asserts the same invention in three statutory forms. Claim 1 is the method; independent claim 8 is a system with processors and computer-readable media performing the same operations; independent claim 15 is a non-transitory computer-readable medium storing instructions for them. The system dependents track the method’s: claim 12, for instance, frames the atypical destination as “suspicious activity” identified by determining that a connection uses a hosting provider or server that is atypical. This method/system/medium trio is the standard way a single inventive concept is written to read onto software, an apparatus, and stored code alike — here, all three anchored to the same baseline-and-confirm detection logic.

Where it sits in the drop

Among Cisco’s June 30 security grants, this record is the traffic-detection entry. It is adjacent to US12671643B2, directed to evaluating anomaly-detection mechanisms by correlating detector outputs over time, and to US12670434B2, which claims converting hierarchical JSON into fixed-length feature vectors to train multiple-instance-learning models for cybersecurity. US12671677B2 is directed to bidirectional data obfuscation within unsecured runtime environments, and US12670239B2 claims authenticating printed circuit boards via a woven-glass marker structure read by an on-board security chip — a hardware-trust filing rather than a network one. The domain-fronting grant is distinguished within the group by locating its claimed contribution at the DNS-and-destination layer: it detects an evasive session by what it resolves to, not by what it carries.

What claim 1 covers, on the face of the granted record, is a method for detecting domain fronting by baselining a domain’s normal resolutions, flagging an atypical destination, confirming it against a fresh DNS query, and alerting. Because the patent is granted, that scope is now fixed and enforceable as written — the reading here is of the allowed claim language, and where a term such as “atypical” or “correlated with domain fronting” is drawn in practice is a matter of the claim construction the words support.