<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom"><title>Peakhour.IO - Encrypted Visibility Engine</title><link href="https://www.peakhour.io/" rel="alternate"></link><link href="https://www.peakhour.io/feeds/tag/encrypted-visibility-engine.atom.xml" rel="self"></link><id>https://www.peakhour.io/</id><updated>2026-08-02T09:00:00+10:00</updated><entry><title>From Joy to Mercury and EVE: Following Cisco's Network Fingerprinting Work</title><link href="https://www.peakhour.io/blog/from-joy-to-mercury-and-eve/" rel="alternate"></link><published>2026-08-02T09:00:00+10:00</published><updated>2026-08-02T09:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2026-08-02:/blog/from-joy-to-mercury-and-eve/</id><summary type="html">&lt;p&gt;Cisco's open-source collectors, fingerprinting research and Encrypted Visibility Engine form a clear lineage, but they are not interchangeable parts of one public system.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Cisco's network fingerprinting work is often compressed into a neat product story: Joy became Mercury, and Mercury became the Encrypted Visibility Engine. There is a real lineage here, but that sentence hides more than it explains.&lt;/p&gt;
&lt;p&gt;Joy and Mercury are public software projects. Network Protocol Fingerprinting is a representation. The 2020 destination-context paper describes a classification system and the data needed to support it. EVE is a Cisco Secure Firewall capability backed by Cisco's operational data and machine-learning systems.&lt;/p&gt;
&lt;p&gt;Those pieces share ideas, authors and engineering history. They are not four names for the same thing.&lt;/p&gt;
&lt;h2&gt;Joy started with flow records, then looked inside them&lt;/h2&gt;
&lt;p&gt;Cisco released &lt;a href="https://github.com/cisco/joy"&gt;Joy&lt;/a&gt; as a BSD-licensed tool for collecting network flow and &lt;em&gt;intraflow&lt;/em&gt; data from live traffic or PCAP files. Its basic unit was recognisable to anyone who had worked with NetFlow or IPFIX: a flow with addresses, ports and counters. Joy then added observations from within that flow.&lt;/p&gt;
&lt;p&gt;Those observations included packet lengths and arrival times, byte distributions, TLS record sequences, visible TLS handshake fields, DNS data and selected HTTP fields. It wrote the results as JSON so researchers could feed them into analysis tools without building a packet parser first.&lt;/p&gt;
&lt;p&gt;That breadth matters. Joy was not originally just a ClientHello hash generator. It was a network-research instrument for asking what could still be learned from traffic when the application payload was encrypted.&lt;/p&gt;
&lt;p&gt;The research around Joy shows how Cisco used it. The 2016 paper &lt;a href="https://arxiv.org/abs/1607.01639"&gt;Deciphering Malware's Use of TLS (without Decryption)&lt;/a&gt; combined conventional flow measurements, packet-length and timing sequences, byte distributions and visible TLS handshake features. Its authors were interested in malware detection and family attribution, but they were also explicit about dataset bias. A sandbox operating system or its default TLS library could become an accidental shortcut for the classifier.&lt;/p&gt;
&lt;p&gt;In 2017, &lt;a href="https://arxiv.org/abs/1706.08003"&gt;OS Fingerprinting: New Techniques and a Study of Information Gain and Obfuscation&lt;/a&gt; used an extended Joy collector to record features from TCP SYN packets, TLS ClientHello messages and HTTP requests. The study combined evidence across protocols and sessions rather than expecting one handshake to provide a definitive operating-system label.&lt;/p&gt;
&lt;p&gt;The enduring idea was broader than any one model: retain useful network observations, join them to trustworthy labels where possible, and test what the combined evidence can support.&lt;/p&gt;
&lt;h2&gt;Mercury narrowed and hardened the collection path&lt;/h2&gt;
&lt;p&gt;The Joy repository now directs readers to Mercury for Cisco's more recent fingerprinting tools and data. &lt;a href="https://github.com/cisco/mercury"&gt;Mercury&lt;/a&gt; carries forward the packet-metadata and JSON-output model, but it is a separate implementation with a stronger focus on fast capture, protocol fingerprints and online analysis.&lt;/p&gt;
&lt;p&gt;The public repository contains a C++ application and library, along with the portable Python implementation &lt;code&gt;pmercury&lt;/code&gt;. Mercury can read PCAPs or live traffic, identify supported protocols and emit selected metadata. On Linux, its native collector uses the kernel's &lt;code&gt;AF_PACKET&lt;/code&gt; &lt;code&gt;TPACKETv3&lt;/code&gt; path and multiple workers. The repository describes use in some production applications, while still asking users to treat the open software as beta.&lt;/p&gt;
&lt;p&gt;Mercury also makes a useful boundary visible in its JSON:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;packet
  -&amp;gt; protocol metadata
  -&amp;gt; fingerprint object
  -&amp;gt; optional destination-context analysis
  -&amp;gt; analysis object
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;The fingerprint is an observation. The analysis is an inference made from that observation and other data. They should not be collapsed into one label.&lt;/p&gt;
&lt;h2&gt;NPF is the representation, not the classifier&lt;/h2&gt;
&lt;p&gt;Mercury's fingerprints use Cisco's Network Protocol Fingerprinting format. NPF selects characteristic fields from an initial protocol message, normalises values that should not distinguish implementations, and writes the retained structure as a tree of hexadecimal byte strings.&lt;/p&gt;
&lt;p&gt;A full TLS fingerprint can therefore be inspected. Its &lt;code&gt;tls/2&lt;/code&gt; prefix identifies the protocol and rule version; parentheses and brackets preserve the selected tree structure and sorting decisions. Mercury can also use a compact hash nickname when fixed-length storage is more useful than inspection.&lt;/p&gt;
&lt;p&gt;The &lt;a href="https://github.com/cisco/mercury/blob/main/doc/npf.md"&gt;draft NPF specification&lt;/a&gt; covers more than TLS. It documents rules for protocols including QUIC, TCP, HTTP, SSH, STUN and OpenVPN. This is one point at which the Joy heritage remains visible: the project treats protocol evidence as a network-wide problem, not solely as a way to name TLS clients.&lt;/p&gt;
&lt;p&gt;Our guide to &lt;a href="/learning/fingerprinting/what-is-cisco-mercury-fingerprinting/"&gt;Cisco Mercury fingerprinting&lt;/a&gt; separates the collector, NPF representation, knowledge base and classifier in more detail. &lt;a href="/learning/fingerprinting/inside-mercury-npf-fingerprint/"&gt;Inside a Mercury NPF fingerprint&lt;/a&gt; works through the full notation.&lt;/p&gt;
&lt;h2&gt;The 2020 paper made the attribution problem explicit&lt;/h2&gt;
&lt;p&gt;A fingerprint is useful for grouping similar protocol implementations. It is often a poor application name.&lt;/p&gt;
&lt;p&gt;Blake Anderson and David McGrew quantified that problem in &lt;a href="https://arxiv.org/abs/2009.01939"&gt;Accurate TLS Fingerprinting Using Destination Context and Knowledge Bases&lt;/a&gt;. TLS libraries are shared. Common fingerprints can map to tens or hundreds of processes. A dictionary that assigns one process name to one fingerprint will therefore produce convincing-looking false positives.&lt;/p&gt;
&lt;p&gt;The paper added three destination features to the TLS fingerprint: destination address, destination port and the TLS server name, when present. A weighted naive Bayes classifier used those features and prevalence counts from a labelled knowledge base to rank candidate processes.&lt;/p&gt;
&lt;p&gt;The knowledge base was the difficult part. The researchers joined network observations to endpoint process data, generated fresh knowledge bases daily and merged them into an operational view. They also used malware-sandbox observations. The paper describes billions of connections, a changing population of fingerprints and destinations, and the need to discard stale data.&lt;/p&gt;
&lt;p&gt;Its reported results were strong, including a process-family F1 score above 0.99 and high precision and recall for the malware task. Those figures belong to the paper's datasets and evaluation. They are not an accuracy guarantee for a Mercury installation downloaded from GitHub.&lt;/p&gt;
&lt;p&gt;The authors also documented important limits: their endpoint data was dominated by desktop Windows and macOS systems, mobile and IoT coverage was absent, and most data came from one enterprise. They wrote that a site could build a custom knowledge base if it had suitable endpoint ground truth and network monitoring, but acknowledged the significant initial investment.&lt;/p&gt;
&lt;p&gt;That is the operational lesson. A classifier is not made current by having a good fingerprint format. It stays current through labelled collection, joining, curation, expiry and evaluation.&lt;/p&gt;
&lt;p&gt;For a closer reading, see &lt;a href="/learning/fingerprinting/destination-context-tls-attribution/"&gt;how destination context changes TLS attribution&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;EVE puts the research into a firewall product&lt;/h2&gt;
&lt;p&gt;Cisco describes its Encrypted Visibility Engine as work based on that earlier destination-context research. EVE first appeared in &lt;a href="https://www.cisco.com/c/en/us/td/docs/security/firepower/710/relnotes/firepower-release-notes-710/features.html"&gt;Secure Firewall 7.1&lt;/a&gt; as a disabled-by-default experimental beta for visibility only; it did not enforce actions and Cisco warned that it could produce false positives. The &lt;a href="https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/release-notes/threat-defense/720/threat-defense-release-notes-72.html"&gt;7.2 release notes&lt;/a&gt; say EVE began working with QUIC and allowed high-confidence process assignments to feed application policy. &lt;a href="https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/release-notes/threat-defense/730/threat-defense-release-notes-73.html"&gt;Version 7.3&lt;/a&gt; specifically added HTTP/3 and SMB-over-QUIC detection, along with indication-of-compromise events for unsafe applications.&lt;/p&gt;
&lt;p&gt;In Cisco's account of &lt;a href="https://blogs.cisco.com/security/how-eve-detects-malicious-uses-of-trustworthy-cloud-services"&gt;how EVE detects malicious use of trustworthy cloud services&lt;/a&gt;, the runtime inputs have the same recognisable shape:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;an NPF representing client-side protocol characteristics; and&lt;/li&gt;
&lt;li&gt;server context such as address, port and domain name.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;EVE uses machine learning over Cisco's labelled data to estimate the client process and detect suspicious encrypted traffic without decrypting its payload. Cisco says its training data is refreshed daily with network samples joined to endpoint ground truth, with additional malicious observations from Cisco Secure Malware Analytics.&lt;/p&gt;
&lt;p&gt;This is the clearest public link from NPF and the 2020 paper to the commercial system. It is also where careful wording matters most.&lt;/p&gt;
&lt;p&gt;The public Mercury repository is not a source release of the complete EVE service. Building Mercury does not provide Cisco's continuously collected production dataset, its current models, Secure Firewall integration, Talos context or product policy behaviour. Conversely, the fact that EVE uses NPF does not mean every detail of its current implementation is present in the open repository or frozen at the method described in the 2020 paper.&lt;/p&gt;
&lt;p&gt;Open code, published research and a maintained security product have different release cycles and different evidence behind them.&lt;/p&gt;
&lt;h2&gt;What the lineage actually establishes&lt;/h2&gt;
&lt;p&gt;There is a coherent progression:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;Joy
  broad flow and intraflow metadata for research

Mercury + NPF
  faster collection and versioned, multi-protocol fingerprints

2020 destination-context system
  fingerprints joined to destinations and endpoint labels

EVE
  Cisco-maintained classification in Secure Firewall
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;This is a lineage of ideas and systems, not a promise that each box is a drop-in edition of the next one.&lt;/p&gt;
&lt;p&gt;Joy established a practical way to collect visible evidence around encrypted flows. Mercury made protocol fingerprinting a more explicit and efficient part of that collection. NPF gave those fingerprints a structured, versioned form. The destination-context work showed why labelled, continuously refreshed context was necessary for process attribution. EVE operationalised those ideas inside a commercial firewall environment with data and integrations that do not ship with the public collector.&lt;/p&gt;
&lt;p&gt;That history also explains why Cisco's branch of fingerprinting developed differently from JA3 and JA4. A portable hash is useful for logging and exchange. Cisco's work kept returning to a harder question: what additional evidence, labels and maintenance are required before a network observation can support a process assessment?&lt;/p&gt;
&lt;p&gt;Neither approach turns a handshake into identity. Our &lt;a href="/blog/two-lineages-tls-fingerprinting/"&gt;two lineages of TLS fingerprinting&lt;/a&gt; article places Cisco's work alongside JA3 and JA4. The reproducible &lt;a href="/blog/one-clienthello-ja3-ja4-mercury-lab/"&gt;one ClientHello, three fingerprints lab&lt;/a&gt; shows the format differences without relying on any vendor classification database.&lt;/p&gt;</content><category term="Security"></category><category term="Cisco Joy"></category><category term="Cisco Mercury"></category><category term="Encrypted Visibility Engine"></category><category term="TLS Fingerprinting"></category><category term="Network Fingerprinting"></category><category term="Encrypted Traffic"></category></entry></feed>