-
Publication No.: US10536482B2
Publication date: 2020-01-14
Application No.: US15469539
Filing date: 2017-03-26
Applicant: Microsoft Technology Licensing, LLC
Inventor: Yuri Gabaev, Elad Iwanir, Gal Tamir
Abstract: Described technologies automatically detect computing system security attacks. Departure of occurrence distributions, which are based on leading digit(s) of digital item occurrence data, from model distributions that correspond to particular data sources, indicates a presence likelihood for particular attack types. Some model distributions exhibit Benford's Phenomenon. Described mechanisms detect security attack types such as ransomware, bitcoin mining, and others, using particular corresponding data sources such as file extensions, processor statistics, etc. Mechanisms detect security attacks without a captured baseline of healthy normal behavior, and without relying on malware code signatures. When an item occurrence distribution departs from a model distribution by at least a predefined degree, the technology electronically raises a security attack alert. Then countermeasures may be asserted for a possible type X security attack on the computing system. Countermeasures may include more computationally intensive tests for determining the precise extent or precise nature of an attack, for instance.
-
Publication No.: US10425443B2
Publication date: 2019-09-24
Application No.: US15182331
Filing date: 2016-06-14
Applicant: Microsoft Technology Licensing, LLC
Inventor: Royi Ronen, Hani Neuvirth-Telem, Shai Baruch Nahum, Yuri Gabaev, Oleg Yanovsky, Vlad Korsunsky, Tomer Teller, Hanan Shteingart
Abstract: Detecting a volumetric attack on a computer network with fewer false positives and while also requiring fewer processing resources is provided. The systems and methods described herein use observations taken at the network level to observe network traffic to form a predictive model for future traffic. When the network's future traffic sufficiently exceeds the predictive model, the monitoring systems and methods will indicate to the network to take security measures. The traffic to the network may be observed in subsets, corresponding to various groupings of sources, destinations, and protocols so that security measures may be targeted to that subset without affecting other machines in the network.
-
Publication No.: US20170359372A1
Publication date: 2017-12-14
Application No.: US15182331
Filing date: 2016-06-14
Applicant: Microsoft Technology Licensing, LLC
Inventor: Royi Ronen, Hani Neuvirth-Telem, Shai Baruch Nahum, Yuri Gabaev, Oleg Yanovsky, Vlad Korsunsky, Tomer Teller, Hanan Shteingart
IPC: H04L29/06
Abstract: Detecting a volumetric attack on a computer network with fewer false positives and while also requiring fewer processing resources is provided. The systems and methods described herein use observations taken at the network level to observe network traffic to form a predictive model for future traffic. When the network's future traffic sufficiently exceeds the predictive model, the monitoring systems and methods will indicate to the network to take security measures. The traffic to the network may be observed in subsets, corresponding to various groupings of sources, destinations, and protocols so that security measures may be targeted to that subset without affecting other machines in the network.