-
Publication number: US20200162516A1
Publication date: 2020-05-21
Application number: US16196184
Application date: 2018-11-20
Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventor: Moshe Israel, Shira Itzhaki, Yotam Livny
Abstract: Techniques are provided to automatically generate and apply policy rules for IoT devices. Historical data associated with IoT behaviors is obtained, where the historical data describes the file systems and behavior trends for multiple different IoT devices. Groups of the IoT devices are generated by grouping together devices identified as being common with one another based on similarities between their identified behaviors. Policies are then automatically generated for each group, corresponding to the detected behavior trends. Each policy determines how to subsequently monitor any device categorized as belonging to that policy's group and also how to respond when a device is operating abnormally. After a device is characterized as belonging to a group, that device is monitored to determine whether it conforms with the group's policy. Optionally, mitigation operations may be performed when the device is non-conforming.
-
Publication number: US20200151326A1
Publication date: 2020-05-14
Application number: US16190658
Application date: 2018-11-14
Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventor: Dotan Patrich, Yaakov Garyani, Moshe Israel, Yotam Livny
Abstract: Techniques are provided to dynamically generate response actions that may be used to investigate and respond to a security alert. Different prediction models are initially trained using a corpus of training data. This training data is obtained by identifying previous security alerts and then grouping together alert clusters. An analysis is performed to identify which steps were used to respond to the alerts in each group. These steps are fed into a prediction model to train the model. After multiple models are trained and after a new security alert is received, one model is selected to operate on the new alert, where the model is selected because it is identified as being most compatible with the new alert. When the selected model is applied to the new alert, the model generates a set of recommended steps that may be followed to investigate and/or respond to the new alert.
-
Publication number: US20200045075A1
Publication date: 2020-02-06
Application number: US16056052
Application date: 2018-08-06
Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventor: Ben Kliger, Moshe Israel, Dotan Patrich, Michael Zeev Bargury
Abstract: A computing system performs real-time mitigations for unfamiliar threat scenarios by identifying a particular threat scenario for a client system that has not previously experienced the threat scenario and for which a remediation process is unknown. The computing system responds to the unknown threat scenario by generating and providing the client system a mitigation file that includes a predictive set of mitigation processes for responding to the threat scenario. The mitigation file is generated by first generating a threat vector that identifies a plurality of different threat scenario characteristics for the particular threat scenario. Then, a classification model is applied to the threat vector to identify a predictive set of mitigation processes that are determined to be a best fit for the threat vector and that are included in the mitigation file.
-
Publication number: US20200045018A1
Publication date: 2020-02-06
Application number: US16053996
Application date: 2018-08-03
Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventor: Michael Zeev Bargury, Yotam Livny, Moshe Israel
Abstract: Control policies are configured to automatically update a whitelist and to permit an application, including its associated computing operations, to execute on the computer system. After the application is installed, initialization and execution of the application is triggered. Concurrently, the application's computing operations are recorded and certain control policies, such as a firewall, are paused from being enforced. The recorded computing operations are classified into at least two different categories, where one category includes computing operations associated with the application and where another category includes computing operations that are not associated with the application but that occurred while the application was running. The first category computing operations are then whitelisted so that they are identified as being permissible computing operations by the control policies. Thereafter, the control policies are again enforced thus allowing the application, including its associated computing operations, to execute without being interrupted by the control policies.
-
Publication number: US20200044911A1
Publication date: 2020-02-06
Application number: US16056157
Application date: 2018-08-06
Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventor: Ben Kliger, Moshe Israel, Dotan Patrich, Michael Zeev Bargury
Abstract: A computing system utilizes crowd sourcing to generate remediation files for systems experiencing alert conditions. During the generation of the remediation files, the computing system identifies a plurality of different types of alerts associated with a plurality of different client systems. The computing system also generates a plurality of different client remediation process sets for each type of alert based on a correlation of process proximity and time to the alert conditions, and determines which of the plurality of processes are related to the identified alert based on values in a correlation vector. Then, client remediation process sets are created to include the processes that are determined to be related to the identified alert and are clustered together to identify the processes to include in the generated composite remediation file for each type of alert, based on correlations existing between the plurality of different client remediation process sets.
-
Publication number: US10320833B2
Publication date: 2019-06-11
Application number: US15488154
Application date: 2017-04-14
Applicant: Microsoft Technology Licensing, LLC
Inventor: Moshe Israel, Nir Gafni, Josef Weizman
Abstract: A system is provided for detecting creation of malicious user accounts. The system includes a processor, a memory, and an application including instructions configured to: collect data corresponding to creation of new user accounts, where the new user accounts are associated with at least two distinct organizations, at least two distinct subscriptions, or at least two distinct customers, and where each of the new user accounts has a user name; determine properties based on the data and for a group of similar ones of the user names; evaluate the properties of the new user accounts corresponding to the group of similar ones of the user names and determine whether a probability for the new user accounts to be created having the group of similar ones of the user names is less than a predetermined threshold, and generate an alert based on a result of the evaluation of the properties.
-
Publication number: US11750619B2
Publication date: 2023-09-05
Application number: US16913876
Application date: 2020-06-26
Applicant: Microsoft Technology Licensing, LLC
Inventor: Naama Kraus, Tamer Salman, Moshe Israel, Moshe Shalala, Idan Hen, Avihai Dvir, Rotem Lurie
IPC: H04L9/40
CPC classification number: H04L63/105, H04L63/102
Abstract: According to examples, an apparatus may include a memory on which is stored machine-readable instructions that may cause a processor to identify a privilege level assigned to a principal over a resource and determine whether the assigned privilege level is to be maintained or modified for the principal over the resource. Based on a determination that the assigned privilege level is to be maintained for the principal, the processor may determine whether access by the principal over the resource is to be limited and based on a determination that access to the resource is to be limited, apply a limited access by the principal over the resource.
-
Publication number: US11429724B2
Publication date: 2022-08-30
Application number: US15924733
Application date: 2018-03-19
Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventor: Michael Zeev Bargury, Moshe Israel, Ben Kliger, Yotam Livny
Abstract: A security service utilizes a machine learning model to detect unused open ports. A security agent on client machines tracks the operating executables and the open ports on a machine. A machine learning model is trained for a specific port number using the more commonly-used executables that run on machines having the port opened from a large and diverse population of machines. The model is then used to determine the ports that an executable is likely to be associated with which is then used to determine if a particular machine has an unused open port.
-
Publication number: US11159568B2
Publication date: 2021-10-26
Application number: US16014892
Application date: 2018-06-21
Applicant: Microsoft Technology Licensing, LLC
Inventor: Moshe Israel, Ben Kliger, Royi Ronen
IPC: H04L29/06
Abstract: Methods, systems, and media are shown for reducing the vulnerability of user accounts to attack. They involve creating a rule for a user account that includes a permitted parameter corresponding to a user account activity property, and monitoring the account activity of the user account. If the account activity property is determined to be inconsistent with the permitted parameter, the user account is disabled. An example of a permitted parameter is a permitted time period, such as a start time, an end time, a recurrence definition, a days-of-the-week definition, a start date, an end date, and a number-of-occurrences definition. Other examples are a physical parameter, such as a permitted geographic location, device, or network, or a permitted usage parameter, such as a permitted application, data access, or domain.
-
Publication number: US10943009B2
Publication date: 2021-03-09
Application number: US16190658
Application date: 2018-11-14
Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventor: Dotan Patrich, Yaakov Garyani, Moshe Israel, Yotam Livny
Abstract: Techniques are provided to dynamically generate response actions that may be used to investigate and respond to a security alert. Different prediction models are initially trained using a corpus of training data. This training data is obtained by identifying previous security alerts and then grouping together alert clusters. An analysis is performed to identify which steps were used to respond to the alerts in each group. These steps are fed into a prediction model to train the model. After multiple models are trained and after a new security alert is received, one model is selected to operate on the new alert, where the model is selected because it is identified as being most compatible with the new alert. When the selected model is applied to the new alert, the model generates a set of recommended steps that may be followed to investigate and/or respond to the new alert.