-
Publication (Announcement) No.: US10911479B2
Publication (Announcement) Date: 2021-02-02
Application No.: US16056052
Application Date: 2018-08-06
Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventor: Ben Kliger, Moshe Israel, Dotan Patrich, Michael Zeev Bargury
Abstract: A computing system performs real-time mitigations for unfamiliar threat scenarios by identifying a particular threat scenario for a client system that has not previously experienced the threat scenario and for which a remediation process is unknown. The computing system responds to the unknown threat scenario by generating and providing the client system a mitigation file that includes a predictive set of mitigation processes for responding to the threat scenario. The mitigation file is generated by first generating a threat vector that identifies a plurality of different threat scenario characteristics for the particular threat scenario. Then, a classification model is applied to the threat vector to identify a predictive set of mitigation processes that are determined to be a best fit for the threat vector and that are included in the mitigation file.
-
Publication (Announcement) No.: US10911478B2
Publication (Announcement) Date: 2021-02-02
Application No.: US15637515
Application Date: 2017-06-29
Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventor: Dotan Patrich, Vlad Korsunsky, Maya Maimon, Moshe Israel, Oran Brill, Tomer Teller
Abstract: Methods are provided for building and tuning a correlation data structure. The correlation data structure includes relationship correlations with relationship scores that reflect the level of correlation between alert conditions and feature set events that occurred in a machine. Each relationship correlation further includes a time of influence associated with the times of occurrence for each alert condition and corresponding feature set event. The correlation data structure is built and tuned using sourcing to leverage the alert conditions and feature set events on each machine for all machines in the network. Methods are also provided to use the correlation data structure to monitor the machines in a network, detect feature set events, and detect if alert conditions correlated with those feature set events are likely to occur. The methods further provide for mitigating those alert conditions.
-
Publication (Announcement) No.: US10764299B2
Publication (Announcement) Date: 2020-09-01
Application No.: US15637410
Application Date: 2017-06-29
Applicant: Microsoft Technology Licensing, LLC
Inventor: Ben Kliger, Efim Hudis, Moshe Israel, Steven J. Lieberman, Mark Wahl
Abstract: An access configuration for an access control manager is generated. Access data including users, resources, and actions the users performed on the resources is received into a matrix. Clusters of the matrix are formed to produce ranges of the users and ranges of the resources having selected permission levels based on the actions. Administrator-modifiable security groups are created based on the ranges of users and administrator-modifiable resources groups based on the ranges of resources.
-
Publication (Announcement) No.: US20190281064A1
Publication (Announcement) Date: 2019-09-12
Application No.: US15917315
Application Date: 2018-03-09
Applicant: Microsoft Technology Licensing, LLC
Inventor: Dotan Patrich, Ram Haim Pliskin, Tomer Koren, Moshe Israel, Hani Hana Neuvirth, Josef Weizman
IPC: H04L29/06
Abstract: Systems, methods, and apparatuses are provided for restricting access to a web resource. Website access information is obtained by monitoring accesses to a plurality of websites; for each access, the information may include a network identifier of the access requestor, a website identifier, and an access time. Based on at least the website access information, it may be determined that a particular access requestor has accessed a number of different websites in a given time period. As a result, the particular access requestor may be classified as a web robot. A request by the particular access requestor to permit access to a web resource is received. In response to receiving the request to permit access to the web resource, the particular access requestor is prevented from accessing the web resource and/or a notification is generated that the particular access requestor is attempting to access the web resource.
-
Publication (Announcement) No.: US20180302430A1
Publication (Announcement) Date: 2018-10-18
Application No.: US15488154
Application Date: 2017-04-14
Applicant: Microsoft Technology Licensing, LLC
Inventor: Moshe Israel, Nir Gafni, Josef Weizman
IPC: H04L29/06
CPC classification number: H04L63/1441 , G06F21/604 , G06F2221/2117 , G06Q50/01 , H04L63/105 , H04L2463/121
Abstract: A system is provided for detecting creation of malicious user accounts. The system includes a processor, a memory, and an application including instructions configured to: collect data corresponding to creation of new user accounts, where the new user accounts are associated with at least two distinct organizations, at least two distinct subscriptions, or at least two distinct customers, and where each of the new user accounts has a user name; determine properties based on the data and for a group of similar ones of the user names; evaluate the properties of the new user accounts corresponding to the group of similar ones of the user names and determine whether a probability for the new user accounts to be created having the group of similar ones of the user names is less than a predetermined threshold, and generate an alert based on a result of the evaluation of the properties.
-
Publication (Announcement) No.: US20180176227A1
Publication (Announcement) Date: 2018-06-21
Application No.: US15387427
Application Date: 2016-12-21
Applicant: Microsoft Technology Licensing, LLC
Inventor: Moshe Israel, Ronen Yaari, Ben Kliger, Yaniv Dagan, Gilad Elyashar, Moshe Shalala, Erel Hansav
IPC: H04L29/06
Abstract: A computing system for generating allowed lists of applications for machines is provided. The system, for each machine, identifies a set of executed applications that were executed by that machine. The system then clusters the machines based on similarity between the sets of executed applications so that machines with similar sets are in the same cluster. The system then, for each cluster of machines, creates an allowed list of applications for the cluster that includes the applications in the sets of executed applications of the machines of the cluster. An allowed list for a cluster indicates that only applications in the allowed list are allowed to be executed by a machine in the cluster. The system then distributes the allowed list for a cluster to the machines of that cluster so that the machines execute only applications in the allowed list for their cluster.
-
Publication (Announcement) No.: US12289335B2
Publication (Announcement) Date: 2025-04-29
Application No.: US18105928
Application Date: 2023-02-06
Applicant: Microsoft Technology Licensing, LLC
Inventor: Jonathan Gazit, Moshe Israel, Dotan Patrich
Abstract: Some embodiments bridge a gap between focusing on security alerts raised by conditions and events that have already occurred, and focusing on vulnerabilities that might be exploited in the future. Alerts are organized into alert categories, vulnerabilities are organized into vulnerability categories, and are optionally supplemented with misconfiguration categories. Correlations are identified between alert categories and vulnerability or misconfiguration categories, and the correlation values noted, to produce category association rules. The alerts, vulnerabilities, and other security findings are gathered in some situations from multiple similar environments, and in some cases are filtered to pertain to similar resources or similar configurations. The category association rules are utilized to perform cybersecurity prioritizations such as assigning priority levels to alerts and assigning likelihood levels to potential breaches. Graphs showing resources and data flow paths are annotated with risk scores or with security findings relevant to the applicable category association rules.
-
Publication (Announcement) No.: US11991210B2
Publication (Announcement) Date: 2024-05-21
Application No.: US17080204
Application Date: 2020-10-26
Applicant: Microsoft Technology Licensing, LLC
Inventor: Omer Karin, Amit Magen, Moshe Israel, Tamer Salman
CPC classification number: H04L63/20 , G06F21/57 , G06F21/572 , G06N20/00 , G06F2221/034
Abstract: Methods, systems, apparatuses, and computer-readable storage mediums are described for machine learning-based techniques for identifying a deployment environment in which computing resources (e.g., servers, virtual machines, databases, etc.) reside and for enhancing security for the identified deployment environment. For instance, usage data is collected from the computing resources. The usage data is featurized and provided to a machine learning-based classification model that determines a deployment environment in which the computing resources reside based on the featurized usage data. Once the deployment environment is identified, a security policy that is applicable for the identified deployment environment is determined. The security policy specifies a plurality of recommended security settings that should be applied to the computing resources included in the identified deployment environment. The recommended security settings may be provided to the user (e.g., via a graphical user interface) for application thereby and/or may be automatically activated.
-
Publication (Announcement) No.: US20220391509A1
Publication (Announcement) Date: 2022-12-08
Application No.: US17888949
Application Date: 2022-08-16
Applicant: Microsoft Technology Licensing, LLC
Inventor: Nadav Wolfin, Moshe Israel, Liran Englender, Benyamin Farshteindiker, Elizabeta Mash Levin, Lior Becker, Josef Weizman
Abstract: Generally discussed herein are devices, systems, and methods for secure container operation. A behavior profile of normal container operation can be generated, such as by using crowd-sourced data. A container monitor can provide container actions of an application in a deployed container. The container actions can be compared to a behavior profile that indicates normal behavior of the container. A communication can be generated in response to the container actions being inconsistent with the normal behavior of the behavior profile. The container can be halted to stop the abnormal behavior.
-
Publication (Announcement) No.: US20210409419A1
Publication (Announcement) Date: 2021-12-30
Application No.: US16913876
Application Date: 2020-06-26
Applicant: Microsoft Technology Licensing, LLC
Inventor: Naama Kraus, Tamer Salman, Moshe Israel, Moshe Shalala, Idan Hen, Avihai Dvir, Rotem Lurie
IPC: H04L29/06
Abstract: According to examples, an apparatus may include a memory on which is stored machine-readable instructions that may cause a processor to identify a privilege level assigned to a principal over a resource and determine whether the assigned privilege level is to be maintained or modified for the principal over the resource. Based on a determination that the assigned privilege level is to be maintained for the principal, the processor may determine whether access by the principal over the resource is to be limited and based on a determination that access to the resource is to be limited, apply a limited access by the principal over the resource.