-
Publication No.: US11533240B2
Publication date: 2022-12-20
Application No.: US15156182
Application date: 2016-05-16
Applicant: Microsoft Technology Licensing, LLC
Inventor: Efim Hudis, Hani-Hana Neuvirth, Daniel Alon, Royi Ronen, Yair Tor, Gilad Michael Elyashar
IPC: H04L41/14, G06Q30/06, G06F8/60, H04L41/0803, H04L67/00
Abstract: A recommendation system for recommending a target feature value for a target feature for a target deployment is provided. The recommendation system, for each of a plurality of deployments, collects feature values for the features of that deployment. The recommendation system then generates a model for recommending a target feature value for the target feature based on the collected feature values of the features for the deployments. The recommendation system applies the model to the features of the target deployment to identify a target feature value for the target feature. The recommendation system then provides the identified target feature value as a recommendation for the target feature for the target deployment.
-
Publication No.: US20180084001A1
Publication date: 2018-03-22
Application No.: US15273604
Application date: 2016-09-22
Applicant: Microsoft Technology Licensing, LLC.
Inventor: Efim Hudis, Michal Braverman-Blumenstyk, Daniel Alon, Hani Hana Neuvirth, Royi Ronen, Yuri Gurevich
CPC classification number: H04L63/1433, G06F16/9024, G06F21/577, H04L63/14, H04L63/1408
Abstract: Systems and methods for analyzing security alerts within an enterprise are provided. An enterprise graph is generated based on information such as operational intelligence regarding the enterprise. The enterprise graph identifies relationships between entities of the enterprise and a plurality of security alerts are produced by a plurality of security components of the enterprise. One or more significant relationships are identified between two or more of the plurality of security alerts based on a strength of a relationship identified in the enterprise graph. A significant relationship is utilized to identify a potential security incident between two or more of the security alerts.
-
Publication No.: US20170207980A1
Publication date: 2017-07-20
Application No.: US15156182
Application date: 2016-05-16
Applicant: Microsoft Technology Licensing, LLC
Inventor: Efim Hudis, Hani-Hana Neuvirth, Daniel Alon, Royi Ronen, Yair Tor, Gilad Michael Elyashar
CPC classification number: H04L41/145, G06F8/60, G06Q30/0631, H04L41/0803, H04L67/34
Abstract: A recommendation system for recommending a target feature value for a target feature for a target deployment is provided. The recommendation system, for each of a plurality of deployments, collects feature values for the features of that deployment. The recommendation system then generates a model for recommending a target feature value for the target feature based on the collected feature values of the features for the deployments. The recommendation system applies the model to the features of the target deployment to identify a target feature value for the target feature. The recommendation system then provides the identified target feature value as a recommendation for the target feature for the target deployment.
-
Publication No.: US09665460B2
Publication date: 2017-05-30
Application No.: US14721777
Application date: 2015-05-26
Applicant: Microsoft Technology Licensing, LLC
Inventor: Hani Neuvirth-Telem, Amit Hilbuch, Shay Baruch Nahum, Yehuda Finkelstein, Daniel Alon, Elad Yom-Tov
CPC classification number: G06F11/006, G06F11/00, G06F11/3051, G06F11/3447, G06F11/3452, G06F2201/86, G06N5/04, G06N99/005
Abstract: A system for identifying abnormal resource usage in a data center is provided. In some embodiments, the system employs a prediction model for each of a plurality of resources and an abnormal resource usage criterion. For each of a plurality of resources of the data center, the system retrieves current resource usage data for a current time and past resource usage data for that resource. The system then extracts features from the past resource usage data for that resource, predicts using the prediction model for that resource usage data for the current time based on the extracted features, and determines an error between the predicted resource usage data and the current resource usage data. After determining the error data for the resources, the system determines whether errors satisfy the abnormal resource usage criterion. If so, the system indicates that an abnormal resource usage has occurred.
-
Publication No.: US10534925B2
Publication date: 2020-01-14
Application No.: US15286558
Application date: 2016-10-05
Applicant: Microsoft Technology Licensing, LLC
Inventor: Moshe Israel, Royi Ronen, Daniel Alon, Tomer Teller, Hanan Shteingart
Abstract: Controlling device security includes obtaining a set of device activity data indicating current device activity on a device and a set of user activity data indicating a current activity state of one or more legitimate users of the device. It is determined whether the indicated current activity state of the users indicates that a legitimate user is in an active state on the device, or that none of the legitimate users is in an active state on the device. A statistical fit of the indicated current device activity on the device, with the indicated current activity state of the one or more legitimate users, is determined, by a comparison with at least one of the models that are generated via supervised learning. A security alert action may be initiated, based on a result of the determination of the statistical fit indicating a compromised state of the device.
-
Publication No.: US20180096157A1
Publication date: 2018-04-05
Application No.: US15286558
Application date: 2016-10-05
Applicant: Microsoft Technology Licensing, LLC
Inventor: Moshe Israel, Royi Ronen, Daniel Alon, Tomer Teller, Hanan Shteingart
CPC classification number: G06F21/6218, G06F21/55, G06F21/566, G06F2221/034, H04L41/06, H04L43/16, H04L63/1416, H04L63/1441, H04L67/22, H04L67/306
Abstract: Controlling device security includes obtaining a set of device activity data indicating current device activity on a device and a set of user activity data indicating a current activity state of one or more legitimate users of the device. It is determined whether the indicated current activity state of the users indicates that a legitimate user is in an active state on the device, or that none of the legitimate users is in an active state on the device. A statistical fit of the indicated current device activity on the device, with the indicated current activity state of the one or more legitimate users, is determined, by a comparison with at least one of the models that are generated via supervised learning. A security alert action may be initiated, based on a result of the determination of the statistical fit indicating a compromised state of the device.
-
Publication No.: US20170161127A1
Publication date: 2017-06-08
Application No.: US15385718
Application date: 2016-12-20
Applicant: Microsoft Technology Licensing, LLC
Inventor: Hani Neuvirth-Telem, Amit Hilbuch, Shay Baruch Nahum, Yehuda Finkelstein, Daniel Alon, Elad Yom-Tov
CPC classification number: G06F11/006, G06F11/00, G06F11/3051, G06F11/3447, G06F11/3452, G06F2201/86, G06N5/04, G06N20/00
Abstract: A system for identifying abnormal resource usage in a data center is provided. In some embodiments, the system employs a prediction model for each of a plurality of resources and an abnormal resource usage criterion. For each of a plurality of resources of the data center, the system retrieves current resource usage data for a current time and past resource usage data for that resource. The system then extracts features from the past resource usage data for that resource, predicts using the prediction model for that resource usage data for the current time based on the extracted features, and determines an error between the predicted resource usage data and the current resource usage data. After determining the error data for the resources, the system determines whether errors satisfy the abnormal resource usage criterion. If so, the system indicates that an abnormal resource usage has occurred.
-
Publication No.: US20160350198A1
Publication date: 2016-12-01
Application No.: US14721777
Application date: 2015-05-26
Applicant: Microsoft Technology Licensing, LLC
Inventor: Hani Neuvirth-Telem, Amit Hilbuch, Shay Baruch Nahum, Yehuda Finkelstein, Daniel Alon, Elad Yom-Tov
CPC classification number: G06F11/006, G06F11/00, G06F11/3051, G06F11/3447, G06F11/3452, G06F2201/86, G06N5/04, G06N99/005
Abstract: A system for identifying abnormal resource usage in a data center is provided. In some embodiments, the system employs a prediction model for each of a plurality of resources and an abnormal resource usage criterion. For each of a plurality of resources of the data center, the system retrieves current resource usage data for a current time and past resource usage data for that resource. The system then extracts features from the past resource usage data for that resource, predicts using the prediction model for that resource usage data for the current time based on the extracted features, and determines an error between the predicted resource usage data and the current resource usage data. After determining the error data for the resources, the system determines whether errors satisfy the abnormal resource usage criterion. If so, the system indicates that an abnormal resource usage has occurred.
-
Publication No.: US10771492B2
Publication date: 2020-09-08
Application No.: US15273604
Application date: 2016-09-22
Applicant: Microsoft Technology Licensing, LLC.
Inventor: Efim Hudis, Michal Braverman-Blumenstyk, Daniel Alon, Hani Hana Neuvirth, Royi Ronen, Yuri Gurevich
IPC: H04L29/06, G06F16/901, G06F21/57
Abstract: Systems and methods for analyzing security alerts within an enterprise are provided. An enterprise graph is generated based on information such as operational intelligence regarding the enterprise. The enterprise graph identifies relationships between entities of the enterprise and a plurality of security alerts are produced by a plurality of security components of the enterprise. One or more significant relationships are identified between two or more of the plurality of security alerts based on a strength of a relationship identified in the enterprise graph. A significant relationship is utilized to identify a potential security incident between two or more of the security alerts.
-
Publication No.: US10402244B2
Publication date: 2019-09-03
Application No.: US15385718
Application date: 2016-12-20
Applicant: Microsoft Technology Licensing, LLC
Inventor: Hani Neuvirth-Telem, Amit Hilbuch, Shay Baruch Nahum, Yehuda Finkelstein, Daniel Alon, Elad Yom-Tov
Abstract: A system for identifying abnormal resource usage in a data center is provided. In some embodiments, the system employs a prediction model for each of a plurality of resources and an abnormal resource usage criterion. For each of a plurality of resources of the data center, the system retrieves current resource usage data for a current time and past resource usage data for that resource. The system then extracts features from the past resource usage data for that resource, predicts using the prediction model for that resource usage data for the current time based on the extracted features, and determines an error between the predicted resource usage data and the current resource usage data. After determining the error data for the resources, the system determines whether errors satisfy the abnormal resource usage criterion. If so, the system indicates that an abnormal resource usage has occurred.