-
Publication No.: US11681710B2
Publication date: 2023-06-20
Application No.: US16231517
Filing date: 2018-12-23
Applicant: Microsoft Technology Licensing, LLC
Inventors: Moshe Israel, Yaakov Garyani, Or Cohen
IPC: G06F7/00, G06F16/2457, G06F16/26, G06N20/00, G06F16/2455
CPC classification number: G06F16/2457, G06F16/2455, G06F16/26, G06N20/00
Abstract: Security Information and Event Management tools, log management tools, log analysis tools, and other event data management tools are enhanced. Enhancements harvest entity extraction rules from queries, query results, and other examples involving the extraction of field values from large amounts of data, and help perform entity extraction efficiently. Entity extraction operations locate IP addresses, usernames, and other field values that are embedded in logs or data streams, for example, and populate object properties with extracted values. Previously used extraction rules are applied in new contexts with different users, different data sources, or both. An entity extraction rules database serves as a model that contains rules specifying parsing mechanisms. Parsing mechanisms may include regular expressions, separation character definitions, and may process particular file formats or object notation formats or markup language formats. A recommender suggests extraction rules to users, based on frequency, machine learning classifications, correctness certainty, or other considerations.
-
-
Publication No.: US11263544B2
Publication date: 2022-03-01
Application No.: US16105189
Filing date: 2018-08-20
Applicant: Microsoft Technology Licensing, LLC
Inventors: Yotam Livny, Roy Levin, Ram Haim Pliskin, Ben Kliger, Mathias Abraham Marc Scherman, Moshe Israel, Michael Zeev Bargury
Abstract: Systems, methods, and apparatuses are provided for clustering incidents in a computing environment. An incident notification relating to an event (e.g., a potential cyberthreat or any other alert) in the computing environment is received and a set of features may be generated based on the incident notification. The set of features may be provided as an input to a machine-learning engine to identify a similar incident notification in the computing environment. The similar incident notification may include a resolved incident notification or an unresolved incident notification. An action to resolve the incident notification may be received, and the received action may thereby be executed. In some implementations, in addition to resolving the received incident notification, the action may be executed to resolve a similar unresolved incident notification identified by the machine-learning engine.
-
-
Publication No.: US20200057953A1
Publication date: 2020-02-20
Application No.: US16105189
Filing date: 2018-08-20
Applicant: Microsoft Technology Licensing, LLC
Inventors: Yotam Livny, Roy Levin, Ram Haim Pliskin, Ben Kliger, Mathias Abraham Marc Scherman, Moshe Israel, Michael Zeev Bargury
Abstract: Systems, methods, and apparatuses are provided for clustering incidents in a computing environment. An incident notification relating to an event (e.g., a potential cyberthreat or any other alert) in the computing environment is received and a set of features may be generated based on the incident notification. The set of features may be provided as an input to a machine-learning engine to identify a similar incident notification in the computing environment. The similar incident notification may include a resolved incident notification or an unresolved incident notification. An action to resolve the incident notification may be received, and the received action may thereby be executed. In some implementations, in addition to resolving the received incident notification, the action may be executed to resolve a similar unresolved incident notification identified by the machine-learning engine.
-
Publication No.: US10474966B2
Publication date: 2019-11-12
Application No.: US15444124
Filing date: 2017-02-27
Applicant: Microsoft Technology Licensing, LLC
Inventors: Moshe Israel, Dotan Patrich
Abstract: Providing network entities with notifications of attacks on the entities. A method includes collecting alerts from a plurality of network entities in a cluster computing environment. Alerts are grouped into heterogeneous groups of alerts. Each group includes a plurality of different types of alerts. Each alert has corresponding properties, including at least one property identifying the type of alert. Each group of alerts corresponds to a timeline of alerts for a particular entity. Groups of alerts that correspond to a valid cyber-kill chain are identified. Different groups of alerts that correspond to a valid cyber-kill chain are correlated into clusters of groups of alerts by correlating the types of alerts and corresponding properties. At least one cluster is identified as having some characteristic of interest. Entities corresponding to groups of alerts in the cluster are notified of the characteristic of interest.
-
Publication No.: US20180375831A1
Publication date: 2018-12-27
Application No.: US15634554
Filing date: 2017-06-27
Applicant: Microsoft Technology Licensing, LLC
Inventors: Ben Kliger, Gilad Elyashar, Moshe Israel, Michael Zeev Bargury
IPC: H04L29/06
Abstract: A security configuration for a firewall is generated. Network traffic data, network reputation data, and endpoint protection data are received from a network environment. A reputation score for a network address is generated from the network traffic data and the network reputation data. An endpoint protection configuration is generated from a routine based on the network traffic data and the endpoint protection data. A set of security rules is provided from the endpoint configuration and the reputation score.
-
Publication No.: US20180365412A1
Publication date: 2018-12-20
Application No.: US15626892
Filing date: 2017-06-19
Applicant: Microsoft Technology Licensing, LLC
Inventors: Moshe Israel, Ben Kliger
Abstract: Methods, systems, and apparatuses are provided for managing an execution of applications in a computing environment. A whitelist of applications that are permitted to execute in a computing environment is obtained. For one or more of the applications on the whitelist, a temporal rule is assigned that specifies a time period in which the application is permitted to execute in the computing environment. For instance, the temporal rule may be obtained via a user input or may be determined automatically by analyzing an execution history of the application. Applications are permitted to execute in the computing environment during the time period specified by the temporal rule, and are prevented from executing outside of the time period. By restricting the time period in which an application can execute, the overall vulnerability to malware attacks in a computing environment may be reduced.
-
Publication No.: US20180248893A1
Publication date: 2018-08-30
Application No.: US15444124
Filing date: 2017-02-27
Applicant: Microsoft Technology Licensing, LLC
Inventors: Moshe Israel, Dotan Patrich
Abstract: Providing network entities with notifications of attacks on the entities. A method includes collecting alerts from a plurality of network entities in a cluster computing environment. Alerts are grouped into heterogeneous groups of alerts. Each group includes a plurality of different types of alerts. Each alert has corresponding properties, including at least one property identifying the type of alert. Each group of alerts corresponds to a timeline of alerts for a particular entity. Groups of alerts that correspond to a valid cyber-kill chain are identified. Different groups of alerts that correspond to a valid cyber-kill chain are correlated into clusters of groups of alerts by correlating the types of alerts and corresponding properties. At least one cluster is identified as having some characteristic of interest. Entities corresponding to groups of alerts in the cluster are notified of the characteristic of interest.
-
Publication No.: US11888870B2
Publication date: 2024-01-30
Application No.: US17493060
Filing date: 2021-10-04
Applicant: Microsoft Technology Licensing, LLC
Inventors: Yaakov Garyani, Moshe Israel, Hani Hana Neuvirth, Ely Abramovitch, Amir Keren, Timothy William Burrell
IPC: H04L9/40
CPC classification number: H04L63/1416, H04L63/1441
Abstract: Embodiments detect cyberattack campaigns against multiple cloud tenants by analyzing activity data to find sharing anomalies. Data that appears benign in a single tenant's activities may indicate an attack when the same or similar data is also found for additional tenants. Attack detection may depend on activity time frames, on how similar certain activities of different tenants are to one another, on how unusual it is for different tenants to share an activity, and on other factors. Sharing anomaly analysis may utilize hypergeometric probabilities or other statistical measures. Detection avoidance attempts using entity randomization are revealed and thwarted. Authorized vendors may be recognized, mooting anomalousness. Although data from multiple tenants is analyzed together for sharing anomalies while monitoring for attacks, tenant confidentiality and privacy are respected through technical and legal mechanisms. Mitigation is performed in response to an attack indication.
-
Publication No.: US11297086B2
Publication date: 2022-04-05
Application No.: US16738675
Filing date: 2020-01-09
Applicant: Microsoft Technology Licensing, LLC
Inventors: Michael Zeev Bargury, Moshe Israel
IPC: G06F15/173, H04L29/06, H04L41/12, H04L67/10
Abstract: A correlation-based network security for network devices is disclosed. Correlations between a plurality of network devices are mapped based on telemetry from the network devices to determine correlated devices. The behaviors of the correlated devices are monitored based on telemetry received from the correlated devices to determine a deviant device of the plurality of devices. A prioritized alert for the plurality of network devices is generated from a security alert received for the deviant device.
-
Publication No.: US11030303B2
Publication date: 2021-06-08
Application No.: US15626892
Filing date: 2017-06-19
Applicant: Microsoft Technology Licensing, LLC
Inventors: Moshe Israel, Ben Kliger
Abstract: Methods, systems, and apparatuses are provided for managing an execution of applications in a computing environment. A whitelist of applications that are permitted to execute in a computing environment is obtained. For one or more of the applications on the whitelist, a temporal rule is assigned that specifies a time period in which the application is permitted to execute in the computing environment. For instance, the temporal rule may be obtained via a user input or may be determined automatically by analyzing an execution history of the application. Applications are permitted to execute in the computing environment during the time period specified by the temporal rule, and are prevented from executing outside of the time period. By restricting the time period in which an application can execute, the overall vulnerability to malware attacks in a computing environment may be reduced.