-
Publication number: US20160379133A1
Publication date: 2016-12-29
Application number: US14748211
Application date: 2015-06-23
Applicant: Microsoft Technology Licensing, LLC
Inventor: Hanan Shteingart , Yair Tor , Eli Koreh , Amit Hilbuch , Yifat Schacter
IPC: G06N99/00
CPC classification number: G06N20/00
Abstract: Disclosed herein is a system and method that can be used with any underlying classification technique. The method takes into account both the value of the current feature vector. It is based on evaluating the effect of perturbing each feature by bootstrapping it with the negative samples and measuring the change in the classifier output. To assess the importance of a given feature value in the classified feature vector, a random negatively labeled instance is taken out of the training set and replaces the feature at question with a corresponding feature from this set. Then, by classifying the modified feature vector and comparing its predicted label and classifier output a user is able to measure and observe the effect of changing each feature.
-
Publication number: US10943181B2
Publication date: 2021-03-09
Application number: US14751135
Application date: 2015-06-26
Applicant: Microsoft Technology Licensing, LLC
Inventor: Hanan Shteingart , Yair Tor , Eli Koreh , Amit Hilbuch , Yifat Schacter
IPC: G06N20/00
Abstract: Disclosed herein is a system and method that can be used with any underlying classification technique. The method receives a test dataset and determines the features in that test dataset that are present. From these features the training dataset is modified to only have those features that are present in the test dataset. This modified test dataset is then used to calibrate the classifier for the particular incoming data set. The process repeats itself for each different incoming dataset providing a just in time calibration of the classifier.
-
Publication number: US10404738B2
Publication date: 2019-09-03
Application number: US15444110
Application date: 2017-02-27
Applicant: Microsoft Technology Licensing, LLC
Inventor: Mathias Scherman , Tomer Teller , Hanan Shteingart , Royi Ronen
Abstract: One embodiment illustrated herein includes a computer implemented method. The method includes acts for training an amplification attack detection system. The method includes obtaining a plurality of samples of IPFIX data. The method further includes using the IPFIX data to create a plurality of time-based, server samples on a per server basis such that each sample corresponds to a server and a period of time over which IPFIX data in the sample corresponds. The method further includes identifying a plurality of the server samples that are labeled positive for amplification attacks. The method further includes identifying a plurality of server samples that are labeled negative for amplification attacks. The method further includes automatically labeling at least some of the remaining server samples as positive or negative based on the previously identified labeled samples. The method further includes using the automatically labeled samples to train an amplification attack detection system.
-
Publication number: US20160379135A1
Publication date: 2016-12-29
Application number: US14751135
Application date: 2015-06-26
Applicant: Microsoft Technology Licensing, LLC
Inventor: Hanan Shteingart , Yair Tor , Eli Koreh , Amit Hilbuch , Yifat Schacter
IPC: G06N99/00
CPC classification number: G06N20/00
Abstract: Disclosed herein is a system and method that can be used with any underlying classification technique. The method receives a test dataset and determines the features in that test dataset that are present. From these features the training dataset is modified to only have those features that are present in the test dataset. This modified test dataset is then used to calibrate the classifier for the particular incoming data set. The process repeats itself for each different incoming dataset providing a just in time calibration of the classifier.
-
Publication number: US10534925B2
Publication date: 2020-01-14
Application number: US15286558
Application date: 2016-10-05
Applicant: Microsoft Technology Licensing, LLC
Inventor: Moshe Israel , Royi Ronen , Daniel Alon , Tomer Teller , Hanan Shteingart
Abstract: Controlling device security includes obtaining a set of device activity data indicating current device activity on a device and a set of user activity data indicating a current activity state of one or more legitimate users of the device. It is determined whether the indicated current activity state of the users indicates that a legitimate user is in an active state on the device, or that none of the legitimate users is in an active state on the device. A statistical fit of the indicated current device activity on the device, with the indicated current activity state of the one or more legitimate users, is determined, by a comparison with at least one of the models that are generated via supervised learning. A security alert action may be initiated, based on a result of the determination of the statistical fit indicating a compromised state of the device.
-
Publication number: US20180248906A1
Publication date: 2018-08-30
Application number: US15444110
Application date: 2017-02-27
Applicant: Microsoft Technology Licensing, LLC
Inventor: Mathias Scherman , Tomer Teller , Hanan Shteingart , Royi Ronen
IPC: H04L29/06
CPC classification number: H04L63/1441 , G06N20/00 , H04L61/1511 , H04L63/0245 , H04L63/1425 , H04L63/1458
Abstract: One embodiment illustrated herein includes a computer implemented method. The method includes acts for training an amplification attack detection system. The method includes obtaining a plurality of samples of IPFIX data. The method further includes using the IPFIX data to create a plurality of time-based, server samples on a per server basis such that each sample corresponds to a server and a period of time over which IPFIX data in the sample corresponds. The method further includes identifying a plurality of the server samples that are labeled positive for amplification attacks. The method further includes identifying a plurality of server samples that are labeled negative for amplification attacks. The method further includes automatically labeling at least some of the remaining server samples as positive or negative based on the previously identified labeled samples. The method further includes using the automatically labeled samples to train an amplification attack detection system.
-
Publication number: US20180096157A1
Publication date: 2018-04-05
Application number: US15286558
Application date: 2016-10-05
Applicant: Microsoft Technology Licensing, LLC
Inventor: Moshe Israel , Royi Ronen , Daniel Alon , Tomer Teller , Hanan Shteingart
CPC classification number: G06F21/6218 , G06F21/55 , G06F21/566 , G06F2221/034 , H04L41/06 , H04L43/16 , H04L63/1416 , H04L63/1441 , H04L67/22 , H04L67/306
Abstract: Controlling device security includes obtaining a set of device activity data indicating current device activity on a device and a set of user activity data indicating a current activity state of one or more legitimate users of the device. It is determined whether the indicated current activity state of the users indicates that a legitimate user is in an active state on the device, or that none of the legitimate users is in an active state on the device. A statistical fit of the indicated current device activity on the device, with the indicated current activity state of the one or more legitimate users, is determined, by a comparison with at least one of the models that are generated via supervised learning. A security alert action may be initiated, based on a result of the determination of the statistical fit indicating a compromised state of the device.
-
Publication number: US20170359372A1
Publication date: 2017-12-14
Application number: US15182331
Application date: 2016-06-14
Applicant: Microsoft Technology Licensing, LLC.
Inventor: Royi Ronen , Hani Neuvirth-Telem , Shai Baruch Nahum , Yuri Gabaev , Oleg Yanovsky , Vlad Korsunsky , Tomer Teller , Hanan Shteingart
IPC: H04L29/06
Abstract: Detecting a volumetric attack on a computer network with fewer false positives and while also requiring fewer processing resources is provided. The systems and methods described herein use observations taken at the network level to observe network traffic to form a predictive model for future traffic. When the network's future traffic sufficiently exceeds the predictive model, the monitoring systems and methods will indicate to the network to take security measures. The traffic to the network may be observed in subsets, corresponding to various groupings of sources, destinations, and protocols so that security measures may be targeted to that subset without affecting other machines in the network.
-
Publication number: US10530768B2
Publication date: 2020-01-07
Application number: US15132657
Application date: 2016-04-19
Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventor: Hanan Shteingart , Ariel N. Gordon , Jonathan Gazit
Abstract: Systems, methods, and computer-readable storage media are provided for authenticating users to secure services or apps utilizing reversed, hands-free and/or continuous two-factor authentication. When a user desires to access a secure service or app for which s/he is already registered, the user, having a registered mobile computing device in proximity to his or her presence, comes within a threshold distance of a computing device that includes the desired secure service or app. The computing device authenticates the particular mobile computing device as associated with the particular registered user that utilized that mobile device during registration. Subsequent to such device authentication, the user is able to login to the service or app by simply providing his or her user credentials at a login form associated therewith. Two-factor authentication in accordance with embodiments hereof is more secure and more efficient than traditional authentication methodologies.
-
Publication number: US10425443B2
Publication date: 2019-09-24
Application number: US15182331
Application date: 2016-06-14
Applicant: Microsoft Technology Licensing, LLC.
Inventor: Royi Ronen , Hani Neuvirth-Telem , Shai Baruch Nahum , Yuri Gabaev , Oleg Yanovsky , Vlad Korsunsky , Tomer Teller , Hanan Shteingart
Abstract: Detecting a volumetric attack on a computer network with fewer false positives and while also requiring fewer processing resources is provided. The systems and methods described herein use observations taken at the network level to observe network traffic to form a predictive model for future traffic. When the network's future traffic sufficiently exceeds the predictive model, the monitoring systems and methods will indicate to the network to take security measures. The traffic to the network may be observed in subsets, corresponding to various groupings of sources, destinations, and protocols so that security measures may be targeted to that subset without affecting other machines in the network.