-
Publication (Announcement) No.: US10425443B2
Publication (Announcement) Date: 2019-09-24
Application No.: US15182331
Filing Date: 2016-06-14
Applicant: Microsoft Technology Licensing, LLC.
Inventor: Royi Ronen, Hani Neuvirth-Telem, Shai Baruch Nahum, Yuri Gabaev, Oleg Yanovsky, Vlad Korsunsky, Tomer Teller, Hanan Shteingart
Abstract: Detecting a volumetric attack on a computer network with fewer false positives and while also requiring fewer processing resources is provided. The systems and methods described herein use observations taken at the network level to observe network traffic to form a predictive model for future traffic. When the network's future traffic sufficiently exceeds the predictive model, the monitoring systems and methods will indicate to the network to take security measures. The traffic to the network may be observed in subsets, corresponding to various groupings of sources, destinations, and protocols so that security measures may be targeted to that subset without affecting other machines in the network.
-
Publication (Announcement) No.: US10404738B2
Publication (Announcement) Date: 2019-09-03
Application No.: US15444110
Filing Date: 2017-02-27
Applicant: Microsoft Technology Licensing, LLC
Inventor: Mathias Scherman, Tomer Teller, Hanan Shteingart, Royi Ronen
Abstract: One embodiment illustrated herein includes a computer implemented method. The method includes acts for training an amplification attack detection system. The method includes obtaining a plurality of samples of IPFIX data. The method further includes using the IPFIX data to create a plurality of time-based server samples on a per server basis such that each sample corresponds to a server and a period of time over which the IPFIX data in the sample was collected. The method further includes identifying a plurality of the server samples that are labeled positive for amplification attacks. The method further includes identifying a plurality of server samples that are labeled negative for amplification attacks. The method further includes automatically labeling at least some of the remaining server samples as positive or negative based on the previously identified labeled samples. The method further includes using the automatically labeled samples to train an amplification attack detection system.
-
Publication (Announcement) No.: US10911478B2
Publication (Announcement) Date: 2021-02-02
Application No.: US15637515
Filing Date: 2017-06-29
Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventor: Dotan Patrich, Vlad Korsunsky, Maya Maimon, Moshe Israel, Oran Brill, Tomer Teller
Abstract: Methods are provided for building and tuning a correlation data structure. The correlation data structure includes relationship correlations with relationship scores that reflect the level of correlation between alert conditions and feature set events that occurred in a machine. Each relationship correlation further includes a time of influence associated with the times of occurrence for each alert condition and corresponding feature set event. The correlation data structure is built and tuned using sourcing to leverage the alert conditions and feature set events on each machine for all machines in the network. Methods are also provided to use the correlation data structure to monitor the machines in a network, detect feature set events, and detect if alert conditions correlated with those feature set events are likely to occur. The methods further provide for mitigating those alert conditions.
-
Publication (Announcement) No.: US10460101B2
Publication (Announcement) Date: 2019-10-29
Application No.: US15615002
Filing Date: 2017-06-06
Applicant: Microsoft Technology Licensing, LLC
Inventor: Tomer Teller, Roy Levin
Abstract: In one example, a system includes a processor, memory, and a botnet detection application stored in memory and executed by the processor and configured to: obtain (i) Netflow data indicating one or more IP addresses accessed by a computer and (ii) passive Domain Name System (DNS) data indicating respective one or more domains associated with each of the one or more IP addresses; generate features associated with the computer based on the Netflow data and passive DNS data; generate probability data based on the Netflow data and passive DNS data, wherein the probability data indicates a probability that the computer accessed the one or more domains; assign weights to the features based on the probability data to provide weighted features; and determine whether the computer is likely to be part of a botnet based on the weighted features.
-
Publication (Announcement) No.: US10534925B2
Publication (Announcement) Date: 2020-01-14
Application No.: US15286558
Filing Date: 2016-10-05
Applicant: Microsoft Technology Licensing, LLC
Inventor: Moshe Israel, Royi Ronen, Daniel Alon, Tomer Teller, Hanan Shteingart
Abstract: Controlling device security includes obtaining a set of device activity data indicating current device activity on a device and a set of user activity data indicating a current activity state of one or more legitimate users of the device. It is determined whether the indicated current activity state of the users indicates that a legitimate user is in an active state on the device, or that none of the legitimate users is in an active state on the device. A statistical fit of the indicated current device activity on the device, with the indicated current activity state of the one or more legitimate users, is determined, by a comparison with at least one of the models that are generated via supervised learning. A security alert action may be initiated, based on a result of the determination of the statistical fit indicating a compromised state of the device.
-
Publication (Announcement) No.: US20190005225A1
Publication (Announcement) Date: 2019-01-03
Application No.: US15637515
Filing Date: 2017-06-29
Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventor: Dotan Patrich, Vlad Korsunsky, Maya Maimon, Moshe Israel, Oran Brill, Tomer Teller
Abstract: Methods are provided for building and tuning a correlation data structure. The correlation data structure includes relationship correlations with relationship scores that reflect the level of correlation between alert conditions and feature set events that occurred in a machine. Each relationship correlation further includes a time of influence associated with the times of occurrence for each alert condition and corresponding feature set event. The correlation data structure is built and tuned using sourcing to leverage the alert conditions and feature set events on each machine for all machines in the network. Methods are also provided to use the correlation data structure to monitor the machines in a network, detect feature set events, and detect if alert conditions correlated with those feature set events are likely to occur. The methods further provide for mitigating those alert conditions.
-
Publication (Announcement) No.: US20180248906A1
Publication (Announcement) Date: 2018-08-30
Application No.: US15444110
Filing Date: 2017-02-27
Applicant: Microsoft Technology Licensing, LLC
Inventor: Mathias Scherman, Tomer Teller, Hanan Shteingart, Royi Ronen
IPC: H04L29/06
CPC classification number: H04L63/1441, G06N20/00, H04L61/1511, H04L63/0245, H04L63/1425, H04L63/1458
Abstract: One embodiment illustrated herein includes a computer implemented method. The method includes acts for training an amplification attack detection system. The method includes obtaining a plurality of samples of IPFIX data. The method further includes using the IPFIX data to create a plurality of time-based server samples on a per server basis such that each sample corresponds to a server and a period of time over which the IPFIX data in the sample was collected. The method further includes identifying a plurality of the server samples that are labeled positive for amplification attacks. The method further includes identifying a plurality of server samples that are labeled negative for amplification attacks. The method further includes automatically labeling at least some of the remaining server samples as positive or negative based on the previously identified labeled samples. The method further includes using the automatically labeled samples to train an amplification attack detection system.
-
Publication (Announcement) No.: US20180096157A1
Publication (Announcement) Date: 2018-04-05
Application No.: US15286558
Filing Date: 2016-10-05
Applicant: Microsoft Technology Licensing, LLC
Inventor: Moshe Israel, Royi Ronen, Daniel Alon, Tomer Teller, Hanan Shteingart
CPC classification number: G06F21/6218, G06F21/55, G06F21/566, G06F2221/034, H04L41/06, H04L43/16, H04L63/1416, H04L63/1441, H04L67/22, H04L67/306
Abstract: Controlling device security includes obtaining a set of device activity data indicating current device activity on a device and a set of user activity data indicating a current activity state of one or more legitimate users of the device. It is determined whether the indicated current activity state of the users indicates that a legitimate user is in an active state on the device, or that none of the legitimate users is in an active state on the device. A statistical fit of the indicated current device activity on the device, with the indicated current activity state of the one or more legitimate users, is determined, by a comparison with at least one of the models that are generated via supervised learning. A security alert action may be initiated, based on a result of the determination of the statistical fit indicating a compromised state of the device.
-
Publication (Announcement) No.: US20170359372A1
Publication (Announcement) Date: 2017-12-14
Application No.: US15182331
Filing Date: 2016-06-14
Applicant: Microsoft Technology Licensing, LLC.
Inventor: Royi Ronen, Hani Neuvirth-Telem, Shai Baruch Nahum, Yuri Gabaev, Oleg Yanovsky, Vlad Korsunsky, Tomer Teller, Hanan Shteingart
IPC: H04L29/06
Abstract: Detecting a volumetric attack on a computer network with fewer false positives and while also requiring fewer processing resources is provided. The systems and methods described herein use observations taken at the network level to observe network traffic to form a predictive model for future traffic. When the network's future traffic sufficiently exceeds the predictive model, the monitoring systems and methods will indicate to the network to take security measures. The traffic to the network may be observed in subsets, corresponding to various groupings of sources, destinations, and protocols so that security measures may be targeted to that subset without affecting other machines in the network.