Patents by Inventor Tomer Rotstein
Tomer Rotstein has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Publication number: 20240121249
  Abstract: A method may include receiving from a first computing device, metadata that includes a suspected malicious activity indicator and a device identifier associated with the indicator; receiving, from a second computing device, log activity data; matching the device identifier included in the metadata to a device identifier in the log activity data; and based on the matching, transmitting an alert identifying the second computing device as a source of the suspected malicious activity.
  Type: Application
  Filed: December 14, 2022
  Publication date: April 11, 2024
  Inventors: Tomer Rotstein, Eran SHANY
- Patent number: 11936669
  Abstract: Unauthorized use of user credentials in a network is detected. Data indicative of text strings being used to access resources in the network is accessed. Regex models are determined for the text strings. Groupings of the regex models are determined based on an optimization of a cumulative weighted function. A regex model having a cumulative weighted function that exceeds a predetermined threshold is identified. An alert is generated when the cumulative weighted function for the identified regex model exceeds the predetermined threshold.
  Type: Grant
  Filed: October 4, 2022
  Date of Patent: March 19, 2024
  Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
  Inventors: Andrey Karpovsky, Tomer Rotstein, Fady Nasereldeen, Naama Kraus, Roy Levin, Yotam Livny
- Publication number: 20230205882
  Abstract: The detection and alerting on malicious queries that are directed towards a data store. The detection is done by using syntax metrics of the query. This can be done without evaluating (or at least without retaining) the unmasked query. In order to detect a potentially malicious query, syntax metric(s) of that query are accessed. The syntax metric(s) are then fed into a model that is configured to predict maliciousness of the query based on the one or more syntax metrics. The output of the model then represents a prediction of maliciousness of the query. Based on the output of the model representing the predicted maliciousness, a computing entity associated with the data store is then alerted.
  Type: Application
  Filed: December 29, 2021
  Publication date: June 29, 2023
  Inventors: Andrey KARPOVSKY, Michael MAKHLEVICH, Tomer ROTSTEIN
- Patent number: 11647035
  Abstract: An indication is received of a security alert. The indication is generated based on a detected anomaly in one of a data plane or a control plane of a computing environment. When the detected anomaly is in the data plane, the control plane is monitored for a subsequent anomaly in the control plane, and otherwise the data plane is monitored for a subsequent anomaly in the data plane. A correlation between the detected anomalies is determined. A notification of the security alert is sent when the correlation exceeds a predetermined threshold.
  Type: Grant
  Filed: September 15, 2020
  Date of Patent: May 9, 2023
  Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
  Inventors: Andrey Karpovsky, Roy Levin, Tomer Rotstein, Michael Makhlevich, Tamer Salman, Ram Haim Pliskin
- Publication number: 20230123632
  Abstract: A computing system is configured to train a machine-learning model for detecting suspicious network activities based on a training dataset. The training of the machine-learning model may be supervised or unsupervised training. The training dataset includes multiple strings. For each of the multiple strings, the computing system extracts one or more N-gram substrings, where N is a natural number that is equal to or greater than 2. The computing system then determines a probability of each N-gram substring that may occur in a string. When the machine-learning model is executed, it is configured to classify whether a given string contained in network communication is a random string. In response to classifying that the given string is a random string, an alert is generated at a particular computing system to which the network communication is directed.
  Type: Application
  Filed: October 15, 2021
  Publication date: April 20, 2023
  Inventors: Andrey KARPOVSKY, Tomer ROTSTEIN, Michael MAKHLEVICH, Fady NASERELDEEN
- Publication number: 20230101686
  Abstract: Disclosed herein is a system that implements a model for automatic discovery and identification of a person who is most relevant to handle a notification generated for a resource based on a triggered event. The model accesses an activity log for the resource to identify operations that are relevant to a type of the event. The operations are performed by different users (e.g., owners of the shared resource). The model then calculates an operation relevance score for each of the operations and a user relevance score for each of the different users. The user relevance scores are used to identify a most relevant person from the different users. Contact information for the most relevant person (e.g., name, email address, phone number) is added to the notification so that a person that first views the notification can efficiently forward the notification to the person best positioned to deal with the event.
  Type: Application
  Filed: November 8, 2022
  Publication date: March 30, 2023
  Inventors: Michael MAKHLEVICH, Andrey KARPOVSKY, Tomer ROTSTEIN
- Publication number: 20230028840
  Abstract: Unauthorized use of user credentials in a network is detected. Data indicative of text strings being used to access resources in the network is accessed. Regex models are determined for the text strings. Groupings of the regex models are determined based on an optimization of a cumulative weighted function. A regex model having a cumulative weighted function that exceeds a predetermined threshold is identified. An alert is generated when the cumulative weighted function for the identified regex model exceeds the predetermined threshold.
  Type: Application
  Filed: October 4, 2022
  Publication date: January 26, 2023
  Inventors: Andrey KARPOVSKY, Tomer ROTSTEIN, Fady NASERELDEEN, Naama KRAUS, Roy LEVIN, Yotam LIVNY
- Patent number: 11526603
  Abstract: Disclosed herein is a system that implements a model for automatic discovery and identification of a person who is most relevant to handle a notification generated for a resource based on a triggered event. The model accesses an activity log for the resource to identify operations that are relevant to a type of the event. The operations are performed by different users (e.g., owners of the shared resource). The model then calculates an operation relevance score for each of the operations and a user relevance score for each of the different users. The user relevance scores are used to identify a most relevant person from the different users. Contact information for the most relevant person (e.g., name, email address, phone number) is added to the notification so that a person that first views the notification can efficiently forward the notification to the person best positioned to deal with the event.
  Type: Grant
  Filed: March 30, 2020
  Date of Patent: December 13, 2022
  Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
  Inventors: Michael Makhlevich, Andrey Karpovsky, Tomer Rotstein
- Patent number: 11477216
  Abstract: Unauthorized use of user credentials in a network is detected. Data indicative of text strings being used to access resources in the network is accessed. Regex models are determined for the text strings. Groupings of the regex models are determined based on an optimization of a cumulative weighted function. A regex model having a cumulative weighted function that exceeds a predetermined threshold is identified. An alert is generated when the cumulative weighted function for the identified regex model exceeds the predetermined threshold.
  Type: Grant
  Filed: May 4, 2020
  Date of Patent: October 18, 2022
  Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
  Inventors: Andrey Karpovsky, Tomer Rotstein, Fady Nasereldeen, Naama Kraus, Roy Levin, Yotam Livny
- Patent number: 11477167
  Abstract: A firewall rule evaluation service scores firewall rules based on characteristics of logical objects that fall within ranges of Internet Protocol (IP) addresses corresponding to the firewall rules. Firewall rule scoring criteria may cause scores to be assigned to individual firewall rules based on an inverse relationship to quantities of discrete Autonomous Systems as well as aggregate numbers of and/or severity scores for threat intelligence flagged IP addresses granted access by individual firewall rules. The firewall rule evaluation service may further determine firewall rule recommendations for replacing firewall rules spanning multiple IP prefixes for different Autonomous Systems with more narrowly defined firewall rules that precisely encompass IP prefixes corresponding to single autonomous systems or multiple related Autonomous Systems (e.g., Autonomous Systems operated by a single trustworthy entity).
  Type: Grant
  Filed: December 16, 2020
  Date of Patent: October 18, 2022
  Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
  Inventors: Andrey Karpovsky, Tomer Rotstein, Tomer Levav, Ron Matchoro, Michael Makhlevich
- Publication number: 20220191173
  Abstract: A firewall rule evaluation service scores firewall rules based on characteristics of logical objects that fall within ranges of Internet Protocol (IP) addresses corresponding to the firewall rules. Firewall rule scoring criteria may cause scores to be assigned to individual firewall rules based on an inverse relationship to quantities of discrete Autonomous Systems as well as aggregate numbers of and/or severity scores for threat intelligence flagged IP addresses granted access by individual firewall rules. The firewall rule evaluation service may further determine firewall rule recommendations for replacing firewall rules spanning multiple IP prefixes for different Autonomous Systems with more narrowly defined firewall rules that precisely encompass IP prefixes corresponding to single autonomous systems or multiple related Autonomous Systems (e.g., Autonomous Systems operated by a single trustworthy entity).
  Type: Application
  Filed: December 16, 2020
  Publication date: June 16, 2022
  Inventors: Andrey KARPOVSKY, Tomer ROTSTEIN, Tomer LEVAV, Ron MATCHORO, Michael MAKHLEVICH
- Publication number: 20220086180
  Abstract: An indication is received of a security alert. The indication is generated based on a detected anomaly in one of a data plane or a control plane of a computing environment. When the detected anomaly is in the data plane, the control plane is monitored for a subsequent anomaly in the control plane, and otherwise the data plane is monitored for a subsequent anomaly in the data plane. A correlation between the detected anomalies is determined. A notification of the security alert is sent when the correlation exceeds a predetermined threshold.
  Type: Application
  Filed: September 15, 2020
  Publication date: March 17, 2022
  Inventors: Andrey KARPOVSKY, Roy LEVIN, Tomer ROTSTEIN, Michael MAKHLEVICH, Tamer SALMAN, Ram Haim PLISKIN
- Publication number: 20210344691
  Abstract: Unauthorized use of user credentials in a network is detected. Data indicative of text strings being used to access resources in the network is accessed. Regex models are determined for the text strings. Groupings of the regex models are determined based on an optimization of a cumulative weighted function. A regex model having a cumulative weighted function that exceeds a predetermined threshold is identified. An alert is generated when the cumulative weighted function for the identified regex model exceeds the predetermined threshold.
  Type: Application
  Filed: May 4, 2020
  Publication date: November 4, 2021
  Inventors: Andrey KARPOVSKY, Tomer ROTSTEIN, Fady NASERELDEEN, Naama KRAUS, Roy LEVIN, Yotam LIVNY
- Publication number: 20210303684
  Abstract: Disclosed herein is a system that implements a model for automatic discovery and identification of a person who is most relevant to handle a notification generated for a resource based on a triggered event. The model accesses an activity log for the resource to identify operations that are relevant to a type of the event. The operations are performed by different users (e.g., owners of the shared resource). The model then calculates an operation relevance score for each of the operations and a user relevance score for each of the different users. The user relevance scores are used to identify a most relevant person from the different users. Contact information for the most relevant person (e.g., name, email address, phone number) is added to the notification so that a person that first views the notification can efficiently forward the notification to the person best positioned to deal with the event.
  Type: Application
  Filed: March 30, 2020
  Publication date: September 30, 2021
  Inventors: Michael MAKHLEVICH, Andrey KARPOVSKY, Tomer ROTSTEIN
- Patent number: 11057424
  Abstract: Computer systems, devices, and associated methods of detecting and/or preventing injection attacks in databases are disclosed herein. In one embodiment, a method includes determining whether parsing a database statement received from an application on the application server causes a syntax error in a database. In response to determining that parsing the received database statement does not cause a syntax error, the method includes determining whether an identical syntactic pattern already exists. In response to determining that an identical syntactic pattern already exists in the database, the method includes indicating that the received database statement does not involve an injection attack.
  Type: Grant
  Filed: July 19, 2019
  Date of Patent: July 6, 2021
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Yosef Dinerstein, Oren Yossef, Tomer Weisberg, Assaf Akrabi, Tomer Rotstein
- Patent number: 10733189
  Abstract: Query processors often receive queries to be processed against a data set, such as by inserting user input into parameterized fields of a query template. Some queries may be manipulated by user input (e.g., injection attacks) to introduce intentional errors in the query, where the error message reveals a protected detail about the data set, such as the existence or number of records or tables, the data set schema, and/or the configuration of the query processor. Instead, when the processing of a query results in an error message that contains a protected detail about the data set (including the query processor), the error message may be redacted to redact the protected detail before providing a redacted error message that avoids revealing information that might otherwise be usable to exploit the contents of the data set and/or the integrity of the data processor.
  Type: Grant
  Filed: April 7, 2017
  Date of Patent: August 4, 2020
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: David Edward Brookler, Tomer Weisberg, Oren Yossef, Tomer Rotstein
- Patent number: 10496647
  Abstract: Query processors often receive queries to be processed against a data set, such as by inserting user input into parameterized fields of a query template. Some queries may include a conditional statement, and manipulation of user input (e.g., injection attacks) may introduce a delay through a conditional branch. The time required to fulfill the query may indicate which conditional branch was taken, thus revealing properties of the data set that are intended to be withheld. Instead, a query processor may examine the query to identify, between a pair of conditional branches, a processing delay of the first conditional branch as compared with the second conditional branch. The query processor may identify a query adaptation that reduces the processing delay of the first conditional branch as compared with the second conditional branch, and evaluate the query against the data set according to the query adaptation to present a query result.
  Type: Grant
  Filed: April 18, 2017
  Date of Patent: December 3, 2019
  Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
  Inventors: David Edward Brookler, Tomer Weisberg, Oren Yossef, Tomer Rotstein
- Publication number: 20190342332
  Abstract: Computer systems, devices, and associated methods of detecting and/or preventing injection attacks in databases are disclosed herein. In one embodiment, a method includes determining whether parsing a database statement received from an application on the application server causes a syntax error in a database. In response to determining that parsing the received database statement does not cause a syntax error, the method includes determining whether an identical syntactic pattern already exists. In response to determining that an identical syntactic pattern already exists in the database, the method includes indicating that the received database statement does not involve an injection attack.
  Type: Application
  Filed: July 19, 2019
  Publication date: November 7, 2019
  Inventors: Yosef Dinerstein, Oren Yossef, Tomer Weisberg, Assaf Akrabi, Tomer Rotstein
- Patent number: 10404744
  Abstract: Computer systems, devices, and associated methods of detecting and/or preventing injection attacks in databases are disclosed herein. In one embodiment, a method includes determining whether parsing a database statement received from an application on the application server causes a syntax error in a database. In response to determining that parsing the received database statement does not cause a syntax error, the method includes determining whether an identical syntactic pattern already exists. In response to determining that an identical syntactic pattern already exists in the database, the method includes indicating that the received database statement does not involve an injection attack.
  Type: Grant
  Filed: September 20, 2016
  Date of Patent: September 3, 2019
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Yosef Dinerstein, Oren Yossef, Tomer Weisberg, Assaf Akrabi, Tomer Rotstein
- Publication number: 20180300370
  Abstract: Query processors often receive queries to be processed against a data set, such as by inserting user input into parameterized fields of a query template. Some queries may include a conditional statement, and manipulation of user input (e.g., injection attacks) may introduce a delay through a conditional branch. The time required to fulfill the query may indicate which conditional branch was taken, thus revealing properties of the data set that are intended to be withheld. Instead, a query processor may examine the query to identify, between a pair of conditional branches, a processing delay of the first conditional branch as compared with the second conditional branch. The query processor may identify a query adaptation that reduces the processing delay of the first conditional branch as compared with the second conditional branch, and evaluate the query against the data set according to the query adaptation to present a query result.
  Type: Application
  Filed: April 18, 2017
  Publication date: October 18, 2018
  Inventors: David Edward Brookler, Tomer Weisberg, Oren Yossef, Tomer Rotstein