Patents by Inventor Yonatan MOST
Yonatan MOST has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11297075
Abstract: According to examples, an apparatus may include a processor and a computer readable medium on which is stored machine readable instructions that may cause the processor to assign the activities in user activity data into a plurality of groups based on common user identifiers corresponding to the pairs of activities. The instructions may also cause the processor to determine a correlation between a user event and the plurality of groups, determine whether the user event is suspicious based on the determined correlation, and based on a determination that the user event is suspicious, output an indication that the user event is suspicious.
Type: Grant
Filed: July 3, 2019
Date of Patent: April 5, 2022
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventors: Shai Keren, Yonatan Most
-
Patent number: 10999320
Abstract: A system for determining whether a velocity event is fake or real is provided. The system accesses a data store of velocity events, each of which specifies a pair of addresses that share the velocity event. For each address of the velocity events, the system sets a score for that address based on the number of addresses that share a velocity event with that address. When the score for that address satisfies an originating address criterion, the system designates that address as an originating address. The system may determine that a velocity event is real when both addresses of the velocity event are originating addresses.
Type: Grant
Filed: March 30, 2017
Date of Patent: May 4, 2021
Assignee: Microsoft Technology Licensing, LLC
Inventors: Ido Bar Av, Yonatan Most, Shai Kaplan
-
Publication number: 20210006572
Abstract: According to examples, an apparatus may include a processor and a computer readable medium on which is stored machine readable instructions that may cause the processor to assign the activities in user activity data into a plurality of groups based on common user identifiers corresponding to the pairs of activities. The instructions may also cause the processor to determine a correlation between a user event and the plurality of groups, determine whether the user event is suspicious based on the determined correlation, and based on a determination that the user event is suspicious, output an indication that the user event is suspicious.
Type: Application
Filed: July 3, 2019
Publication date: January 7, 2021
Applicant: Microsoft Technology Licensing, LLC
Inventors: Shai Keren, Yonatan Most
-
Patent number: 10764303
Abstract: Embodiments detect unauthorized access to cloud-based resources. One technique analyzes cloud-based events to distinguish potentially malicious velocity incidents from benign velocity incidents. A velocity incident occurs when the same user causes events from two geographically remote locations in a short time. Benign velocity incidents are distinguished from malicious velocity incidents by comparing an event with past events that have the same features. Embodiments probabilistically determine if a velocity incident is malicious or benign based on a weighted multi-feature analysis. For each feature of an event, a probability is calculated based on past events that have the same feature. Then, each feature is associated with a weight based on a relative frequency of past events having that feature. A weighted average of probabilities is calculated, and the resulting probability is compared to a defined threshold to determine if the velocity incident is likely malicious or benign.
Type: Grant
Filed: April 25, 2018
Date of Patent: September 1, 2020
Assignee: Microsoft Technology Licensing, LLC
Inventors: Yonatan Most, Shai Kaplan, Ido Bar Av
-
Patent number: 10536473
Abstract: An anomaly detection system is provided and includes a processor, a memory, and a security application that is stored in the memory and includes instructions. The instructions are configured to collect information of behavior data for the users of an organization accessing cloud applications via a distributed network. The behavior data includes one or more parameters tracked over time for the users. The instructions are further configured to: establish baselines for each of the users and for each of the cloud applications or types of cloud applications of the organization; detect anomalies based on the baselines; provide aggregated anomaly data by aggregating anomalies corresponding to two or more of the baselines and a same behavior or corresponding to multiple users of a same cloud application during a same period of time; determine a risk value based on the aggregated anomaly data; and perform a countermeasure based on the risk value.
Type: Grant
Filed: February 15, 2017
Date of Patent: January 14, 2020
Assignee: Microsoft Technology Licensing, LLC
Inventors: Shai Kaplan, Yonatan Most
-
Patent number: 10523676
Abstract: A system and method for detecting unauthorized access to a cloud application hosted in a cloud-computing platform are presented. The method comprising: identifying, by a managed proxy device, a first access attempt to a cloud application at a first time and from a first location; identifying, by a managed proxy device, a second access attempt to the cloud application at a second time and from a second location; computing a velocity between the first access attempt and the second access attempt based on the first time, the second time, the first location, and the second location; checking if the computed velocity is greater than a velocity threshold; and generating a velocity event when the computed velocity is greater than the velocity threshold, wherein the velocity event indicates that an access attempt is unauthorized.
Type: Grant
Filed: July 12, 2018
Date of Patent: December 31, 2019
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC.
Inventors: Yonatan Most, Yinon Costica
-
Publication number: 20190334923
Abstract: Embodiments detect unauthorized access to cloud-based resources. One technique analyzes cloud-based events to distinguish potentially malicious velocity incidents from benign velocity incidents. A velocity incident occurs when the same user causes events from two geographically remote locations in a short time. Benign velocity incidents are distinguished from malicious velocity incidents by comparing an event with past events that have the same features. Embodiments probabilistically determine if a velocity incident is malicious or benign based on a weighted multi-feature analysis. For each feature of an event, a probability is calculated based on past events that have the same feature. Then, each feature is associated with a weight based on a relative frequency of past events having that feature. A weighted average of probabilities is calculated, and the resulting probability is compared to a defined threshold to determine if the velocity incident is likely malicious or benign.
Type: Application
Filed: April 25, 2018
Publication date: October 31, 2019
Inventors: Yonatan MOST, Shai KAPLAN, Ido BAR AV
-
Patent number: 10326787
Abstract: An anomaly detection system is provided and includes a processor, a memory and a security application stored in the memory and including instructions. The instructions are for collecting behavior data corresponding to users of an organization accessing cloud applications. The behavior data includes parameters tracked over time for the users. The instructions are for: creating a first model based on the behavior data tracked for the users; creating a second model corresponding to a first user based on the parameters tracked for the users except the first user, where the second model excludes behavior data pertaining to the first user; scoring the second model based on the first model to generate a first score; determining whether the first user is an outlier based on the first score; and removing the behavior data corresponding to the first user from the first model if the first user is an outlier.
Type: Grant
Filed: February 15, 2017
Date of Patent: June 18, 2019
Assignee: Microsoft Technology Licensing, LLC
Inventors: Anton Wolkov, Shai Kaplan, Yonatan Most, Ido Bar Av
-
Publication number: 20180324185
Abstract: A system and method for detecting unauthorized access to a cloud application hosted in a cloud-computing platform are presented. The method comprising: identifying, by a managed proxy device, a first access attempt to a cloud application at a first time and from a first location; identifying, by a managed proxy device, a second access attempt to the cloud application at a second time and from a second location; computing a velocity between the first access attempt and the second access attempt based on the first time, the second time, the first location, and the second location; checking if the computed velocity is greater than a velocity threshold; and generating a velocity event when the computed velocity is greater than the velocity threshold, wherein the velocity event indicates that an access attempt is unauthorized.
Type: Application
Filed: July 12, 2018
Publication date: November 8, 2018
Applicant: Microsoft Technology Licensing, LLC.
Inventors: Yonatan MOST, Yinon COSTICA
-
Patent number: 10084807
Abstract: A method and proxy device for detecting bypass vulnerabilities in a cloud-computing platform are provided. The method includes identifying an access attempt by a client device to a cloud-based application hosted in the cloud-computing platform; identifying login information corresponding to the identified access attempt; requesting authenticated login information from a central authentication system; correlating the login information corresponding to the access attempt with the authenticated login information; determining, based on the correlation, whether a bypass vulnerability exists; and generating a bypass event when it is determined that the bypass vulnerability has been exploited wherein the bypass event indicates that the access attempt to the cloud-based application has not been properly authenticated.
Type: Grant
Filed: February 26, 2016
Date of Patent: September 25, 2018
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC.
Inventors: Yonatan Most, Yinon Costica
-
Patent number: 10063554
Abstract: A system and method for detecting unauthorized access to cloud applications based on velocity events are presented. The method includes identifying a first access attempt to a cloud application at a first time and from a first location; identifying a second access attempt to a cloud application at a second time and from a second location; computing a velocity between the first access attempt and the second access attempt based on the first time, the second time, the first location, and the second location; checking if the computed velocity is greater than a velocity threshold; and generating a velocity event when the computed velocity is greater than the velocity threshold, wherein the velocity event indicates that an access attempt is unauthorized.
Type: Grant
Filed: November 30, 2015
Date of Patent: August 28, 2018
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC.
Inventors: Yonatan Most, Yinon Costica
-
Publication number: 20180234444
Abstract: An anomaly detection system is provided and includes a processor, a memory, and a security application that is stored in the memory and includes instructions. The instructions are configured to collect information of behavior data for the users of an organization accessing cloud applications via a distributed network. The behavior data includes one or more parameters tracked over time for the users. The instructions are further configured to: establish baselines for each of the users and for each of the cloud applications or types of cloud applications of the organization; detect anomalies based on the baselines; provide aggregated anomaly data by aggregating anomalies corresponding to two or more of the baselines and a same behavior or corresponding to multiple users of a same cloud application during a same period of time; determine a risk value based on the aggregated anomaly data; and perform a countermeasure based on the risk value.
Type: Application
Filed: February 15, 2017
Publication date: August 16, 2018
Inventors: Shai Kaplan, Yonatan Most
-
Publication number: 20180234443
Abstract: An anomaly detection system is provided and includes a processor, a memory and a security application stored in the memory and including instructions. The instructions are for collecting behavior data corresponding to users of an organization accessing cloud applications. The behavior data includes parameters tracked over time for the users. The instructions are for: creating a first model based on the behavior data tracked for the users; creating a second model corresponding to a first user based on the parameters tracked for the users except the first user, where the second model excludes behavior data pertaining to the first user; scoring the second model based on the first model to generate a first score; determining whether the first user is an outlier based on the first score; and removing the behavior data corresponding to the first user from the first model if the first user is an outlier.
Type: Application
Filed: February 15, 2017
Publication date: August 16, 2018
Inventors: Anton Wolkov, Shai Kaplan, Yonatan Most, Ido Bar Av
-
Publication number: 20180139232
Abstract: A system for determining whether a velocity event is fake or real is provided. The system accesses a data store of velocity events, each of which specifies a pair of addresses that share the velocity event. For each address of the velocity events, the system sets a score for that address based on the number of addresses that share a velocity event with that address. When the score for that address satisfies an originating address criterion, the system designates that address as an originating address. The system may determine that a velocity event is real when both addresses of the velocity event are originating addresses.
Type: Application
Filed: March 30, 2017
Publication date: May 17, 2018
Inventors: Ido Bar Av, Yonatan Most, Shai Kaplan
-
Publication number: 20170155652
Abstract: A system and method for detecting unauthorized access to cloud applications based on velocity events are presented. The method includes identifying a first access attempt to a cloud application at a first time and from a first location; identifying a second access attempt to a cloud application at a second time and from a second location; computing a velocity between the first access attempt and the second access attempt based on the first time, the second time, the first location, and the second location; checking if the computed velocity is greater than a velocity threshold; and generating a velocity event when the computed velocity is greater than the velocity threshold, wherein the velocity event indicates that an access attempt is unauthorized.
Type: Application
Filed: November 30, 2015
Publication date: June 1, 2017
Applicant: Microsoft Technology Licensing, LLC.
Inventors: Yonatan MOST, Yinon COSTICA
-
Publication number: 20170118239
Abstract: A method and proxy device for detecting cyber threats against cloud-based application are presented. The method includes receiving a request from a client device, the request directed to a cloud-based application computing platform, wherein the client device is associated with a user attempting to access the cloud-based application; determining whether the received request belongs to a current session of the client device accessing the cloud-based application; extracting, from the received request, at least one application-layer parameter of the current session; comparing the at least one extracted application-layer parameter to application-layer parameters extracted from previous sessions to determine at least one risk factor; and computing a risk score based on the determined at least one risk factor, wherein the risk score is indicative of a potential cyber threat.
Type: Application
Filed: January 26, 2016
Publication date: April 27, 2017
Applicant: Microsoft Technology Licensing, LLC.
Inventors: Yonatan Most, Yinon Costica, Ami Luttwak
-
Publication number: 20170111383
Abstract: A method and proxy device for detecting bypass vulnerabilities in a cloud-computing platform are provided. The method includes identifying an access attempt by a client device to a cloud-based application hosted in the cloud-computing platform; identifying login information corresponding to the identified access attempt; requesting authenticated login information from a central authentication system; correlating the login information corresponding to the access attempt with the authenticated login information; determining, based on the correlation, whether a bypass vulnerability exists; and generating a bypass event when it is determined that the bypass vulnerability has been exploited wherein the bypass event indicates that the access attempt to the cloud-based application has not been properly authenticated.
Type: Application
Filed: February 26, 2016
Publication date: April 20, 2017
Applicant: Microsoft Technology Licensing, LLC.
Inventors: Yonatan MOST, Yinon COSTICA