Patents by Inventor Hani-Hana Neuvirth

Hani-Hana Neuvirth has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 12026253
    Abstract: According to examples, an apparatus may include a processor and a memory on which is stored machine-readable instructions that when executed by the processor, may cause the processor to identify a first set of entities corresponding to a security incident, identify anomalies associated with the first set of entities that occurred around a predefined time period with respect to the incident, identify a second set of entities associated with the identified anomalies, identify a set of incidents that share a common entity from the second set of entities, determine a probability of likelihood that the set of incidents normally share the common entity, determine whether the determined probability of likelihood falls below a predefined threshold, and based on the determined probability of likelihood falling below the predefined threshold, output an indication that the security incident and the set of incidents are likely related.
    Type: Grant
    Filed: September 16, 2021
    Date of Patent: July 2, 2024
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Hani Hana Neuvirth, Dawn Antonette Burns
  • Patent number: 11991201
    Abstract: The principles described herein relate to the training and implementation of a model designed to estimate the probability of new security incidents being true incidents. This occurs in an environment where a service such as a SIEM monitors a network of computing systems and other resources and detects a variety of incidents that could be security threats. These incidents are reported to the SOC for investigation and the SOC will take appropriate action to mitigate potential threats of true security breaches. As part of the investigation process, the SOC can label whether a security incident is true, false or benign. After labeling enough security incidents a model can be produced to estimate the probability that new security incidents are true incidents. This would help the SOC filter through security incidents more efficiently and allow for quicker response of the most likely security breaches.
    Type: Grant
    Filed: June 18, 2021
    Date of Patent: May 21, 2024
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Hani Hana Neuvirth, Ishai Wertheimer, Ely Abramovitch, Yaron David Fruchtmann, Amir Keren
  • Publication number: 20240129323
    Abstract: Embodiments detect cyberattack campaigns against multiple cloud tenants by analyzing activity data to find sharing anomalies. Data that appears benign in a single tenant's activities may indicate an attack when the same or similar data is also found for additional tenants. Attack detection may depend on activity time frames, on how similar certain activities of different tenants are to one another, on how unusual it is for different tenants to share an activity, and on other factors. Sharing anomaly analysis may utilize hypergeometric probabilities or other statistical measures. Detection avoidance attempts using digital entity randomization are revealed and thwarted. Authorized vendors may be recognized, mooting anomalousness. Although data from multiple tenants is analyzed together for sharing anomalies while monitoring for attacks, tenant confidentiality and privacy are respected through technical and legal mechanisms. Mitigation is performed in response to an attack indication.
    Type: Application
    Filed: December 6, 2023
    Publication date: April 18, 2024
    Inventors: Yaakov GARYANI, Moshe ISRAEL, Hani Hana NEUVIRTH, Ely ABRAMOVITCH, Amir KEREN, Timothy William BURRELL
  • Patent number: 11888870
    Abstract: Embodiments detect cyberattack campaigns against multiple cloud tenants by analyzing activity data to find sharing anomalies. Data that appears benign in a single tenant's activities may indicate an attack when the same or similar data is also found for additional tenants. Attack detection may depend on activity time frames, on how similar certain activities of different tenants are to one another, on how unusual it is for different tenants to share an activity, and on other factors. Sharing anomaly analysis may utilize hypergeometric probabilities or other statistical measures. Detection avoidance attempts using entity randomization are revealed and thwarted. Authorized vendors may be recognized, mooting anomalousness. Although data from multiple tenants is analyzed together for sharing anomalies while monitoring for attacks, tenant confidentiality and privacy are respected through technical and legal mechanisms. Mitigation is performed in response to an attack indication.
    Type: Grant
    Filed: October 4, 2021
    Date of Patent: January 30, 2024
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Yaakov Garyani, Moshe Israel, Hani Hana Neuvirth, Ely Abramovitch, Amir Keren, Timothy William Burrell
  • Publication number: 20230376399
    Abstract: According to examples, an apparatus may include a processor and a memory on which are stored machine-readable instructions that, when executed by the processor, may cause the processor to receive event data for a subject incident. The processor may filter a set of candidate incidents to identify a first predefined number of candidate incidents. The first predefined number of candidate incidents may be filtered based on a respective first similarity score assigned to each of the candidate incidents. The processor may assign a respective second similarity score to each of the identified first predefined number of candidate incidents. The second similarity score may be based on common property values between the subject incident and respective candidate incidents. The processor may identify and output a second predefined number of candidate incidents among the first predefined number of candidate incidents based on the assigned second similarity score.
    Type: Application
    Filed: May 19, 2022
    Publication date: November 23, 2023
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Shany Klein Antman, Ely Abramovitch, Hani Hana Neuvirth, Diana Attar-Sityon, Moshe Israel
  • Publication number: 20230297332
    Abstract: Methods and systems to normalize an input table having a plurality of input table columns with a normalized table having a plurality of normalized table columns are disclosed. For each normalized column identifier associated with a normalized column of the normalized table, a compatibility score is computed for the normalized column identifier and each input column identifier associated with an input column of the input column table to provide a set of compatibility scores associated with each normalized column identifier and input column identifier pair. A combinatorial optimization is applied to determine a match for each normalized column identifier with an input column identifier. Data associated with an input column of the input column identifier is mapped to the normalized column of the normalized column identifier matched with the input column identifier.
    Type: Application
    Filed: March 21, 2022
    Publication date: September 21, 2023
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Hadas Orgad, Hani Hana Neuvirth, Moshe Israel, Ofer Shezaf, Ishai Wertheimer, Yaron David Fruchtmann
  • Patent number: 11652833
    Abstract: An indication of a security alert and a context for the security alert is received. The context includes one or more entities related to the context and a timestamp for the security alert. Data sources for the one or more entities are searched during a time window around the timestamp. One or more anomaly detection models are executed to identify anomalies that are related to the security alert based on the context. Identified anomalies for investigation of the security alert are output.
    Type: Grant
    Filed: July 24, 2020
    Date of Patent: May 16, 2023
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Hani Hana Neuvirth, Dawn A. Burns, Andrey Karpovsky, Yotam Livny
  • Publication number: 20230107335
    Abstract: Embodiments detect cyberattack campaigns against multiple cloud tenants by analyzing activity data to find sharing anomalies. Data that appears benign in a single tenant's activities may indicate an attack when the same or similar data is also found for additional tenants. Attack detection may depend on activity time frames, on how similar certain activities of different tenants are to one another, on how unusual it is for different tenants to share an activity, and on other factors. Sharing anomaly analysis may utilize hypergeometric probabilities or other statistical measures. Detection avoidance attempts using entity randomization are revealed and thwarted. Authorized vendors may be recognized, mooting anomalousness. Although data from multiple tenants is analyzed together for sharing anomalies while monitoring for attacks, tenant confidentiality and privacy are respected through technical and legal mechanisms. Mitigation is performed in response to an attack indication.
    Type: Application
    Filed: October 4, 2021
    Publication date: April 6, 2023
    Inventors: Yaakov GARYANI, Moshe ISRAEL, Hani Hana NEUVIRTH, Ely ABRAMOVITCH, Amir KEREN, Timothy William BURRELL
  • Publication number: 20230078713
    Abstract: According to examples, an apparatus may include a processor and a memory on which is stored machine-readable instructions that when executed by the processor, may cause the processor to identify a first set of entities corresponding to a security incident, identify anomalies associated with the first set of entities that occurred around a predefined time period with respect to the incident, identify a second set of entities associated with the identified anomalies, identify a set of incidents that share a common entity from the second set of entities, determine a probability of likelihood that the set of incidents normally share the common entity, determine whether the determined probability of likelihood falls below a predefined threshold, and based on the determined probability of likelihood falling below the predefined threshold, output an indication that the security incident and the set of incidents are likely related.
    Type: Application
    Filed: September 16, 2021
    Publication date: March 16, 2023
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Hani Hana Neuvirth, Dawn Antonette Burns
  • Publication number: 20230071347
    Abstract: A recommendation system for recommending a target feature value for a target feature for a target deployment is provided. The recommendation system, for each of a plurality of deployments, collects feature values for the features of that deployment. The recommendation system then generates a model for recommending a target feature value for the target feature based on the collected feature values of the features for the deployments. The recommendation system applies the model to the features of the target deployment to identify a target feature value for the target feature. The recommendation system then provides the identified target feature value as a recommendation for the target feature for the target deployment.
    Type: Application
    Filed: November 14, 2022
    Publication date: March 9, 2023
    Inventors: Efim HUDIS, Hani-Hana NEUVIRTH, Daniel ALON, Royi RONEN, Yair TOR, Gilad Michael ELYASHAR
  • Publication number: 20220407882
    Abstract: The principles described herein relate to the training and implementation of a model designed to estimate the probability of new security incidents being true incidents. This occurs in an environment where a service such as a SIEM monitors a network of computing systems and other resources and detects a variety of incidents that could be security threats. These incidents are reported to the SOC for investigation and the SOC will take appropriate action to mitigate potential threats of true security breaches. As part of the investigation process, the SOC can label whether a security incident is true, false or benign. After labeling enough security incidents a model can be produced to estimate the probability that new security incidents are true incidents. This would help the SOC filter through security incidents more efficiently and allow for quicker response of the most likely security breaches.
    Type: Application
    Filed: June 18, 2021
    Publication date: December 22, 2022
    Inventors: Hani Hana NEUVIRTH, Ishai WERTHEIMER, Ely ABRAMOVITCH, Yaron David FRUCHTMANN, Amir KEREN
  • Patent number: 11533240
    Abstract: A recommendation system for recommending a target feature value for a target feature for a target deployment is provided. The recommendation system, for each of a plurality of deployments, collects feature values for the features of that deployment. The recommendation system then generates a model for recommending a target feature value for the target feature based on the collected feature values of the features for the deployments. The recommendation system applies the model to the features of the target deployment to identify a target feature value for the target feature. The recommendation system then provides the identified target feature value as a recommendation for the target feature for the target deployment.
    Type: Grant
    Filed: May 16, 2016
    Date of Patent: December 20, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Efim Hudis, Hani-Hana Neuvirth, Daniel Alon, Royi Ronen, Yair Tor, Gilad Michael Elyashar
  • Patent number: 11405413
    Abstract: Performing anomaly lookup on data sources that include an entity related to an alert. One or more entities related to an alert and a date when the alert occurred are received. The alert may indicate that an anomaly in data collected from various data sources may be present in at least one of the data sources. The various data sources are searched for the one or more entities around the alert date to determine which of the data sources include the one or more entities. For those data sources including the one or more entities, an anomaly lookup procedure is performed on the data sources during a first time window to determine an initial set of suspicious anomalies.
    Type: Grant
    Filed: February 1, 2019
    Date of Patent: August 2, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Hani Hana Neuvirth, Gueorgui Chkodrov, Dotan Patrich, Elad Yom-Tov, Dawn Antonette Burns, Yotam Livny
  • Patent number: 11290473
    Abstract: Using a set of anomalies indicative of a malicious pattern of behavior collected from data to determine new alerts for anomalies included in subsequently collected data. A set of anomalies found in data collected from data sources is accessed. The set of anomalies is determined by a prior analysis to be indicative of a malicious pattern of behavior by entities associated with the set of anomalies. Data that is subsequently collected from the data sources is searched to determine if any of the data includes the set of anomalies. Alerts are generated for any of the subsequently collected data that includes the set of anomalies.
    Type: Grant
    Filed: August 8, 2019
    Date of Patent: March 29, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Hani Hana Neuvirth, Owen Joseph Davis, Scott Elliott Gorlick, Gueorgui Bonov Chkodrov, Yotam Livny, Dawn Antonette Burns, Zhipeng Zhao, Julian Federico Gonzalez
  • Publication number: 20220030019
    Abstract: An indication of a security alert and a context for the security alert is received. The context includes one or more entities related to the context and a timestamp for the security alert. Data sources for the one or more entities are searched during a time window around the timestamp. One or more anomaly detection models are executed to identify anomalies that are related to the security alert based on the context. Identified anomalies for investigation of the security alert are output.
    Type: Application
    Filed: July 24, 2020
    Publication date: January 27, 2022
    Inventors: Hani Hana NEUVIRTH, Dawn A. BURNS, Andrey KARPOVSKY, Yotam LIVNY
  • Patent number: 11223637
    Abstract: A previously-unknown type of attack on a web application can be detected dynamically using server logs. An alert can be raised for an application that returns a valid response to the potential attacker (e.g., when an http (hypertext transfer protocol) status code of 200 is returned to the requestor). Server logs can be analyzed to identify an external computer that uses the same attack methodology on multiple targets. The external computer may attempt to access the same Uniform Resource Identifier (URI) on various web sites. In many cases, the http status code that is returned is an error code. Characteristics such as but not limited to fast crawling and numerous error status codes being returned to a particular requestor can be used by a machine learning (ML) system to identify potentially malicious external computing devices and/or vulnerable URIs.
    Type: Grant
    Filed: January 7, 2018
    Date of Patent: January 11, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Hani Hana Neuvirth, Ram Haim Pliskin, Tomer Koren, Josef Weizman, Karl William Reinsch, Efim Hudis
  • Patent number: 11212298
    Abstract: Methods, systems, apparatuses, and computer program products are provided for evaluating security detections. A detection instance obtainer obtains detection instances from a pool, such as a security detections pool. The detection instances may be obtained for detections that meet a predetermined criterion, such as detections that have not been onboarded or rejected, or detections that have generated detection instances for a threshold time period. The detection may be onboarded or rejected automatically based on a volume thresholder and/or a detection performance evaluator. For instance, the volume thresholder may be configured to automatically onboard the detection if the volume of the detection instances is below a first threshold, and reject the detection if the volume is above a second threshold. The detection performance evaluator may be configured to onboard or reject the detection based on an efficacy of the detection (e.g., based on a true positive rate of the detection instances).
    Type: Grant
    Filed: April 4, 2019
    Date of Patent: December 28, 2021
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Dawn A. Burns, Hani Hana Neuvirth
  • Patent number: 11196746
    Abstract: “Sensitive” URIs for a website can be determined. Access attempts to a sensitive URI can be extracted from server logs. As used herein, sensitive URIs are URIs which if breached are likely to result in harm to the website owner. Access to sensitive URIs can be restricted to trusted accessors. Trusted accessors can be determined by filtering out untrusted accessors using thresholds and/or machine learning techniques. After filtering out untrusted accessors, any remaining accessors can be identified as trusted accessors. Trusted accessors can be added to a whitelist. Access requests to access-restricted URIs by an accessor not in the whitelist can be denied and an alert can be generated. Access requests to access-restricted URIs by an accessor in the whitelist can be granted.
    Type: Grant
    Filed: July 4, 2018
    Date of Patent: December 7, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Omer Karin, Hani Hana Neuvirth, Dotan Patrich, Tomer Koren, Ram Haim Pliskin, Josef Weizman, Yotam Livny
  • Patent number: 11159542
    Abstract: A method for detecting machine logon attacks within a cloud service. The method can include accessing a collection of network traffic protocol monitoring data. The network traffic protocol monitoring data can be network traffic protocol monitoring data across a cloud service. The method can also include analyzing the collection of network traffic protocol monitoring data to identify anomalous behavior by attacker entities associated with IP addresses indicating a brute force attack by the attacker entities associated with the IP addresses. Then, based on the anomalous behavior, the method can comprise identifying the IP addresses associated with the attacker entities, and at least one of attack patterns or campaign attack characteristics. Finally, the method can include compiling IP addresses associated with the attacker entities and the at least one of attack patterns or campaign attack characteristics into a reference data structure.
    Type: Grant
    Filed: March 21, 2019
    Date of Patent: October 26, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Tomer Weinberger, Tomer Koren, Hani Hana Neuvirth, Omer Karin
  • Patent number: 11089024
    Abstract: Systems, methods, and apparatuses are provided for restricting access to a web resource. Website access information is obtained by monitoring accesses to a plurality of websites for each access, which may include a network identifier of an access requestor, a website identifier, and an access time for each request. Based on at least the website access information, it may be determined that a particular access requestor has accessed a number of different websites in a given time period. As a result, the particular access requestor may be classified as a web robot. A request to permit access to a web resource is received by the particular access requestor. In response to receiving the request to permit access to the web resource, the particular access requestor is prevented from accessing the web resource and/or a notification is generated that the particular access requestor is attempting to access the web resource.
    Type: Grant
    Filed: March 9, 2018
    Date of Patent: August 10, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Dotan Patrich, Ram Haim Pliskin, Tomer Koren, Moshe Israel, Hani Hana Neuvirth, Josef Weizman