Patents by Inventor Joshua Charles Neil
Joshua Charles Neil has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20230129144Abstract: Embodiments of the present disclosure provide systems, methods, and non-transitory computer storage media for identifying malicious enterprise behaviors within a large enterprise. At a high level, embodiments of the present disclosure identify sub-graphs of behaviors within an enterprise based on probabilistic and deterministic methods. For example, starting with the node or edge having the highest risk score, embodiments of the present disclosure iteratively crawl a list of neighbors associated with the nodes or edges to identify subsets of behaviors within an enterprise that indicate potentially malicious activity based on the risk scores of each connected node and edge. In another example, embodiments select a target node and traverse the connected nodes via edges until a root-cause condition is met. Based on the traversal, a sub-graph is identified indicating a malicious execution path of traversed nodes with associated insights indicating the meaning or activity of the node.Type: ApplicationFiled: December 22, 2022Publication date: April 27, 2023Inventors: Joshua Charles NEIL, Evan John Argyle, Anna Swanson Bertiger, Lior Granit, Yair Tsarfaty, David Natan Kaplan
-
Patent number: 11556636Abstract: Embodiments of the present disclosure provide systems, methods, and non-transitory computer storage media for identifying malicious enterprise behaviors within a large enterprise. At a high level, embodiments of the present disclosure identify sub-graphs of behaviors within an enterprise based on probabilistic and deterministic methods. For example, starting with the node or edge having the highest risk score, embodiments of the present disclosure iteratively crawl a list of neighbors associated with the nodes or edges to identify subsets of behaviors within an enterprise that indicate potentially malicious activity based on the risk scores of each connected node and edge. In another example, embodiments select a target node and traverse the connected nodes via edges until a root-cause condition is met. Based on the traversal, a sub-graph is identified indicating a malicious execution path of traversed nodes with associated insights indicating the meaning or activity of the node.Type: GrantFiled: June 30, 2020Date of Patent: January 17, 2023Assignee: MICROSOFT TECHNOLOGY LICENSING, LLCInventors: Joshua Charles Neil, Evan John Argyle, Anna Swanson Bertiger, Lior Granit, Yair Tsarfaty, David Natan Kaplan
-
Publication number: 20210406365Abstract: Embodiments of the present disclosure provide systems, methods, and non-transitory computer storage media for identifying malicious enterprise behaviors within a large enterprise. At a high level, embodiments of the present disclosure identify sub-graphs of behaviors within an enterprise based on probabilistic and deterministic methods. For example, starting with the node or edge having the highest risk score, embodiments of the present disclosure iteratively crawl a list of neighbors associated with the nodes or edges to identify subsets of behaviors within an enterprise that indicate potentially malicious activity based on the risk scores of each connected node and edge. In another example, embodiments select a target node and traverse the connected nodes via edges until a root-cause condition is met. Based on the traversal, a sub-graph is identified indicating a malicious execution path of traversed nodes with associated insights indicating the meaning or activity of the node.Type: ApplicationFiled: June 30, 2020Publication date: December 30, 2021Inventors: Joshua Charles Neil, Evan John Argyle, Anna Swanson Bertiger, Lior Granit, Yair Tsarfaty, David Natan Kaplan
-
Publication number: 20210226999Abstract: Processes for determining whether new subgraphs that are observed locally in dynamic graphs are indicative of anomalous behavior are disclosed. Community models including certain factors, such as the rate of creation of new subgraphs of given structures and labels, may provide a basis for measuring the likelihood of newly observed subgraphs. For instance, edge labels including attributes for these specific shapes, such as port numbers and/or other categories, may differentiate legitimate new local occurrences thereof from those that are anomalous. Such processes may have applications including anomaly detection in computer networks, distributed systems, other patterns of life applications including dynamic graphs (e.g., dynamic directed multi graphs), etc.Type: ApplicationFiled: August 6, 2019Publication date: July 22, 2021Applicant: Triad National Security, LLCInventors: Michael Edward Fisk, Joshua Charles Neil
-
Patent number: 10728270Abstract: Creation of new edges in a network may be used as an indication of a potential attack on the network. Historical data of a frequency with which nodes in a network create and receive new edges may be analyzed. Baseline models of behavior among the edges in the network may be established based on the analysis of the historical data. A new edge that deviates from a respective baseline model by more than a predetermined threshold during a time window may be detected. The new edge may be flagged as potentially anomalous when the deviation from the respective baseline model is detected. Probabilities for both new and existing edges may be obtained for all edges in a path or other subgraph. The probabilities may then be combined to obtain a score for the path or other subgraph. A threshold may be obtained by calculating an empirical distribution of the scores under historical conditions.Type: GrantFiled: June 7, 2018Date of Patent: July 28, 2020Assignee: Triad National Security, LLCInventor: Joshua Charles Neil
-
Patent number: 10356107Abstract: Significant and aggregate user authentication activity may be analyzed across a population of users and computers in one or more networks to differentiate between authorized users and intruders in a network, and/or to detect inappropriate behavior by otherwise authorized users. Dynamic graphs and graph models over user and computer authentication activity, including time-constrained models, may be used for the purposes of profiling and analyzing user behavior in computer networks. More specifically, an edge-based breadth first search of graphs may be used that enforces time-constraints while maintaining traditional breadth first search computational complexity equivalence.Type: GrantFiled: June 21, 2018Date of Patent: July 16, 2019Assignees: Triad National Security, LLC, New Mexico Tech Research Park CorporationInventors: Alexander D. Kent, Joshua Charles Neil, Lorie Liebrock
-
Publication number: 20190182281Abstract: A system, apparatus, computer-readable medium, and computer-implemented method are provided for detecting anomalous behavior in a network. Historical parameters of the network are determined in order to determine normal activity levels. A plurality of paths in the network are enumerated as part of a graph representing the network, where each computing system in the network may be a node in the graph and the sequence of connections between two computing systems may be a directed edge in the graph. A statistical model is applied to the plurality of paths in the graph on a sliding window basis to detect anomalous behavior. Data collected by a Unified Host Collection Agent (“UHCA”) may also be used to detect anomalous behavior.Type: ApplicationFiled: February 18, 2019Publication date: June 13, 2019Applicant: Triad National Security, LLCInventors: Joshua Charles Neil, Michael Edward Fisk, Alexander William Brugh, Curtis Lee Hash, JR., Curtis Byron Storlie, Benjamin Uphoff, Alexander Kent
-
Patent number: 10243984Abstract: A system, apparatus, computer-readable medium, and computer-implemented method are provided for detecting anomalous behavior in a network. Historical parameters of the network are determined in order to determine normal activity levels. A plurality of paths in the network are enumerated as part of a graph representing the network, where each computing system in the network may be a node in the graph and the sequence of connections between two computing systems may be a directed edge in the graph. A statistical model is applied to the plurality of paths in the graph on a sliding window basis to detect anomalous behavior. Data collected by a Unified Host Collection Agent (“UHCA”) may also be used to detect anomalous behavior.Type: GrantFiled: November 10, 2017Date of Patent: March 26, 2019Assignee: Triad National Security, LLCInventors: Joshua Charles Neil, Michael Edward Fisk, Alexander William Brugh, Curtis Lee Hash, Jr., Curtis Byron Storlie, Benjamin Uphoff, Alexander Kent
-
Publication number: 20180278641Abstract: Creation of new edges in a network may be used as an indication of a potential attack on the network. Historical data of a frequency with which nodes in a network create and receive new edges may be analyzed. Baseline models of behavior among the edges in the network may be established based on the analysis of the historical data. A new edge that deviates from a respective baseline model by more than a predetermined threshold during a time window may be detected. The new edge may be flagged as potentially anomalous when the deviation from the respective baseline model is detected. Probabilities for both new and existing edges may be obtained for all edges in a path or other subgraph. The probabilities may then be combined to obtain a score for the path or other subgraph. A threshold may be obtained by calculating an empirical distribution of the scores under historical conditions.Type: ApplicationFiled: June 7, 2018Publication date: September 27, 2018Applicant: Los Alamos National Security, LLCInventor: Joshua Charles Neil
-
Patent number: 10015183Abstract: Creation of new edges in a network may be used as an indication of a potential attack on the network. Historical data of a frequency with which nodes in a network create and receive new edges may be analyzed. Baseline models of behavior among the edges in the network may be established based on the analysis of the historical data. A new edge that deviates from a respective baseline model by more than a predetermined threshold during a time window may be detected. The new edge may be flagged as potentially anomalous when the deviation from the respective baseline model is detected. Probabilities for both new and existing edges may be obtained for all edges in a path or other subgraph. The probabilities may then be combined to obtain a score for the path or other subgraph. A threshold may be obtained by calculating an empirical distribution of the scores under historical conditions.Type: GrantFiled: June 29, 2017Date of Patent: July 3, 2018Assignee: Los Alamos National Security, LLCInventor: Joshua Charles Neil
-
Publication number: 20180109544Abstract: A system, apparatus, computer-readable medium, and computer-implemented method are provided for detecting anomalous behavior in a network. Historical parameters of the network are determined in order to determine normal activity levels. A plurality of paths in the network are enumerated as part of a graph representing the network, where each computing system in the network may be a node in the graph and the sequence of connections between two computing systems may be a directed edge in the graph. A statistical model is applied to the plurality of paths in the graph on a sliding window basis to detect anomalous behavior. Data collected by a Unified Host Collection Agent (“UHCA”) may also be used to detect anomalous behavior.Type: ApplicationFiled: November 10, 2017Publication date: April 19, 2018Applicant: Los Alamos National Security, LLCInventors: Joshua Charles Neil, Michael Edward Fisk, Alexander William Brugh, Curtis Lee Hash, Jr., Curtis Byron Storlie, Benjamin Uphoff, Alexander Kent
-
Patent number: 9825979Abstract: A system, apparatus, computer-readable medium, and computer-implemented method are provided for detecting anomalous behavior in a network. Historical parameters of the network are determined in order to determine normal activity levels. A plurality of paths in the network are enumerated as part of a graph representing the network, where each computing system in the network may be a node in the graph and the sequence of connections between two computing systems may be a directed edge in the graph. A statistical model is applied to the plurality of paths in the graph on a sliding window basis to detect anomalous behavior. Data collected by a Unified Host Collection Agent (“UHCA”) may also be used to detect anomalous behavior.Type: GrantFiled: January 30, 2017Date of Patent: November 21, 2017Assignee: Los Alamos National Security, LLCInventors: Joshua Charles Neil, Michael Edward Fisk, Alexander William Brugh, Curtis Lee Hash, Curtis Byron Storlie, Benjamin Uphoff, Alexander Kent
-
Patent number: 9699206Abstract: Creation of new edges in a network may be used as an indication of a potential attack on the network. Historical data of a frequency with which nodes in a network create and receive new edges may be analyzed. Baseline models of behavior among the edges in the network may be established based on the analysis of the historical data. A new edge that deviates from a respective baseline model by more than a predetermined threshold during a time window may be detected. The new edge may be flagged as potentially anomalous when the deviation from the respective baseline model is detected. Probabilities for both new and existing edges may be obtained for all edges in a path or other subgraph. The probabilities may then be combined to obtain a score for the path or other subgraph. A threshold may be obtained by calculating an empirical distribution of the scores under historical conditions.Type: GrantFiled: January 30, 2015Date of Patent: July 4, 2017Assignee: Los Alamos National Security, LLCInventor: Joshua Charles Neil
-
Publication number: 20170163668Abstract: A system, apparatus, computer-readable medium, and computer-implemented method are provided for detecting anomalous behavior in a network. Historical parameters of the network are determined in order to determine normal activity levels. A plurality of paths in the network are enumerated as part of a graph representing the network, where each computing system in the network may be a node in the graph and the sequence of connections between two computing systems may be a directed edge in the graph. A statistical model is applied to the plurality of paths in the graph on a sliding window basis to detect anomalous behavior. Data collected by a Unified Host Collection Agent (“UHCA”) may also be used to detect anomalous behavior.Type: ApplicationFiled: January 30, 2017Publication date: June 8, 2017Applicant: Los Alamos National Security, LLCInventors: Joshua Charles Neil, Michael Edward Fisk, Alexander William Brugh, Curtis Lee Hash, Curtis Byron Storlie, Benjamin Uphoff, Alexander Kent
-
Patent number: 9560065Abstract: A system, apparatus, computer-readable medium, and computer-implemented method are provided for detecting anomalous behavior in a network. Historical parameters of the network are determined in order to determine normal activity levels. A plurality of paths in the network are enumerated as part of a graph representing the network, where each computing system in the network may be a node in the graph and the sequence of connections between two computing systems may be a directed edge in the graph. A statistical model is applied to the plurality of paths in the graph on a sliding window basis to detect anomalous behavior. Data collected by a Unified Host Collection Agent (“UHCA”) may also be used to detect anomalous behavior.Type: GrantFiled: March 14, 2013Date of Patent: January 31, 2017Assignee: Los Alamos National Security, LLCInventors: Joshua Charles Neil, Michael Edward Fisk, Alexander William Brugh, Curtis Lee Hash, Jr., Curtis Byron Storlie, Benjamin Uphoff, Alexander Kent
-
Patent number: 9374380Abstract: Non-harmful data mimicking computer network attacks may be inserted in a computer network. Anomalous real network connections may be generated between a plurality of computing systems in the network. Data mimicking an attack may also be generated. The generated data may be transmitted between the plurality of computing systems using the real network connections and measured to determine whether an attack is detected.Type: GrantFiled: March 14, 2013Date of Patent: June 21, 2016Assignee: Los Alamos National Security, LLCInventors: Joshua Charles Neil, Alexander Kent, Curtis Lee Hash, Jr.
-
Publication number: 20150180889Abstract: Creation of new edges in a network may be used as an indication of a potential attack on the network. Historical data of a frequency with which nodes in a network create and receive new edges may be analyzed. Baseline models of behavior among the edges in the network may be established based on the analysis of the historical data. A new edge that deviates from a respective baseline model by more than a predetermined threshold during a time window may be detected. The new edge may be flagged as potentially anomalous when the deviation from the respective baseline model is detected. Probabilities for both new and existing edges may be obtained for all edges in a path or other subgraph. The probabilities may then be combined to obtain a score for the path or other subgraph. A threshold may be obtained by calculating an empirical distribution of the scores under historical conditions.Type: ApplicationFiled: January 30, 2015Publication date: June 25, 2015Inventor: Joshua Charles Neil
-
Patent number: 9038180Abstract: Creation of new edges in a network may be used as an indication of a potential attack on the network. Historical data of a frequency with which nodes in a network create and receive new edges may be analyzed. Baseline models of behavior among the edges in the network may be established based on the analysis of the historical data. A new edge that deviates from a respective baseline model by more than a predetermined threshold during a time window may be detected. The new edge may be flagged as potentially anomalous when the deviation from the respective baseline model is detected. Probabilities for both new and existing edges may be obtained for all edges in a path or other subgraph. The probabilities may then be combined to obtain a score for the path or other subgraph. A threshold may be obtained by calculating an empirical distribution of the scores under historical conditions.Type: GrantFiled: March 14, 2013Date of Patent: May 19, 2015Assignee: Los Alamos National Security, LLCInventor: Joshua Charles Neil
-
Publication number: 20150047026Abstract: Systems, apparatuses, methods, and computer programs for detecting anomalies to identify coordinated group attacks on computer networks are provided. An anomaly graph of a network including nodes, edges, and an indegree of the nodes in the anomaly graph may be determined. Nodes with an indegree of at least two may be designated as potential targets. Nodes with no incoming connections may be designated as potentially compromised nodes. The designated potentially compromised nodes may be outputted as potentially associated with a coordinated attack on the network when the potentially compromised nodes connect to one or more of the same potential target nodes.Type: ApplicationFiled: March 14, 2013Publication date: February 12, 2015Applicant: Los Alamos National Security, LLCInventors: Joshua Charles Neil, Melissa Turcotte, Nicholas Andrew Heard
-
Publication number: 20150020199Abstract: A system, apparatus, computer-readable medium, and computer-implemented method are provided for detecting anomalous behavior in a network. Historical parameters of the network are determined in order to determine normal activity levels. A plurality of paths in the network are enumerated as part of a graph representing the network, where each computing system in the network may be a node in the graph and the sequence of connections between two computing systems may be a directed edge in the graph. A statistical model is applied to the plurality of paths in the graph on a sliding window basis to detect anomalous behavior. Data collected by a Unified Host Collection Agent (“UHCA”) may also be used to detect anomalous behavior.Type: ApplicationFiled: March 14, 2013Publication date: January 15, 2015Applicant: Los Alamos National Security, LLCInventors: Joshua Charles Neil, Michael Edward Fisk, Alexander William Brugh, Curtis Lee Hash, JR., Curtis Byron Storlie, Benjamin Upoff, Alexander Kent