Patents by Inventor Omer Karin
Omer Karin has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11943246
Abstract: Methods, systems, apparatuses, and computer program products are provided for reconstructing network activity. A network activity monitor is configured to monitor network activity for various network entities. Based on the monitoring, a set of features may be obtained for each network entity. A determination may be made for a number of vertices suitable for describing the sets of features in a multidimensional space. In some implementations, the vertices may define a convex hull in the multidimensional space. Each of the vertices may be assigned a different usage pattern that represents a certain type of network usage types. Reconstructed network activity for a particular network entity may be represented as a weighted combination of the usage patterns. Based on the reconstruction, a network anomaly may be detected, a network may be modified, and/or an alert may be generated.
Type: Grant
Filed: May 6, 2022
Date of Patent: March 26, 2024
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventor: Omer Karin
-
Publication number: 20230025488
Abstract: According to examples, an apparatus may include a memory on which is stored machine-readable instructions that may cause a processor to receive a request to upload a file to a directory and determine whether the request is a request to upload a predefined type of file to the directory. In addition, based on a determination that the request is a request to upload the predefined type of file to the directory, the processor may determine, through application of a predictive model, whether the directory is a user content directory and based on a determination that the application of the predictive model indicates that the directory is a user content directory, block the request and/or output a notification regarding the receipt of the request.
Type: Application
Filed: September 21, 2022
Publication date: January 26, 2023
Applicant: Microsoft Technology Licensing, LLC
Inventors: Omer KARIN, Josef WEIZMAN, Ram Haim PLISKIN
-
Patent number: 11487880
Abstract: Methods, systems, and apparatuses are provided for inferring security incidents from observational data. For example, alerts generated with respect to a set of entities by a first alert generator are received, association scores are calculated for pairs of alerts, the alerts are formed into clusters based on the association scores, and a security incident model is formed based on the clusters. The security incident model may define sequences of alerts corresponding to security incidents. Furthermore, the security incident model may be used to determine a match between additional alerts and a sequence of alerts in the security incident model and identify the additional alerts as a security incident corresponding to the sequence of alerts in the security incident model.
Type: Grant
Filed: September 13, 2019
Date of Patent: November 1, 2022
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventors: Omer Karin, Yotam Livny, Yaniv Zohar
-
Patent number: 11483375
Abstract: According to examples, an apparatus may include a memory on which is stored machine-readable instructions that may cause a processor to receive a request to upload a file to a directory and determine whether the request is a request to upload a predefined type of file to the directory. In addition, based on a determination that the request is a request to upload the predefined type of file to the directory, the processor may determine, through application of a predictive model, whether the directory is a user content directory and based on a determination that the application of the predictive model indicates that the directory is a user content directory, block the request and/or output a notification regarding the receipt of the request.
Type: Grant
Filed: June 19, 2020
Date of Patent: October 25, 2022
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventors: Omer Karin, Josef Weizman, Ram Haim Pliskin
-
Publication number: 20220278999
Abstract: A machine compromised by malicious activity is detected by identifying an anomalous port opened on an entity of a network. The anomalous port is detected through collaborative filtering using usage patterns derived from normal network traffic using open ports of entities on the network. The collaborative filtering employs single value decomposition with alternating least squares to generate a recommendation score identifying whether an entity having a newly-opened port is likely to be used for malicious activity.
Type: Application
Filed: May 17, 2022
Publication date: September 1, 2022
Inventors: OMER KARIN, RAM HAIM PLISKIN
-
Publication number: 20220263848
Abstract: Methods, systems, apparatuses, and computer program products are provided for reconstructing network activity. A network activity monitor is configured to monitor network activity for various network entities. Based on the monitoring, a set of features may be obtained for each network entity. A determination may be made for a number of vertices suitable for describing the sets of features in a multidimensional space. In some implementations, the vertices may define a convex hull in the multidimensional space. Each of the vertices may be assigned a different usage pattern that represents a certain type of network usage types. Reconstructed network activity for a particular network entity may be represented as a weighted combination of the usage patterns. Based on the reconstruction, a network anomaly may be detected, a network may be modified, and/or an alert may be generated.
Type: Application
Filed: May 6, 2022
Publication date: August 18, 2022
Inventor: Omer Karin
-
Patent number: 11363037
Abstract: A machine compromised by malicious activity is detected by identifying an anomalous port opened on an entity of a network. The anomalous port is detected through collaborative filtering using usage patterns derived from normal network traffic using open ports of entities on the network. The collaborative filtering employs single value decomposition with alternating least squares to generate a recommendation score identifying whether an entity having a newly-opened port is likely to be used for malicious activity.
Type: Grant
Filed: April 1, 2019
Date of Patent: June 14, 2022
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC.
Inventors: Omer Karin, Ram Haim Pliskin
-
Patent number: 11356466
Abstract: Methods, systems, apparatuses, and computer program products are provided for reconstructing network activity. A network activity monitor is configured to monitor network activity for various network entities. Based on the monitoring, a set of features may be obtained for each network entity. A determination may be made for a number of vertices suitable for describing the sets of features in a multidimensional space. In some implementations, the vertices may define a convex hull in the multidimensional space. Each of the vertices may be assigned a different usage pattern that represents a certain type of network usage types. Reconstructed network activity for a particular network entity may be represented as a weighted combination of the usage patterns. Based on the reconstruction, a network anomaly may be detected, a network may be modified, and/or an alert may be generated.
Type: Grant
Filed: March 7, 2019
Date of Patent: June 7, 2022
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventor: Omer Karin
-
Publication number: 20220131900
Abstract: Methods, systems, apparatuses, and computer-readable storage mediums are described for machine learning-based techniques for identifying a deployment environment in which computing resources (e.g., servers, virtual machines, databases, etc.) reside and for enhancing security for the identified deployment environment. For instance, usage data is collected from the computing resources. The usage data is featurized and provided to a machine learning-based classification model that determines a deployment environment in which the computing resources reside based on the featurized usage data. Once the deployment environment is identified, a security policy that is applicable for the identified deployment environment is determined. The security policy specifies a plurality of recommended security settings that should be applied to the computing resources included in the identified deployment environment. The recommended security settings may be provided to the user (e.g.
Type: Application
Filed: October 26, 2020
Publication date: April 28, 2022
Inventors: Omer KARIN, Amit MAGEN, Moshe ISRAEL, Tamer SALMAN
-
Publication number: 20220067484
Abstract: Generally discussed herein are devices, systems, and methods for cloud traffic monitoring. A method can include receiving sampled network metadata of a packet transmitted via a computer network, providing the sampled network metadata to a neural network (NN) trained on labeled sampled network metadata, and providing, based on only the sampled network metadata, a classification for the sampled network metadata via the trained neural network.
Type: Application
Filed: August 27, 2020
Publication date: March 3, 2022
Inventors: Omer Karin, Idan Y. Hen, Roy Levin
-
Publication number: 20210400106
Abstract: According to examples, an apparatus may include a memory on which is stored machine-readable instructions that may cause a processor to receive a request to upload a file to a directory and determine whether the request is a request to upload a predefined type of file to the directory. In addition, based on a determination that the request is a request to upload the predefined type of file to the directory, the processor may determine, through application of a predictive model, whether the directory is a user content directory and based on a determination that the application of the predictive model indicates that the directory is a user content directory, block the request and/or output a notification regarding the receipt of the request.
Type: Application
Filed: June 19, 2020
Publication date: December 23, 2021
Applicant: Microsoft Technology Licensing, LLC
Inventors: Omer KARIN, Josef WEIZMAN, Ram Haim PLISKIN
-
Patent number: 11196746
Abstract: “Sensitive” URIs for a website can be determined. Access attempts to a sensitive URI can be extracted from server logs. As used herein, sensitive URIs are URIs which if breached are likely to result in harm to the website owner. Access to sensitive URIs can be restricted to trusted accessors. Trusted accessors can be determined by filtering out untrusted accessors using thresholds and/or machine learning techniques. After filtering out untrusted accessors, any remaining accessors can be identified as trusted accessors. Trusted accessors can be added to a whitelist. Access requests to access-restricted URIs by an accessor not in the whitelist can be denied and an alert can be generated. Access requests to access-restricted URIs by an accessor in the whitelist can be granted.
Type: Grant
Filed: July 4, 2018
Date of Patent: December 7, 2021
Assignee: Microsoft Technology Licensing, LLC
Inventors: Omer Karin, Hani Hana Neuvirth, Dotan Patrich, Tomer Koren, Ram Haim Pliskin, Josef Weizman, Yotam Livny
-
Patent number: 11159542
Abstract: A method for detecting machine logon attacks within a cloud service. The method can include accessing a collection of network traffic protocol monitoring data. The network traffic protocol monitoring data can be network traffic protocol monitoring data across a cloud service. The method can also include analyzing the collection of network traffic protocol monitoring data to identify anomalous behavior by attacker entities associated with IP addresses indicating a brute force attack by the attacker entities associated with the IP addresses. Then, based on the anomalous behavior, the method can comprise identifying the IP addresses associated with the attacker entities, and at least one of attack patterns or campaign attack characteristics. Finally, the method can include compiling IP addresses associated with the attacker entities and the at least one of attack patterns or campaign attack characteristics into a reference data structure.
Type: Grant
Filed: March 21, 2019
Date of Patent: October 26, 2021
Assignee: Microsoft Technology Licensing, LLC
Inventors: Tomer Weinberger, Tomer Koren, Hani Hana Neuvirth, Omer Karin
-
Publication number: 20210081539
Abstract: Methods, systems, and apparatuses are provided for inferring security incidents from observational data. For example, alerts generated with respect to a set of entities by a first alert generator are received, association scores are calculated for pairs of alerts, the alerts are formed into clusters based on the association scores, and a security incident model is formed based on the clusters. The security incident model may define sequences of alerts corresponding to security incidents. Furthermore, the security incident model may be used to determine a match between additional alerts and a sequence of alerts in the security incident model and identify the additional alerts as a security incident corresponding to the sequence of alerts in the security incident model.
Type: Application
Filed: September 13, 2019
Publication date: March 18, 2021
Inventors: Omer Karin, Yotam Livny, Yaniv Zohar
-
Publication number: 20200314119
Abstract: A machine compromised by malicious activity is detected by identifying an anomalous port opened on an entity of a network. The anomalous port is detected through collaborative filtering using usage patterns derived from normal network traffic using open ports of entities on the network. The collaborative filtering employs single value decomposition with alternating least squares to generate a recommendation score identifying whether an entity having a newly-opened port is likely to be used for malicious activity.
Type: Application
Filed: April 1, 2019
Publication date: October 1, 2020
Inventors: OMER KARIN, RAM HAIM PLISKIN
-
Publication number: 20200304524
Abstract: A method for detecting machine logon attacks within a cloud service. The method can include accessing a collection of network traffic protocol monitoring data. The network traffic protocol monitoring data can be network traffic protocol monitoring data across a cloud service. The method can also include analyzing the collection of network traffic protocol monitoring data to identify anomalous behavior by attacker entities associated with IP addresses indicating a brute force attack by the attacker entities associated with the IP addresses. Then, based on the anomalous behavior, the method can comprise identifying the IP addresses associated with the attacker entities, and at least one of attack patterns or campaign attack characteristics. Finally, the method can include compiling IP addresses associated with the attacker entities and the at least one of attack patterns or campaign attack characteristics into a reference data structure.
Type: Application
Filed: March 21, 2019
Publication date: September 24, 2020
Inventors: Tomer WEINBERGER, Tomer KOREN, Hani Hana NEUVIRTH, Omer KARIN
-
Publication number: 20200287921
Abstract: Methods, systems, apparatuses, and computer program products are provided for reconstructing network activity. A network activity monitor is configured to monitor network activity for various network entities. Based on the monitoring, a set of features may be obtained for each network entity. A determination may be made for a number of vertices suitable for describing the sets of features in a multidimensional space. In some implementations, the vertices may define a convex hull in the multidimensional space. Each of the vertices may be assigned a different usage pattern that represents a certain type of network usage types. Reconstructed network activity for a particular network entity may be represented as a weighted combination of the usage patterns. Based on the reconstruction, a network anomaly may be detected, a network may be modified, and/or an alert may be generated.
Type: Application
Filed: March 7, 2019
Publication date: September 10, 2020
Inventor: Omer Karin
-
Publication number: 20200014697
Abstract: “Sensitive” URIs for a website can be determined. Access attempts to a sensitive URI can be extracted from server logs. As used herein, sensitive URIs are URIs which if breached are likely to result in harm to the website owner. Access to sensitive URIs can be restricted to trusted accessors. Trusted accessors can be determined by filtering out untrusted accessors using thresholds and/or machine learning techniques. After filtering out untrusted accessors, any remaining accessors can be identified as trusted accessors. Trusted accessors can be added to a whitelist. Access requests to access-restricted URIs by an accessor not in the whitelist can be denied and an alert can be generated. Access requests to access-restricted URIs by an accessor in the whitelist can be granted.
Type: Application
Filed: July 4, 2018
Publication date: January 9, 2020
Inventors: Omer KARIN, Hani Hana NEUVIRTH, Dotan PATRICH, Tomer KOREN, Ram Haim PLISKIN, Josef WEIZMAN, Yotam LIVNY
-
Patent number: 10511615
Abstract: A system for detecting a non-targeted attack by a first machine on a second machine is provided. The system includes an application that includes instructions configured to: extract network data corresponding to traffic flow between the first and second machines, where the second machine is implemented in a cloud-based network; identify a first suspect external IP address based on the network data; calculate features for the first suspect external IP address, where the features include exploration type features and exploitation type features; train a classifier based on predetermined examples and the features to generate and update a model; classify the first suspect external IP address based on the model and at least some of the features; and perform a countermeasure if a classification provided from classifying the first suspect external IP address indicates that the first suspect external IP address is associated with a malicious attack on the second machine.
Type: Grant
Filed: May 5, 2017
Date of Patent: December 17, 2019
Assignee: Microsoft Technology Licensing, LLC
Inventors: Royi Ronen, Hani Hana Neuvirth, Tomer Koren, Omer Karin
-
Patent number: 10129295
Abstract: Use machine learning to train a classifier to classify entities to increase confidence with respect to an entity being part of a distributed denial of service attack. The method includes training a classifier to use a first classification method, to identify probabilities that entities from a set of entities are performing denial of service attacks. The method further includes identifying a subset of entities meeting a threshold probability of performing a denial of service attack. The method further includes using a second classification method, identifying similarity of entities in the subset of entities. The method further includes based on the similarity, classifying individual entities.
Type: Grant
Filed: August 31, 2016
Date of Patent: November 13, 2018
Assignee: Microsoft Technology Licensing, LLC
Inventors: Omer Karin, Royi Ronen, Hani Neuvirth, Roey Vilnai