Patents by Inventor Roy Levin
Roy Levin has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11936669
Abstract: Unauthorized use of user credentials in a network is detected. Data indicative of text strings being used to access resources in the network is accessed. Regex models are determined for the text strings. Groupings of the regex models are determined based on an optimization of a cumulative weighted function. A regex model having a cumulative weighted function that exceeds a predetermined threshold is identified. An alert is generated when the cumulative weighted function for the identified regex model exceeds the predetermined threshold.
Type: Grant
Filed: October 4, 2022
Date of Patent: March 19, 2024
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventors: Andrey Karpovsky, Tomer Rotstein, Fady Nasereldeen, Naama Kraus, Roy Levin, Yotam Livny
-
Patent number: 11856015
Abstract: An anomalous action security assessor is disclosed. An anomaly is received from a set of anomalies. A series of linked queries associated with the anomaly is presented to the user. The series of linked queries includes a base query and a subquery. The base query tests an attribute of the anomaly and resolves to a plurality of outcomes of the base query. The subquery is associated with an outcome of the plurality of outcomes of the base query. The series of linked queries finally resolve to one of tag the anomaly and dismiss the anomaly. A security alert is issued if the series of linked queries finally resolves to tag the anomaly.
Type: Grant
Filed: June 24, 2021
Date of Patent: December 26, 2023
Assignee: Microsoft Technology Licensing, LLC
Inventors: Roy Levin, Andrey Karpovsky
-
Patent number: 11843626
Abstract: A system to determine an intrusion risk and take action is described. The system collaboratively filters a combination based on a user access and a network item in a computer network to determine an associated recommendation score. The system determines connected components of a model of the computer network and separately collaboratively filters the connected components to determine the recommendation score as a measure of intrusion risk. An action is taken on the user access based on the intrusion risk.
Type: Grant
Filed: April 30, 2021
Date of Patent: December 12, 2023
Assignee: Microsoft Technology Licensing, LLC
Inventors: Roy Levin, Idan Hen
-
Publication number: 20230344849
Abstract: Generally discussed herein are devices, systems, and methods for improving cloud resource security. A method can include obtaining a cloud resource management log that details actions performed by users of cloud resources in a cloud portal, the actions including entries comprising at least two of a user identification (ID) of a user of the users, an operation of operations performed on the cloud resource, a uniform resource identifier (URI) of a cloud resource of the cloud resources that is a target of the operation, or a time the operation was performed. The method can include determining a respective score for each action in the cloud resource management log, comparing the respective score to a specified criterion, and providing an indication of anomalous action in response to determining the respective score satisfies the specified criterion.
Type: Application
Filed: June 9, 2023
Publication date: October 26, 2023
Inventors: Roy LEVIN, Ram Haim PLISKIN, Johnathan Samuel SIMON
-
Patent number: 11716340
Abstract: Generally discussed herein are devices, systems, and methods for improving cloud resource security. A method can include obtaining a cloud resource management log that details actions performed by users of cloud resources in a cloud portal, the actions including entries comprising at least two of a user identification (ID) of a user of the users, an operation of operations performed on the cloud resource, a uniform resource identifier (URI) of a cloud resource of the cloud resources that is a target of the operation, or a time the operation was performed. The method can include determining a respective score for each action in the cloud resource management log, comparing the respective score to a specified criterion, and providing an indication of anomalous action in response to determining the respective score satisfies the specified criterion.
Type: Grant
Filed: May 28, 2021
Date of Patent: August 1, 2023
Assignee: Microsoft Technology Licensing, LLC
Inventors: Roy Levin, Ram Haim Pliskin, Johnathan Samuel Simon
-
Publication number: 20230199003
Abstract: The embodiments described herein are directed to generating labels for alerts and utilizing such labels to train a machine learning algorithm for generating more accurate alerts. For instance, alerts may be generated based on log data generated from an application. After an alert is issued, activity of a user in relation to the alert is tracked. The tracked activity is utilized to generate a metric for the alert indicating a level of interaction between the user and the alert. Based on the metric, the log data on which the alert is based is labeled as being indicative of one of suspicious activity or benign activity. During a training process, the labeled log data is provided to a supervised machine learning algorithm that learns what constitutes suspicious activity or benign activity. The algorithm generates a model, which is configured to receive newly-generated log data and issue security alerts based thereon.
Type: Application
Filed: December 20, 2021
Publication date: June 22, 2023
Inventors: Andrey KARPOVSKY, Roy LEVIN, Tamer SALMAN
-
Patent number: 11647035
Abstract: An indication is received of a security alert. The indication is generated based on a detected anomaly in one of a data plane or a control plane of a computing environment. When the detected anomaly is in the data plane, the control plane is monitored for a subsequent anomaly in the control plane, and otherwise the data plane is monitored for a subsequent anomaly in the data plane. A correlation between the detected anomalies is determined. A notification of the security alert is sent when the correlation exceeds a predetermined threshold.
Type: Grant
Filed: September 15, 2020
Date of Patent: May 9, 2023
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventors: Andrey Karpovsky, Roy Levin, Tomer Rotstein, Michael Makhlevich, Tamer Salman, Ram Haim Pliskin
-
Patent number: 11647034
Abstract: Enriched access data supports anomaly detection to enhance network cybersecurity. Network access data is enriched using service nodes representing resource provision and other services, with geolocation nodes representing grouped access origins, and access values representing access legitimacy confidence. Data enrichment provides a trained model by mapping IP addresses to geolocations, building a bipartite access graph whose inter-node links indicate aspects of accesses from geolocations to services, and generating semantic vectors from the graph. Vector generation may include collaborative filtering, autoencoding, neural net embedding, and other machine learning tools and techniques. Anomaly detection systems then calculate service-geolocation or geolocation-geolocation vector distances with anomaly candidate vectors and the model's graph-based vectors, and treat distances past a threshold as anomaly indicators.
Type: Grant
Filed: September 12, 2020
Date of Patent: May 9, 2023
Assignee: Microsoft Technology Licensing, LLC
Inventors: Roy Levin, Andrey Karpovsky
-
Publication number: 20230028840
Abstract: Unauthorized use of user credentials in a network is detected. Data indicative of text strings being used to access resources in the network is accessed. Regex models are determined for the text strings. Groupings of the regex models are determined based on an optimization of a cumulative weighted function. A regex model having a cumulative weighted function that exceeds a predetermined threshold is identified. An alert is generated when the cumulative weighted function for the identified regex model exceeds the predetermined threshold.
Type: Application
Filed: October 4, 2022
Publication date: January 26, 2023
Inventors: Andrey KARPOVSKY, Tomer ROTSTEIN, Fady NASERELDEEN, Naama KRAUS, Roy LEVIN, Yotam LIVNY
-
Publication number: 20220417273
Abstract: An anomalous action security assessor is disclosed. An anomaly is received from a set of anomalies. A series of linked queries associated with the anomaly is presented to the user. The series of linked queries includes a base query and a subquery. The base query tests an attribute of the anomaly and resolves to a plurality of outcomes of the base query. The subquery is associated with an outcome of the plurality of outcomes of the base query. The series of linked queries finally resolve to one of tag the anomaly and dismiss the anomaly. A security alert is issued if the series of linked queries finally resolves to tag the anomaly.
Type: Application
Filed: June 24, 2021
Publication date: December 29, 2022
Applicant: Microsoft Technology Licensing, LLC
Inventors: Roy Levin, Andrey Karpovsky
-
Publication number: 20220405632
Abstract: Generally discussed herein are devices, systems, and methods for improving legacy cyber security solutions. A method can include receiving a sequence of traffic data, the sequence of traffic data representing operations performed by devices communicatively coupled in a network, generating, by cyber security event detection logic, actions corresponding to the sequence of traffic data, the actions corresponding to a cyber security event in the network, creating a training dataset based on the sequence of traffic data, the training dataset including the actions as labels, training a machine learning model based on the training dataset to generate a classification indicating a likelihood of the cyber security event, and distributing the trained machine learning model in place of the cyber security event detection logic.
Type: Application
Filed: June 22, 2021
Publication date: December 22, 2022
Inventors: Idan Y. HEN, Roy LEVIN
-
Publication number: 20220385682
Abstract: Generally discussed herein are devices, systems, and methods for improving cloud resource security. A method can include obtaining a cloud resource management log that details actions performed by users of cloud resources in a cloud portal, the actions including entries comprising at least two of a user identification (ID) of a user of the users, an operation of operations performed on the cloud resource, a uniform resource identifier (URI) of a cloud resource of the cloud resources that is a target of the operation, or a time the operation was performed. The method can include determining a respective score for each action in the cloud resource management log, comparing the respective score to a specified criterion, and providing an indication of anomalous action in response to determining the respective score satisfies the specified criterion.
Type: Application
Filed: May 28, 2021
Publication date: December 1, 2022
Inventors: Roy Levin, Ram Haim Pliskin, Johnathan Samuel Simon
-
Publication number: 20220368696
Abstract: Opaque module processing costs may be reduced without substantial loss of efficacy, e.g., security costs may be reduced with little or no loss of security. The processing cost of the opaque module is correlated with particular sets of input data, and the efficacy of the output resulting from processing samples of those sets is measured. Data whose processing is the most expensive or the most efficacious is identified. A data cluster is delimited by a parameter set, which may be supplied by a user or a machine learning model. Inputs to security tools may serve as parameters. The incremental cost and incremental efficacy of processing the cluster is determined. Security efficacy may be measured using alert counts, content, severity, and confidence. Processing cost and efficacy may then be managed by including or excluding particular datasets that match the parameters, either proactively pursuant to a policy, or per user selections.
Type: Application
Filed: May 17, 2021
Publication date: November 17, 2022
Inventors: Andrey KARPOVSKY, Roy LEVIN
-
Patent number: 11503059
Abstract: Disclosed herein is a system for predicting, given a pattern of triggered alerts, a next alert in order to identify malicious activity that is about to occur on resource(s) being monitored by a security operations center. A resource can include a server, a storage device, a user device (e.g., a personal computer, a tablet computer, a smartphone, etc.), a virtual machine, networking equipment, etc. Accordingly, the next alert is speculatively triggered in advance and a security analyst can be notified of a pattern of activity that is likely to be malicious. The security analyst can then investigate the pattern of triggered alerts and the speculatively triggered alert to determine whether steps to mitigate the malicious activity before it occurs should be taken.
Type: Grant
Filed: April 22, 2019
Date of Patent: November 15, 2022
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventors: Roy Levin, Mathias Abraham Marc Scherman, Yotam Livny
-
Publication number: 20220353288
Abstract: A system to determine an intrusion risk and take action is described. The system collaboratively filters a combination based on a user access and a network item in a computer network to determine an associated recommendation score. The system determines connected components of a model of the computer network and separately collaboratively filters the connected components to determine the recommendation score as a measure of intrusion risk. An action is taken on the user access based on the intrusion risk.
Type: Application
Filed: April 30, 2021
Publication date: November 3, 2022
Applicant: Microsoft Technology Licensing, LLC
Inventors: Roy Levin, Idan Hen
-
Patent number: 11481478
Abstract: An anomalous user session detector is disclosed. A sequence of operations in a logon session for an authorized user is gathered. A supervised learning model is trained to identify the authorized user from the sequence of operations. An anomalous session is detected by querying the supervised learning model.
Type: Grant
Filed: March 27, 2019
Date of Patent: October 25, 2022
Assignee: Microsoft Technology Licensing, LLC
Inventors: Roy Levin, Naama Kraus, Andrey Karpovsky, Tamer Salman
-
Patent number: 11483327
Abstract: Cybersecurity anomaly explainability is enhanced, with particular attention to collaborative filter-based anomaly detection. An enhanced system obtains user behavior vectors derived from a trained collaborative filter, computes a similarity measure of user behavior based on a distance between user behavior vectors and a similarity threshold, and automatically produces an explanation of a detected cybersecurity anomaly. The explanation describes a change in user behavior similarity, in human-friendly terms, such as “User X from Sales is now behaving like a network administrator.” Each user behavior vector includes latent features, and corresponds to access attempts or other behavior of a user with respect to a monitored computing system. Users may be sorted according to behavioral similarity. Explanations may associate a collaborative filter anomaly detection result with a change in behavior of an identified user or cluster of users, per specified explanation structures.
Type: Grant
Filed: November 17, 2019
Date of Patent: October 25, 2022
Assignee: Microsoft Technology Licensing, LLC
Inventors: Idan Hen, Roy Levin
-
Patent number: 11477216
Abstract: Unauthorized use of user credentials in a network is detected. Data indicative of text strings being used to access resources in the network is accessed. Regex models are determined for the text strings. Groupings of the regex models are determined based on an optimization of a cumulative weighted function. A regex model having a cumulative weighted function that exceeds a predetermined threshold is identified. An alert is generated when the cumulative weighted function for the identified regex model exceeds the predetermined threshold.
Type: Grant
Filed: May 4, 2020
Date of Patent: October 18, 2022
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventors: Andrey Karpovsky, Tomer Rotstein, Fady Nasereldeen, Naama Kraus, Roy Levin, Yotam Livny
-
Publication number: 20220272112
Abstract: Methods, systems, and apparatuses are provided for detecting a missing security alert by receiving an alert sequence generated by a network security provider, applying the received alert sequence to a security incident model, receiving an indication from the security incident model that the received alert sequence corresponds to a security incident defined by a predetermined sequence of alerts that includes at least one alert missing from the received alert sequence, and generating a notification to the network security provider that indicates at least one of the security incident or the missing alert(s). In addition, the security incident model may be generated by providing a set of historical alerts and a set of historical security incidents to a machine learning algorithm to generate the security incident model.
Type: Application
Filed: May 12, 2022
Publication date: August 25, 2022
Inventors: Roy LEVIN, Mathias A.M. SCHERMAN
-
Patent number: 11363036
Abstract: Methods, systems, and apparatuses are provided for detecting a missing security alert by receiving an alert sequence generated by a network security provider, applying the received alert sequence to a security incident model, receiving an indication from the security incident model that the received alert sequence corresponds to a security incident defined by a predetermined sequence of alerts that includes at least one alert missing from the received alert sequence, and generating a notification to the network security provider that indicates at least one of the security incident or the missing alert(s). In addition, the security incident model may be generated by providing a set of historical alerts and a set of historical security incidents to a machine learning algorithm to generate the security incident model.
Type: Grant
Filed: March 28, 2019
Date of Patent: June 14, 2022
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventors: Roy Levin, Mathias A. M. Scherman