Patents by Inventor Roy Levin

Roy Levin has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20210326744
    Abstract: Technology automatically groups security alerts into incidents using data about earlier groupings. A machine learning model is trained with select data about past alert-incident grouping actions. The trained model prioritizes new alerts and aids alert investigation by rapidly and accurately grouping alerts with incidents. The groupings are provided directly to an analyst or fed into a security information and event management tool. Training data may include entity identifiers, alert identifiers, incident identifiers, action indicators, action times, and optionally incident classifications. Investigative options presented to an analyst but not exercised may serve as training data. Incident updates produced by the trained model may add an alert to an incident, remove an alert, merge two incidents, divide an incident, or create an incident. Personalized incident updates may be based on a particular analyst's historic manual investigation actions.
    Type: Application
    Filed: April 17, 2020
    Publication date: October 21, 2021
    Inventors: Moshe ISRAEL, Yaakov GARYANI, Roy LEVIN
  • Patent number: 11126736
    Abstract: Described technologies enhance cybersecurity by leveraging collaborative filtering tools and techniques for security use by scoring attempts to access items in digital storage. Examples provided illustrate usage of accessor IDs and storage item IDs to compute recommendation scores which then operate as inverse measures of intrusion risk. Actions taken in response to recommendation scores that fall below a specified threshold may include preventing or terminating access, or alerting an administrator, for instance. A requested access may be allowed when the computed recommendation score is above a specified threshold, which indicates an acceptably low risk that the access is an unauthorized intrusion. Described cybersecurity technologies may be used by, or incorporated within, cloud services, cloud infrastructure, or virtual machines. Described cybersecurity technologies may also be used outside a cloud, e.g.
    Type: Grant
    Filed: March 12, 2018
    Date of Patent: September 21, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Roy Levin, Ram Haim Pliskin
  • Patent number: 11106789
    Abstract: Anomalous sequences are detected by approximating user sessions with heuristically extracted event sequences, allowing behavior analysis even without user identification or session identifiers. Extraction delimiters may include event count or event timing constraints. Event sequences extracted from logs or other event lists are vectorized and embedded in a vector space. A machine learning model similarity function measures anomalousness of a candidate sequence relative to a specified history, thus computing an anomaly score. Restrictions may be placed on the history to focus on a particular IP address or time frame, without retraining the model. Anomalous sequences may generate alerts, prompt investigations by security personnel, trigger automatic mitigation, trigger automatic acceptance, trigger tool configuration actions, or result in other cybersecurity actions.
    Type: Grant
    Filed: March 5, 2019
    Date of Patent: August 31, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Naama Kraus, Roy Levin, Andrey Karpovsky, Tamer Salman
  • Publication number: 20210152581
    Abstract: Cybersecurity anomaly explainability is enhanced, with particular attention to collaborative filter-based anomaly detection. An enhanced system obtains user behavior vectors derived from a trained collaborative filter, computes a similarity measure of user behavior based on a distance between user behavior vectors and a similarity threshold, and automatically produces an explanation of a detected cybersecurity anomaly. The explanation describes a change in user behavior similarity, in human-friendly terms, such as “User X from Sales is now behaving like a network administrator.” Each user behavior vector includes latent features, and corresponds to access attempts or other behavior of a user with respect to a monitored computing system. Users may be sorted according to behavioral similarity. Explanations may associate a collaborative filter anomaly detection result with a change in behavior of an identified user or cluster of users, per specified explanation structures.
    Type: Application
    Filed: November 17, 2019
    Publication date: May 20, 2021
    Inventors: Idan HEN, Roy LEVIN
  • Patent number: 11003766
    Abstract: Tools and techniques are described to automate triage of security and operational alerts. Insight instances extracted from raw event data associated with an alert are aggregated, vectorized, and assigned confidence scores through classification based on machine learning. Confidence scoring enables heavily loaded administrators and controls to focus attention and resources where they are most likely to protect or improve the functionality of a monitored system. Feature vectors receive a broad base in the underlying instance values through aggregation, even when the number of instance values is unknown prior to receipt of the event data. Visibility into the confidence scoring process may be provided, to allow tuning or inform further training of a classifier model. Performance metrics are defined, and production level performance may be achieved.
    Type: Grant
    Filed: August 20, 2018
    Date of Patent: May 11, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Naama Kraus, Roy Levin, Assaf Israel, Oran Brill, Yotam Livny
  • Patent number: 10944791
    Abstract: A system for predicting vulnerability of network resources is provided. The system can calculate an initial vulnerability score for each of the network resources and use the initial vulnerability scores along with activity data of the network resources to train a vulnerability model. After training, the vulnerability model can predict the vulnerability of the network resources based on new activity data collected from the network resources. Based on the predicted vulnerability, vulnerable network resources can be identified. Further analysis can be performed by comparing the activities of the vulnerable network resources and other network resources to identify activity patterns unique to the vulnerable network resources as attack patterns. Based on the attack patterns, one or more actions can be taken to increase the security of the vulnerable network resources to avoid further vulnerability.
    Type: Grant
    Filed: August 27, 2018
    Date of Patent: March 9, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Yotam Livny, Mathias Abraham Marc Scherman, Moshe Israel, Ben Kliger, Ram Haim Pliskin, Roy Levin, Michael Zeev Bargury
  • Publication number: 20200336506
    Abstract: Disclosed herein is a system for predicting, given a pattern of triggered alerts, a next alert in order to identify malicious activity that is about to occur on resource(s) being monitored by a security operations center. A resource can include a server, a storage device, a user device (e.g., a personal computer, a tablet computer, a smartphone, etc.), a virtual machine, networking equipment, etc. Accordingly, the next alert is speculatively triggered in advance and a security analyst can be notified of a pattern of activity that is likely to be malicious. The security analyst can then investigate the pattern of triggered alerts and the speculatively triggered alert to determine whether steps to mitigate the malicious activity before it occurs should be taken.
    Type: Application
    Filed: April 22, 2019
    Publication date: October 22, 2020
    Inventors: Roy LEVIN, Mathias Abraham Marc SCHERMAN, Yotam LIVNY
  • Patent number: 10795738
    Abstract: Generally discussed herein are devices, systems, and methods for computer or other network device security. A method can include providing an alert to a device of a first cloud user in response to determining an operation performed on a cloud resource is inconsistent with a behavior profile that defines normal operation of the cloud resource, receiving feedback from the first cloud user regarding the alert, and generating, for a second, different cloud user and by prioritizing a second alert based on the feedback from the first cloud user, a second alert.
    Type: Grant
    Filed: March 26, 2019
    Date of Patent: October 6, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Roy Levin, Tamer Salman, Yotam Livny
  • Publication number: 20200310889
    Abstract: Generally discussed herein are devices, systems, and methods for computer or other network device security.
    Type: Application
    Filed: March 26, 2019
    Publication date: October 1, 2020
    Inventors: Roy Levin, Tamer Salman, Yotam Livny
  • Publication number: 20200311231
    Abstract: An anomalous user session detector is disclosed. A sequence of operations in a logon session for an authorized user is gathered. A supervised learning model is trained to identify the authorized user from the sequence of operations. An anomalous session is detected by querying the supervised learning model.
    Type: Application
    Filed: March 27, 2019
    Publication date: October 1, 2020
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Roy Levin, Naama Kraus, Andrey Karpovsky, Tamer Salman
  • Publication number: 20200314118
    Abstract: Methods, systems, and apparatuses are provided for detecting a missing security alert by receiving an alert sequence generated by a network security provider, applying the received alert sequence to a security incident model, receiving an indication from the security incident model that the received alert sequence corresponds to a security incident defined by a predetermined sequence of alerts that includes at least one alert missing from the received alert sequence, and generating a notification to the network security provider that indicates at least one of the security incident or the missing alert(s). In addition, the security incident model may be generated by providing a set of historical alerts and a set of historical security incidents to a machine learning algorithm to generate the security incident model.
    Type: Application
    Filed: March 28, 2019
    Publication date: October 1, 2020
    Inventors: Roy Levin, Mathias A.M. Scherman
  • Publication number: 20200296117
    Abstract: Generally discussed herein are devices, systems, and methods for computer or other network device security. A method can include identifying a profile associated with event data regarding an operation performed on a cloud resource, determining whether the event data is associated with anomalous customer interaction with the cloud resource, in response to determining the event data is associated with anomalous customer interaction, identifying whether another cloud resource of the cloud resources with a lower granularity profile that is associated with the profile of the cloud resource has previously been determined to be a target of an anomalous operation, and providing a single alert to a client device indicating the anomalous behavior on the cloud resource in response to determining both the event data is associated with anomalous customer interaction and the another cloud resource is determined to be the target of the anomalous operation.
    Type: Application
    Filed: March 13, 2019
    Publication date: September 17, 2020
    Inventors: Andrey Karpovsky, Ron Matchoro, Haim Saadia Ben Danan, Yotam Livny, Naama Kraus, Roy Levin, Tamer Salman
  • Publication number: 20200285737
    Abstract: Anomalous sequences are detected by approximating user sessions with heuristically extracted event sequences, allowing behavior analysis even without user identification or session identifiers. Extraction delimiters may include event count or event timing constraints. Event sequences extracted from logs or other event lists are vectorized and embedded in a vector space. A machine learning model similarity function measures anomalousness of a candidate sequence relative to a specified history, thus computing an anomaly score. Restrictions may be placed on the history to focus on a particular IP address or time frame, without retraining the model. Anomalous sequences may generate alerts, prompt investigations by security personnel, trigger automatic mitigation, trigger automatic acceptance, trigger tool configuration actions, or result in other cybersecurity actions.
    Type: Application
    Filed: March 5, 2019
    Publication date: September 10, 2020
    Inventors: Naama KRAUS, Roy LEVIN, Andrey KARPOVSKY, Tamer SALMAN
  • Publication number: 20200274894
    Abstract: A machine learning model is trained using tuples that identify an actor, a resource, and a rating based on a normalized count of the actor's attempts to access the resource. Actors may be users, groups, IP addresses, or otherwise defined. Resources may be storage, virtual machines, APIs, or otherwise defined. A risk assessor code feeds an actor—resource pair to the trained model, which computes a recommendation score using collaborative filtering. The risk assessor inverts the recommendation score to obtain a risk measurement; a low recommendation score corresponds to a high risk, and vice versa. The risk assessor code or other code takes cybersecurity action based on the recommendation score. Code may accept a risk R, or aid mitigation of the risk R, where R denotes a risk that the scored pair represents an unauthorized attempt by the pair actor to access the pair resource.
    Type: Application
    Filed: February 27, 2019
    Publication date: August 27, 2020
    Inventors: Itay ARGOETI, Roy LEVIN, Jonathan Moshe MONSONEGO
  • Patent number: 10699009
    Abstract: Malicious computer behavior is detected automatically based on a user session. A user session comprising a sequence of process events is identified and a text-based representation is generated, wherein process events correspond to words and a sequence of words corresponds to a sentence. Subsequently, a text-based classifier classifies the session as malicious or non-malicious based on the sequence of events within the session in the text representation.
    Type: Grant
    Filed: February 28, 2018
    Date of Patent: June 30, 2020
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Mathias Scherman, Roy Levin, Yotam Livny
  • Patent number: 10594711
    Abstract: A method and device for detecting botnets in a cloud-computing infrastructure are provided. The method includes gathering data feeds over a predefined detection time window to produce a detection dataset, wherein the detection dataset includes at least security events and a first set of bot-labels related to the activity of each of at least one virtual machine in the cloud-computing infrastructure during the detection time window; generating, using the detection dataset, a features vector for each of a plurality of virtual machines in the cloud-computing infrastructure, wherein the features vector is based on idiosyncratic (iSync) scores related to botnet activity; transmitting each generated features vector to a supervised machine learning decision model to generate a label indicating if each of the plurality of virtual machines is a bot based on the respective features vector; and determining each virtual machine labeled as a bot as being part of a botnet.
    Type: Grant
    Filed: November 28, 2016
    Date of Patent: March 17, 2020
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC.
    Inventors: Roy Levin, Royi Ronen
  • Publication number: 20200067980
    Abstract: A system for predicting vulnerability of network resources is provided. The system can calculate an initial vulnerability score for each of the network resources and use the initial vulnerability scores along with activity data of the network resources to train a vulnerability model. After training, the vulnerability model can predict the vulnerability of the network resources based on new activity data collected from the network resources. Based on the predicted vulnerability, vulnerable network resources can be identified. Further analysis can be performed by comparing the activities of the vulnerable network resources and other network resources to identify activity patterns unique to the vulnerable network resources as attack patterns. Based on the attack patterns, one or more actions can be taken to increase the security of the vulnerable network resources to avoid further vulnerability.
    Type: Application
    Filed: August 27, 2018
    Publication date: February 27, 2020
    Inventors: Yotam LIVNY, Mathias Abraham Marc SCHERMAN, Moshe ISRAEL, Ben KLIGER, Ram Haim PLISKIN, Roy LEVIN, Michael Zeev BARGURY
  • Publication number: 20200057850
    Abstract: Tools and techniques are described to automate triage of security and operational alerts. Insight instances extracted from raw event data associated with an alert are aggregated, vectorized, and assigned confidence scores through classification based on machine learning. Confidence scoring enables heavily loaded administrators and controls to focus attention and resources where they are most likely to protect or improve the functionality of a monitored system. Feature vectors receive a broad base in the underlying instance values through aggregation, even when the number of instance values is unknown prior to receipt of the event data. Visibility into the confidence scoring process may be provided, to allow tuning or inform further training of a classifier model. Performance metrics are defined, and production level performance may be achieved.
    Type: Application
    Filed: August 20, 2018
    Publication date: February 20, 2020
    Inventors: Naama KRAUS, Roy LEVIN, Assaf ISRAEL, Oran BRILL, Yotam LIVNY
  • Publication number: 20200057953
    Abstract: Systems, methods, and apparatuses are provided for clustering incidents in a computing environment. An incident notification relating to an event (e.g., a potential cyberthreat or any other alert) in the computing environment is received and a set of features may be generated based on the incident notification. The set of features may be provided as an input to a machine-learning engine to identify a similar incident notification in the computing environment. The similar incident notification may include a resolved incident notification or an unresolved incident notification. An action to resolve the incident notification may be received, and the received action may thereby be executed. In some implementations, in addition to resolving the received incident notification, the action may be executed to resolve a similar unresolved incident notification identified by the machine-learning engine.
    Type: Application
    Filed: August 20, 2018
    Publication date: February 20, 2020
    Inventors: Yotam Livny, Roy Levin, Ram Haim Pliskin, Ben Kliger, Mathias Abraham Marc Scherman, Moshe Israel, Michael Zeev Bargury
  • Publication number: 20200053090
    Abstract: Methods, systems, and media are shown for generating access control rules for computer resources involving collecting historical access data for user accesses to a computer resource and separating the historical access data into a training data set and a validation data set. An access control rule is generated for the computer resource based on the properties of the user accesses to the computer resource in the training data set. The rule is validated against the validation data set to determine whether the rule produces a denial rate level is below a threshold when the rule is applied to the validation data set. If the rule is valid, then it is provided to an administrative interface so that an administrator can select the rule for application to incoming user requests.
    Type: Application
    Filed: August 9, 2018
    Publication date: February 13, 2020
    Inventors: Ben KLIGER, Yotam LIVNY, Ram Haim PLISKIN, Roy LEVIN, Mathias Abraham Marc SCHERMAN, Moshe ISRAEL, Michael Zeev BARGURY