Patents by Inventor Sivan Krigsman
Sivan Krigsman has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11818228Abstract: Systems and methods for determining a user's presence on a network of an enterprise are provided. Traffic is collected to a network from devices and, over a period of time, login and logoff information from a user is determined from the collected network traffic. Network sessions are determined from a user's login and logoff information and timetable is generated specific to the user that contains the network sessions. The time table identifies when the user was active and when the user was not active based on the login and logoff information and, therefore, present at a particular location over a period of time.Type: GrantFiled: September 22, 2016Date of Patent: November 14, 2023Assignee: Microsoft Technology Licensing, LLCInventors: Tal Arieh Be'ery, Itai Grady, Tom Jurgenson, Idan Plotnik, Sivan Krigsman, Michael Dubinsky, Gil David
-
Patent number: 11126713Abstract: A system for detecting directory reconnaissance in a directory service includes a sensor and a directory reconnaissance detector, each of which is executing on one or more computing devices. The sensor determines whether a query that is submitted to a directory server is a suspicious query and, if the query is determined to be a suspicious query, transmits the suspicious query to the directory reconnaissance detector. The director reconnaissance detector includes a receiver, a context obtainer, an alert determiner and an alert transmitter. The receiver receives the suspicious query from the sensor and the context obtainer obtains context information associated with the suspicious query. The alert determiner determines whether a security alert should be generated based at least on the suspicious query and the context information. The alert transmitter generates the security alert responsive to a determination that the security alert should be generated.Type: GrantFiled: April 8, 2019Date of Patent: September 21, 2021Assignee: MICROSOFT TECHNOLOGY LICENSING, LLCInventors: Tal J. Maor, Itai Grady Ashkenazy, Gal Z. Bruchim, Jonathan M. Monsonego, Sivan Krigsman, Lior Schindler
-
Publication number: 20200320190Abstract: A system for detecting directory reconnaissance in a directory service includes a sensor and a directory reconnaissance detector, each of which is executing on one or more computing devices. The sensor determines whether a query that is submitted to a directory server is a suspicious query and, if the query is determined to be a suspicious query, transmits the suspicious query to the directory reconnaissance detector. The director reconnaissance detector includes a receiver, a context obtainer, an alert determiner and an alert transmitter. The receiver receives the suspicious query from the sensor and the context obtainer obtains context information associated with the suspicious query. The alert determiner determines whether a security alert should be generated based at least on the suspicious query and the context information. The alert transmitter generates the security alert responsive to a determination that the security alert should be generated.Type: ApplicationFiled: April 8, 2019Publication date: October 8, 2020Inventors: Tal J. Maor, Itai Grady Ashkenazy, Gal Z. Bruchim, Jonathan M. Monsonego, Sivan Krigsman, Lior Schindler
-
Patent number: 10623234Abstract: According to examples, an apparatus for managing alerts pertaining to additions of users to a user group in a computer network may include a processor and a memory, which may have stored thereon machine readable instructions that are to cause the processor to, during a learning period, identify an entity that added a user to the user group during the learning period and enter an identification of the identified entity into an allowed entity list for the user group. Following the learning period, the instructions are to cause the processor to identify a user addition event that indicates that an adding entity added another user to the user group, determine whether the adding entity is in the allowed entity list, and manage issuance of an alert regarding the user addition event based upon whether the adding entity is in the allowed entity list to reduce a number of issued alerts.Type: GrantFiled: June 8, 2017Date of Patent: April 14, 2020Assignee: MICROSOFT TECHNOLOGY LICENSING, LLCInventors: Sivan Krigsman, Tal Be'ery, Itai Grady, Yaron Kaner, Amit Rosenzweig, Tom Jurgenson
-
Patent number: 10505894Abstract: A system and method for performing IP to name resolution in organizational environments. IP addresses are determined for devices utilizing the corporate network. An IP address is resolved to a first device name and then the same IP address is subsequently resolved to a second device name. A profile is generated such as a timeline for the IP address including both the first and second device names. The timeline may be queried to determine whether the first device name or the second device name was associated with the IP address during a period of time.Type: GrantFiled: February 6, 2017Date of Patent: December 10, 2019Assignee: MICROSOFT TECHNOLOGY LICENSING, LLCInventors: Idan Plotnik, Sivan Krigsman, Benny Lakunishok, Tal Arieh Be'ery, Michael Dubinsky, Michael Dolinsky
-
Patent number: 10333944Abstract: Determining impossible travel for a specific user entity associated with an on-premises site. A method includes identifying an estimated location of an on-premises site associated with an organization network. Identifying the estimated location of an on-premises site comprises aggregating connection information of remote devices, remote from the on-premises site connecting to the on-premises site. Information related to an on-premises connection event is identified including the estimated location, time information, and a first user identification for an entity. Information is identified related to a different connection event. The information comprises location information, time information and a second user identification for the entity. The information related to the on-premises connection event and the information related to the different connection event are used to detect impossible travel for the entity. An alert indicating an impossible travel condition is provided.Type: GrantFiled: November 3, 2016Date of Patent: June 25, 2019Assignee: Microsoft Technology Licensing, LLCInventors: Tom Jurgenson, Sivan Krigsman, Michael Dubinsky, Tal Arieh Be'ery, Idan Plotnik, Gil David
-
Patent number: 10298699Abstract: The present disclosure provides for improved computational efficiency and security in a network by determining the physical location of network connected components, without requiring the components to self-locate. The locations of devices remotely connected to a site within the network are geolocated so that the physical location of that site may be inferred from a centralized point to the remote devices' locations. This calculate site location may be compared against a known site location to improve a generalized algorithm for determining the calculated location of a site with an unknown location, and may be applied to devices that are locally connected to the network, which may be otherwise incapable of being geolocated.Type: GrantFiled: September 8, 2016Date of Patent: May 21, 2019Assignee: MICROSOFT TECHNOLOGY LICENSING, LLCInventors: Tom Jurgenson, Tal Arieh Be'ery, Idan Plotnik, Michael Dubinsky, Sivan Krigsman, Gil David
-
Publication number: 20180359136Abstract: According to examples, an apparatus for managing alerts pertaining to additions of users to a user group in a computer network may include a processor and a memory, which may have stored thereon machine readable instructions that are to cause the processor to, during a learning period, identify an entity that added a user to the user group during the learning period and enter an identification of the identified entity into an allowed entity list for the user group. Following the learning period, the instructions are to cause the processor to identify a user addition event that indicates that an adding entity added another user to the user group, determine whether the adding entity is in the allowed entity list, and manage issuance of an alert regarding the user addition event based upon whether the adding entity is in the allowed entity list to reduce a number of issued alerts.Type: ApplicationFiled: June 8, 2017Publication date: December 13, 2018Applicant: Microsoft Technology Licensing, LLCInventors: Sivan KRIGSMAN, Tal Be'ery, Itai Grady, Yaron Kaner, Amit Rosenzweig, Tom Jurgenson
-
Patent number: 10148639Abstract: Brute force attacks on a given account with various password attempts are a common threat to computer security. When a suspected brute force on an account is detected, systems may lock the account from access, which is frustrating to users and time consuming for administrators in the event of a false positive. To reduce the number of false positives, brute force counterattacks are taught in the present disclosure. A brute force counterattack is used to learn whether the login attempts change the passwords attempted, and are to be classified as malicious, or keep the attempted password the same in multiple attempts, and are to be classified as benign.Type: GrantFiled: May 24, 2016Date of Patent: December 4, 2018Assignee: MICROSOFT TECHNOLOGY LICENSING, LLCInventors: Idan Plotnik, Michael Dolinsky, Sivan Krigsman, Tal Arieh Be'ery, Gil David, Marina Simakov
-
Publication number: 20180343317Abstract: A system includes a data collector to collect first information from traffic monitored by a gateway. An IP resolver resolves addresses to device names using the first information. The device names are associated with respective ones of a plurality of devices. Resolving the IP addresses includes identifying which of the device names was assigned each of the IP addresses. An IP address profiler generates IP address profiles for the IP addresses. The IP address profiles include second information identifying which of the device names were assigned which of the IP addresses in a login session and at least one characteristic of the login session. The data collector collects third information from one of the IP address profiles. A device role resolver uses the third information to determine a role of a first device that is associated with a first device name and store fourth information identifying the determined role.Type: ApplicationFiled: May 26, 2017Publication date: November 29, 2018Inventors: Benny LAKUNISHOK, Sivan KRIGSMAN
-
Publication number: 20180124065Abstract: Determining impossible travel for a specific user entity associated with an on-premises site. A method includes identifying an estimated location of an on-premises site associated with an organization network. Identifying the estimated location of an on-premises site comprises aggregating connection information of remote devices, remote from the on-premises site connecting to the on-premises site. Information related to an on-premises connection event is identified including the estimated location, time information, and a first user identification for an entity. Information is identified related to a different connection event. The information comprises location information, time information and a second user identification for the entity. The information related to the on-premises connection event and the information related to the different connection event are used to detect impossible travel for the entity. An alert indicating an impossible travel condition is provided.Type: ApplicationFiled: November 3, 2016Publication date: May 3, 2018Inventors: Tom Jurgenson, Sivan Krigsman, Michael Dubinsky, Tal Arieh Be'ery, Idan Plotnik, Gil David
-
Publication number: 20180109490Abstract: A system and method for performing IP to name resolution in organizational environments. IP addresses are determined for devices utilizing the corporate network. An IP address is resolved to a first device name and then the same IP address is subsequently resolved to a second device name. A profile is generated such as a timeline for the IP address including both the first and second device names. The timeline may be queried to determine whether the first device name or the second device name was associated with the IP address during a period of time.Type: ApplicationFiled: February 6, 2017Publication date: April 19, 2018Applicant: Microsoft Technology Licensing, LLCInventors: Idan Plotnik, Sivan Krigsman, Benny Lakunishok, Tal Arieh Be'ery, Michael Dubinsky, Michael Dolinsky
-
Publication number: 20180084069Abstract: Systems and methods for determining a user's presence on a network of an enterprise are provided. Traffic is collected to a network from devices and, over a period of time, login and logoff information from a user is determined from the collected network traffic. Network sessions are determined from a user's login and logoff information and timetable is generated specific to the user that contains the network sessions. The time table identifies when the user was active and when the user was not active based on the login and logoff information and, therefore, present at a particular location over a period of time.Type: ApplicationFiled: September 22, 2016Publication date: March 22, 2018Applicant: Microsoft Technology Licensing, LLC.Inventors: Tal Arieh Be'ery, Itai Grady, Tom Jurgenson, Idan Plotnik, Sivan Krigsman, Michael Dubinsky, Gil David
-
Publication number: 20180069934Abstract: The present disclosure provides for improved computational efficiency and security in a network by determining the physical location of network connected components, without requiring the components to self-locate. The locations of devices remotely connected to a site within the network are geolocated so that the physical location of that site may be inferred from a centralized point to the remote devices' locations. This calculate site location may be compared against a known site location to improve a generalized algorithm for determining the calculated location of a site with an unknown location, and may be applied to devices that are locally connected to the network, which may be otherwise incapable of being geolocated.Type: ApplicationFiled: September 8, 2016Publication date: March 8, 2018Applicant: Microsoft Technology Licensing, LLC.Inventors: Tom Jurgenson, Tal Arieh Be'ery, Idan Plotnik, Michael Dubinsky, Sivan Krigsman, Gil David
-
Publication number: 20170346809Abstract: Brute force attacks on a given account with various password attempts are a common threat to computer security. When a suspected brute force on an account is detected, systems may lock the account from access, which is frustrating to users and time consuming for administrators in the event of a false positive. To reduce the number of false positives, brute force counterattacks are taught in the present disclosure. A brute force counterattack is used to learn whether the login attempts change the passwords attempted, and are to be classified as malicious, or keep the attempted password the same in multiple attempts, and are to be classified as benign.Type: ApplicationFiled: May 24, 2016Publication date: November 30, 2017Applicant: Microsoft Technology Licensing, LLC.Inventors: Idan Plotnik, Michael Dolinsky, Sivan Krigsman, Tal Arieh Be'ery, Gil David, Marina Simakov
-
Patent number: 9729538Abstract: A method, system and computer program for recoupling Kerberos Authentication and Authorization requests, the method including the steps of: (a) extracting authorization information, including a copy of a Ticket Granting Ticket (TGT), from an authorization request; (b) retrieving authentication information including the TGT, the authentication information having been previously extracted from an authentication transaction and stored; (c) cross-referencing the extracted authorization information with the retrieved authentication information, such that a discrepancy between the cross-referenced information invokes a security event alert.Type: GrantFiled: September 1, 2014Date of Patent: August 8, 2017Assignee: Microsoft Israel Research and Development (2002) LtdInventors: Idan Plotnik, Tal Arieh Be'ery, Michael Dolinsky, Ohad Plotnik, Gregory Messerman, Sivan Krigsman
-
Publication number: 20160065565Abstract: A method, system and computer program for recoupling Kerberos Authentication and Authorization requests, the method including the steps of (a) extracting authorization information, including a copy of a Ticket Granting Ticket (TGT), from an authorization request; (b) retrieving authentication information including the TOT, the authentication information having been previously extracted from an authentication transaction and stored; (c) cross-referencing the extracted authorization information with the retrieved authentication information, such that a discrepancy between the cross-referenced information invokes a security event alert.Type: ApplicationFiled: September 1, 2014Publication date: March 3, 2016Applicant: Aorato LtdInventors: Idan PLOTNIK, Tal Arieh Be'ery, Michael Dolinsky, Ohad Plotnik, Gregory Messerman, Sivan Krigsman