The patent badge is an abbreviated version of the USPTO patent document. The patent badge covers the following: Patent number, Date patent was issued, Date patent was filed, Title of the patent, Applicant, Inventor, Assignee, Attorney firm, Primary examiner, Assistant examiner, CPCs, and Abstract. The patent badge does contain a link to the full patent document (in Adobe Acrobat format, aka pdf).
Patent No.:
Date of Patent:
Mar. 07, 2017
Filed:
Sep. 18, 2014
Microsoft Corporation, Redmond, WA (US);
Ram Shankar Siva Kumar, Kirkland, WA (US);
Nguyen Song Khanh Vu, Woodinville, WA (US);
Marco DiPlacido, Waltham, MA (US);
Vinod Nair, Bangalore, IN;
Aniruddha Das, Watertown, MA (US);
Matt Swann, Bothell, WA (US);
Keerthi Selvaraj, Cupertino, CA (US);
Sundararajan Sellamanickam, Bangalore, IN;
Microsoft Technology Licensing, LLC, Redmond, WA (US);
Abstract
Lateral movement detection may be performed by employing different detection models to score logon sessions. The different detection models may be implemented by and/or utilize counts computed from historical security event data. The different detection models may include probabilistic intrusion detection models for detecting compromised behavior based on logon behavior, a sequence of security events observed during a logon session, inter-event time between security events observed during a logon session, and/or an attempt to log on using explicit credentials. Scores for each logon session that are output by the different detection models may be combined to generate a ranking score for each logon session. A list of ranked alerts may be generated based on the ranking score for each logon session to identify compromised authorized accounts and/or compromised machines. An attack graph may be automatically generated based on compromised account-machine pairs to visually display probable paths of an attacker.