System and methods thereof for monitoring and preventing security incidents in a computerized environment

US 10,243,985 B2
Filed: 06/03/2015
Issued: 03/26/2019
Est. Priority Date: 06/03/2014
Status: Active Grant

First Claim

Patent Images

1. A method of generating a response to a security incident occurring in a computerized environment that comprises one or more user devices, the method comprising:

detecting, by a computerized device, at least one deviation from an expected behavior of at least one of the one or more user devices;

generating, by the computerized device in response to the computerized device detecting the at least one deviation from an expected behavior of at least one of the one or more user devices, at least one terminable agent;

sending, by the computerized device, the at least one terminable agent to the at least one user device in which the at least one deviation is detected;

configuring, by the computerized device, the at least one terminable agent to send metadata respective of the at least one deviation;

receiving, from the at least one terminable agent, the metadata;

determining, by the computerized device, whether the at least one deviation is a security incident respective of the metadata;

configuring, by the computerized device, the at least one terminable agent to initiate at least one action upon determination that the at least one deviation is a security incident, the at least one action being determined by the computerized device respective of a type of the security incident; and

terminating, by the computerized device, the at least one terminable agent upon determination that the security incident is cleared.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system detects and handles security incidents in a computerized environment. The system collects metadata respective of one or more user devices communicatively coupled in the computerized environment. Respective of the collected metadata, the system generates expected behavior patterns of the user devices within the computerized environment. The system continuously monitors the actual behavior of the user devices. Upon detection of deviations from the expected behavior patterns, the system sends a terminable agent to the user device in which the deviation was detected. The system then receives from the terminable agent metadata respective of the deviation. Upon determination that the deviation is a security incident respective of the metadata, the system configures the terminable agent to initiate actions respective thereto. The type of actions required is determined respective of the metadata received from the terminable agent. Upon removal of the security incident, the agent may be terminated.

33 Citations

20 Claims

1. A method of generating a response to a security incident occurring in a computerized environment that comprises one or more user devices, the method comprising:
- detecting, by a computerized device, at least one deviation from an expected behavior of at least one of the one or more user devices;
  
  generating, by the computerized device in response to the computerized device detecting the at least one deviation from an expected behavior of at least one of the one or more user devices, at least one terminable agent;
  
  sending, by the computerized device, the at least one terminable agent to the at least one user device in which the at least one deviation is detected;
  
  configuring, by the computerized device, the at least one terminable agent to send metadata respective of the at least one deviation;
  
  receiving, from the at least one terminable agent, the metadata;
  
  determining, by the computerized device, whether the at least one deviation is a security incident respective of the metadata;
  
  configuring, by the computerized device, the at least one terminable agent to initiate at least one action upon determination that the at least one deviation is a security incident, the at least one action being determined by the computerized device respective of a type of the security incident; and
  
  terminating, by the computerized device, the at least one terminable agent upon determination that the security incident is cleared.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - detecting the at least one deviation from the expected behavior of at least one of the one or more user devices, the detecting comprising;
      
      receiving, by the computerized device, at least one notification of the at least one deviation from the expected behavior of at least one of the one or more user devices.
  - 3. The method of claim 1, further comprising:
    - detecting the at least one deviation from the expected behavior of at least one of the one or more user devices, the detecting comprising;
      
      collecting, by the computerized device, metadata respective of behavior patterns of the one or more user devices; and
      
      generating, by the computerized device, expected behavior patterns of each of the one or more user devices.
  - 4. The method of claim 1, wherein the configuring the at least one terminable agent to initiate at least one action upon determination that the at least one deviation is a security incident comprises:
    - configuring the at least one terminable agent to terminate a process in the at least one user device.
  - 5. The method of claim 1, wherein the configuring the at least one terminable agent to initiate at least one action upon determination that the at least one deviation is a security incident comprises:
    - configuring the at least one terminable agent to remove content from the at least one user device.
  - 6. The method of claim 1, wherein the configuring the at least one terminable agent to initiate at least one action upon determination that the at least one deviation is a security incident comprises:
    - configuring the at least one terminable agent to redirect network connectivity.
  - 7. The method of claim 1, wherein the configuring the at least one terminable agent to initiate at least one action upon determination that the at least one deviation is a security incident comprises:
    - configuring the at least one terminable agent to generate a firewall protection.
  - 8. The method of claim 1, wherein the configuring the at least one terminable agent to initiate at least one action upon determination that the at least one deviation is a security incident comprises:
    - configuring the at least one terminable agent to block a host connection.
  - 9. The method of claim 1, wherein the configuring the at least one terminable agent to initiate at least one action upon determination that the at least one deviation is a security incident comprises:
    - configuring the at least one terminable agent to execute a cleaning and detection tool.
  - 10. The method of claim 1, wherein the expected behavior pattern is one of multiple expected behavior patterns generated respective of collected metadata respective of behavior patterns of the one or more user devices.
  - 11. The method of claim 1, the terminable agent requiring no configurations from the at least one user device.

12. An apparatus for generating a response to a security incident occurring in a computerized environment that comprises one or more user devices, the apparatus comprising:
- one or more processors; and
  
  memory storing executable instructions that, when executed by the one or more processors, causes the one or more processors to;
  
  detect at least one deviation from an expected behavior of at least one of the one or more user devices;
  
  generate, in response to the apparatus detecting the at least one deviation from an expected behavior of at least one of the one or more user devices, at least one terminable agent;
  
  send the at least one terminable agent to the at least one user device in which the at least one deviation is detected;
  
  configure the at least one terminable agent to send metadata respective of the at least one deviation;
  
  receive, from the at least one terminable agent, the metadata;
  
  determine whether the at least one deviation is a security incident respective of the metadata;
  
  configure the at least one terminable agent to initiate at least one action upon determination that the at least one deviation is a security incident, the at least one action being determined respective of a type of the security incident; and
  
  terminate the terminable agent upon determination that the security incident is cleared.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The apparatus of claim 12, wherein the memory stores further executable instructions that, when executed by the one or more processors, causes the one or more processors to:
    - detect the at least one deviation from the expected behavior of at least one of the one or more user devices by receiving at least one notification of the at least one deviation from the expected behavior of at least one of the one or more user devices.
  - 14. The apparatus of claim 12, wherein the memory stores further executable instructions that, when executed by the one or more processors, causes the one or more processors to:
    - detect the at least one deviation from the expected behavior of at least one of the one or more user devices by;
      
      collecting, by the computerized device, metadata respective of behavior patterns of the one or more user devices; and
      
      generating, by the computerized device, expected behavior patterns of each of the one or more user devices.
  - 15. The apparatus of claim 12, wherein to configure the at least one terminable agent to initiate at least one action upon determination that the at least one deviation is a security incident comprises to configure the at least one terminable agent to terminate a process in the at least one user device.
  - 16. The apparatus of claim 12, wherein to configure the at least one terminable agent to initiate at least one action upon determination that the at least one deviation is a security incident comprises to configure the at least one terminable agent to remove content from the at least one user device.
  - 17. The apparatus of claim 12, wherein to configure the at least one terminable agent to initiate at least one action upon determination that the at least one deviation is a security incident comprises to configure the at least one terminable agent to block a host connection.
  - 18. The apparatus of claim 12, wherein to configure the at least one terminable agent to initiate at least one action upon determination that the at least one deviation is a security incident comprises to configure the at least one terminable agent to execute a cleaning and detection tool.

19. One or more computer readable storage media devices storing a program for executing a method of generating a response to a security incident occurring in a computerized environment that comprises one or more user devices, the method comprising:
- detecting, by a computerized device, at least one deviation from an expected behavior of at least one of the one or more user devices;
  
  generating, by the computerized device in response to the computerized device detecting the at least one deviation from an expected behavior of at least one of the one or more user devices, at least one terminable agent;
  
  sending, by the computerized device, the at least one terminable agent to the at least one user device in which the at least one deviation is detected;
  
  configuring, by the computerized device, the at least one terminable agent to send metadata respective of the at least one deviation;
  
  receiving, from the at least one terminable agent, the metadata;
  
  determining, by the computerized device, whether the at least one deviation is a security incident respective of the metadata;
  
  configuring, by the computerized device, the at least one terminable agent to initiate at least one action upon determination that the at least one deviation is a security incident, the at least one action being determined by the computerized device respective of a type of the security incident; and
  
  terminating, by the computerized device, the at least one terminable agent upon determination that the security incident is cleared.
- View Dependent Claims (20)
- - 20. The one or more computer readable storage media devices of claim 19, wherein the configuring the at least one terminable agent to initiate at least one action upon determination that the at least one deviation is a security incident comprises:
    - configuring the at least one terminable agent to perform at least one of;
      
      terminating a process in the at least one user device,removing content from the at least one user device,redirecting network connectivity,generating a firewall protection,blocking a host connection, andexecuting a cleaning and detection tool.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Hexadite Ltd.
Inventors
Klinghofer, Barak, Levin, Idan
Primary Examiner(s)
Korsak, Oleg

Application Number

US14/729,717
Publication Number

US 20150350236A1
Time in Patent Office

1,392 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

H04L 63/02   for separating internal fro...

H04L 63/1433   Vulnerability analysis

System and methods thereof for monitoring and preventing security incidents in a computerized environment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

33 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and methods thereof for monitoring and preventing security incidents in a computerized environment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links