Detecting impossible travel in the on-premise settings

US 10,333,944 B2
Filed: 11/03/2016
Issued: 06/25/2019
Est. Priority Date: 11/03/2016
Status: Active Grant

First Claim

Patent Images

1. A computer system comprising:

one or more processors; and

one or more computer-readable media having stored thereon instructions that are executable by the one or more processors to configure the computer system to determine impossible travel for users connecting to on-premises sites of a multi-site distributed network, including instructions that are executable to configure the computer system to perform at least the following;

identify an estimated location of a given on-premises site associated with the multi-site distributed network, wherein the multi-site distributed network comprises a plurality of on-premises networks that share networking resources including a corpus of IP addresses each of which can be assigned to a user device connected to the distributed network without regard to which on-premises network the user device is connected, and wherein identifying the estimated location of the given on-premises site comprises inferring the geolocation of the given on-premises site by aggregating geolocation based on network address information of remote devices that are each logging into the given on-premises site using an external IP address, and wherein local devices that use an internal IP address from the given on-premises site but which are otherwise not locatable via geolocation are then assigned a geolocation equal to the given on-premises site'"'"'s estimated geolocation;

identify information related to a first on-premises connection event at the given on-premises site, wherein the identified information comprises the estimated location, time information, and a first user identification for an entity;

identify information related to a second different on-premises connection event, where the information related to the second different on-premises connection event comprises location information, time information and a second user identification for the entity;

compare the information related to the first on-premises connection event and the information related to the second different on-premises connection event, wherein the information related to at least one of the first and second on-premises connection events is based on the inferred location of the given on premises site, and based on the comparison detecting impossible travel for the entity irrespective of whether the impossible travel is based on i) travel from the given on-premises site to a remote location outside of the multi-site distributed network, ii) travel from the given on-premises site to another on-premises site of the multi-site distribution network, or iii) travel from a remote location outside of the multi-site distributed network to the given on-premises site; and

provide an alert indicating an impossible travel condition.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Determining impossible travel for a specific user entity associated with an on-premises site. A method includes identifying an estimated location of an on-premises site associated with an organization network. Identifying the estimated location of an on-premises site comprises aggregating connection information of remote devices, remote from the on-premises site connecting to the on-premises site. Information related to an on-premises connection event is identified including the estimated location, time information, and a first user identification for an entity. Information is identified related to a different connection event. The information comprises location information, time information and a second user identification for the entity. The information related to the on-premises connection event and the information related to the different connection event are used to detect impossible travel for the entity. An alert indicating an impossible travel condition is provided.

11 Citations

20 Claims

1. A computer system comprising:
- one or more processors; and
  
  one or more computer-readable media having stored thereon instructions that are executable by the one or more processors to configure the computer system to determine impossible travel for users connecting to on-premises sites of a multi-site distributed network, including instructions that are executable to configure the computer system to perform at least the following;
  
  identify an estimated location of a given on-premises site associated with the multi-site distributed network, wherein the multi-site distributed network comprises a plurality of on-premises networks that share networking resources including a corpus of IP addresses each of which can be assigned to a user device connected to the distributed network without regard to which on-premises network the user device is connected, and wherein identifying the estimated location of the given on-premises site comprises inferring the geolocation of the given on-premises site by aggregating geolocation based on network address information of remote devices that are each logging into the given on-premises site using an external IP address, and wherein local devices that use an internal IP address from the given on-premises site but which are otherwise not locatable via geolocation are then assigned a geolocation equal to the given on-premises site'"'"'s estimated geolocation;
  
  identify information related to a first on-premises connection event at the given on-premises site, wherein the identified information comprises the estimated location, time information, and a first user identification for an entity;
  
  identify information related to a second different on-premises connection event, where the information related to the second different on-premises connection event comprises location information, time information and a second user identification for the entity;
  
  compare the information related to the first on-premises connection event and the information related to the second different on-premises connection event, wherein the information related to at least one of the first and second on-premises connection events is based on the inferred location of the given on premises site, and based on the comparison detecting impossible travel for the entity irrespective of whether the impossible travel is based on i) travel from the given on-premises site to a remote location outside of the multi-site distributed network, ii) travel from the given on-premises site to another on-premises site of the multi-site distribution network, or iii) travel from a remote location outside of the multi-site distributed network to the given on-premises site; and
  
  provide an alert indicating an impossible travel condition.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer system of claim 1, wherein the different connection event comprises a connection event from a different on-premises site associated with the multi-site distributed network.
  - 3. The computer system of claim 1, wherein the different connection event comprises a connection event from a remote location outside of the multi-site distributed network to the given on-premises site.
  - 4. The computer system of claim 3, wherein the connection event from the remote location comprises a VPN connection.
  - 5. The computer system of claim 3, wherein the connection event from the remote location comprises a connection event using at least one of tunneling protocols, cloud services, or consumer connections.
  - 6. The computer system of claim 1, wherein one or more computer-readable media further have stored thereon instructions that are executable by the one or more processors to configure the computer system to further perform the following:
    - pre-processing the information related to the given on-premises connection event to create a standardized information set;
      
      pre-processing the information related to the different connection event to create a different standardized information set; and
      
      combining the standardized information sets to create a composite information set, and wherein using the information related to the given on-premises connection event and information related to the different connection event comprises using the composite information set to identify impossible travel.
  - 7. The computer system of claim 1, wherein one or more computer-readable media further have stored thereon instructions that are executable by the one or more processors to configure the computer system to perform post-processing on any detected impossible travel to reduce noise for false positive alerts.
  - 8. The computer system of claim 7, wherein the post processing comprises pattern recognition for removing common patterns.

9. A computer implemented method of determining impossible travel for users connecting to on-premises sites of a multi-site distributed network, the method comprising:
- identifying an estimated location of a given on-premises site associated with the multi-site distributed network, wherein the multi-site distributed network comprises a plurality of on-premises networks that share networking resources including a corpus of IP addresses each of which can be assigned to a user device connected to the distributed network without regard to which on-premises network the user device is connected, and wherein identifying the estimated location of the given on-premises site comprises inferring the geolocation of the given on-premises site by aggregating geolocation based on network address information of remote devices that are each logging into the given on-premises site using an external IP address, and wherein local devices that use an internal IP address from the given on-premises site but which are otherwise not locatable via geolocation are then assigned a geolocation equal to the given on-premises site'"'"'s estimated geolocation;
  
  identifying information related to a first on-premises connection event at the given on-premises site, wherein the identified information comprises the estimated location, time information, and a first user identification for an entity;
  
  identifying information related to a second different on-premises connection event, where the information related to the second different on-premises connection event comprises location information, time information and a second user identification for the entity;
  
  comparing the information related to the first on-premises connection event and the information related to the second different on-premises connection event, wherein the information related to at least one of the first and second on-premises connection events is based on the inferred location of the given on premises site, and based on the comparison detecting impossible travel for the entity irrespective of whether the impossible travel is based on i) travel from the given on-premises site to a remote location outside of the multi-site distributed network, ii) travel from the given on-premises site to another on-premises site of the multi-site distribution network, or iii) travel from a remote location outside of the multi-site distributed network to the given on-premises site; and
  
  providing an alert indicating an impossible travel condition.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method of claim 9, wherein the different connection event comprises a connection event from a different on-premises site associated with the multi-site distributed network.
  - 11. The method of claim 9, wherein the different connection event comprises a connection event from a remote location outside of the multi-site distributed network to the given on-premises site.
  - 12. The method of claim 11, wherein the connection event from the remote location comprises a VPN connection.
  - 13. The method of claim 11, wherein the connection event from the remote location comprises a connection event using at least one of tunneling protocols, cloud services, or consumer connections.
  - 14. The method of claim 9, further comprising:
    - pre-processing the information related to the given on-premises connection event to create a standardized information set;
      
      pre-processing the information related to the different connection event to create a different standardized information set; and
      
      combining the standardized information sets to create a composite information set, and wherein using the information related to the given on-premises connection event and information related to the different connection event comprises using the composite information set to identify impossible travel.
  - 15. The method of claim 9, further comprising performing post-processing on any detected impossible travel to reduce noise for false positive alerts.
  - 16. The method of claim 15, wherein the post processing comprises pattern recognition for removing common patterns.

17. A computer system for determining impossible travel for users connecting to on-premises sites of a multi-site distributed network, the system comprising one or more processors executing instructions that configure the computer system with an architecture comprising:
- a gateway that accepts communications from both remote and local devices connecting to a given on-premises site associated with the multi-site distributed network, wherein the multi-site distributed network comprises a plurality of on-premises networks that share networking resources including a corpus of IP addresses each of which can be assigned to a user device connected to the distributed network without regard to which on-premises network the user device is connected;
  
  a monitor coupled to the gateway, wherein the monitor performs at least the following;
  
  identifies an estimated location of the given on-premises site by inferring the geolocation of the given on-premises site by aggregating geolocation based on network address information of remote devices that are each logging into the given on-premises site using an external IP address, and wherein local devices that use an internal IP address from the given on-premises site but which are otherwise not locatable via geolocation are then assigned a geolocation equal to the given on-premises site'"'"'s estimated geolocation;
  
  identify information related to a first on-premises connection event at the given on-premises site, wherein the identified information comprises the estimated location, time information, and a first user identification for an entity;
  
  identify information related to a second different connection event, where the information related to the second different connection event comprises location information, time information and a second user identification for the entity; and
  
  compare the information related to the first on-premises connection event and the information related to the second different on-premises connection event, wherein the information related to at least one of the first and second on-premises connection events is based on the inferred location of the given on premises site, and based on the comparison detecting impossible travel for the entity irrespective of whether the impossible travel is based on i) travel from the given on-premises site to a remote location outside of the multi-site distributed network, ii) travel from the given on-premises site to another on-premises site of the multi-site distribution network, or iii) travel from a remote location outside of the multi-site distributed network to the given on-premises site; and
  
  provide an alert indicating an impossible travel condition.
- View Dependent Claims (18, 19, 20)
- - 18. The computer system of claim 17, wherein the first on-premises connection event comprises a connection event at the given on-premises site, and the second different on-premises connection event comprises a connection event from a different on-premises site other than the given on-premises site.
  - 19. The computer system of claim 17, wherein the first on-premises connection event comprises a connection event at the given on-premises site, and the second different connection event comprises a connection event from a remote location to the given on-premises site.
  - 20. The computer system of claim 19, wherein the connection event from the remote location comprises a connection event using at least one of tunneling protocols, cloud services, or consumer connections.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Jurgenson, Tom, Krigsman, Sivan, Dubinsky, Michael, Be'ery, Tal Arieh, Plotnik, Idan, David, Gil
Primary Examiner(s)
Gee, Jason K
Assistant Examiner(s)
Gao, Shu Chun

Application Number

US15/342,631
Publication Number

US 20180124065A1
Time in Patent Office

964 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0209   Architectural arrangements,...

H04L 63/0281   Proxies

H04L 63/107   wherein the security polici...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 67/52   specially adapted for the l...

H04W 12/12   Detection or prevention of ...

H04W 4/02   Services making use of loca...

Detecting impossible travel in the on-premise settings

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

11 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting impossible travel in the on-premise settings

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

11 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links