System and method for detecting anomalies associated with network traffic to cloud applications

US 10,536,473 B2
Filed: 02/15/2017
Issued: 01/14/2020
Est. Priority Date: 02/15/2017
Status: Active Grant

First Claim

Patent Images

1. An anomaly detection system comprising:

a processor;

a memory; and

a security application stored in the memory and including instructions, which are executable by the processor and are configured to;

collect information of behavior data for a plurality of users of an organization accessing one or more cloud application(s) via a distributed network, wherein the behavior data includes tracked information tracked over time for the plurality of users, and wherein the one or more cloud application(s) are implemented on one or more server computer(s) of a service provider;

establish a plurality of baselines for each of the plurality of users and for each of the one or more cloud application(s) or types of cloud applications of the organization;

detect anomalies based on the plurality of baselines;

provide aggregated anomaly data by aggregating the anomalies (i) corresponding to two or more of the plurality of baselines and a same behavior, or (ii) corresponding to multiple users of a same cloud application during a same period of time,wherein the aggregated anomaly data includes weighted values describing the aggregated anomalies, with higher weights of the weighted values indicating higher likelihoods that the aggregated anomaly data is associated with malicious activity,wherein multiple different types of aggregations are selectably performable to aggregate the anomalies, each of the multiple different types of aggregations being associated with a corresponding weight used to weight the weighted values, andwherein determining which specific weight to apply to the weighted values is based on which particular type of aggregation included within the multiple different types of aggregations is selected to aggregate the anomalies;

determine a risk value based on the aggregated anomaly data; and

perform a countermeasure based on the risk value.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An anomaly detection system is provided and includes a processor, a memory, and a security application that is stored in the memory and includes instructions. The instructions are configured to collect information of behavior data for the users of an organization accessing cloud applications via a distributed network. The behavior data includes one or more parameters tracked over time for the users. The instructions are further configured to: establish baselines for each of the users and for each of the cloud applications or types of cloud applications of the organization; detect anomalies based on the baselines; provide aggregated anomaly data by aggregating anomalies corresponding to two or more of the baselines and a same behavior or corresponding to multiple users of a same cloud application during a same period of time; determine a risk value based on the aggregated anomaly data; and perform a countermeasure based on the risk value.

22 Citations

View as Search Results

21 Claims

1. An anomaly detection system comprising:
- a processor;
  
  a memory; and
  
  a security application stored in the memory and including instructions, which are executable by the processor and are configured to;
  
  collect information of behavior data for a plurality of users of an organization accessing one or more cloud application(s) via a distributed network, wherein the behavior data includes tracked information tracked over time for the plurality of users, and wherein the one or more cloud application(s) are implemented on one or more server computer(s) of a service provider;
  
  establish a plurality of baselines for each of the plurality of users and for each of the one or more cloud application(s) or types of cloud applications of the organization;
  
  detect anomalies based on the plurality of baselines;
  
  provide aggregated anomaly data by aggregating the anomalies (i) corresponding to two or more of the plurality of baselines and a same behavior, or (ii) corresponding to multiple users of a same cloud application during a same period of time,wherein the aggregated anomaly data includes weighted values describing the aggregated anomalies, with higher weights of the weighted values indicating higher likelihoods that the aggregated anomaly data is associated with malicious activity,wherein multiple different types of aggregations are selectably performable to aggregate the anomalies, each of the multiple different types of aggregations being associated with a corresponding weight used to weight the weighted values, andwherein determining which specific weight to apply to the weighted values is based on which particular type of aggregation included within the multiple different types of aggregations is selected to aggregate the anomalies;
  
  determine a risk value based on the aggregated anomaly data; and
  
  perform a countermeasure based on the risk value.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The anomaly detection system of claim 1, wherein:
    - the security application collects the information by requesting logs from at least one of a proxy, a gateway, or a firewall; and
      
      the logs include fields indicating access periods of the one or more cloud application(s), Internet protocol addresses of client computers of the plurality of users, usernames of the plurality of users, names of the one or more cloud application(s), volumes of data transferred between the client computers and machines of the one or more cloud application(s), and numbers of transactions between the client computers and the machines of the one or more cloud application(s).
  - 3. The anomaly detection system of claim 1, wherein the security application, in establishing the plurality of baselines:
    - selects the tracked information of the behavior data to monitor;
      
      selects a parameterized statistical distribution from a family of distributions based on the tracked information;
      
      fits values of the tracked information provided from the behavior data to the selected parameterized statistical distribution; and
      
      determines a mean and a variance based on the fitted values.
  - 4. The anomaly detection system of claim 3, wherein the security application detects the anomalies based on the values of the tracked information, the mean and the variance.
  - 5. The anomaly detection system of claim 3, wherein the security application, in determining the risk value, determines a probability that the aggregated anomaly data is to occur based on the plurality of baselines, the mean, a difference between the mean and the aggregated anomaly data, and the variance.
  - 6. The anomaly detection system of claim 1, wherein the security application aggregates the anomalies corresponding to the two or more of the plurality of baselines to provide the aggregated anomaly data.
  - 7. The anomaly detection system of claim 1, wherein the security application aggregates the anomalies corresponding to the multiple users of the same cloud application during the same period of time to provide the aggregated anomaly data.
  - 8. The anomaly detection system of claim 1, wherein the countermeasure includes:
    - alerting one of the plurality of users, a client computer, an owner of a machine executing a cloud application associated with the aggregated anomaly data, or a representative of a service provider of the cloud application associated with the aggregated anomaly data, wherein the one or more cloud application(s) include the cloud application associated with the aggregated anomaly data; and
      
      preventing or limiting access for one of the plurality of users to the cloud application associated with the aggregated anomaly data.
  - 9. The anomaly detection system of claim 1, wherein collecting the information of the behavior data for the plurality of users is performed by determining one or more parameter(s) to monitor and requesting the one or more parameter(s) from a firewall.

10. An anomaly detection system comprising:
- a processor;
  
  a memory; and
  
  a security application stored in the memory and including instructions, which are executable by the processor and are configured to;
  
  collect information of behavior data for a plurality of client computers of an organization accessing one or more cloud application(s) via a distributed network, wherein the behavior data includes tracked information tracked over time for the plurality of client computers, and wherein the one or more cloud application(s) are implemented on one or more server computer(s) of a service provider;
  
  establish a plurality of baselines for each of the plurality of client computers and for each of the one or more cloud application(s) or types of cloud applications of the organization;
  
  detect anomalies based on the plurality of baselines;
  
  provide aggregated anomaly data by aggregating the anomalies (i) corresponding to two or more of the plurality of baselines and a same behavior, or (ii) corresponding to multiple client computers accessing a same cloud application during a same period of time,wherein the aggregated anomaly data includes weighted values describing the aggregated anomalies, with higher weights of the weighted values indicating higher likelihoods that the aggregated anomaly data is associated with malicious activity,wherein multiple different types of aggregations are selectably performable to aggregate the anomalies, each of the multiple different types of aggregations being associated with a corresponding weight used to weight the weighted values, andwherein determining which specific weight to apply to the weighted values is based on which particular type of aggregation included within the multiple different types of aggregations is selected to aggregate the anomalies;
  
  determine a risk value based on the aggregated anomaly data; and
  
  perform a countermeasure based on the risk value.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The anomaly detection system of claim 10, wherein the security application, in establishing the plurality of baselines:
    - selects the tracked information of the behavior data to monitor;
      
      selects a parameterized statistical distribution from a family of distributions based on the tracked information;
      
      fits values of the tracked information provided from the behavior data to the selected parameterized statistical distribution; and
      
      determines a mean and a variance based on the fitted values.
  - 12. The anomaly detection system of claim 11, wherein the security application detects the anomalies based on the values of the tracked information, the mean and the variance.
  - 13. The anomaly detection system of claim 11, wherein the security application, in determining the risk value, determines a probability that the aggregated anomaly data is to occur based on the plurality of baselines, the mean, a difference between the mean and the aggregated anomaly data, and the variance.
  - 14. The anomaly detection system of claim 10, wherein the security application aggregates the anomalies corresponding to the two or more of the plurality of baselines to provide the aggregated anomaly data.
  - 15. The anomaly detection system of claim 10, wherein the security application aggregates the anomalies corresponding to the multiple client computers of the same cloud application during the same period of time to provide the aggregated anomaly data.

16. One or more computer readable hardware storage device(s) having stored thereon computer-executable instructions that are executable by one or more processor(s) of a computer system to cause the computer system to detect an anomaly associated with access of a cloud application by causing the computer system to:
- collect information of behavior data for a plurality of users of an organization accessing one or more cloud application(s) via a distributed network, wherein the behavior data includes tracked information tracked over time for the plurality of users, and wherein the one or more cloud application(s) are implemented on one or more server computer(s) of a service provider;
  
  establish a plurality of baselines for each of the plurality of users and for each of the one or more cloud application(s) or types of cloud applications of the organization;
  
  detect anomalies based on the plurality of baselines;
  
  provide aggregated anomaly data by aggregating the anomalies (i) corresponding to two or more of the plurality of baselines and a same behavior, or (ii) corresponding to multiple users of a same cloud application during a same period of time,wherein the aggregated anomaly data includes weighted values describing the aggregated anomalies, with higher weights of the weighted values indicating higher likelihoods that the aggregated anomaly data is associated with malicious activity,wherein multiple different types of aggregations are selectably performable to aggregate the anomalies, each of the multiple different types of aggregations being associated with a corresponding weight used to weight the weighted values, andwherein determining which specific weight to apply to the weighted values is based on which particular type of aggregation included within the multiple different types of aggregations is selected to aggregate the anomalies;
  
  determine a risk value based on the aggregated anomaly data; and
  
  perform a countermeasure based on the risk value.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The one or more computer-readable hardware storage device(s) of claim 16, wherein establishing the plurality of baselines includes:
    - selecting the tracked information of the behavior data to monitor;
      
      selecting a parameterized statistical distribution from a family of distributions based on the tracked information;
      
      fitting values of the tracked information provided from the behavior data to the selected parameterized statistical distribution; and
      
      determining a mean and a variance based on the fitted values.
  - 18. The one or more computer-readable hardware storage device(s) of claim 17, wherein the anomalies are detected based on the values of the tracked information, the mean and the variance.
  - 19. The one or more computer-readable hardware storage device(s) of claim 17, wherein determining the risk value includes determining a probability that the aggregated anomaly data is to occur based on the plurality of baselines, the mean, a difference between the mean and the aggregated anomaly data, and the variance.
  - 20. The one or more computer-readable hardware storage device(s) of claim 16, wherein the anomalies corresponding to the two or more of the plurality of baselines are aggregated to provide the aggregated anomaly data.
  - 21. The one or more computer-readable hardware storage device(s) of claim 16, wherein the anomalies corresponding to the multiple users of the same cloud application during the same period of time are aggregated to provide the aggregated anomaly data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Kaplan, Shai, Most, Yonatan
Primary Examiner(s)
Le, Chau
Assistant Examiner(s)
Little, Vance M

Application Number

US15/433,058
Publication Number

US 20180234444A1
Time in Patent Office

1,063 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

System and method for detecting anomalies associated with network traffic to cloud applications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

22 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

System and method for detecting anomalies associated with network traffic to cloud applications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others