Controlling Malicious Activity Detection Using Behavioral Models

US 20100241974A1
Filed: 03/20/2009
Published: 09/23/2010
Est. Priority Date: 03/20/2009
Status: Active Grant

First Claim

Patent Images

1. A method of controlling malicious activity detection, comprising:

providing a first graphical interface element at a device that enables an administrative user to select a behavioral model to be associated with an information technology asset; and

distributing a behavioral model indicator indicating the selected behavioral model to each of a plurality of protection services deployed on one or more processing modules to cause the plurality of protection services to utilize a plurality of respective protection rule configurations corresponding to the behavioral model to generate respective malicious activity assessments with respect to the information technology asset, wherein each protection rule configuration includes a respective plurality of protection rules having respective rule sensitivities.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and computer program products are described for controlling malicious activity detection with respect to information technology assets based on behavioral models associated with the respective information technology assets. Protection rules and corresponding sensitivities associated with the behavioral models are applied by protection services to detect malicious activity with respect to the information technology assets.

55 Citations

View as Search Results

20 Claims

1. A method of controlling malicious activity detection, comprising:
- providing a first graphical interface element at a device that enables an administrative user to select a behavioral model to be associated with an information technology asset; and
  
  distributing a behavioral model indicator indicating the selected behavioral model to each of a plurality of protection services deployed on one or more processing modules to cause the plurality of protection services to utilize a plurality of respective protection rule configurations corresponding to the behavioral model to generate respective malicious activity assessments with respect to the information technology asset, wherein each protection rule configuration includes a respective plurality of protection rules having respective rule sensitivities.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein providing the first graphical interface element comprises:
    - providing the first graphical interface element that enables the administrative user to select a behavioral model to be associated with a computer.
  - 3. The method of claim 1, wherein providing the first graphical interface element comprises:
    - providing the first graphical interface element that enables the administrative user to select a behavioral model to be associated with a user account.
  - 4. The method of claim 1, wherein providing the first graphical interface element includes providing the first graphical interface element that enables the administrative user to select a plurality of behavioral models to be associated with the information technology asset;
    - andwherein distributing the behavioral model indicator includes distributing the behavioral model indicator indicating the selected plurality of behavioral models to each of the plurality of protection services to cause the plurality of protection services to utilize respective protection rule configurations corresponding to a combination of the selected behavioral models to generate the respective malicious activity assessments with respect to the information technology asset.
  - 5. The method of claim 1, further comprising:
    - providing a second graphical interface element that enables the administrative user to select a detection sensitivity to be associated with the information technology asset; and
      
      distributing a detection sensitivity indicator indicating the selected detection sensitivity to each of the plurality of protection services to cause the plurality of protection services to utilize the plurality of respective protection rule configurations that further correspond to the detection sensitivity to generate the respective malicious activity assessments with respect to the information technology asset.
  - 6. The method of claim 1, further comprising:
    - providing a second graphical interface element that enables the administrative user to disable one or more protection technology sets, each protection technology set including at least two respective protection rules of the plurality of protection rule configurations; and
      
      distributing a disablement indicator indicating the disabled one or more protection technology sets to each of the plurality of protection services to cause the plurality of protection services to not include the disabled one or more protection sets when generating the respective malicious activity assessments with respect to the information technology asset.
  - 7. The method of claim 1, further comprising:
    - providing a second graphical interface element that enables the administrative user to disable each protection rule of the plurality of protection rule configurations independently; and
      
      distributing a disablement indicator indicating disabled protection rules to each of the plurality of protection services to cause the plurality of protection services to not include the disabled protection rules when generating the respective malicious activity assessments with respect to the information technology asset.

8. A method of generating a malicious activity assessment, comprising:
- storing a plurality of protection rule configurations corresponding to a plurality of respective behavioral models in a storage, each protection rule configuration including a plurality of protection rules having respective rule sensitivities;
  
  receiving a behavioral model indicator associating an information technology asset with a first behavioral model of the plurality of behavioral models, wherein the first behavioral model corresponds to a first protection rule configuration of the plurality of protection rule configurations; and
  
  responsive to receiving the behavioral model indicator, generating the malicious activity assessment with respect to the information technology asset using one or more processors based on the first protection rule configuration.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, wherein receiving the behavioral model indicator comprises:
    - receiving the behavioral model indicator associating a computer with the first behavioral model.
  - 10. The method of claim 8, wherein receiving the behavioral model indicator comprises:
    - receiving the behavioral model indicator associating a user account with the first behavioral model.
  - 11. The method of claim 8, wherein receiving the behavioral model indicator includes receiving the behavioral model indicator associating the information technology asset with n behavioral models of the plurality of behavioral models, wherein each of the n behavioral models corresponds to a respective configuration of the plurality of protection rule configurations;
    - wherein generating the malicious activity assessment includes generating the malicious activity assessment with respect to the information technology asset based on a protection rule configuration corresponding to a combination of the n behavioral models; and
      
      wherein n≧
      
      2.
  - 12. The method of claim 8, further comprising:
    - receiving a detection sensitivity indicator indicating a detection sensitivity to be associated with the information technology asset, wherein the first protection rule configuration includes a plurality of first protection rules having respective first rule sensitivities; and
      
      adjusting the first rule sensitivities based on the detection sensitivity.
  - 13. The method of claim 8, further comprising:
    - receiving a disablement indicator indicating one or more protection technology sets to be disabled with respect to the information technology asset, each protection technology set including at least two respective protection rules of the plurality of protection rule configurations;
      
      wherein generating the malicious activity assessment with respect to the information technology asset does not take into account protection rules that are included in the one or more disabled protection technology sets.
  - 14. The method of claim 8, further comprising:
    - receiving a disablement indicator indicating one or more individually disabled protection rules of the plurality of protection rule configurations;
      
      wherein generating the malicious activity assessment with respect to the information technology asset does not take into account the one or more individually disabled protection rules.

15. A system comprising:
- storage to store a plurality of protection rule configurations corresponding to a plurality of respective behavioral models, each protection rule configuration including a plurality of protection rules having respective rule sensitivities;
  
  a detection module configured to detect a behavioral model indicator that associates an information technology asset with a first behavioral model of the plurality of behavioral models, wherein the first behavioral model corresponds to a first protection rule configuration of the plurality of protection rule configurations; and
  
  an assessment module configured to generate a malicious activity assessment with respect to the information technology asset based on the first protection rule configuration in response to the behavioral model indicator being detected.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the information technology asset is a computer.
  - 17. The system of claim 15, wherein the information technology asset is a user account.
  - 18. The system of claim 15, wherein the behavioral model indicator further associates the information technology asset with at least one second behavioral model of the plurality of behavioral models, wherein each at least one second behavioral model corresponds to a respective at least one second protection rule configuration of the plurality of protection rule configurations;
    - andwherein the malicious activity assessment is further based on the at least one second protection rule configuration.
  - 19. The system of claim 15, wherein the detection module is further configured to detect a detection sensitivity indicator that indicates a detection sensitivity to be associated with the information technology asset, wherein the first protection rule configuration includes a plurality of first protection rules having respective first rule sensitivities;
    - andan adjustment module configured to adjust the first rule sensitivities based on the detection sensitivity.
  - 20. The system of claim 15, wherein the detection module is further configured to detect a disablement indicator that indicates one or more protection technology sets to be disabled with respect to the information technology asset, each protection technology set including at least two respective protection rules of the plurality of protection rule configurations;
    - wherein the malicious activity assessment does not take into account protection rules that are included in the one or more disabled protection technology sets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Barash, Uri, Rubin, Shai A., Friedman, Arie, Dinerstein, Yosef, Hudis, Efim, Helman, Yair

Granted Patent

US 8,490,187 B2
Time in Patent Office

Days
Field of Search
US Class Current

715/764
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 3/0484   for the control of specific...

H04L 63/0263   Rule management

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Controlling Malicious Activity Detection Using Behavioral Models

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

55 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Controlling Malicious Activity Detection Using Behavioral Models

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

55 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links