BEHAVIOR-BASED SECURITY SYSTEM

US 20110225644A1
Filed: 03/09/2010
Published: 09/15/2011
Est. Priority Date: 03/09/2010
Status: Active Grant

First Claim

Patent Images

1. In a network comprising at least one client computing device and at least one security server regulating access to the network for the at least one client computing device, a method of detecting unauthorized access to the network, the method comprising:

(A) receiving, at the at least one security server from a client computing device, at least one request for a security operation to be performed for an entity;

(B) comparing properties of the at least one request to a behavioral profile for the entity to determine a similarity score for the at least one request, the behavioral profile identifying properties of requests commonly transmitted by the entity; and

(C) when the similarity score is below a threshold, increasing security restrictions on the entity.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Described herein are techniques for operating a security server to determine behavioral profiles for entities in a network and to detect attacks or unauthorized traffic in a network based on those behavioral profiles. In one technique, a behavioral profile may be generated based on requests for security operations to be performed that are received at a security server from an entity in a network. The behavioral profile may be generated using learning techniques, including artificial intelligence techniques such as neural networks. When the security server receives from an entity one or more requests for security operations to be performed, the security server may compare properties of the requests to the behavioral profile for the entity and properties of requests commonly sent by the entity. The security server may determine a similarity score indicating how similar the request are to the behavioral profile and to requests commonly received from the entity.

98 Citations

View as Search Results

20 Claims

1. In a network comprising at least one client computing device and at least one security server regulating access to the network for the at least one client computing device, a method of detecting unauthorized access to the network, the method comprising:
- (A) receiving, at the at least one security server from a client computing device, at least one request for a security operation to be performed for an entity;
  
  (B) comparing properties of the at least one request to a behavioral profile for the entity to determine a similarity score for the at least one request, the behavioral profile identifying properties of requests commonly transmitted by the entity; and
  
  (C) when the similarity score is below a threshold, increasing security restrictions on the entity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - (D) adjusting the behavioral profile based on the properties of the at least one request.
  - 3. The method of claim 2, wherein the act (C) of increasing the security restrictions comprises:
    - (C1) performing at least one security check to confirm the identity of the entity, andwherein the act (D) of adjusting is performed when the similarity score is above the threshold and/or when the entity passes the at least one security check.
  - 4. The method of claim 1, further comprising:
    - (D) when the similarity score is below the threshold, increasing a security level and/or an amount of resources available to a target of the at least one request.
  - 5. The method of claim 1, further comprising:
    - (D) establishing the behavioral profile through analyzing properties of a plurality of requests for security operations to be performed transmitted by the entity.
  - 6. The method of claim 5, wherein the analyzing is performed in real time by observing each of the plurality of requests as they are transmitted by the entity.
  - 7. The method of claim 5, wherein the act (D) of establishing comprises analyzing respective requests for each entity communicating in the network and establishing a respective behavioral profile for each of the entities based on the respective requests.
  - 8. The method of claim 7, wherein the act (D) of establishing further comprises:
    - (D1) establishing at least one group behavioral profile based at least in part on a plurality of respective behavioral profiles, the group behavioral profile identifying properties of requests commonly transmitted by entities in the group, andwherein the act (B) of comparing further comprises second comparing the properties of the at least one request to a group behavioral profile for a group to which the entity belongs and determining the similarity score based at least in part on the second comparing.
  - 9. The method of claim 8, wherein a group of the at least one group includes all entities communicating in the network.
  - 10. The method of claim 1, further comprising:
    - (D) providing the behavioral profile for the entity to the client computing device.
  - 11. The method of claim 1, wherein the act (C) of increasing comprises restricting access by the entity to some network resources when the similarity is below a first threshold, and blocking all communications by the entity if the similarity is below a second threshold.

12. At least one computer-readable storage medium encoded with computer-executable instructions that, when executed by a computer cause the computer to carry out, in a network comprising at least one client computing device and at least one security server regulating access to the network for the at least one client computing device, a method of detecting unauthorized access to the network, the method comprising:
- (A) establishing at least one respective behavioral profile through analyzing properties of a plurality of requests for security operations to be performed transmitted by each entity communicating in the network, each respective behavioral profile being associated with an entity and identifying properties of requests commonly transmitted by the entity;
  
  (B) establishing at least one group behavioral profile based at least in part on a plurality of respective behavioral profiles, each group behavioral profile identifying properties of requests commonly transmitted by entities in the group;
  
  (C) receiving at the at least one security server from a client computing device at least one request for a security operation to be performed for a particular entity;
  
  (D) identifying a group to which a particular entity belongs;
  
  (E) comparing properties of the at least one request to a respective behavioral profile for the entity and to a group behavioral profile for the group to determine a similarity score for the at least one request; and
  
  (F) when the similarity score is below a threshold, increasing security restrictions on the entity.
- View Dependent Claims (13, 14, 15, 16, 20)
- - 13. The at least one computer-readable medium of claim 12, further comprising:
    - (G) if the similarity score is above the threshold, adjusting the behavioral profile based on the properties of the at least one request.
  - 14. The at least one computer-readable medium of claim 12, wherein the act (F) of increasing comprises restricting access by the entity to some network resources when the similarity is below a first threshold, and blocking all requests by the entity if the similarity is below a second threshold.
  - 15. The at least one computer-readable medium of claim 12, wherein the comparing of act (E) comprises using a neural network to perform the comparing.
  - 16. The at least one computer-readable medium of claim 12, wherein the group includes all entities communicating in the network.
  - 20. The apparatus of claim 16, wherein the at least one processor is further adapted to adjust the behavioral profile based on the properties of the at least one request when the similarity score is above the threshold.

17. An apparatus comprising:
- at least one network adapter; and
  
  at least one processor adapted to;
  
  receive, via the at least one network adapter, a behavioral profile for an entity from at least one security server of a network to which the at least one network adapter has established a connection;
  
  receive at least one request to transmit into the network, on behalf of the entity, at least one request for a security operation to be performed;
  
  compare properties of the at least one request to the behavioral profile for the entity to determine a similarity score for the at least one request; and
  
  when the similarity score is below a threshold, prevent the at least one request from being transmitted into the network.
- View Dependent Claims (18, 19)
- - 18. The apparatus of claim 17, wherein the at least one processor is further adapted to:
    - receive, via the at least one network adapter, a second behavioral profile from the at least one security server, the second behavioral profile being a group behavioral profile identifying properties of requests for security operations to be performed commonly transmitted by entities in the group; and
      
      determine the similarity score for the at least one request based at least in part on comparing the properties of the at least one request to the group behavioral profile.
  - 19. The apparatus of claim 17, wherein the at least one processor is further adapted to prevent all communications from the entity from being transmitted into the network when the similarity score is below the threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Manu, Mitica, Pullikottil, Jack

Granted Patent

US 8,424,072 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/11
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

BEHAVIOR-BASED SECURITY SYSTEM

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

98 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

BEHAVIOR-BASED SECURITY SYSTEM

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

98 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links