DETECTING ANOMALOUS ACCOUNTS USING EVENT LOGS

US 20160350165A1
Filed: 05/28/2015
Published: 12/01/2016
Est. Priority Date: 05/28/2015
Status: Active Grant

First Claim

Patent Images

1. A system for anomalous process detection, comprising:

an event log module configured to receive a plurality of event logs;

a filter module configured to filter the plurality of event logs based on detected process creations;

a receiving module configured to receive a directory path and process name for each detected process creation;

a conversion module configured to convert each directory path to a sequence of integers based on a character count for each sub-directory of the directory path;

a detection module configured to detect an anomalous process based on a threshold number of matching character counts and matching process names; and

a display module configured to display the detected anomalous process.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The claimed subject matter includes techniques for detecting anomalous accounts. An example method includes receiving, via a processor, a list of monitored machines and event logs including logons for the list of monitored machines for a predetermined window of time. The example method also includes generating, via the processor, a baseline based on the event logs for the predetermined window of time. The example method also includes collecting, via the processor, daily logon events after the predetermined time and comparing the daily logon events to the baseline. The method further includes detecting, via the processor, an anomalous account based on a difference of logon events of the anomalous account from the baseline. The method also includes displaying, via the processor, the detected anomalous account.

Citations

30 Claims

1. A system for anomalous process detection, comprising:
- an event log module configured to receive a plurality of event logs;
  
  a filter module configured to filter the plurality of event logs based on detected process creations;
  
  a receiving module configured to receive a directory path and process name for each detected process creation;
  
  a conversion module configured to convert each directory path to a sequence of integers based on a character count for each sub-directory of the directory path;
  
  a detection module configured to detect an anomalous process based on a threshold number of matching character counts and matching process names; and
  
  a display module configured to display the detected anomalous process.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system of claim 1, the receiver module further configured to receive user feedback as input to use in filtering and auto-classification of the plurality of event logs.
  - 3. The system of claim 1, the detection module further configured to match a process within an error of two characters to a process name on a list of process names.
  - 4. The system of claim 1, the detection module further configured to determine whether a number of matching sequences falls below a threshold number of matches for a given sequence.
  - 5. The system of claim 1, the detection module to further automatically classify patterns of processes linked with malware or grayware.

6. A system for detecting anomalous accounts, the system comprising:
- a receiving module configured to receive a list of monitored machines and event logs comprising logons for the list of monitored machines for a predetermined window of time;
  
  a baseline module configured to generate a baseline based on the event logs for the predetermined window of time;
  
  a collector module configured to collect daily logon events after the predetermined time and compare the daily logon events to the baseline;
  
  a detection module configured to detect an anomalous account based on a difference of logon events of the anomalous account from the baseline;
  
  an update module configured to generate a new baseline by removing older event logs from the baseline based on a predetermined adjustment time and adding new event logs from non-anomalous accounts based on the predetermined adjustment time and comparing daily logon events to the new baseline; and
  
  a display module configured to display the detected anomalous account.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The system of claim 6, the update module to further generate a new baseline by removing older event logs from the baseline based on a predetermined adjustment time and adding new event logs from non-anomalous accounts based on the predetermined adjustment time and comparing daily logon events to the new baseline.
  - 8. The system of claim 6, further comprising a graphing module to generate a bubble plot graph to visualize account behavior and the detected anomalous accounts.
  - 9. The system of claim 6, the baseline module to further format the event logs into a table format.
  - 10. The system of claim 9, the table format comprising an Optimized Row Columnar (ORC) format.

11. A system for generating bubble plot graphs, comprising:
- a receiving module configured to receive processed event logs comprising logons of a logon account at a plurality of machines for a predetermined time;
  
  an aggregator module configured to aggregate the processed event logs for the logon account to generate a total number of logons, and a first and a last logon time for the logon account;
  
  a graphing module configured to generate a bubble plot graph comprising a bubble based on the total number of logons and a difference between the first and the last logon time for the logon account and a size of the bubble indicating an inverse difference between the first logon and the last logon for the logon account; and
  
  a display module configured to display the bubble plot graph.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The system of claim 11, the logon account comprising one of a plurality of logon accounts to be represented by bubbles in the bubble plot graph.
  - 13. The system of claim 11, the graphing module to further receive an input and remove a bubble from the graph.
  - 14. The system of claim 11, the bubble plot graph further comprising an axis representing the last logon time for the logon account.
  - 15. The system of claim 11, the bubble plot graph further comprising an axis representing the total number of logons for the account.

16. A method for anomalous process detection, the method comprising:
- receiving, via a processor, a plurality of event logs;
  
  filtering, via the processor, the plurality of event logs to detect process creations;
  
  receiving, via the processor, a directory path and process name for each detected process creation;
  
  converting, via the processor, each directory path to a sequence of integers based on character count;
  
  detecting, via the processor, an anomalous process based on a threshold number of matching character counts; and
  
  displaying, via the processor, the detected anomalous process.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16, further comprising receiving user feedback as input to use in filtering and auto-classification of the plurality of event logs.
  - 18. The method of claim 16, further comprising detecting an anomalous process based on matching process names.
  - 19. The method of claim 16, further comprising filtering the plurality of event logs to detect service installations and detecting an anomalous service installation based on the threshold number of matching character counts.
  - 20. The method of claim 16, further comprising automatically classifying patterns of processes linked with malware or grayware.

21. A method for detecting anomalous accounts, the method comprising:
- receiving, via a processor, a list of monitored machines and event logs comprising logons for the list of monitored machines for a predetermined window of time;
  
  generating, via the processor, a baseline based on the event logs for the predetermined window of time;
  
  collecting, via the processor, daily logon events after the predetermined time and comparing the daily logon events to the baseline;
  
  detecting, via the processor, an anomalous account based on a difference of logon events of the anomalous account from the baseline; and
  
  displaying, via the processor, the detected anomalous account.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The method of claim 21, further comprising generating, via the processor, a new baseline by removing older event logs from the baseline based on a predetermined adjustment time and adding new event logs from non-anomalous accounts based on the predetermined adjustment time and comparing daily logon events to the new baseline.
  - 23. The method of claim 21, further comprising generating, via the processor, a bubble plot graph to visualize account behavior and the detected anomalous accounts.
  - 24. The method of claim 21, wherein the event logs include additions of members to groups, further comprising detecting an anomalous group membership addition based on a detected difference of the group membership addition from the baseline.
  - 25. The method of claim 21, further comprising compressing, via the processor, the event logs into an Optimized Row Columnar (ORC) format.

26. A method for generating a bubble plot graph, comprising:
- receiving, via a processor, processed event logs comprising logons of a logon account at a plurality of machines for a predetermined time;
  
  aggregating, via the processor, the processed event logs for the logon account to generate a total number of logons, and a first and a last logon time for the logon account;
  
  generating, via the processor, a bubble plot graph based on the total number of logons and a difference between a first logon time and a last logon time for the logon account; and
  
  displaying, via the processor, the bubble plot graph.
- View Dependent Claims (27, 28, 29, 30)
- - 27. The method of claim 26, further comprising representing the difference between the first and last logon time for the account in the bubble plot graph via a bubble size.
  - 28. The method of claim 27, wherein the bubble size indicates an inverse difference between a first logon and last logon for the account.
  - 29. The method of claim 26, further comprising representing the last logon time for the logon account along one axis of the bubble plot graph.
  - 30. The method of claim 26, further comprising representing the total number of logons for the account along one axis of the bubble plot graph.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
LeMond, Jennifer, Duan, Haoyang, Wang, Xiaoming

Granted Patent

US 9,760,426 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 11/0751   Error or fault detection no...

G06F 11/0787   Storage of error reports, e...

G06F 11/079   Root cause analysis, i.e. e...

G06F 21/316   by observing the pattern of...

G06F 21/41   where a single sign-on prov...

G06F 21/552   involving long-term monitor...

G06F 2221/033   Test or assess software

G06F 2221/2151   Time stamp

DETECTING ANOMALOUS ACCOUNTS USING EVENT LOGS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

DETECTING ANOMALOUS ACCOUNTS USING EVENT LOGS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links