INTRUSION DETECTION

US 20190098024A1
Filed: 09/28/2017
Published: 03/28/2019
Est. Priority Date: 09/28/2017
Status: Active Grant

First Claim

Patent Images

1. A method of detecting intrusions on a system or network, the method comprising:

identifying a plurality of instance types in which each instance type includes an instance;

identifying a compromised instance from the plurality of instance types; and

traversing a link between instance types from the compromised instance to discover an additional compromised instance.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A process to detect intrusions with an intrusion detection system is disclosed. The intrusion detection system identifies instance types, and each instance type includes an instance. A know compromised instance is identified from the plurality of instances. A link between the plurality instance types is traversed from the compromised instance to discover an additional compromised instance.

Citations

20 Claims

1. A method of detecting intrusions on a system or network, the method comprising:
- identifying a plurality of instance types in which each instance type includes an instance;
  
  identifying a compromised instance from the plurality of instance types; and
  
  traversing a link between instance types from the compromised instance to discover an additional compromised instance.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 wherein the additional compromised instance becomes the compromised instance, and another link from the compromised instance is traversed to discover still another compromised instance.
  - 3. The method of claim 1 wherein each of the plurality of instance types includes a plurality of instances.
  - 4. The method of claim 3 wherein the plurality of instance types includes a first instance type and a second instance type, and an instance of a first instance type is connected to an instance of the second instance type via the link.
  - 5. The method of claim 4 wherein instance of the first instance type are connected to the instances of the second instance type via a plurality of links.
  - 6. The method of claim 1 wherein the instance types include at least two of network addresses, machines, file names, and file hashes.
  - 7. The method of claim 6 wherein the link is determined from an event log or directory listing.
  - 8. The method of claim 1 wherein each instance includes a state.
  - 9. The method of claim 8 wherein each state is either compromised or not compromised.
  - 10. The method of claim 8 wherein all instances are neither not compromised nor compromised.

11. A computer readable storage device, which is not a transitory propagating signal, to store computer executable instructions to control a processor to:
- identify a plurality of instance types in which each instance type includes an instance;
  
  identify a compromised instance from the plurality of instance types; and
  
  traverse a link between instance types from the compromised instance to discover an additional compromised instance.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The computer readable storage device of claim 11 wherein each of the instance types includes a plurality of instance, and instances from one of the plurality of instance types are connected to instances from another of the plurality of instance types via a plurality of links.
  - 13. The computer readable storage device of claim 12 wherein the compromised instance is from the one of the instance plurality of instance types and the additional compromised instance is from the other of another of the plurality of instance types.
  - 14. The computer readable storage device of claim 12 wherein the link between instance types is traversed via an optimization algorithm in which the compromised instance is a constraint.
  - 15. The computer readable storage device of claim 14 wherein the optimization algorithm includes integer programming, linear programming, gradient descent, or simulated annealing.
  - 16. The computer readable storage device of claim 12 wherein the instances of the plurality of instance types are vertices in a graph, the plurality of instance types are partitions on the graphs, and the links are edges of the graph.

17. A system, comprising:
- a memory device to store a set of instructions; and
  
  a processor to execute the set of instructions to;
  
  identify a plurality of instance types in which each instance type includes an instance;
  
  identify a compromised instance from the plurality of instance types; and
  
  traverse a link between instance types from the compromised instance to discover an additional compromised instance.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17 wherein each of the instance types includes a plurality of instance, and instances from one of the plurality of instance types are connected to instances from another of the plurality of instance types via a plurality of links.
  - 19. The system of claim 18 wherein the instance types include at least two of network addresses, machines, file names, and file hashes and the link is determined from an event log or directory listing.
  - 20. The system of claim 18 implemented as a security service in a cloud environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Gaivoronski, Svetlana, England, Paul, Rouatbi, Mohamed, Jakubowski, Mariusz H., Peinado, Marcus, Gonzalez, JR., Julian Federico

Granted Patent

US 10,791,128 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/56   Computer malware detection ...

H04L 2463/146   Tracing the source of attacks

H04L 43/08   Monitoring or testing based...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

INTRUSION DETECTION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

INTRUSION DETECTION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links