Volatility-based classifier for security solutions

US 9,485,263 B2
Filed: 07/16/2014
Issued: 11/01/2016
Est. Priority Date: 07/16/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

producing usage data associated with an online service, the usage data being associated with online service interactions comprising synthetic attack patterns and describing interaction with the online service;

producing operational data associated with the online service, the operational data being associated with the online service interactions and describing hardware and software operations of a datacenter hosting the online service;

processing the usage data and the operational data to produce a measure of behavioral changes over time;

correlating behavioral changes of the usage data and the operational data; and

processing the correlated behavioral changes to recognize one or more events in which usage and operational behavioral changes deviate from historical data of the online service.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various embodiments provide an approach to classifying security events based on the concept of behavior change detection or “volatility.” Behavior change detection is utilized, in place of a pre-defined patterns approach, to look at a system'"'"'s behavior and detect any variances from what would otherwise be normal operating behavior. In operation, machine learning techniques are utilized as an event classification mechanism which facilitates implementation scalability. The machine learning techniques are iterative and continue to learn over time. Operational scalability issues are addressed by using the computed volatility of the events in a time series as input for a classifier. During a learning process (i.e., the machine learning process), the system identifies relevant features that are affected by security incidents. When in operation, the system evaluates those features in real-time and provides a probability that an incident is about to occur.

90 Citations

View as Search Results

17 Claims

1. A computer-implemented method comprising:
- producing usage data associated with an online service, the usage data being associated with online service interactions comprising synthetic attack patterns and describing interaction with the online service;
  
  producing operational data associated with the online service, the operational data being associated with the online service interactions and describing hardware and software operations of a datacenter hosting the online service;
  
  processing the usage data and the operational data to produce a measure of behavioral changes over time;
  
  correlating behavioral changes of the usage data and the operational data; and
  
  processing the correlated behavioral changes to recognize one or more events in which usage and operational behavioral changes deviate from historical data of the online service.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the online service interactions further include user interactions.
  - 3. The method of claim 1, wherein the synthetic attack patterns comprise attack strings and attack code injected into one or more URLs.
  - 4. The method of claim 1, wherein said measure of behavioral changes comprises individual numbers which are correlated to deviations of the behavioral change.
  - 5. The method of claim 1, wherein said correlating behavioral changes produces a stream that captures correlated aggregation of both usage and operational behavioral changes.

6. One of an optical storage device, a magnetic storage device or a memory storage device configured to store computer readable instructions which, when executed, perform operations comprising:
- providing a recognizer that has been trained using one or more synthetic attack patterns with usage data describing interaction with an online service, and operational data describing hardware and software operations of a datacenter hosting the online service;
  
  processing received usage data and operational data to recognize one or more events in which usage and operational behavioral changes deviate from historical data;
  
  scoring the recognized one or more events to identify one of false positives and false negatives; and
  
  using the one of false positives and false negatives to further train the recognizer.
- View Dependent Claims (7, 8, 9, 10, 11, 12)
- - 7. The optical storage device, magnetic storage device or memory storage device of claim 6, wherein processing said received usage data and operational data comprises:
    - producing, from the usage data and the operational data, measures of behavioral change over time;
      
      correlating the behavioral changes of the usage data and operational data; and
      
      processing the correlated behavioral changes to recognize the one or more events.
  - 8. The optical storage device, magnetic storage device or memory storage device of claim 7, wherein said correlating the behavioral changes produces a stream that captures correlated aggregation of both usage and operational behavioral changes.
  - 9. The optical storage device, magnetic storage device or memory storage device of claim 6, wherein:
    - processing the received usage data comprises processing the usage data with a usage data volatility processor to produce a time series of usage data volatility; and
      
      wherein processing the operational data comprises processing the operational data with an operational data volatility processor to produce a time series of operational data volatility.
  - 10. The optical storage device, magnetic storage device or memory storage device of claim 9, wherein processing the received usage data and the operational data further comprises correlating the time series of usage data volatility and the time series of operational data volatility to provide a stream that captures correlated aggregation of both usage volatility and operational volatility in a time series bounded to pre-defined intervals.
  - 11. The optical storage device, magnetic storage device or memory storage device of claim 6, wherein the recognizer has been trained using one or more synthetic attack patterns, wherein the one or more synthetic attack patterns comprise attack strings and attack code injected into one or more URLs.
  - 12. The optical storage device, magnetic storage device or memory storage device of claim 6, wherein the recognizer has been trained using both user interactions and the one or more synthetic attack patterns.

13. A computing device comprising:
- one or more microprocessors;
  
  one or more computer readable storage device storing computer readable instructions which, when executed by the one or more microprocessors, implement;
  
  one or more online services;
  
  a user traffic module configured to provide user interactions with the one or more online services;
  
  a synthetic attack generator configured to generate synthetic attacks on the one or more online services; and
  
  a recognizer configured to;
  
  process received usage data and operational data to recognize one or more events in which usage and operational behavioral changes deviate from historical data;
  
  score recognized events to identify false positives and false negatives; and
  
  use the false positives and false negatives to further train the recognizer,wherein the one or more online services are configured to produce, from the user interactions with the user traffic module and the synthetic attack generator, usage data and operational data.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The computing device of claim 13, wherein the recognizer is configured to process said received usage data and operational data by at least:
    - producing, from the usage data and the operational data, measures of behavioral change over time;
      
      correlating the behavioral changes of the usage data and operational data; and
      
      processing the correlated behavioral changes to recognize the one or more events.
  - 15. The computing device of claim 14, wherein correlating the behavioral changes produces a stream that captures correlated aggregation of both usage and operational behavioral changes.
  - 16. The computing device of claim 13, wherein the recognizer is configured to process the received usage data and the operational data by at least:
    - processing the usage data with a usage data volatility processor to produce a time series with an indicated volatility of usage data; and
      
      processing the operational data by at least processing the operational data with an operational data volatility processor to produce a time series with an indicated volatility of operational data.
  - 17. The computing device of claim 16, wherein the recognizer is further configured to process the received usage data and the operational data by at least correlating the time series with the indicated volatility of usage data and the time series with the indicated volatility of operational data to provide a stream that captures correlated aggregation of both the time series with the indicated volatility of usage data and the time series with the indicated volatility of operational data in a time series bounded to pre-defined intervals.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Sol, Alisson Augusto Souza, Markey, Barry, Fish, Robert D., Ankney, Donald J., Boia, Dragos D., Ramdatmisier, Viresh
Primary Examiner(s)
CHEN, SHIN HON

Application Number

US14/333,377
Publication Number

US 20160021124A1
Time in Patent Office

839 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Volatility-based classifier for security solutions

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

90 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Volatility-based classifier for security solutions

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

90 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links