Controlling malicious activity detection using behavioral models

US 9,536,087 B2
Filed: 08/01/2015
Issued: 01/03/2017
Est. Priority Date: 03/20/2009
Status: Active Grant

First Claim

Patent Images

1. A system to control malicious activity detection, comprising:

one or more processors;

memory coupled to at least one of the one or more processors;

an interface module, implemented using at least one of the one or more processors, configured to display a first graphical interface element at a presentation device that enables a user to select a behavioral model to be associated with an information technology asset,the interface module further configured to display a second graphical interface element that enables the user to select a detection sensitivity to be associated with the information technology asset; and

an indicator distribution module, implemented using at least one of the one or more processors, configured to cause distribution of a behavioral model indicator indicating the selected behavioral model to a plurality of protection services deployed on one or more processing modules to cause the plurality of protection services to utilize a plurality of respective protection rule configurations corresponding to the selected behavioral model to generate respective malicious activity assessments with respect to the information technology asset,the indicator distribution module further configured to cause distribution of a detection sensitivity indicator indicating the selected detection sensitivity to the plurality of protection services to cause the plurality of protection services to utilize the plurality of respective protection rule configurations that further correspond to the selected detection sensitivity to generate the respective malicious activity assessments with respect to the information technology asset.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and computer program products are described for controlling malicious activity detection with respect to information technology assets based on behavioral models associated with the respective information technology assets. Protection rules and corresponding sensitivities associated with the behavioral models are applied by protection services to detect malicious activity with respect to the information technology assets.

Citations

20 Claims

1. A system to control malicious activity detection, comprising:
- one or more processors;
  
  memory coupled to at least one of the one or more processors;
  
  an interface module, implemented using at least one of the one or more processors, configured to display a first graphical interface element at a presentation device that enables a user to select a behavioral model to be associated with an information technology asset,the interface module further configured to display a second graphical interface element that enables the user to select a detection sensitivity to be associated with the information technology asset; and
  
  an indicator distribution module, implemented using at least one of the one or more processors, configured to cause distribution of a behavioral model indicator indicating the selected behavioral model to a plurality of protection services deployed on one or more processing modules to cause the plurality of protection services to utilize a plurality of respective protection rule configurations corresponding to the selected behavioral model to generate respective malicious activity assessments with respect to the information technology asset,the indicator distribution module further configured to cause distribution of a detection sensitivity indicator indicating the selected detection sensitivity to the plurality of protection services to cause the plurality of protection services to utilize the plurality of respective protection rule configurations that further correspond to the selected detection sensitivity to generate the respective malicious activity assessments with respect to the information technology asset.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the first graphical interface element is configured to enable a user to select a behavioral model to be associated with a computer;
    - wherein the interface module is configured to display the second graphical interface element that enables the user to select a detection sensitivity to be associated with the computer; and
      
      wherein the indicator distribution module is configured to cause distribution of the behavioral model indicator and the detection sensitivity indicator to the plurality of protection services to cause the plurality of protection services to utilize the plurality of respective protection rule configurations that correspond to the selected behavioral model and the selected detection sensitivity to generate the respective malicious activity assessments with respect to the computer.
  - 3. The system of claim 1, wherein the first graphical interface element is configured to enable a user to select a behavioral model to be associated with a user account;
    - wherein the interface module is configured to display the second graphical interface element that enables the user to select a detection sensitivity to be associated with the user account; and
      
      wherein the indicator distribution module is configured to cause distribution of the behavioral model indicator and the detection sensitivity indicator to the plurality of protection services to cause the plurality of protection services to utilize the plurality of respective protection rule configurations that correspond to the selected behavioral model and the selected detection sensitivity to generate the respective malicious activity assessments with respect to the user account.
  - 4. The system of claim 1, wherein the first graphical interface element is configured to enable a user to select a behavioral model to be associated with a service;
    - wherein the interface module is configured to display the second graphical interface element that enables the user to select a detection sensitivity to be associated with the service; and
      
      wherein the indicator distribution module is configured to cause distribution of the behavioral model indicator and the detection sensitivity indicator to the plurality of protection services to cause the plurality of protection services to utilize the plurality of respective protection rule configurations that correspond to the selected behavioral model and the selected detection sensitivity to generate the respective malicious activity assessments with respect to the service.
  - 5. The system of claim 1, wherein the first graphical interface element is configured to enable a user to select a behavioral model to be associated with an application;
    - wherein the interface module is configured to display the second graphical interface element that enables the user to select a detection sensitivity to be associated with the application; and
      
      wherein the indicator distribution module is configured to cause distribution of the behavioral model indicator and the detection sensitivity indicator to the plurality of protection services to cause the plurality of protection services to utilize the plurality of respective protection rule configurations that correspond to the selected behavioral model and the selected detection sensitivity to generate the respective malicious activity assessments with respect to the application.
  - 6. The system of claim 1, wherein the first graphical interface element is configured to enable a user to select a behavioral model to be associated with an enterprise network;
    - wherein the interface module is configured to display the second graphical interface element that enables the user to select a detection sensitivity to be associated with the enterprise network; and
      
      wherein the indicator distribution module is configured to cause distribution of the behavioral model indicator and the detection sensitivity indicator to the plurality of protection services to cause the plurality of protection services to utilize the plurality of respective protection rule configurations that correspond to the selected behavioral model and the selected detection sensitivity to generate the respective malicious activity assessments with respect to the enterprise network.
  - 7. The system of claim 1, wherein the first graphical interface element is configured to enable a user to select a plurality of behavioral models to be associated with the information technology asset;
    - andwherein the behavioral model indicator indicates the selected plurality of behavioral models to the plurality of protection services to cause the plurality of protection services to utilize respective protection rule configurations corresponding to a combination of the selected behavioral models to generate the respective malicious activity assessments with respect to the information technology asset.
  - 8. The system of claim 1, wherein the interface module is further configured to display a third graphical interface element that enables the user to disable one or more protection technology sets, each protection technology set including at least two respective protection rules of the plurality of protection rule configurations;
    - andwherein the indicator distribution module is further configured to cause distribution of a disablement indicator indicating the disabled one or more protection technology sets to the plurality of protection services to cause the plurality of protection services to not include the disabled one or more protection sets to generate the respective malicious activity assessments with respect to the information technology asset.
  - 9. The system of claim 1, wherein the interface module is further configured to display a third graphical interface element that enables the user to disable the plurality of protection rule configurations independently;
    - andwherein the indicator distribution module is further configured to cause distribution of a disablement indicator indicating disabled protection rules to the plurality of protection services to cause the plurality of protection services to not include the disabled protection rules to generate the respective malicious activity assessments with respect to the information technology asset.

10. A method of generating a malicious activity assessment using one or more processors of a processor-based system, the method comprising:
- receiving a behavioral model indicator associating an information technology asset with a first behavioral model of a plurality of behavioral models that correspond to a plurality of respective protection rule configurations, the first behavioral model corresponding to a first protection rule configuration of the plurality of protection rule configurations;
  
  receiving a disablement indicator indicating one or more individually disabled protection rules of the plurality of protection rule configurations; and
  
  responsive to receiving the behavioral model indicator, generating, using at least one of the one or more processors, the malicious activity assessment with respect to the information technology asset based on the first protection rule configuration, the generating the malicious activity assessment with respect to the information technology asset not taking into account the one or more individually disabled protection rules.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The method of claim 10, wherein receiving the behavioral model indicator comprises:
    - receiving the behavioral model indicator associating a computer with the first behavioral model; and
      
      wherein generating the malicious activity assessment comprises;
      
      generating the malicious activity assessment with respect to the computer based on the first protection rule configuration, the generating the malicious activity assessment with respect to the computer not taking into account the one or more individually disabled protection rules.
  - 12. The method of claim 10, wherein receiving the behavioral model indicator comprises:
    - receiving the behavioral model indicator associating a user account with the first behavioral model; and
      
      wherein generating the malicious activity assessment comprises;
      
      generating the malicious activity assessment with respect to the user account based on the first protection rule configuration, the generating the malicious activity assessment with respect to the user account not taking into account the one or more individually disabled protection rules.
  - 13. The method of claim 10, further comprising:
    - adjusting a plurality of first rule sensitivities of a plurality of respective first protection rules that are included in the first protection rule configuration based on a detection sensitivity in response to receipt of a detection sensitivity indicator that indicates that the detection sensitivity is to be associated with the information technology asset.
  - 14. The method of claim 10, wherein the disablement indicator further indicates one or more protection technology sets to be disabled with respect to the information technology asset, each protection technology set including at least two respective protection rules of the plurality of protection rule configurations;
    - andwherein generating the malicious activity assessment with respect to the information technology asset does not take into account protection rules that are included in the one or more disabled protection technology sets.

15. A system comprising:
- one or more processors;
  
  memory coupled to at least one of the one or more processors;
  
  a detection module, implemented using at least one of the one or more processors, configured to detect a behavioral model indicator that associates an information technology asset with a first behavioral model of a plurality of behavioral models that correspond to a plurality of respective protection rule configurations, the first behavioral model corresponding to a first protection rule configuration of the plurality of protection rule configurations, the first behavioral model configured to indicate which protection rules selected from a plurality of protection rules are to be applied by each of a plurality of protection services during a plurality of operations that are to be performed by the plurality of respective protection services, each protection rule indicating respective information to be collected with respect to the information technology asset for generation of the malicious activity assessment with respect to the information technology asset; and
  
  an assessment module, implemented using at least one of the one or more processors, configured to generate a malicious activity assessment with respect to the information technology asset based on the first protection rule configuration in response to the behavioral model indicator being detected.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the behavioral model indicator associates a service with the first behavioral model;
    - wherein each protection rule indicates respective information to be collected with respect to the information technology asset for generation of the malicious activity assessment with respect to the service; and
      
      wherein the assessment module is configured to generate the malicious activity assessment with respect to the service based on the first protection rule configuration in response to the behavioral model indicator being detected.
  - 17. The system of claim 15, wherein the behavioral model indicator associates a application with the first behavioral model;
    - wherein each protection rule indicates respective information to be collected with respect to the information technology asset for generation of the malicious activity assessment with respect to the application; and
      
      wherein the assessment module is configured to generate the malicious activity assessment with respect to the application based on the first protection rule configuration in response to the behavioral model indicator being detected.
  - 18. The system of claim 15, wherein the behavioral model indicator associates a enterprise network with the first behavioral model;
    - wherein each protection rule indicates respective information to be collected with respect to the information technology asset for generation of the malicious activity assessment with respect to the enterprise network; and
      
      wherein the assessment module is configured to generate the malicious activity assessment with respect to the enterprise network based on the first protection rule configuration in response to the behavioral model indicator being detected.
  - 19. The system of claim 15, further comprising:
    - an adjustment module configured to adjust a plurality of first rule sensitivities of a plurality of respective first protection rules that are included in the first protection rule configuration based on a detection sensitivity in response to receipt of a detection sensitivity indicator that indicates that the detection sensitivity is to be associated with the information technology asset.
  - 20. The system of claim 15, wherein the assessment module is configured to not take into account protection rules that are included in one or more disabled protection technology sets to generate the malicious activity assessment with respect to the information technology asset in response to receipt of a disablement indicator that indicates that the one or more protection technology sets are to be disabled with respect to the information technology asset;
    - andwherein each protection technology set includes at least two protection rules of the plurality of protection rule configurations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Rubin, Shai A., Dinerstein, Yosef, Hudis, Efim, Helman, Yair, Barash, Uri, Friedman, Arie
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
Doan, Trang

Application Number

US14/815,990
Publication Number

US 20150350230A1
Time in Patent Office

521 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 3/0484   for the control of specific...

H04L 63/0263   Rule management

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Controlling malicious activity detection using behavioral models

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Controlling malicious activity detection using behavioral models

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links