Anomaly detection using multiple detection models
US-2023325292-A1 · Oct 12, 2023 · US
US12301615B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12301615-B2 |
| Application number | US-202217727759-A |
| Country | US |
| Kind code | B2 |
| Filing date | Apr 24, 2022 |
| Priority date | Apr 24, 2022 |
| Publication date | May 13, 2025 |
| Grant date | May 13, 2025 |
Official abstract text for this publication.
Some embodiments help protect an organization against ransomware attacks by combining incrimination logics. An organizational-level incrimination logic helps detect alert spikes across many machines, which collectively indicate an attack. Graph-based incrimination logics help detect infestations of even a few machines, and local incrimination logics focus on protecting respective individual machines. Graph-based incrimination logics may compare monitored system graphs to known ransomware attack graphs. Graphs may have devices as nodes and device network connectivity, repeated files, repeated processes or actions, or other connections as edges. Statistical analyses and machine learning models may be employed as incrimination logics. Search logics may find additional incrimination candidates that would otherwise evade detection, based on files, processes, IP addresses, devices, accounts, or other computational entities previously incriminated. Incrimination engine results are forwarded to endpoint protection systems, intrusion protection systems, authentication controls, or other intervention mechanisms to enhance monitored system security.
Opening claim text (preview).
What is claimed is:

1. A computing system which is configured to help protect an organization against a ransomware attack by an organizational ransomware that targets multiple machines of the organization, the computing system comprising: a digital memory; an organization-level incrimination logic configured to detect a spike in cybersecurity alerts which occur collectively on at least a specified number of machines of the organization or on at least a specified percentage of machines of the organization, or both; at least one sub-organization-level incrimination logic configured to detect a cybersecurity anomaly on at least one machine of the organization without regard to the organization-level incrimination logic specified number of machines of the organization and without regard to the organization-level incrimination logic specified percentage of machines of the organization; an incrimination logics interface in operable digital communication with the incrimination logics; a processor in operable communication with the digital memory, the processor configured to execute organizational protection against the organizational ransomware, the execution of organizational protection comprising execution of a two-level approach which combines consideration of alerts from a group of machines by using the organization-level incrimination logic with consideration of alerts from fewer machines or from only a single machine by using the at least one sub-organization-level incrimination logic, in order to detect organizational ransomware, the organizational ransomware being a particular kind of malware which is designed to spread among multiple machines without detection and then present a ransom demand, the organizational protection including: collecting at least one incrimination candidate, the incrimination candidate comprising a set of one or more attack indication computational entities, the collecting based on at least one cybersecurity alert specifying at least one computational entity of at least one machine of the organization, the at least one incrimination candidate including the at least one computational entity, submitting the at least one collected incrimination candidate to the incrimination logics interface and in response receiving an incrimination boost attempt result, determining that the incrimination boost attempt result indicates a boost in an incrimination confidence past a specified threshold, marking each computational entity specified in the at least one cybersecurity alert as an incriminated computational entity, the marking being in response to the boost attempt result indicating that the incrimination confidence passed the specified threshold, and notifying an intervention mechanism of the incriminated computational entity.

2. The computing system of claim 1, wherein the at least one sub-organization-level incrimination logic comprises a graph-based incrimination logic, the graph-based incrimination logic comprising computing hardware configured by software to detect a cybersecurity anomaly based on a digital graph representation of the following: at least two machines of the organization, at least one connection between machines of the organization, and at least one machine attribute or at least one connection attribute or both.

3. The computing system of claim 2, wherein the at least one sub-organization-level incrimination logic further comprises a local incrimination logic, the local incrimination logic comprising computing hardware configured by software to detect a cybersecurity anomaly based on a digital representation of data or computational activity or both on a particular machine of the organization.

4. The computing system of claim 1, wherein the processor is further configured to search for an additional incrimination candidate based on at least one incriminated computational entity.

5. The computing system of claim 1, further characterized in at least one of the following ways: the organization-level incrimination logic comprises computing hardware configured by a machine learning software model trained using alert spike data derived from multiple ransomware organizational-level attacks; the organization-level incrimination logic comprises computing hardware configured by a machine learning software model trained by supervised learning using alert spike data derived from at least one ransomware organizational-level attack; the sub-organization-level incrimination logic comprises a graph-based incrimination logic, which comprises computing hardware configured by a graph convolutional neural network machine learning software model trained using a graph having nodes which represent machines of the organization, edges which represent connections between machines of the organization, and at least one machine attribute or at least one connection attribute or both; or the sub-organization-level incrimination logic comprises a graph-based incrimination logic, which comprises computing hardware configured by a graph machine learning software model trained by supervised learning using graphs having nodes which represent machines of the organization, and edges which represent connections between machines of the organization.

6. A method for protecting an organization against a ransomware attack by an organizational ransomware, the organizational ransomware being a particular kind of malware which is designed to spread among multiple machines without detection and then present a ransom demand, the method executed by a computing system, the method comprising: collecting at least one incrimination candidate based on at least one cybersecurity alert specifying at least one computational entity, the incrimination candidate comprising a set of one or more attack indication computational entities; submitting at least one collected incrimination candidate to an organization-level incrimination logic via an organization-level incrimination logic interface and in response receiving an organization-level incrimination boost attempt result, the organization-level incrimination logic configured to detect a spike in cybersecurity alerts which occur collectively on at least a specified number of machines of the organization or on at least a specified percentage of machines of the organization, or both; submitting at least one collected incrimination candidate to at least one sub-organization-level incrimination logic via at least one sub-organization-level incrimination interface and in response receiving at least one sub-organization-level incrimination boost attempt result, the sub-organization-level incrimination logic configured to detect a cybersecurity anomaly on at least one machine of the organization without regard to the organization-level incrimination logic specified number of machines of the organization and without regard to the organization-level incrimination logic specified percentage of machines of the organization; determining the incrimination boost attempt results collectively indicate a boost in an incrimination confidence past the specified threshold, and marking each computational entity specified in the at least one cybersecurity alert as an incriminated computational entity which is compromised by the organizational ransomware, the marking being in response to the boost attempt results collectively indicating that the incrimination confidence passed the specified threshold; and notifying an intervention mechanism of the at least one incriminated computational entity; wherein the method comprises execution of a two-level approach which combines consideration of alerts from a group of machines by using the organization-level incrimination logic with consideration of alerts from fewer machines or from only a single machine by using the at least one sub-organization-le
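The abstract and claims 1 through 4 describe a pipeline: collect an incrimination candidate from an alert, submit it to an organization-level logic (alert spike across many machines), a graph-based logic (machines as nodes, shared files or network connections as edges) and a local logic (activity on one machine), sum the resulting boosts, mark the alert's entities as incriminated once the confidence passes a threshold, notify an intervention mechanism, and then search for further candidates based on what was incriminated. The following is an added illustration of that flow in Python; it is not the patent's or any product's code. The class names, the boost weights, the threshold, the rule that a graph anomaly is a connected component of two or more machines (a stand-in for comparison against known ransomware attack graphs), and the sample alerts and file inventory are all constructed assumptions.

```python
"""Two-level incrimination engine in the spirit of the abstract and claim 1.
Added illustration: class names, weights, thresholds and sample data are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    machine: str   # device that raised the alert
    entity: str    # computational entity named by the alert (file hash, process, IP, account)
    kind: str      # alert type, e.g. "file_encrypt", "proc_spawn", "search_hit"


@dataclass(frozen=True)
class Candidate:
    """Incrimination candidate: the attack-indication entities taken from one alert."""
    entities: frozenset
    alerts: tuple


class OrgLevelLogic:
    """Organization-level logic: alert spike on >= min_machines or >= min_pct of the org."""
    def __init__(self, org_size, min_machines=5, min_pct=0.10):
        self.org_size, self.min_machines, self.min_pct = org_size, min_machines, min_pct

    def boost(self, cand, alerts):
        hit = {a.machine for a in alerts}
        spike = len(hit) >= self.min_machines or len(hit) / self.org_size >= self.min_pct
        return 0.5 if spike else 0.0


class GraphLogic:
    """Graph-based logic: machines are nodes; an edge is a recorded network connection or a
    repeated entity (same file/process alerted on both machines). Assumed rule: boost when
    the candidate's machine lies on a component of >= 2 machines."""
    def __init__(self, connections):
        self.static = defaultdict(set)
        for a, b in connections:
            self.static[a].add(b)
            self.static[b].add(a)

    def boost(self, cand, alerts):
        adj = defaultdict(set, {m: set(n) for m, n in self.static.items()})
        by_entity = defaultdict(set)
        for a in alerts:
            by_entity[a.entity].add(a.machine)
        for machines in by_entity.values():       # repeated entity => edge between machines
            for m in machines:
                adj[m] |= machines - {m}
        seen, stack = set(), [a.machine for a in cand.alerts]
        while stack:                              # component reachable from the candidate
            m = stack.pop()
            if m not in seen:
                seen.add(m)
                stack.extend(adj[m])
        return 0.3 if len(seen) >= 2 else 0.0


class LocalLogic:
    """Local logic: repeated file-encryption alerts on a single machine."""
    def __init__(self, min_encrypt=3):
        self.min_encrypt = min_encrypt

    def boost(self, cand, alerts):
        for m in {a.machine for a in cand.alerts}:
            n = sum(1 for a in alerts if a.machine == m and a.kind == "file_encrypt")
            if n >= self.min_encrypt:
                return 0.3
        return 0.0


class IncriminationEngine:
    """Incrimination logics interface plus marking, notification and search."""
    def __init__(self, logics, threshold=0.6):
        self.logics, self.threshold = logics, threshold
        self.alerts, self.incriminated, self.notified = [], set(), []

    def run(self, alerts):
        self.alerts.extend(alerts)                # spike detection needs the whole batch first
        for a in alerts:
            self._evaluate(Candidate(frozenset({a.machine, a.entity}), (a,)))
        return self.incriminated

    def _evaluate(self, cand):
        confidence = sum(logic.boost(cand, self.alerts) for logic in self.logics)
        if confidence > self.threshold:           # boost past the specified threshold
            for e in cand.entities - self.incriminated:
                self.incriminated.add(e)
                self.notified.append(e)           # stand-in for the intervention mechanism
            return True
        return False

    def search(self, inventory):
        """Search logic: a silent machine whose observed entities include an incriminated
        one becomes a new candidate. inventory maps machine -> set of observed entities."""
        found = [Alert(m, e, "search_hit") for m, ents in inventory.items()
                 if m not in self.incriminated for e in ents & self.incriminated]
        self.run(found)
        return found


def demo():
    """Constructed sample: 20-machine org, one binary alerted on ws01..ws05, an unrelated
    alert on ws06, and srv01 holding the same binary but raising no alert of its own."""
    locker, benign = "sha256:locker-bin", "sha256:updater-bin"
    alerts = [Alert("ws01", locker, "file_encrypt")] * 3 + [
        Alert(f"ws0{i}", locker, "proc_spawn") for i in range(2, 6)
    ] + [Alert("ws06", benign, "proc_spawn")]
    engine = IncriminationEngine(
        [OrgLevelLogic(org_size=20), GraphLogic([("ws03", "srv01")]), LocalLogic()])
    engine.run(alerts)
    hits = engine.search({"srv01": {locker, "sha256:word-bin"}, "ws07": {"sha256:word-bin"}})
    return engine, hits
```

In the sample, the spike alone is worth 0.5, so ws06, whose unrelated alert shares no entity or connection with the others, stays below the 0.6 threshold even though the organization is under attack; ws01 through ws05 pass because the graph logic adds 0.3 for the repeated binary, and ws01 also gets the local boost. srv01 never raised an alert and so is never a candidate until the search logic finds the incriminated hash in its inventory, after which the org-level and graph boosts incriminate it too.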
for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title
Vulnerability analysis · CPC title
Traffic logging, e.g. anomaly detection · CPC title
Event detection, e.g. attack signature detection · CPC title
Architecture, e.g. interconnection topology · CPC title