US Patent Application 17727759. ORGANIZATION-LEVEL RANSOMWARE INCRIMINATION simplified abstract

From WikiPatents

ORGANIZATION-LEVEL RANSOMWARE INCRIMINATION

Organization Name

Microsoft Technology Licensing, LLC


Inventor(s)

Arie Agranonik of Herzliya (IL)
Shay Kels of Givatayim (IL)
Amir Rubin of Vancouver (CA)
Charles Edouard Elie Bettan of Tel Aviv (IL)
Yair Tsarfaty of Nahariya (IL)
Itai Kollmann Dekel of Herzliya (IL)


ORGANIZATION-LEVEL RANSOMWARE INCRIMINATION - A simplified explanation of the abstract

  • This abstract appeared for US patent application number 17727759, titled 'ORGANIZATION-LEVEL RANSOMWARE INCRIMINATION'.

Simplified Explanation

The abstract describes a method to protect organizations from ransomware attacks by combining several types of incrimination logic. These logics work at different scales: an organization-level logic looks for alert spikes across many machines, which together indicate an attack; graph-based logics detect infestations of even a few machines by comparing graphs of the monitored system (devices as nodes, network connections, repeated files, or repeated processes as edges) to known ransomware attack graphs; and local logics protect individual machines. Statistical analysis and machine learning models can also serve as incrimination logics, and search logics find further candidates (files, processes, IP addresses, devices, accounts) connected to entities already incriminated that would otherwise evade detection. The results of the incrimination logics are forwarded to endpoint protection, intrusion protection, authentication controls, or other intervention mechanisms to strengthen the security of the monitored system.


Original Abstract Submitted

Some embodiments help protect an organization against ransomware attacks by combining incrimination logics. An organizational-level incrimination logic helps detect alert spikes across many machines, which collectively indicate an attack. Graph-based incrimination logics help detect infestations of even a few machines, and local incrimination logics focus on protecting respective individual machines. Graph-based incrimination logics may compare monitored system graphs to known ransomware attack graphs. Graphs may have devices as nodes and device network connectivity, repeated files, repeated processes or actions, or other connections as edges. Statistical analyses and machine learning models may be employed as incrimination logics. Search logics may find additional incrimination candidates that would otherwise evade detection, based on files, processes, IP addresses, devices, accounts, or other computational entities previously incriminated. Incrimination engine results are forwarded to endpoint protection systems, intrusion protection systems, authentication controls, or other intervention mechanisms to enhance monitored system security.
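The following is an added example, not code from Microsoft or from the patent application, that sketches the three layers the abstract and the simplified explanation describe: an organization-level statistical spike check over alerts from many machines, a graph-based check with devices as nodes and repeated-file edges, and a search logic that expands from incriminated devices through shared accounts and IP addresses to candidates that raised no alert themselves. The alert log, edge list, entity links, the mean-plus-k-standard-deviations threshold and the "one device spreading the same file to three or more others" star pattern used as the known attack graph are all constructed assumptions for illustration; the patent's actual thresholds, graph comparison and models are not stated on this page.

```python
"""Added example (not the patent's code): toy versions of the incrimination
layers named in the abstract, run over constructed sample data."""
from collections import defaultdict, deque
from statistics import mean, pstdev

# Constructed sample data: (minute, machine, alert_name). Minutes 0-4 are a quiet
# baseline; minute 5 is a burst of file-rename alerts across eight machines.
ALERTS = [
    (0, "ws-01", "suspicious_script"),
    (1, "ws-02", "suspicious_script"),
    (2, "ws-03", "lsass_access"),
    (3, "ws-01", "suspicious_script"),
    (4, "ws-04", "lsass_access"),
] + [(5, f"ws-{n:02d}", "mass_file_rename") for n in range(1, 9)]

# Constructed edges: (src_device, dst_device, edge_kind, label). Repeated files
# and network connections are two of the edge types the abstract lists.
EDGES = [
    ("ws-01", "ws-02", "repeated_file", "sha256:deadbeef"),
    ("ws-01", "ws-03", "repeated_file", "sha256:deadbeef"),
    ("ws-01", "ws-05", "repeated_file", "sha256:deadbeef"),
    ("ws-01", "ws-06", "smb_connection", "445"),
    ("ws-07", "ws-08", "repeated_file", "sha256:cafef00d"),
]

# Constructed device<->entity links for the search logic: (device, kind, entity).
ENTITY_LINKS = [
    ("ws-01", "account", "corp\\svc-backup"),
    ("ws-02", "account", "corp\\svc-backup"),
    ("ws-09", "account", "corp\\svc-backup"),   # ws-09 never raised an alert
    ("ws-09", "ip", "10.0.0.77"),
]


def org_level_spikes(alerts, k=2.0, min_machines=3):
    """Organization-level logic: flag minutes whose distinct-machine alert count
    exceeds mean + k*stddev of the other minutes (assumed statistical baseline)."""
    per_minute = defaultdict(set)
    for minute, machine, _ in alerts:
        per_minute[minute].add(machine)
    counts = {m: len(s) for m, s in per_minute.items()}
    spikes = []
    for minute, n in sorted(counts.items()):
        others = [c for m, c in counts.items() if m != minute]
        if len(others) < 2:          # no baseline to compare against yet
            continue
        threshold = mean(others) + k * pstdev(others)
        if n >= min_machines and n > threshold:
            spikes.append((minute, sorted(per_minute[minute])))
    return spikes


def graph_level_star(edges, kind="repeated_file", min_fanout=3):
    """Graph-based logic: devices are nodes, repeated-file edges connect them.
    Assumed known attack pattern: one device spreading the same file to at least
    min_fanout others (a star motif). Returns (hub, file_label, victims)."""
    fanout = defaultdict(set)
    for src, dst, edge_kind, label in edges:
        if edge_kind == kind:
            fanout[(src, label)].add(dst)
    return [(src, label, sorted(v)) for (src, label), v in fanout.items()
            if len(v) >= min_fanout]


def search_expand(seed_devices, entity_links, max_hops=2):
    """Search logic: from incriminated devices, walk device<->entity links
    (accounts, IPs, ...) to reach further devices that share those entities."""
    adj = defaultdict(set)
    for device, kind, entity in entity_links:
        adj[device].add((kind, entity))
        adj[(kind, entity)].add(device)
    seen = set(seed_devices)
    queue = deque((d, 0) for d in seed_devices)
    while queue:
        node, hops = queue.popleft()
        if hops == max_hops:
            continue
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + 1))
    devices = sorted(n for n in seen if isinstance(n, str))
    entities = sorted(n for n in seen if isinstance(n, tuple))
    return devices, entities


def incriminate(alerts, edges, entity_links):
    """Combine the logics and emit intervention requests, standing in for the
    forwarding to endpoint protection / authentication controls in the abstract."""
    incriminated = set()
    for _, machines in org_level_spikes(alerts):
        incriminated.update(machines)
    for hub, _, victims in graph_level_star(edges):
        incriminated.update([hub, *victims])
    devices, entities = search_expand(sorted(incriminated), entity_links)
    actions = [("isolate_device", d) for d in devices]
    actions += [("review_account", e) for kind, e in entities if kind == "account"]
    return actions


if __name__ == "__main__":
    for action in incriminate(ALERTS, EDGES, ENTITY_LINKS):
        print(action)
```

On the constructed data the spike check flags minute 5, the star check flags ws-01 spreading the same file to three peers, and the search step adds ws-09, which never alerted but shares the service account with two incriminated machines, so it also receives an isolation request alongside an account review.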