Patent · US Active

Detecting directory reconnaissance in a directory service

US11126713B2 · kind B2 · utility

Cited by: 0
References: 2
Claims: 20
Family size: 0

Assignee

Inventors

Key dates

Filing date: Apr 8, 2019
Grant date: Sep 21, 2021
Priority date
Expiry date: Sep 28, 2039

Classification

  • Technology area (CPC G): Physics
  • CPC primary: G06F21/6227
  • WIPO field: Computer technology
  • WIPO sector: Electrical engineering

Abstract

A system for detecting directory reconnaissance in a directory service includes a sensor and a directory reconnaissance detector, each of which is executing on one or more computing devices. The sensor determines whether a query that is submitted to a directory server is a suspicious query and, if the query is determined to be a suspicious query, transmits the suspicious query to the directory reconnaissance detector. The directory reconnaissance detector includes a receiver, a context obtainer, an alert determiner and an alert transmitter. The receiver receives the suspicious query from the sensor and the context obtainer obtains context information associated with the suspicious query. The alert determiner determines whether a security alert should be generated based at least on the suspicious query and the context information. The alert transmitter generates the security alert responsive to a determination that the security alert should be generated.

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.