Analysis of computer network activity by successively removing accepted types of access events

Assignee

• Microsoft Corporation · US

Inventors

• Robert Eric Fitzgerald · Herndon, US
• Jack Wilson Stokes, III · North Bend, US
• Alice Zheng · Seattle, US
• Edward W. Hardy · Seattle, US
• Bodicherla Aditya Prakash · Pittsburgh, US

Key dates

Classification

• Technology area (CPC H)Electricity
• CPC primaryH04L63/1425
• WIPO fieldDigital communication
• WIPO sectorElectrical engineering

Abstract

An analysis system is described for identifying potentially malicious activity within a computer network. It performs this task by interacting with a user to successively remove known instances of non-malicious activity, to eventually reveal potentially malicious activity. The analysis system interacts with the user by inviting the user to apply labels to identified examples of network behavior; upon response by the user, the analysis system supplies new examples of network behavior to the user. In one implementation, the analysis system generates such examples using a combination of feature-based analysis and graph-based analysis. The graph-based analysis relies on analysis of graph structure associated with access events, such as by identifying entropy scores for respective portions of the graph structure.