US 12,231,448 B2
Using graph enrichment to detect a potentially malicious access attempt
Shay Chriba Sakazi, Beer Sheva (IL); Andrey Karpovsky, Kiryat Motzkin (IL); Amit Magen Medina, Netanya (IL); and Tamer Salman, Haifa (IL)
Assigned to Microsoft Technology Licensing, LLC, Redmond, WA (US)
Filed by Microsoft Technology Licensing, LLC, Redmond, WA (US)
Filed on Feb. 25, 2022, as Appl. No. 17/681,658.
Prior Publication US 2023/0275913 A1, Aug. 31, 2023
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/1425 (2013.01) [H04L 63/1416 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A system to use graph enrichment to detect a potentially malicious access attempt, the system comprising:
a memory; and
a processing system coupled to the memory, the processing system configured to:
generate a graph that includes at least a subset of a plurality of nodes and a plurality of configuration-based links, the plurality of nodes representing a plurality of respective resources in a network-based system, each configuration-based link representing a hierarchical relationship between a respective pair of the nodes such that a first node in the pair belongs to a second node in the pair;
add a plurality of behavior-based links to the graph based at least in part on traffic logs associated with at least a subset of the resources, each behavior-based link representing at least one of the following:
an access-based relationship between a respective pair of the nodes, which is based at least in part on a first node in the pair accessing a second node in the pair; or
an association-based relationship between a respective pair of nodes, which is based at least in part on a first node in the pair having a relationship with a third node and which is further based at least in part on the third node sharing a link with a second node in the pair;
identify an attempt to create a new behavior-based link between a designated first node of the plurality of nodes and a designated second node of the plurality of nodes, wherein the designated first node attempts to access the designated second node;
determine a probability of the new behavior-based link being created in the graph, wherein the probability is based at least in part on the plurality of configuration-based links and the plurality of behavior-based links;
identify the new behavior-based link as a potentially malicious link based at least in part on the probability of the new behavior-based link being created in the graph being less than or equal to a threshold probability; and
perform a security action based at least in part on the new behavior-based link being identified as a potentially malicious link, the security action configured to increase security of the network-based system.
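The claimed pipeline (configuration-based links from a resource hierarchy, behavior-based access and association links from traffic logs, a link probability compared against a threshold, then a security action) as an added worked example; this code is not from the patent or from Microsoft, the topology and traffic log are constructed, and the scoring function (Jaccard similarity of neighbourhoods) and the alert-record "security action" are assumptions, since the claim does not specify either.

```python
from collections import defaultdict

class ResourceGraph:
    """Undirected graph of resources; every edge records its link kind."""
    def __init__(self):
        self.adj = defaultdict(set)
        self.kind = {}  # frozenset({a, b}) -> "configuration" | "access" | "association"

    def add_edge(self, a, b, kind):
        key = frozenset((a, b))
        if key not in self.kind:   # first link between a pair wins; no duplicates
            self.kind[key] = kind
            self.adj[a].add(b)
            self.adj[b].add(a)

    def has_edge(self, a, b):
        return frozenset((a, b)) in self.kind

def build_graph(hierarchy, traffic):
    """hierarchy: (child, parent) pairs -> configuration-based links.
    traffic: (source, destination) log entries -> access-based links, then
    association-based links: if a accessed c and c is linked to b, link a~b."""
    g = ResourceGraph()
    for child, parent in hierarchy:
        g.add_edge(child, parent, "configuration")
    for src, dst in traffic:
        g.add_edge(src, dst, "access")
    associations = [(src, b) for src, dst in traffic for b in g.adj[dst]
                    if b != src and not g.has_edge(src, b)]
    for a, b in associations:
        g.add_edge(a, b, "association")
    return g

def link_probability(g, a, b):
    """Assumed scoring function (not from the patent): Jaccard similarity of the
    two nodes' neighbourhoods in the enriched graph, in [0, 1]."""
    na, nb = g.adj[a] - {b}, g.adj[b] - {a}
    union = na | nb
    return len(na & nb) / len(union) if union else 0.0

def evaluate_access(g, src, dst, threshold=0.2):
    """Return an alert record when the attempted new link is improbable, else None."""
    p = link_probability(g, src, dst)
    if p <= threshold:
        # The security action is modelled as an alert record here (assumption).
        return {"source": src, "target": dst, "probability": round(p, 3), "action": "alert"}
    return None

# Constructed sample hierarchy (child belongs to parent) and traffic log; not real data.
HIERARCHY = [("vm-web-1", "rg-prod"), ("vm-web-2", "rg-prod"), ("sql-prod", "rg-prod"),
             ("kv-prod", "rg-prod"), ("vm-dev-1", "rg-dev"), ("kv-dev", "rg-dev")]
TRAFFIC = [("vm-web-1", "sql-prod"), ("vm-web-2", "sql-prod"),
           ("vm-web-2", "kv-prod"), ("vm-dev-1", "kv-dev")]
GRAPH = build_graph(HIERARCHY, TRAFFIC)

if __name__ == "__main__":
    print(evaluate_access(GRAPH, "vm-web-1", "kv-prod"))   # None: shares rg-prod and vm-web-2
    print(evaluate_access(GRAPH, "vm-dev-1", "sql-prod"))  # alert: no shared neighbours
```

A production-grade version would replace the Jaccard score with a trained link-prediction model over the same enriched graph; the flagging logic against a threshold is unchanged.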