US 12,348,559 B2
Account classification using a trained model and sign-in data
Ye Xu, Kirkland, WA (US); Etan Micah Basseri, Seattle, WA (US); Biying Tan, Bellevue, WA (US); Caroline Katherine Templeton, Seattle, WA (US); and Prithviraj Sanjeev Kanherkar, Seattle, WA (US)
Assigned to Microsoft Technology Licensing, LLC, Redmond, WA (US)
Filed by Microsoft Technology Licensing, LLC, Redmond, WA (US)
Filed on Dec. 21, 2021, as Appl. No. 17/557,254.
Prior Publication US 2023/0199025 A1, Jun. 22, 2023
Int. Cl. H04L 9/00 (2022.01); G06N 5/01 (2023.01); G06N 20/00 (2019.01); H04L 9/40 (2022.01)
CPC H04L 63/1483 (2013.01) [G06N 5/01 (2023.01); G06N 20/00 (2019.01); H04L 63/0861 (2013.01); H04L 63/0869 (2013.01); H04L 63/1425 (2013.01)]
20 Claims
1. A computing system configured to classify an account in a computing environment as machine-driven or as human-driven, the computing system comprising:
a digital memory;
a processor in operable communication with the digital memory, the processor configured to perform account classification steps including (a) submitting sign-in data to a trained machine learning model, the sign-in data representing at least one attempt to sign-in to the account, the trained machine learning model tailored for account classification by at least one of the following: human-driven account sign-in data which trained the machine learning model to detect machine-driven accounts as anomalies, or machine-driven account sign-in data which trained the machine learning model to detect human-driven accounts as anomalies, (b) receiving from the trained machine learning model an anomaly detection result, (c) formulating an account classification based at least in part on the anomaly detection result, and (d) supplying the account classification for use by a cybersecurity risk management mechanism, the cybersecurity risk management mechanism configured to manage a cybersecurity risk associated with the account based at least in part on the account classification, thereby improving security by distinguishing the machine-driven accounts from the human-driven accounts;
wherein the trained machine learning model is tailored for account classification which classifies the account as a machine-driven account or a human-driven account at least in that the trained machine learning model has been trained to perform the account classification, and thereby configured, using training data which includes, represents, or is a calculation basis of at least three of:
an indication whether an IP address of a source of a sign-in attempt is hosted or residential;
an indication whether an autonomous system number of a source of a sign-in attempt represents hosted IPs or residential IPs;
an indication whether a source of a sign-in attempt is a browser;
an indication whether a source of a sign-in attempt is a command line interpreter;
an indication whether a source of a sign-in attempt resides on a mobile device;
an indication whether a source of a sign-in attempt resides on an organizationally managed device;
an indication whether a sign-in attempt included or followed a successful multifactor authentication;
an indication whether a sign-in attempt included or followed a successful biometric authentication;
an indication whether a sign-in attempt included or followed a successful removable hardware security key device authentication;
an indication of which one or more operating systems are present on a source of a sign-in attempt;
an indication of how many operating systems are present on a source of a sign-in attempt; or
an error code generated in response to the sign-in attempt.
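
The following Python example is an added illustration, not code from the patent or from its assignee. It walks steps (a) through (d) of claim 1 for the variant trained on human-driven sign-in data, using six of the listed indications. The independent per-feature likelihood model, the 0/1 feature encoding, the majority-vote aggregation per account, and all sample sign-ins are assumptions constructed for the example.

```python
import math

# Six of the claim's listed indications, encoded as 0/1 (the encoding is an assumption).
FEATURES = ("ip_hosted", "is_browser", "is_cli", "on_mobile", "managed_device", "mfa_ok")

def signin(**flags):
    """Build one sign-in record; unspecified indications default to 0."""
    return {f: int(flags.get(f, 0)) for f in FEATURES}

# Constructed human-driven training sign-ins (not real telemetry).
HUMAN_TRAINING = (
    [signin(is_browser=1, managed_device=1, mfa_ok=1)] * 3
    + [signin(is_browser=1, on_mobile=1, mfa_ok=1)] * 2
    + [signin(is_browser=1, managed_device=1),   # MFA not performed
       signin(on_mobile=1, mfa_ok=1),            # native mobile app, no browser
       signin(ip_hosted=1, is_browser=1, managed_device=1, mfa_ok=1)]  # hosted egress IP
)

def log_likelihood(rates, s):
    """Log-probability of a sign-in under independent per-feature human rates."""
    return sum(math.log(rates[f] if s[f] else 1.0 - rates[f]) for f in FEATURES)

def train_on_human_signins(samples, alpha=1.0):
    """Fit Laplace-smoothed feature rates; threshold = least likely training sign-in."""
    n = len(samples)
    rates = {f: (sum(s[f] for s in samples) + alpha) / (n + 2 * alpha) for f in FEATURES}
    threshold = min(log_likelihood(rates, s) for s in samples)
    return {"rates": rates, "threshold": threshold}

def is_anomalous(model, s):
    """Steps (a)-(b): submit one sign-in, receive an anomaly detection result."""
    return log_likelihood(model["rates"], s) < model["threshold"]

def classify_account(model, signins):
    """Step (c): machine-driven when most of the account's sign-ins are anomalous."""
    if not signins:
        raise ValueError("no sign-in data for account")
    fraction = sum(is_anomalous(model, s) for s in signins) / len(signins)
    label = "machine-driven" if fraction > 0.5 else "human-driven"
    return {"classification": label, "anomaly_fraction": fraction}  # step (d) payload

MODEL = train_on_human_signins(HUMAN_TRAINING)
```

Aggregating over several sign-ins keeps a person who occasionally signs in from a command line interpreter from being reclassified on a single anomalous event.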