Fang Yih Yu

US Patent:

8069210, Nov 29, 2011

Filed:

Oct 10, 2008

Appl. No.:

12/249732

Inventors:

Eliot C. Gillum - Mountain View CA, US
Qifa Ke - Cupertino CA, US
Yinglian Xie - Cupertino CA, US
Fang Yu - Sunnyvale CA, US
Yao Zhao - Chicago IL, US

Assignee:

Microsoft Corporation - Redmond WA

International Classification:

G06F 15/16

US Classification:

709206, 709224, 709225

Abstract:

Computer implemented methods are disclosed for detecting bot-user groups that send spam email over a web-based email service. Embodiments of the present system employ a two-prong approach to detecting bot-user groups. The first prong employs a historical-based approach for detecting anomalous changes in user account information, such as aggressive bot-user signups. The second prong of the present system entails constructing a large user-user relationship graph, which identifies bot-user sub-graphs through finding tightly connected subgraph components.

US Patent:

8185613, May 22, 2012

Filed:

Jun 8, 2009

Appl. No.:

12/479882

Inventors:

Yinglian Xie - Cupertino CA, US
Fang Yu - Sunnyvale CA, US
Martin Abadi - Palo Alto CA, US

Assignee:

Microsoft Corporation - Redmond WA

International Classification:

G06F 17/30

US Classification:

709220, 709224, 709227, 726 23

Abstract:

An IP (Internet Protocol) address is a directly observable identifier of host network traffic in the Internet and a host's IP address can dynamically change. Analysis of traffic (e. g. , network activity or application request) logs may be performed and a host tracking graph may be generated that shows hosts and their bindings to IP addresses over time. A host tracking graph may be used to determine host accountability. To generate a host tracking graph, a host is represented. Host representations may be application-dependent. In an implementation, application-level identifiers (IDs) such as user email IDs, messenger login IDs, social network IDs, or cookies may be used. Each identifier may be associated with a human user. These unreliable IDs can be used to track the activity of the corresponding hosts.

US Patent:

8289519, Oct 16, 2012

Filed:

Mar 21, 2008

Appl. No.:

12/077771

Inventors:

Richard Neil Zare - Stanford CA, US
Yiqi Luo - Mountain View CA, US
Fang Yu - Mountain View CA, US

Assignee:

Stanford University - Palo Alto CA

International Classification:

G01N 21/55

US Classification:

356445

Abstract:

Surface plasmon resonance (SPR) microscopy systems, methods of making SPR microscopy systems, methods of measuring and detecting the presence of one or more compounds present in a sample using the SPR microscopy system, and the like, are disclosed. In an embodiment, a surface plasmon resonance (SPR) microscopy system can include an integrated microfluidic chip that includes a plurality of layers, an SPR imaging system, and a pressure manifold to actuate flow control components in the integrated microfluidic chip.

US Patent:

8387145, Feb 26, 2013

Filed:

Jun 8, 2009

Appl. No.:

12/479860

Inventors:

Yinglian Xie - Cupertino CA, US
Fang Yu - Sunnyvale CA, US
Martin Abadi - Palo Alto CA, US

Assignee:

Microsoft Corporation - Redmond WA

International Classification:

G06F 12/14
G06F 12/16

US Classification:

726 24, 726 25

Abstract:

An IP (Internet Protocol) address is a directly observable identifier of host network traffic in the Internet and a host's IP address can dynamically change. Analysis of traffic (e. g. , network activity or application request) logs may be performed and a host tracking graph may be generated that shows hosts and their bindings to IP addresses over time. A host tracking graph may be used to determine host accountability. This can enable host-based blacklisting instead of the traditional IP address based blacklisting. Host tracking results can be leveraged for forensic analysis to understand an attacker's traces and identify malicious activities in a postmortem fashion. The host tracking information may be used to build a tracklist which can block future attacks.

US Patent:

8434150, Apr 30, 2013

Filed:

Mar 24, 2011

Appl. No.:

13/070497

Inventors:

Yinglian Xie - Cupertino CA, US
Fang Yu - Sunnyvale CA, US
Martin Abadi - Palo Alto CA, US
Eliot C. Gillum - Mountain View CA, US
Junxian Huang - Ann Arbor MI, US
Zhuoqing Morley Mao - Ann Arbor MI, US
Jason D. Walter - San Jose CA, US
Krishna Vitaldevara - Fremont CA, US

Assignee:

Microsoft Corporation - Redmond WA

International Classification:

H04L 29/06

US Classification:

726 22, 726 4, 726 14, 726 18, 713154, 709206

Abstract:

Detection of user accounts associated with spammer attacks may be performed by constructing a social graph of email users. Biggest connected components (BCC) of the social graph may be used to identify legitimate user accounts, as the majority of the users in the biggest connected components are legitimate users. BCC users may be used to identify more legitimate users. Using degree-based detection techniques and PageRank based detection techniques, the hijacked user accounts and spammer user accounts may be identified. The users' email sending and receiving behaviors may also be examined, and the subgraph structure may be used to detect stealthy attackers. From the social graph analysis, legitimate user accounts, malicious user accounts, and compromised user accounts can be identified.

US Patent:

8495742, Jul 23, 2013

Filed:

May 17, 2010

Appl. No.:

12/780935

Inventors:

Martin Abadi - Palo Alto CA, US
Yinglian Xie - Cupertino CA, US
Fang Yu - Sunnyvale CA, US
John Payyappillil John - Seattle WA, US

Assignee:

Microsoft Corporation - Redmond WA

International Classification:

G06F 11/00
G06F 12/14
G06F 12/16
G08B 23/00

US Classification:

726 24

Abstract:

A framework identifies malicious queries contained in search logs to uncover relationships between the malicious queries and the potential attacks launched by attackers submitting the malicious queries. A small seed set of malicious queries may be used to identify an IP address in the search logs that submitted the malicious queries. The seed set may be expanded by examining all queries in the search logs submitted by the identified IP address. Regular expressions may be generated from the expanded set of queries and used for detecting yet new malicious queries. Upon identifying the malicious queries, the framework may be used to detect attacks on vulnerable websites, spamming attacks, and phishing attacks.

US Patent:

8615605, Dec 24, 2013

Filed:

Oct 22, 2010

Appl. No.:

12/909839

Inventors:

Fang Yu - Sunnyvale CA, US
Yinglian Xie - Cupertino CA, US
Martin Abadi - Palo Alto CA, US
Stefan Roberts Savage - Carlsbad CA, US
Geoffrey Michael Voelker - Del Mar CA, US

Assignee:

Microsoft Corporation - Redmond WA

International Classification:

G06F 15/16

US Classification:

709245, 709224, 709226

Abstract:

A system to automatically classify types of IP addresses associated with a user. Information, such as user names, machine information, IP address, etc. , may be obtained from logs. For each user or host in the logs, home IP addresses are identified from IP addresses where the user or host shows a predetermined level of activity. Travel IP addresses are identified, which are IP addresses at locations greater than a predetermined distance from the home IP addresses, as determined from geolocation data. A pattern analysis may be performed to determine which of the home IP addresses are work IP addresses associated with the user or host. The system may thus provide a classification of a user's or host's associated IP addresses as being one of travel, home, and work IP addresses. From this classification, mobility patterns may be derived, as well as applications to enhance security, advertising, search and network management.

US Patent:

20080320119, Dec 25, 2008

Filed:

Jun 22, 2007

Appl. No.:

11/821211

Inventors:

Kannan Achan - Mountain View CA, US
Eliot Gillum - Mountain View CA, US
Yinglian Xie - Cupertino CA, US
Fang Yu - San Jose CA, US

Assignee:

Microsoft Corporation - Redmond WA

International Classification:

G06F 15/177

US Classification:

709222

Abstract:

Dynamic IP addresses may be automatically identified and their dynamics patterns may be analyzed. Multi-user IP address blocks are determined as candidates for further analysis. An entropy score is determined for each IP address in every candidate block to distinguish between a dynamic IP and a static IP shared by multiple users. IP addresses with high entropy scores are grouped, and then analyzed, and may be used in various applications, such as spam filtering.