Yinglian T Te Xie

US Patent:

8069374, Nov 29, 2011

Filed:

Feb 27, 2009

Appl. No.:

12/394451

Inventors:

Rina Panigrahy - Sunnyvale CA, US
Chad Verbowski - Redmond WA, US
Yinglian Xie - Cupertino CA, US
Junfeng Yang - New York City NY, US
Ding Yuan - Champaign IL, US

Assignee:

Microsoft Corporation - Redmond WA

International Classification:

G06F 11/00

US Classification:

714 381, 714 39, 714 45

Abstract:

A technique for automatically detecting and correcting configuration errors in a computing system. In a learning process, recurring event sequences, including e. g. , registry access events, are identified from event logs, and corresponding rules are developed. In a detecting phase, the rules are applied to detected event sequences to identify violations and to recover from failures. Event sequences across multiple hosts can be analyzed. The recurring event sequences are identified efficiently by flattening a hierarchical sequence of the events such as is obtained from the Sequitur algorithm. A trie is generated from the recurring event sequences and edges of nodes of the trie are marked as rule edges or non-rule edges. A rule is formed from a set of nodes connected by rule edges. The rules can be updated as additional event sequences are analyzed.

US Patent:

8185613, May 22, 2012

Filed:

Jun 8, 2009

Appl. No.:

12/479882

Inventors:

Yinglian Xie - Cupertino CA, US
Fang Yu - Sunnyvale CA, US
Martin Abadi - Palo Alto CA, US

Assignee:

Microsoft Corporation - Redmond WA

International Classification:

G06F 17/30

US Classification:

709220, 709224, 709227, 726 23

Abstract:

An IP (Internet Protocol) address is a directly observable identifier of host network traffic in the Internet and a host's IP address can dynamically change. Analysis of traffic (e. g. , network activity or application request) logs may be performed and a host tracking graph may be generated that shows hosts and their bindings to IP addresses over time. A host tracking graph may be used to determine host accountability. To generate a host tracking graph, a host is represented. Host representations may be application-dependent. In an implementation, application-level identifiers (IDs) such as user email IDs, messenger login IDs, social network IDs, or cookies may be used. Each identifier may be associated with a human user. These unreliable IDs can be used to track the activity of the corresponding hosts.

US Patent:

8387145, Feb 26, 2013

Filed:

Jun 8, 2009

Appl. No.:

12/479860

Inventors:

Yinglian Xie - Cupertino CA, US
Fang Yu - Sunnyvale CA, US
Martin Abadi - Palo Alto CA, US

Assignee:

Microsoft Corporation - Redmond WA

International Classification:

G06F 12/14
G06F 12/16

US Classification:

726 24, 726 25

Abstract:

An IP (Internet Protocol) address is a directly observable identifier of host network traffic in the Internet and a host's IP address can dynamically change. Analysis of traffic (e. g. , network activity or application request) logs may be performed and a host tracking graph may be generated that shows hosts and their bindings to IP addresses over time. A host tracking graph may be used to determine host accountability. This can enable host-based blacklisting instead of the traditional IP address based blacklisting. Host tracking results can be leveraged for forensic analysis to understand an attacker's traces and identify malicious activities in a postmortem fashion. The host tracking information may be used to build a tracklist which can block future attacks.

US Patent:

8434150, Apr 30, 2013

Filed:

Mar 24, 2011

Appl. No.:

13/070497

Inventors:

Yinglian Xie - Cupertino CA, US
Fang Yu - Sunnyvale CA, US
Martin Abadi - Palo Alto CA, US
Eliot C. Gillum - Mountain View CA, US
Junxian Huang - Ann Arbor MI, US
Zhuoqing Morley Mao - Ann Arbor MI, US
Jason D. Walter - San Jose CA, US
Krishna Vitaldevara - Fremont CA, US

Assignee:

Microsoft Corporation - Redmond WA

International Classification:

H04L 29/06

US Classification:

726 22, 726 4, 726 14, 726 18, 713154, 709206

Abstract:

Detection of user accounts associated with spammer attacks may be performed by constructing a social graph of email users. Biggest connected components (BCC) of the social graph may be used to identify legitimate user accounts, as the majority of the users in the biggest connected components are legitimate users. BCC users may be used to identify more legitimate users. Using degree-based detection techniques and PageRank based detection techniques, the hijacked user accounts and spammer user accounts may be identified. The users' email sending and receiving behaviors may also be examined, and the subgraph structure may be used to detect stealthy attackers. From the social graph analysis, legitimate user accounts, malicious user accounts, and compromised user accounts can be identified.

US Patent:

8495742, Jul 23, 2013

Filed:

May 17, 2010

Appl. No.:

12/780935

Inventors:

Martin Abadi - Palo Alto CA, US
Yinglian Xie - Cupertino CA, US
Fang Yu - Sunnyvale CA, US
John Payyappillil John - Seattle WA, US

Assignee:

Microsoft Corporation - Redmond WA

International Classification:

G06F 11/00
G06F 12/14
G06F 12/16
G08B 23/00

US Classification:

726 24

Abstract:

A framework identifies malicious queries contained in search logs to uncover relationships between the malicious queries and the potential attacks launched by attackers submitting the malicious queries. A small seed set of malicious queries may be used to identify an IP address in the search logs that submitted the malicious queries. The seed set may be expanded by examining all queries in the search logs submitted by the identified IP address. Regular expressions may be generated from the expanded set of queries and used for detecting yet new malicious queries. Upon identifying the malicious queries, the framework may be used to detect attacks on vulnerable websites, spamming attacks, and phishing attacks.

US Patent:

8615605, Dec 24, 2013

Filed:

Oct 22, 2010

Appl. No.:

12/909839

Inventors:

Fang Yu - Sunnyvale CA, US
Yinglian Xie - Cupertino CA, US
Martin Abadi - Palo Alto CA, US
Stefan Roberts Savage - Carlsbad CA, US
Geoffrey Michael Voelker - Del Mar CA, US

Assignee:

Microsoft Corporation - Redmond WA

International Classification:

G06F 15/16

US Classification:

709245, 709224, 709226

Abstract:

A system to automatically classify types of IP addresses associated with a user. Information, such as user names, machine information, IP address, etc. , may be obtained from logs. For each user or host in the logs, home IP addresses are identified from IP addresses where the user or host shows a predetermined level of activity. Travel IP addresses are identified, which are IP addresses at locations greater than a predetermined distance from the home IP addresses, as determined from geolocation data. A pattern analysis may be performed to determine which of the home IP addresses are work IP addresses associated with the user or host. The system may thus provide a classification of a user's or host's associated IP addresses as being one of travel, home, and work IP addresses. From this classification, mobility patterns may be derived, as well as applications to enhance security, advertising, search and network management.

US Patent:

20080320119, Dec 25, 2008

Filed:

Jun 22, 2007

Appl. No.:

11/821211

Inventors:

Kannan Achan - Mountain View CA, US
Eliot Gillum - Mountain View CA, US
Yinglian Xie - Cupertino CA, US
Fang Yu - San Jose CA, US

Assignee:

Microsoft Corporation - Redmond WA

International Classification:

G06F 15/177

US Classification:

709222

Abstract:

Dynamic IP addresses may be automatically identified and their dynamics patterns may be analyzed. Multi-user IP address blocks are determined as candidates for further analysis. An entropy score is determined for each IP address in every candidate block to distinguish between a dynamic IP and a static IP shared by multiple users. IP addresses with high entropy scores are grouped, and then analyzed, and may be used in various applications, such as spam filtering.

US Patent:

20090138937, May 28, 2009

Filed:

Nov 23, 2007

Appl. No.:

11/944460

Inventors:

Ulfar Erlingsson - San Francisco CA, US
Yinglian Xie - Cupertino CA, US
Ben Livshits - Kirkland WA, US
Cedric Fournet - Cambridge, GB

Assignee:

MICROSOFT CORPORATION - Redmond WA

International Classification:

H04L 9/00

US Classification:

726 1

Abstract:

A client-side enforcement mechanism may allow application security policies to be specified at a server in a programmatic manner. Servers may specify security policies as JavaScript functions included in a page returned by the server and run before other scripts. At runtime, and during initial loading, the functions are invoked by the client on each page modification to ensure the page conforms to the security policy. As such, before a mutation takes effect, the policy may transform that mutation and the code and data of the page. Replicated code execution may take place at both the client and the server where the server runs its own shadow copy of a client-side application in a trusted execution environment so that the server may check that the method calls coming from the client correspond to a correct execution of the client-side application The redundant execution at the client can be untrusted, but serves to improve the responsiveness and performance of the Web application.