Efim I Hudis

US Patent:

7953969, May 31, 2011

Filed:

Aug 17, 2007

Appl. No.:

11/893974

Inventors:

John Neystadt - Kfar Saba, IL
Efim Hudis - Bellevue WA, US

Assignee:

Microsoft Corporation - Redmond WA

International Classification:

G06F 15/173
H04L 9/32

US Classification:

713155, 709225

Abstract:

An automated arrangement for reducing the occurrence and/or minimizing the impact of false positives by a reputation service is provided in which overrides for a reputation of an adversary are reported to a reputation service from security devices, such as unified threat management systems, deployed in enterprise or consumer networks. An override is typically performed by an administrator at a customer network to allow the security device to accept traffic from, or send traffic to a given IP address or URL. Such connectivity is allowed—even if such objects have a blacklisted reputation provided by a reputation service—in cases where the administrator recognizes that the blacklisted reputation is a false positive. The reputation service uses the reported overrides to adjust the fidelity (i. e. , a confidence level) of that object's reputation, and then provides an updated reputation, which reflects the fidelity adjustment, to all the security devices that use the reputation service.

US Patent:

8095979, Jan 10, 2012

Filed:

Jan 26, 2007

Appl. No.:

11/627594

Inventors:

Ellen McDermott - Clyde Hill WA, US
Efim Hudis - Bellevue WA, US

Assignee:

Microsoft Corporation - Redmond WA

International Classification:

G06F 11/00

US Classification:

726 22, 709225, 709224, 714 2, 705 44

Abstract:

Analysis of audit information that takes into account a wide context allows for a rich picture from which system conditions may be assessed. Event information about various events that have occurred or are occurring, on various sources in the computing arrangement, is maintained. Each entity has an “activity identifier”, which remains the same across various events performed by that entity at the various sources. Event information associated with the various sources is contextually analyzed on the basis of the activity identifier, to assess whether a condition exists that impacts the performance and/or security of the computing arrangement. In case it is determined that such a condition exists, an action is performed to remediate the condition.

US Patent:

8117659, Feb 14, 2012

Filed:

Dec 28, 2005

Appl. No.:

11/321754

Inventors:

Gregory D. Hartrell - Redmond WA, US
David J. Steeves - Seattle WA, US
Efim Hudis - Bellevue WA, US

Assignee:

Microsoft Corporation - Redmond WA

International Classification:

G06F 21/00

US Classification:

726 24, 726 22, 726 23, 726 25, 709223, 709224, 713187, 713188

Abstract:

A malware analysis system for automating cause and effect analysis of malware infections is provided. The malware analysis system monitors and records computer system activities. Upon being informed of a suspected malware infection, the malware analysis system creates a time-bounded snapshot of the monitored activities that were conducted within a time frame prior to the notification of the suspected malware infection. The malware analysis system may also create a time-bounded snapshot of the monitored activities that are conducted within a time frame subsequent to the notification of the suspected malware infection. The malware analysis system provides the created snapshot or snapshots for further analysis.

US Patent:

8136164, Mar 13, 2012

Filed:

Feb 27, 2008

Appl. No.:

12/038805

Inventors:

Yair Helman - Kefar Neter, IL
Efim Hudis - Bellevue WA, US

Assignee:

Microsoft Corporation - Redmond WA

International Classification:

G06F 11/00
G06F 12/14
G06F 12/16
G06F 23/00

US Classification:

726 25

Abstract:

An enterprise-wide sharing arrangement uses a semantic abstraction, called a security assessment, to share security-related information between different security products, called endpoints. A security assessment is defined as a tentative assignment by an endpoint of broader contextual meaning to information that is collected about an object of interest. Endpoints may publish security assessments onto a security assessment channel, as well as subscribe to a subset of security assessments published by other endpoints. A specialized endpoint is coupled to the channel that performs as a centralized audit point by subscribing to all security assessments, logging the security assessments, and also logging the local actions taken by endpoints in response to received security assessments. Manual operations are supported by the specialized endpoint including manual approval of actions, security assessment cancellation, and manual injection of security assessments into the security assessment channel.

US Patent:

8181250, May 15, 2012

Filed:

Jun 30, 2008

Appl. No.:

12/165460

Inventors:

Ziv Rafalovich - Yokneam Ilit, IL
Lior Arzi - Atlit, IL
Ron Karidi - Herzeliya, IL
Efim Hudis - Bellevue WA, US

Assignee:

Microsoft Corporation - Redmond WA

International Classification:

G06F 11/00
G06F 12/14

US Classification:

726 23, 726 26, 726 24, 726 25, 726 22, 726 13, 726 14, 713187, 713188

Abstract:

A honeypot in a computer network is configured for use with a wide variety of computing resources that are defined by a network administrator or user which may include desktop and network resources such as address book contacts, instant messaging contacts, active directory user accounts, IP addresses, and files that contain particular content or that are stored in particular locations. The resources may be real for which protection against leakage is desired, or fake to operate as bait to lure and detect malicious attacks. The honeypot is implemented in an extensible manner so that virtually any resource may be honeypotted to apply honeypot benefits to resources beyond static IP addresses in order to improve both the breadth of information leakage prevention and the detection of malicious attacks.

US Patent:

8296178, Oct 23, 2012

Filed:

Aug 14, 2008

Appl. No.:

12/192113

Inventors:

Efim Hudis - Bellevue WA, US
Yigal Edery - Pardesia, IL
Oleg Ananiev - Migdal Haemeq, IL
John Wohlfert - Everett WA, US
Nir Nice - Kfar Veradim, IL

Assignee:

Microsoft Corporation - Redmond WA

International Classification:

G05B 19/418

US Classification:

705 8, 705400, 726 4, 455436, 370401

Abstract:

Secure content management is enabled as a cloud-based service through which security protection and policy enforcement may be implemented for both on-premise network users and roaming users. The global SCM service integrates the security functionalities—such as anti-virus, spyware, and phishing protection, firewall, intrusion detection, centralized management, and the like—that are typically provided by enterprise network SCM appliance hardware or servers into a cloud-based service that users reach via Internet-based points-of-presence (“POPs”). The POPs are configured with forward proxy servers, and in some implementations, caching and network acceleration components, and coupled to hubs which provide configuration management and identity management services such as active directory services.

US Patent:

8413247, Apr 2, 2013

Filed:

Mar 14, 2007

Appl. No.:

11/717978

Inventors:

Efim Hudis - Bellevue WA, US
Yair Helman - Kefar Neter, IL
Joseph Malka - Haifa, IL
Uri Barash - Redmond WA, US

Assignee:

Microsoft Corporation - Redmond WA

International Classification:

G06F 21/00

US Classification:

726 25, 726 27, 713156, 709224

Abstract:

Endpoints in an enterprise security environment are configured to adaptively switch from their normal data collection mode to a long-term, detailed data collection mode where advanced analyses are applied to the collected detailed data. Such adaptive data collection and analysis is triggered upon the receipt of a security assessment of a particular type, where a security assessment is defined as a tentative assignment by an endpoint of broader contextual meaning to information (i. e. , data in some context) that is collected about an object of interest. A specialized endpoint is coupled to the security assessment channel and performs as a centralized audit point by subscribing to all security assessments, logging the security assessments, and also logging the local actions taken by endpoints in response to detected security incidents in the environment. The specialized endpoint is arranged to perform various analyses and processes on historical security assessments.

US Patent:

8424094, Apr 16, 2013

Filed:

Jun 30, 2007

Appl. No.:

11/824732

Inventors:

John Neystadt - Kfar Saba, IL
Efim Hudis - Bellevue WA, US
Yair Helman - Kefar Neter, IL
Alexandra Faynburd - Haifa, IL

Assignee:

Microsoft Corporation - Redmond WA

International Classification:

G06F 21/00

US Classification:

726 25, 726 5, 726 24, 713167, 380282, 455410, 705317

Abstract:

An automated collection of forensic evidence associated with a security incident is provided by an arrangement in which different security products called endpoints in an enterprise network are enabled for sharing security-related information over a common communication channel using an abstraction called a security assessment. A security assessment is generally configured to indicate an endpoint's understanding of a detected security incident that pertains to an object in the environment which may include users, computers, IP addresses, and website URIs (Universal Resource Identifiers). The security assessment is published by the endpoint into the channel and received by subscribing endpoints. The security assessment triggers the receiving endpoints to go into a more comprehensive or detailed mode of evidence collection. In addition, any forensic evidence having relevance to the security incident that may have already been collected prior to the detection will be marked for retention so that it is not otherwise deleted.