US 11,689,553 B1
User session-based generation of logical graphs and detection of anomalies
Harish Kumar Bharat Singh, Mountain View, CA (US); Vikram Kapoor, Cupertino, CA (US); Murat Bog, Fremont, CA (US); and Yijou Chen, Cupertino, CA (US)
Assigned to Lacework Inc., Mountain View, CA (US)
Filed by Lacework Inc., Mountain View, CA (US)
Filed on Mar. 9, 2021, as Appl. No. 17/196,887.
Application 17/196,887 is a continuation of application No. 16/459,207, filed on Jul. 1, 2019, granted, now 10,986,114.
Application 16/459,207 is a continuation of application No. 16/134,821, filed on Sep. 18, 2018, granted, now 10,419,469, issued on Sep. 17, 2019.
Claims priority of provisional application 62/650,971, filed on Mar. 30, 2018.
Claims priority of provisional application 62/590,986, filed on Nov. 27, 2017.
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 29/06 (2006.01); H04L 9/40 (2022.01); G06F 16/901 (2019.01); G06F 21/57 (2013.01); H04L 67/306 (2022.01); G06F 16/9038 (2019.01); G06F 16/9537 (2019.01); G06F 9/455 (2018.01); G06F 9/54 (2006.01); H04L 43/045 (2022.01); H04L 43/06 (2022.01); G06F 16/9535 (2019.01); H04L 67/50 (2022.01); G06F 16/2455 (2019.01)
CPC H04L 63/1425 (2013.01) [G06F 9/455 (2013.01); G06F 9/545 (2013.01); G06F 16/9024 (2019.01); G06F 16/9038 (2019.01); G06F 16/9535 (2019.01); G06F 16/9537 (2019.01); G06F 21/57 (2013.01); H04L 43/045 (2013.01); H04L 43/06 (2013.01); H04L 63/10 (2013.01); H04L 67/306 (2013.01); H04L 67/535 (2022.05); G06F 16/2456 (2019.01)]
18 Claims
1. A system, comprising:
a processor configured to:
generate, based on log data associated with at least one user session in a network environment associated with an original user, a logical graph, wherein the logical graph comprises: (1) a first node corresponding to the original user, (2) at least a second node, and (3) a set of edges, wherein the set of edges include at least one edge connecting the first node to the second node;
use the generated logical graph to detect an anomaly, wherein detecting the anomaly includes determining that a change has been made to the set of edges, wherein the anomaly is associated with a second user different from the original user, and wherein the detecting the anomaly includes determining an association between the second user and the original user; and
in response to detecting the anomaly, take a remedial action; and
a memory coupled to the processor and configured to provide the processor with instructions.