US 12,206,696 B1
Detecting anomalies in a network environment
Vikram Kapoor, Cupertino, CA (US); Samuel Joseph Pullara, III, Los Altos, CA (US); Murat Bog, Fremont, CA (US); Yijou Chen, Cupertino, CA (US); and Sanjay Kalra, San Jose, CA (US)
Assigned to Fortinet, Inc., Sunnyvale, CA (US)
Filed by Lacework, Inc., Mountain View, CA (US)
Filed on Apr. 27, 2023, as Appl. No. 18/140,394.
Application 18/140,394 is a continuation of application No. 17/504,311, filed on Oct. 18, 2021, granted, now 11,677,772.
Application 17/504,311 is a continuation of application No. 16/665,961, filed on Oct. 28, 2019, granted, now 11,153,339, issued on Oct. 19, 2021.
Application 16/665,961 is a continuation of application No. 16/134,794, filed on Sep. 18, 2018, granted, now 10,581,891, issued on Mar. 3, 2020.
Claims priority of provisional application 62/650,971, filed on Mar. 30, 2018.
Claims priority of provisional application 62/590,986, filed on Nov. 27, 2017.
Int. Cl. H04L 9/40 (2022.01); G06F 9/455 (2018.01); G06F 9/54 (2006.01); G06F 16/2455 (2019.01); G06F 16/901 (2019.01); G06F 16/9038 (2019.01); G06F 16/9535 (2019.01); G06F 16/9537 (2019.01); G06F 21/57 (2013.01); H04L 43/045 (2022.01); H04L 43/06 (2022.01); H04L 67/306 (2022.01); H04L 67/50 (2022.01)
CPC H04L 63/1425 (2013.01) [G06F 9/455 (2013.01); G06F 9/545 (2013.01); G06F 16/2456 (2019.01); G06F 16/9024 (2019.01); G06F 16/9038 (2019.01); G06F 16/9535 (2019.01); G06F 16/9537 (2019.01); G06F 21/57 (2013.01); H04L 43/045 (2013.01); H04L 43/06 (2013.01); H04L 63/10 (2013.01); H04L 67/306 (2013.01); H04L 67/535 (2022.05)] 20 Claims
OG exemplary drawing
 
1. A method comprising:
monitoring activities within a network environment;
generating a logical graph model using at least a portion of the monitored activities, the logical graph model comprising a set of nodes representative of logical entities in the network environment and a set of edges representative of behavioral relationships between nodes interconnected by the edges;
identifying a new process with a process identifier; and
using the generated logical graph model to detect an anomaly in the network environment, wherein the anomaly is detected based on a change to the set of nodes of the logical graph model, the change to the set of nodes comprising an addition of a new node to the set of nodes, wherein the new node represents the new process that is identified with the process identifier and is executing in the network environment.
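Claim 1 describes a logical graph whose nodes are entities such as processes and whose edges are behavioral relationships, with an anomaly raised when the node set grows by a node representing a newly identified process. The following is an added illustration written for this page, not the patent's or Fortinet's/Lacework's implementation: it assumes a simple event schema (`process_start` and `connect` records with `pid`, `ppid`, `name`, `host`, `dst` fields) and keys process nodes by `("process", pid)`; the event records are constructed sample data.

```python
"""Added example: a minimal logical graph model built from monitored
process activity, and detection of the anomaly the claim describes, namely
the addition of a new node that represents a newly identified process.
Event schema and node keys are assumptions for this illustration."""
from dataclasses import dataclass, field


@dataclass
class LogicalGraph:
    # nodes: logical entities keyed by a tuple such as ("process", pid)
    nodes: dict = field(default_factory=dict)
    # edges: behavioral relationships as (source, relation, destination)
    edges: set = field(default_factory=set)

    def add_node(self, node_id, **attrs):
        self.nodes.setdefault(node_id, {}).update(attrs)

    def add_edge(self, src, relation, dst):
        self.edges.add((src, relation, dst))


def build_graph(events):
    """Build a logical graph from a window of monitored activity records.
    Records of an unknown type are ignored rather than failing the build."""
    g = LogicalGraph()
    for ev in events:
        if ev["type"] == "process_start":
            proc = ("process", ev["pid"])
            g.add_node(proc, name=ev["name"], host=ev["host"])
            if ev.get("ppid") is not None:
                parent = ("process", ev["ppid"])
                g.add_node(parent)  # parent may be seen only via this edge
                g.add_edge(parent, "spawned", proc)
        elif ev["type"] == "connect":
            proc = ("process", ev["pid"])
            host = ("host", ev["dst"])
            g.add_node(proc)
            g.add_node(host)
            g.add_edge(proc, "connected_to", host)
    return g


def detect_new_process_nodes(baseline, current):
    """Anomaly per the claim: a change to the node set consisting of the
    addition of a node that represents a process with a process identifier."""
    added = set(current.nodes) - set(baseline.nodes)
    return sorted(n for n in added if n[0] == "process")


def describe_node(graph, node):
    """Context a defender wants alongside the alert: the node's attributes
    and every behavioral edge touching it."""
    return {
        "node": node,
        "attrs": graph.nodes.get(node, {}),
        "edges": sorted(e for e in graph.edges if node in (e[0], e[2])),
    }


# Constructed sample data: a baseline window and a later window in which a
# new process (pid 300) appears and makes an outbound connection.
BASELINE_EVENTS = [
    {"type": "process_start", "pid": 100, "ppid": 1, "name": "sshd", "host": "web-1"},
    {"type": "process_start", "pid": 200, "ppid": 1, "name": "nginx", "host": "web-1"},
    {"type": "connect", "pid": 200, "dst": "10.0.0.5"},
]
CURRENT_EVENTS = BASELINE_EVENTS + [
    {"type": "process_start", "pid": 300, "ppid": 200, "name": "sh", "host": "web-1"},
    {"type": "connect", "pid": 300, "dst": "10.0.0.9"},
]

if __name__ == "__main__":
    base = build_graph(BASELINE_EVENTS)
    cur = build_graph(CURRENT_EVENTS)
    for node in detect_new_process_nodes(base, cur):
        print("anomaly: new process node", describe_node(cur, node))
```

Only process nodes trigger the alert here; the new `("host", "10.0.0.9")` node is also an addition to the node set, but the claim ties the detected anomaly to a node representing a new process, so the host node only appears as context through the `connected_to` edge.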