US 12,206,708 B2
Correlating network event anomalies using active and passive external reconnaissance to identify attack information
Jason Crabtree, Vienna, VA (US); Andrew Sellers, Monument, CO (US); and Richard Kelley, Woodbridge, VA (US)
Assigned to QOMPLX LLC, Reston, VA (US)
Filed by QOMPLX LLC
Filed on Apr. 22, 2021, as Appl. No. 17/237,346.
Application 17/237,346 is a continuation in part of application No. 16/777,270, filed on Jan. 30, 2020, granted, now 11,025,674.
Application 16/777,270 is a continuation in part of application No. 16/720,383, filed on Dec. 19, 2019, granted, now 10,944,795.
Application 16/720,383 is a continuation of application No. 15/823,363, filed on Nov. 27, 2017, granted, now 10,560,483, issued on Feb. 11, 2020.
Application 15/823,363 is a continuation in part of application No. 15/725,274, filed on Oct. 4, 2017, granted, now 10,609,079, issued on Mar. 31, 2020.
Application 15/725,274 is a continuation in part of application No. 15/655,113, filed on Jul. 20, 2017, granted, now 10,735,456, issued on Aug. 4, 2020.
Application 15/655,113 is a continuation in part of application No. 15/616,427, filed on Jun. 7, 2017, abandoned.
Application 15/655,113 is a continuation in part of application No. 15/237,625, filed on Aug. 15, 2016, granted, now 10,248,910, issued on Apr. 2, 2019.
Application 15/616,427 is a continuation in part of application No. 15/206,195, filed on Jul. 8, 2016, abandoned.
Application 15/206,195 is a continuation in part of application No. 15/186,453, filed on Jun. 18, 2016, abandoned.
Application 15/186,453 is a continuation in part of application No. 15/166,158, filed on May 26, 2016, abandoned.
Application 15/166,158 is a continuation in part of application No. 15/141,752, filed on Apr. 28, 2016, granted, now 10,860,962.
Application 15/141,752 is a continuation in part of application No. 15/091,563, filed on Apr. 5, 2016, granted, now 10,204,147, issued on Feb. 12, 2019.
Application 15/141,752 is a continuation in part of application No. 14/986,536, filed on Dec. 31, 2015, granted, now 10,210,255, issued on Feb. 19, 2019.
Application 15/141,752 is a continuation in part of application No. 14/925,974, filed on Oct. 28, 2015, abandoned.
Application 15/616,427 is a continuation in part of application No. 14/925,974, filed on Oct. 28, 2015, abandoned.
Prior Publication US 2022/0014560 A1, Jan. 13, 2022
Int. Cl. H04L 9/40 (2022.01); G06F 16/2458 (2019.01); G06F 16/951 (2019.01)
CPC H04L 63/20 (2013.01) [G06F 16/2477 (2019.01); G06F 16/951 (2019.01); H04L 63/1425 (2013.01); H04L 63/1441 (2013.01)] 8 Claims
OG exemplary drawing
 
1. A system for correlating network event anomalies to identify attack information, comprising:
a cyber-physical graph module comprising a first plurality of programming instructions stored in a memory of, and operating on a processor of, a computing device, wherein the first plurality of programming instructions, when operating on the processor, cause the computing device to create a cyber-physical graph of an organization using information about the organization, the cyber-physical graph comprising nodes representing entities associated with the organization and edges representing relationships between entities associated with the organization;
a reconnaissance engine comprising a second plurality of programming instructions stored in the memory of, and operating on the processor of, the computing device, wherein the second plurality of programming instructions, when operating on the processor, cause the computing device to:
perform a reconnaissance search using the cyber-physical graph; and
apply some or all of the results of the reconnaissance search to the cyber-physical graph to create a normal behavior model for a plurality of nodes in the cyber-physical graph; and
a directed computational graph engine comprising a third plurality of programming instructions stored in the memory of, and operating on the processor of, the computing device, wherein the third plurality of programming instructions, when operating on the processor, cause the computing device to:
receive the normal behavior model;
using the cyber-physical graph and the normal behavior model:
identify an anomalous event based on analysis of the cyber-physical graph and the normal behavior model;
analyze the cyber-physical graph and the normal behavior model to identify correlations between affected nodes, the affected nodes being based on the anomalous event;
generate a behavior graph based on the identified correlations;
analyze the behavior graph to produce a dependency tree comprising causative relationships between events; and
traverse the dependency tree backward in a temporal dimension to identify a plurality of starting conditions for the anomalous event.
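Claim 1 describes a pipeline: build a cyber-physical graph of entities and relationships, derive a normal behavior model from reconnaissance results, flag an anomalous event, correlate the affected nodes, build a behavior graph over the related events, reduce it to a dependency tree of causative relationships, and walk that tree backward in time to the starting conditions. The following is an added example written for this page; it is not code from the patent or from QOMPLX. The graph, the reconnaissance results (exposed ports), the flow log, the host names and the causal heuristic ("the node that received event a initiates event b later") are all constructed assumptions used to make the steps concrete.

```python
# Added example (not QOMPLX's code): a toy, runnable version of the pipeline in claim 1.
# Graph, reconnaissance results, event log and host names are constructed for illustration;
# the causal heuristic in behavior_graph() is an assumption, not the patent's method.
from collections import defaultdict

class CyberPhysicalGraph:
    """Nodes are entities (hosts, external address space); edges are typed relationships."""
    def __init__(self):
        self.nodes = {}      # name -> attributes
        self.edges = set()   # (src, dst, relation)

    def add_node(self, name, **attrs):
        self.nodes[name] = attrs

    def add_edge(self, src, dst, relation):
        self.edges.add((src, dst, relation))

    def peers(self, node, relation):
        return {d for s, d, r in self.edges if s == node and r == relation}

    def canonical(self, host):
        # Hosts unknown to the graph (external IPs) collapse onto the 'internet' node.
        return host if host in self.nodes else "internet"

def normal_model(graph, recon):
    """Normal behavior model: the (peer, port) pairs each node is expected to initiate,
    i.e. a connects_to edge exists and recon observed that port exposed on the peer."""
    return {node: {(peer, port) for peer in graph.peers(node, "connects_to")
                   for port in recon.get(peer, set())} for node in graph.nodes}

def normalize(graph, events):
    """Rewrite raw endpoints onto graph nodes so events can be matched against the model."""
    return [dict(e, src=graph.canonical(e["src"]), dst=graph.canonical(e["dst"])) for e in events]

def anomalies(model, events):
    """Events whose (dst, port) lies outside the initiator's normal model."""
    return [e for e in events if (e["dst"], e["port"]) not in model[e["src"]]]

def affected_nodes(anomalous, seed):
    """Correlate affected nodes: start from the seed anomaly's endpoints and absorb the
    endpoints of every anomalous event sharing a node with the set (transitive closure)."""
    affected, grew = {seed["src"], seed["dst"]}, True
    while grew:
        grew = False
        for e in anomalous:
            ends = {e["src"], e["dst"]}
            if ends & affected and not ends <= affected:
                affected |= ends
                grew = True
    return affected

def behavior_graph(events, affected):
    """Behavior graph over events touching affected nodes, stored as child -> {parents}.
    Heuristic causal link a -> b: a precedes b and the node that received a initiates b."""
    evs = [e for e in events if {e["src"], e["dst"]} & affected]
    parents = defaultdict(set)
    for a in evs:
        for b in evs:
            if a["t"] < b["t"] and a["dst"] == b["src"]:
                parents[b["id"]].add(a["id"])
    return parents

def dependency_tree(parents, event_id):
    """Walk the behavior graph backward in time from event_id: event -> causative predecessors."""
    tree, stack = {}, [event_id]
    while stack:
        cur = stack.pop()
        if cur not in tree:
            tree[cur] = set(parents.get(cur, ()))
            stack.extend(tree[cur])
    return tree

def starting_conditions(tree):
    """Events in the tree with no causative predecessor: the candidate starting conditions."""
    return sorted(eid for eid, preds in tree.items() if not preds)

def demo():
    g = CyberPhysicalGraph()
    for name, kind in [("internet", "external"), ("web01", "server"),
                       ("db01", "server"), ("ws-alice", "workstation")]:
        g.add_node(name, kind=kind)
    for src, dst in [("internet", "web01"), ("ws-alice", "web01"), ("web01", "db01")]:
        g.add_edge(src, dst, "connects_to")
    recon = {"web01": {80, 443}, "db01": {5432}}       # constructed scan results: exposed ports
    raw = [(1, 1, "ws-alice", "web01", 443),            # constructed flow log: id, t, src, dst, port
           (2, 2, "198.51.100.7", "web01", 443),
           (3, 3, "web01", "db01", 5432),
           (4, 4, "web01", "ws-alice", 445),            # web server opening SMB to a workstation
           (5, 5, "ws-alice", "db01", 5432),            # workstation straight to the database
           (6, 6, "db01", "203.0.113.9", 443)]          # database calling out to the internet
    events = normalize(g, [dict(zip(("id", "t", "src", "dst", "port"), r)) for r in raw])
    anom = anomalies(normal_model(g, recon), events)
    seed = anom[-1]                                      # investigate the most recent anomaly
    affected = affected_nodes(anom, seed)
    tree = dependency_tree(behavior_graph(events, affected), seed["id"])
    return {"anomalies": [e["id"] for e in anom], "affected": affected,
            "tree": tree, "starts": starting_conditions(tree)}

if __name__ == "__main__":
    print(demo())
```

Running `demo()` flags events 4, 5 and 6 as anomalous (none of those initiator/peer/port combinations exist in the model built from the graph edges and the recon results), correlates all four hosts as affected because the anomalies chain through shared nodes, and walks the dependency tree from the outbound database connection back to two starting conditions: the workstation's browsing session at t=1 and the external hit on web01 at t=2. In practice the causal heuristic would be replaced by richer evidence (process lineage, authentication events, session identifiers), and the roots would be ranked, with an externally originated root usually the more interesting entry point.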