US 11,902,293 B2
Using an entity behavior catalog when performing distributed security operations
Lawrence Bruce Huston, III, Ann Arbor, MI (US); Nicolas Christian Fischbach, Uitikon (CH); and Raffael Marty, Austin, TX (US)
Assigned to Forcepoint LLC, Austin, TX (US)
Filed by Forcepoint, LLC, Austin, TX (US)
Filed on Dec. 22, 2020, as Appl. No. 17/131,023.
Application 17/131,023 is a continuation of application No. 16/557,560, filed on Aug. 30, 2019, granted, now 10,999,296.
Application 16/557,560 is a continuation in part of application No. 16/415,726, filed on May 17, 2019, granted, now 10,834,097, issued on Nov. 10, 2020.
Application 16/415,726 is a continuation in part of application No. 16/162,655, filed on Oct. 17, 2018, granted, now 10,530,786, issued on Jan. 7, 2020.
Application 16/162,655 is a continuation of application No. 15/963,729, filed on Apr. 26, 2018, granted, now 10,129,269, issued on Nov. 13, 2018.
Application 15/963,729 is a continuation in part of application No. 15/878,898, filed on Jan. 24, 2018, granted, now 10,063,568, issued on Aug. 28, 2018.
Application 15/878,898 is a continuation of application No. 15/720,788, filed on Sep. 29, 2017, granted, now 9,882,918, issued on Jan. 30, 2018.
Claims priority of provisional application 63/119,116, filed on Nov. 30, 2020.
Claims priority of provisional application 63/017,400, filed on Apr. 29, 2020.
Claims priority of provisional application 62/964,372, filed on Jan. 22, 2020.
Claims priority of provisional application 62/839,060, filed on Apr. 26, 2019.
Claims priority of provisional application 62/506,300, filed on May 15, 2017.
Prior Publication US 2021/0152567 A1, May 20, 2021
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 9/40 (2022.01); G06F 21/56 (2013.01); G06F 21/57 (2013.01); H04L 67/306 (2022.01)
CPC H04L 63/04 (2013.01) [G06F 21/566 (2013.01); G06F 21/577 (2013.01); H04L 63/102 (2013.01); H04L 63/1416 (2013.01); H04L 63/1425 (2013.01); H04L 63/1433 (2013.01); H04L 63/205 (2013.01); H04L 67/306 (2013.01); G06F 2221/034 (2013.01)]
20 Claims
 
1. A computer-implementable method for performing a security operation, comprising:
monitoring an entity, the monitoring observing at least one electronically-observable data source;
identifying a security related activity of the entity, the security related activity being of analytic utility;
accessing an entity behavior catalog based upon the security related activity, the entity behavior catalog storing entity behavior catalog data, the entity behavior catalog data comprising an inventory of entity behaviors and a human-centric risk modeling framework, the human-centric risk modeling framework enabling quantification of a human-centric factor associated with the entity, the human-centric factor comprising a motivation factor, a stressor factor and an organizational dynamics stressor factor, the human-centric factor having an associated effect on the entity, the motivation factor representing a user entity behavior that provides an indication of a motivation for enacting the user entity behavior, the stressor factor representing an issue influencing the user entity behavior, the organizational stressor factor representing an event occurring within an organization affecting the user entity behavior; and
performing a security operation via a distributed security analytics environment, the security operation being performed by at least one of an entity edge component and a security analytics system, the entity edge component executing the security operation on a hardware processor associated with the entity edge component, the security analytics system executing the security operation on a hardware processor associated with the security analytics system, the security operation using the entity behavior catalog data stored within the entity behavior catalog based upon the security related activity.