US 11,902,295 B2
Using a security analytics map to perform forensic analytics
Andrew Mortensen, Ann Arbor, MI (US); Assaf Almaz, Ra'anana (IL); David Coffey, Austin, TX (US); and Ofir Arkin, Tel Aviv (IL)
Assigned to Forcepoint LLC, Austin, TX (US)
Filed by Forcepoint, LLC, Austin, TX (US)
Filed on Dec. 31, 2020, as Appl. No. 17/139,055.
Application 17/139,055 is a continuation of application No. 16/557,560, filed on Aug. 30, 2019, granted, now 10,999,296.
Application 16/557,560 is a continuation in part of application No. 16/415,726, filed on May 17, 2019, granted, now 10,834,097, issued on Nov. 10, 2020.
Application 16/415,726 is a continuation in part of application No. 16/162,655, filed on Oct. 17, 2018, granted, now 10,530,786, issued on Jan. 7, 2020.
Application 16/162,655 is a continuation of application No. 15/963,729, filed on Apr. 26, 2018, granted, now 10,129,269, issued on Nov. 13, 2018.
Application 15/963,729 is a continuation in part of application No. 15/878,898, filed on Jan. 24, 2018, granted, now 10,063,568, issued on Aug. 28, 2018.
Application 15/878,898 is a continuation of application No. 15/720,788, filed on Sep. 29, 2017, granted, now 9,882,918, issued on Jan. 30, 2018.
Claims priority of provisional application 63/119,116, filed on Nov. 30, 2020.
Claims priority of provisional application 63/072,566, filed on Aug. 31, 2020.
Claims priority of provisional application 63/017,400, filed on Apr. 29, 2020.
Claims priority of provisional application 62/964,372, filed on Jan. 22, 2020.
Claims priority of provisional application 62/839,060, filed on Apr. 26, 2019.
Claims priority of provisional application 62/506,300, filed on May 15, 2017.
Prior Publication US 2021/0152569 A1, May 20, 2021
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 9/40 (2022.01); G06F 21/56 (2013.01); G06F 21/57 (2013.01); H04L 67/306 (2022.01)
CPC H04L 63/14 (2013.01) [G06F 21/566 (2013.01); G06F 21/577 (2013.01); H04L 63/102 (2013.01); H04L 63/1416 (2013.01); H04L 63/1425 (2013.01); H04L 63/1433 (2013.01); H04L 63/205 (2013.01); H04L 67/306 (2013.01); G06F 2221/034 (2013.01)] 18 Claims
 
1. A computer-implementable method for performing a security operation, comprising:
monitoring a plurality of electronically-observable actions of a first entity, the plurality of electronically-observable actions of the first entity corresponding to a respective first plurality of events enacted by the first entity, the first entity comprising a first user entity;
monitoring a plurality of electronically-observable actions of a second entity, the plurality of electronically-observable actions of the second entity corresponding to a respective second plurality of events enacted by the second entity, the second entity comprising a second user entity;
determining whether a first event of the respective first plurality of events and a second event of the respective second plurality of events comprise an entity interaction between the first entity and the second entity, the entity interaction between the first entity and the second entity comprises a conveyance of data;
generating an entity interaction map, the entity interaction map providing a representation of the entity interaction between the first entity and the second entity, the entity interaction map providing a historical mapping of the conveyance of data between the first entity to the second entity, the generating the entity interaction map including generating a representation of a concatenation of correlated entity interactions;
performing a security analytics operation via a security analytics system using the entity interaction map, the security analytics system executing on a hardware processor, the security analytics operation detecting an anomalous event associated with the entity interaction between the first entity and the second entity, the anomalous event being related to the conveyance of data between the first entity to the second entity; and,
using the entity interaction map to perform a forensics analysis upon detection of the anomalous event.
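The method of claim 1 as an added illustration, not the patent's own code or any implementation by the assignee: constructed send/receive events enacted by user entities are correlated into conveyances of data, concatenated per object into an entity interaction map, checked for a conveyance whose source/destination pair has no history, and the map is then used to trace the path the data travelled. Entity names, object names, timestamps and the 30-second correlation window are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    entity: str   # user entity that enacted the event (constructed)
    action: str   # "send" or "receive"
    obj: str      # identifier of the data conveyed (constructed)
    ts: int       # seconds since an arbitrary epoch

# Constructed sample log: routine hand-offs, then a forward to a never-seen-before entity.
EVENTS = [
    Event("alice", "send", "q3-forecast.xlsx", 100), Event("bob", "receive", "q3-forecast.xlsx", 102),
    Event("bob", "send", "q3-forecast.xlsx", 300), Event("carol", "receive", "q3-forecast.xlsx", 305),
    Event("alice", "send", "budget.docx", 400), Event("bob", "receive", "budget.docx", 401),
    Event("carol", "send", "q3-forecast.xlsx", 900), Event("mallory", "receive", "q3-forecast.xlsx", 903),
]

def correlate(events, window=30):
    # Pair each send with the nearest later receive of the same object by another entity
    # within `window` seconds; each pair is one entity interaction (a conveyance of data).
    receives = sorted((e for e in events if e.action == "receive"), key=lambda e: e.ts)
    interactions = []
    for s in (e for e in events if e.action == "send"):
        for r in receives:
            if r.obj == s.obj and r.entity != s.entity and s.ts <= r.ts <= s.ts + window:
                interactions.append((s.entity, r.entity, s.obj, r.ts))
                break
    return sorted(interactions, key=lambda i: i[3])

def build_map(interactions):
    # Entity interaction map: per-object ordered hops, i.e. the concatenation of
    # correlated interactions, giving a historical mapping of each conveyance.
    chains = defaultdict(list)
    for src, dst, obj, ts in interactions:
        chains[obj].append((src, dst, ts))
    return chains

def detect_anomalies(interactions, baseline_until):
    # Flag a conveyance after the baseline whose (source, destination) pair never occurred in it.
    known = {(s, d) for s, d, _, ts in interactions if ts <= baseline_until}
    return [i for i in interactions if i[3] > baseline_until and (i[0], i[1]) not in known]

def trace_provenance(chains, obj, up_to_ts):
    # Forensics: reconstruct the ordered list of entities the object passed through up to `up_to_ts`.
    hops = [h for h in chains[obj] if h[2] <= up_to_ts]
    return ([hops[0][0]] + [dst for _, dst, _ in hops]) if hops else []

if __name__ == "__main__":
    inter = correlate(EVENTS)
    chains = build_map(inter)
    for src, dst, obj, ts in detect_anomalies(inter, baseline_until=500):
        print(f"anomalous conveyance {src} -> {dst} of {obj}; path: {trace_provenance(chains, obj, ts)}")
```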