US 11,924,235 B2
Leveraging user-behavior analytics for improved security event classification
Udi Yavo, Herzlia (IL); Roy Katmor, San Francisco, CA (US); and Ido Kelson, Tel-Aviv (IL)
Assigned to Fortinet, Inc., Sunnyvale, CA (US)
Filed by Fortinet, Inc., Sunnyvale, CA (US)
Filed on Jan. 17, 2023, as Appl. No. 18/155,186.
Application 18/155,186 is a continuation of application No. 16/709,352, filed on Dec. 10, 2019, granted, now 11,588,839.
Prior Publication US 2023/0179617 A1, Jun. 8, 2023
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 9/40 (2022.01); G06F 16/28 (2019.01); G06N 20/00 (2019.01)
CPC H04L 63/1425 (2013.01) [G06F 16/285 (2019.01); G06N 20/00 (2019.01); H04L 63/1416 (2013.01)] 23 Claims
OG exemplary drawing
 
1. A method comprising:
maintaining, by a User Entity Behavior Analytics (UEBA)-based security event service of a cloud-based security platform, information regarding historical user behavior of a plurality of users of an enterprise network;
responsive to an event associated with a process of an endpoint device that is part of the enterprise network, performing, by an endpoint protection platform running on the endpoint device, an initial classification of the event;
based on the initial classification being malicious, blocking, by the endpoint protection platform, activity by the process;
transmitting, from the endpoint protection platform, the initial classification of malicious to the cloud-based security platform, wherein the cloud-based security platform extracts commonality user behavior information associated with the event from the information regarding historical user behavior of a plurality of users using a machine-learning based approach;
receiving, to the endpoint protection platform, a reclassification of the event from malicious, based on the commonality user behavior; and
based on the reclassification not being malicious, unblocking, by the endpoint protection platform, activity by the process.
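The claim describes a round trip rather than a single decision: the endpoint classifies and blocks on its own, reports the block to the cloud, and only unblocks when the cloud reclassifies the event using how common the behaviour is across the enterprise's users. The simulation below is an added example, not code from the patent or from Fortinet. It stands in the machine-learning step with a plain commonality ratio (share of users with the same parent-to-child process behaviour on record), uses a constructed 100-user history and a constructed Office-spawns-shell rule for the endpoint's initial classification, and adds one thing a practitioner would insist on that the claim does not spell out: the unblock verdict is authenticated (HMAC over the verdict, bound to the event id) so that a forged "not malicious" message cannot release a blocked process. The threshold, key provisioning, and behaviour-key format are all assumptions.

```python
# Added example (not the patent's or Fortinet's code): the claimed
# block -> report -> reclassify -> unblock loop, with the ML step replaced
# by a plain commonality ratio and an HMAC on the verdict (both assumptions).
import hashlib, hmac, json
from collections import defaultdict

N_USERS = 100  # constructed enterprise size
# Constructed history held by the cloud: (user, parent_process, child_process).
HISTORY = [(f"user{i:03d}", "excel.exe", "cmd.exe") for i in range(30)]  # 30 users
HISTORY.append(("user077", "winword.exe", "powershell.exe"))              # 1 user
SHARED_SECRET = b"per-tenant-secret-from-enrolment"  # assumed key provisioning

def signature(parent, child):
    """Behaviour key both sides agree on (assumed format)."""
    return f"{parent.lower()}>{child.lower()}"

class UEBAService:
    """Cloud side: per-user behaviour history plus reclassification."""
    COMMON_THRESHOLD = 0.25  # assumption: on record for >=25% of users => common

    def __init__(self, history, n_users, secret):
        self.n_users, self.secret = n_users, secret
        self.users_by_sig = defaultdict(set)
        for user, parent, child in history:
            self.users_by_sig[signature(parent, child)].add(user)

    def commonality(self, sig):
        """Fraction of the enterprise's users with this behaviour on record."""
        return len(self.users_by_sig.get(sig, ())) / self.n_users

    def reclassify(self, report):
        """Answer an endpoint's 'malicious' report with a signed verdict."""
        score = self.commonality(report["sig"])
        verdict = {"event_id": report["event_id"], "sig": report["sig"],
                   "commonality": score,
                   "classification": "not_malicious" if score >= self.COMMON_THRESHOLD
                   else "malicious"}
        verdict["mac"] = mac(self.secret, verdict)
        return verdict

def mac(secret, verdict):
    """HMAC-SHA256 over the canonical JSON of the verdict minus its own mac."""
    body = {k: v for k, v in verdict.items() if k != "mac"}
    return hmac.new(secret, json.dumps(body, sort_keys=True).encode(),
                    hashlib.sha256).hexdigest()

class EndpointProtection:
    """Endpoint side: local classification, block, report, verified unblock."""
    OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}
    SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe"}

    def __init__(self, cloud, secret):
        self.cloud, self.secret, self.blocked, self.next_id = cloud, secret, set(), 1

    def initial_classify(self, parent, child):
        # Constructed local rule: an Office app spawning a shell is malicious
        # until the cloud says otherwise.
        suspicious = parent.lower() in self.OFFICE and child.lower() in self.SHELLS
        return "malicious" if suspicious else "benign"

    def verify(self, verdict, event_id, sig):
        """Reject verdicts that are forged, unsigned, or bound to another event."""
        return (hmac.compare_digest(mac(self.secret, verdict), verdict.get("mac", ""))
                and verdict.get("event_id") == event_id and verdict.get("sig") == sig)

    def handle(self, pid, parent, child):
        """Run the claimed sequence for one process event; return final state."""
        if self.initial_classify(parent, child) != "malicious":
            return "allowed"
        event_id, self.next_id = self.next_id, self.next_id + 1
        sig = signature(parent, child)
        self.blocked.add(pid)                     # block first, ask afterwards
        report = {"event_id": event_id, "sig": sig, "classification": "malicious"}
        verdict = self.cloud.reclassify(report)   # stands in for the network hop
        if self.verify(verdict, event_id, sig) and verdict["classification"] == "not_malicious":
            self.blocked.discard(pid)
            return "unblocked"
        return "blocked"                          # untrusted or still-malicious verdict

def demo():
    cloud = UEBAService(HISTORY, N_USERS, SHARED_SECRET)
    agent = EndpointProtection(cloud, SHARED_SECRET)
    results = {"excel>cmd": agent.handle(4242, "excel.exe", "cmd.exe"),
               "winword>powershell": agent.handle(4243, "winword.exe", "powershell.exe"),
               "winword>notepad": agent.handle(4244, "winword.exe", "notepad.exe")}
    return results, sorted(agent.blocked)

if __name__ == "__main__":
    print(demo())
```

Running `demo()` unblocks the Excel-to-cmd.exe process (30 of 100 users have that behaviour on record, above the assumed 25% threshold), keeps the Word-to-PowerShell process blocked (one user), and never blocks the Word-to-Notepad process because the local rule does not flag it. Two caveats apply to any real deployment of this pattern. First, the unblock path is the security-critical one: an attacker who can inject a "not malicious" verdict defeats the endpoint entirely, so the verdict must be authenticated and bound to the specific event, as the `verify` step does here, on top of whatever transport protection exists. Second, commonality on its own cuts both ways: behaviour that is widespread because a worm or a malicious update spread it will also score as common, so a production reclassifier needs more than prevalence (the claim leaves the machine-learning details open, and this example does not try to fill them in).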