US 12,267,347 B2
System and method for comprehensive data loss prevention and compliance management
Jason Crabtree, Vienna, VA (US); and Andrew Sellers, Monument, CO (US)
Assigned to QOMPLX LLC, Reston, VA (US)
Filed by QPX LLC, New York, NY (US)
Filed on Sep. 4, 2023, as Appl. No. 18/460,667.
Application 18/460,667 is a continuation of application No. 17/589,811, filed on Jan. 31, 2022, granted, now 11,750,631.
Application 17/589,811 is a continuation of application No. 16/896,764, filed on Jun. 9, 2020, granted, now 11,297,088, issued on Apr. 5, 2022.
Application 16/896,764 is a continuation of application No. 16/191,054, filed on Nov. 14, 2018, granted, now 10,681,074, issued on Jun. 9, 2020.
Application 16/191,054 is a continuation in part of application No. 15/655,113, filed on Jul. 20, 2017, granted, now 10,735,456, issued on Aug. 4, 2020.
Application 15/655,113 is a continuation in part of application No. 15/616,427, filed on Jun. 7, 2017, abandoned.
Application 15/616,427 is a continuation in part of application No. 14/925,974, filed on Oct. 28, 2015, abandoned.
Application 15/655,113 is a continuation in part of application No. 15/237,625, filed on Aug. 15, 2016, granted, now 10,248,910, issued on Apr. 2, 2019.
Application 15/237,625 is a continuation in part of application No. 15/206,195, filed on Jul. 8, 2016, abandoned.
Application 15/206,195 is a continuation in part of application No. 15/186,453, filed on Jun. 18, 2016, abandoned.
Application 15/186,453 is a continuation in part of application No. 15/166,158, filed on May 26, 2016, abandoned.
Application 15/166,158 is a continuation in part of application No. 15/141,752, filed on Apr. 28, 2016, granted, now 10,860,962, issued on Dec. 8, 2020.
Application 15/141,752 is a continuation in part of application No. 15/091,563, filed on Apr. 5, 2016, granted, now 10,204,147, issued on Feb. 12, 2019.
Application 15/141,752 is a continuation in part of application No. 14/986,536, filed on Dec. 31, 2015, granted, now 10,210,255, issued on Feb. 19, 2019.
Application 15/141,752 is a continuation in part of application No. 14/925,974, filed on Oct. 28, 2015, abandoned.
Prior Publication US 2023/0421593 A1, Dec. 28, 2023
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 9/40 (2022.01); H04L 43/045 (2022.01); H04L 43/08 (2022.01); G06F 21/57 (2013.01)
CPC H04L 63/1425 (2013.01) [H04L 43/045 (2013.01); H04L 43/08 (2013.01); H04L 63/1433 (2013.01); G06F 21/577 (2013.01)] 12 Claims
OG exemplary drawing
 
1. A system for comprehensive data loss prevention and compliance management, comprising:
a computing system comprising a processor and a memory;
an observation and state estimation subsystem comprising a first plurality of programming instructions stored in the memory and operating on the processor, wherein the first plurality of programming instructions, when operating on the processor, cause the computing system to:
produce a cyber-physical graph representing a plurality of connected resources on a network, wherein:
the connected resources comprise one or more of people, devices, systems, and organizations within the network;
the cyber-physical graph comprises nodes representing the connected resources, with each node having one or more properties associated with the connected resource represented by that node;
the cyber-physical graph comprises edges representing logical or physical relationships between pairs of the connected resources; and
the cyber-physical graph includes information about sensitive data stored on one or more of the connected resources; and
an activity monitoring subsystem comprising a second plurality of programming instructions stored in the memory and operating on the processor, wherein the second plurality of programming instructions, when operating on the processor, cause the computing system to:
collect data from a plurality of sources within the network, wherein the plurality of sources includes one or more of: system endpoints, infrastructure servers, perimeter security devices, and network security monitoring tools;
analyze the collected data to identify sensitive data stored on one or more of the connected resources;
update the cyber-physical graph to include information about the identified sensitive data and its location; and
generate expected behavior data of at least some of the plurality of connected resources on the network by applying a behavioral model to nodes of the cyber-physical graph;
generate actual behavior data of at least some of the plurality of connected resources on the network from time-series data comprising a record of network events and the respective times at which each network event occurred;
detect a deviation between the actual behavior data and the expected behavior data for a first node by comparing properties of the expected behavior data of the first node with properties of the actual behavior data of the first node;
when a deviation is detected, transmit data relevant to the deviation to a risk analysis and scoring subsystem; and
the risk analysis and scoring subsystem comprising a third plurality of programming instructions stored in the memory and operating on the processor, wherein the third plurality of programming instructions, when operating on the processor, cause the computing system to:
receive data relevant to the deviation;
analyze severity of a threat posed by the deviation using at least one analysis algorithm; and
generate a risk score based on a plurality of factors that indicate the severity of the threat.
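The claim above describes a pipeline, not an implementation: a cyber-physical graph with typed nodes, properties and edges; expected behaviour derived by applying a model to graph nodes; actual behaviour aggregated from timestamped network events; a per-node comparison that yields a deviation; and a multi-factor risk score. The following is an added, self-contained Python sketch of that pipeline written for this page. It is not the patentee's code and makes no claim about how the patented system is built. Every node name, event record, role, threshold and weight is constructed for the example (the external address is from the TEST-NET-3 documentation range); the behavioural model is deliberately simple, taking expected peers from graph edges and expected volume from a per-role table.

```python
"""Illustrative data-loss-prevention pipeline: graph -> expected behaviour ->
actual behaviour from time-series events -> deviation -> risk score.
All names, events, roles, thresholds and weights are constructed for this
example; none come from the patent or from any real product."""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    kind: str                                   # "person", "device", "system", ...
    props: dict = field(default_factory=dict)   # e.g. {"role": "workstation"}


@dataclass
class CyberPhysicalGraph:
    nodes: dict = field(default_factory=dict)
    edges: set = field(default_factory=set)     # (src, dst, relation)

    def add_node(self, n: Node) -> None:
        self.nodes[n.name] = n

    def add_edge(self, a: str, b: str, rel: str) -> None:
        self.edges.add((a, b, rel))

    def neighbours(self, name: str) -> set:
        """Logical/physical relationships in either direction."""
        return ({b for a, b, _ in self.edges if a == name}
                | {a for a, b, _ in self.edges if b == name})

    def tag_sensitive(self, name: str, classes: set) -> None:
        """Activity-monitoring step: record discovered sensitive data on a node."""
        self.nodes[name].props.setdefault("sensitive_data", set()).update(classes)


# Behavioural model (constructed): expected peers are the node's graph neighbours,
# expected hourly egress is a per-role ceiling.
ROLE_BYTES_PER_HOUR = {"workstation": 50_000_000, "fileserver": 2_000_000_000,
                       "printer": 5_000_000}


def expected_behaviour(g: CyberPhysicalGraph, name: str) -> dict:
    role = g.nodes[name].props.get("role")
    return {"peers": g.neighbours(name),
            "max_bytes_per_hour": ROLE_BYTES_PER_HOUR.get(role, 10_000_000)}


def actual_behaviour(events: list, name: str, hour: int) -> dict:
    """events are (ts_seconds, src, dst, bytes); aggregate one node's outbound
    traffic inside one hour-long window."""
    peers, total = set(), 0
    for ts, src, dst, nbytes in events:
        if src == name and ts // 3600 == hour:
            peers.add(dst)
            total += nbytes
    return {"peers": peers, "bytes": total}


def detect_deviation(exp: dict, act: dict):
    """Compare properties of expected vs actual behaviour for one node.
    Returns None when the node is within its model."""
    unexpected = act["peers"] - exp["peers"]
    ratio = act["bytes"] / exp["max_bytes_per_hour"]
    if not unexpected and ratio <= 1.0:
        return None
    return {"unexpected_peers": unexpected, "volume_ratio": ratio}


def risk_score(g: CyberPhysicalGraph, name: str, dev: dict) -> float:
    """Weighted sum of factors (weights are constructed), capped at 100."""
    sensitive = g.nodes[name].props.get("sensitive_data", set())
    score = 15.0 * min(len(dev["unexpected_peers"]), 3)   # new peers, saturating
    score += 20.0 * min(dev["volume_ratio"], 2.0)          # egress vs ceiling
    score += 10.0 * len(sensitive)                         # per class of sensitive data
    if any(p not in g.nodes for p in dev["unexpected_peers"]):
        score += 15.0                                      # destination unknown to the graph
    return round(min(score, 100.0), 1)


def run_pipeline(g: CyberPhysicalGraph, events: list, name: str, hour: int):
    dev = detect_deviation(expected_behaviour(g, name), actual_behaviour(events, name, hour))
    return dev, (None if dev is None else risk_score(g, name, dev))


def build_sample():
    """Constructed graph and events: a workstation that holds PII starts
    sending 80 MB to an address that is not in the graph."""
    g = CyberPhysicalGraph()
    g.add_node(Node("alice", "person"))
    g.add_node(Node("ws1", "device", {"role": "workstation"}))
    g.add_node(Node("fs1", "system", {"role": "fileserver"}))
    g.add_node(Node("printer", "device", {"role": "printer"}))
    g.add_edge("alice", "ws1", "owns")
    g.add_edge("ws1", "fs1", "uses")
    g.add_edge("ws1", "printer", "prints_to")
    g.tag_sensitive("ws1", {"PII"})
    events = [(100, "ws1", "fs1", 10_000_000),
              (200, "ws1", "printer", 1_000_000),
              (300, "ws1", "203.0.113.7", 80_000_000),   # TEST-NET-3, constructed
              (400, "fs1", "ws1", 10_000_000)]
    return g, events


if __name__ == "__main__":
    g, events = build_sample()
    for node in ("fs1", "ws1"):
        print(node, run_pipeline(g, events, node, 0))
```

The file server stays within its model (its only peer is a graph neighbour and its volume is far below the ceiling), so no deviation is raised for it. The workstation trips two checks at once, an unknown destination and egress 1.82x its ceiling, and the presence of tagged sensitive data on that node lifts the score further; in a real deployment the weights, the role table and the sensitivity classes would come from the graph's own properties rather than from constants.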