CPC G06F 21/60 (2013.01) [G06F 21/50 (2013.01); H04L 51/046 (2013.01); H04L 51/08 (2013.01)]
22 Claims
1. A method comprising:
(a) obtaining message metadata and screenshot metadata;
(b) matching a screenshot corresponding to the screenshot metadata with an electronic message corresponding to the message metadata and having one or more file attachments to generate an event, wherein the screenshot metadata indicates that the screenshot was captured prior to when the message metadata indicates the electronic message was sent by a sender;
(c) determining an anomaly score for the event by applying unsupervised machine learning to score the event relative to a baseline; and
(d) determining that the anomaly score meets or exceeds an anomaly threshold,
wherein multiple screenshots are captured prior to when the electronic message was sent, and the screenshot used to generate the event is one of the multiple screenshots, and
wherein:
of all the multiple screenshots, the screenshot used to generate the event was captured most recently to when the electronic message was sent, or
at least one of the multiple screenshots was captured more recently to when the electronic message was sent than the screenshot used to generate the event.
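An added sketch of steps (b) through (d), not code from the patent or its applicant. The 600-second look-back window, the scored feature (the number of prior screenshots) and the robust z-score standing in for the unspecified unsupervised model are all assumptions, as are the names and the constructed sample data.

```python
from dataclasses import dataclass
from statistics import median

@dataclass
class Screenshot:
    user: str
    captured_at: float   # epoch seconds

@dataclass
class Message:
    sender: str
    sent_at: float       # epoch seconds
    attachments: int

def match_events(messages, screenshots, window=600.0, most_recent=True):
    """Step (b): pair each message that has attachments with a prior screenshot."""
    events = []
    for m in messages:
        if m.attachments < 1:
            continue
        # Only screenshots by the sender, captured before the send time (window is assumed).
        prior = sorted(s.captured_at for s in screenshots
                       if s.user == m.sender and 0 < m.sent_at - s.captured_at <= window)
        if not prior:
            continue
        shot = prior[-1] if most_recent else prior[0]   # latest one, or an earlier one
        events.append({"sender": m.sender, "gap": m.sent_at - shot,
                       "shots": len(prior), "attachments": m.attachments})
    return events

def anomaly_score(value, baseline):
    """Step (c), assumed model: robust z-score against the baseline's median and MAD."""
    med = median(baseline)
    mad = median(abs(b - med) for b in baseline)
    scale = 1.4826 * mad if mad else 1.0   # avoid dividing by zero on a flat baseline
    return abs(value - med) / scale

def flag(events, baselines, threshold=3.5):
    """Step (d): keep events whose score meets or exceeds the threshold."""
    return [e for e in events
            if anomaly_score(e["shots"], baselines[e["sender"]]) >= threshold]

# Constructed sample data: per-sender history of prior-screenshot counts, then one day's activity.
HISTORY = [0, 1, 2, 1, 3, 2, 1, 0, 2]
BASELINES = {"alice": HISTORY, "bob": HISTORY}
SHOTS = [Screenshot("alice", t) for t in (500, 560, 620, 680, 740, 800, 990, 1010)]
SHOTS += [Screenshot("bob", 1900), Screenshot("carol", 2900)]
MSGS = [Message("alice", 1000, 2), Message("bob", 2000, 1), Message("carol", 3000, 0)]

if __name__ == "__main__":
    for e in flag(match_events(MSGS, SHOTS), BASELINES):
        print(e)
```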