US 11,989,310 B2
Method and system for facilitating identification of electronic data exfiltration
Nariman Mammadli, Toronto (CA); Dhanya Jothimani, Toronto (CA); Ramanpreet Singh, Toronto (CA); Cathal Smyth, Toronto (CA); Felix Kurmish, Toronto (CA); and Amit Kumar Tiwari, Toronto (CA)
Assigned to ROYAL BANK OF CANADA, Toronto (CA)
Filed by Royal Bank of Canada, Toronto (CA)
Filed on Dec. 14, 2021, as Appl. No. 17/550,783.
Prior Publication US 2023/0185926 A1, Jun. 15, 2023
Int. Cl. G06F 21/60 (2013.01); G06F 21/50 (2013.01); H04L 51/046 (2022.01); H04L 51/08 (2022.01)
CPC G06F 21/60 (2013.01) [G06F 21/50 (2013.01); H04L 51/046 (2013.01); H04L 51/08 (2013.01)]
22 Claims
 
1. A method comprising:
(a) obtaining message metadata and screenshot metadata;
(b) matching a screenshot corresponding to the screenshot metadata with an electronic message corresponding to the message metadata and having one or more file attachments to generate an event, wherein the screenshot metadata indicates that the screenshot was captured prior to when the message metadata indicates the electronic message was sent by a sender;
(c) determining an anomaly score for the event by applying unsupervised machine learning to score the event relative to a baseline; and
(d) determining that the anomaly score meets or exceeds an anomaly threshold,
wherein multiple screenshots are captured prior to when the electronic message was sent, and the screenshot used to generate the event is one of the multiple screenshots, and
wherein:
of all the multiple screenshots, the screenshot used to generate the event was captured most recently to when the electronic message was sent, or
at least one of the multiple screenshots was captured more recently to when the electronic message was sent than the screenshot used to generate the event.
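
An added sketch of steps (a) to (d) of claim 1, not code from the patent or its assignee. It assumes screenshots are matched to the sender's own messages within a 15-minute window, uses two hypothetical features (prior screenshot count and attachment bytes), and substitutes a median/MAD robust z-score for the unsupervised model, which the claim does not specify; all names, the window, the threshold and the sample data are assumptions.

```python
from dataclasses import dataclass
from statistics import median

@dataclass
class Screenshot:
    user: str
    ts: float            # capture time, epoch seconds

@dataclass
class Message:
    sender: str
    ts: float            # send time, epoch seconds
    attachments: int     # number of file attachments
    size: int            # total attachment bytes

def match_events(messages, screenshots, window=900.0):
    # Step (b): pair each message that has attachments with the sender's most
    # recent screenshot captured before the send time (assumed window, seconds).
    events = []
    for m in messages:
        if m.attachments < 1:
            continue
        prior = [s.ts for s in screenshots
                 if s.user == m.sender and 0 < m.ts - s.ts <= window]
        if prior:
            events.append({"sender": m.sender, "shot_ts": max(prior),
                           "shots": len(prior), "size": m.size})
    return events

def anomaly_score(event, baseline):
    # Step (c): largest robust z-score of the event's features against the
    # baseline events; no labels are used (stand-in for the unsupervised model).
    score = 0.0
    for f in ("shots", "size"):
        vals = [b[f] for b in baseline]
        med = median(vals)
        mad = median(abs(v - med) for v in vals) or 1.0  # guard zero spread
        score = max(score, abs(event[f] - med) / (1.4826 * mad))
    return score

def flag(events, baseline, threshold=3.5):
    # Step (d): keep events whose score meets or exceeds the threshold.
    return [e for e in events if anomaly_score(e, baseline) >= threshold]

# Constructed sample data (not from the patent).
BASELINE = [{"shots": n, "size": z} for n, z in
            [(1, 40_000), (1, 55_000), (2, 60_000), (1, 48_000), (2, 52_000)]]
SHOTS = ([Screenshot("alice", t) for t in (1000, 1150, 1300)]
         + [Screenshot("bob", 4900 + 10 * i) for i in range(8)])
MESSAGES = [Message("alice", 1200, 1, 50_000), Message("bob", 5000, 3, 58_000),
            Message("carol", 1200, 0, 0), Message("dave", 1200, 1, 9_000)]
```

In the sample, the message with no attachment and the message with no prior screenshot produce no event, and the screenshot captured after the send time is ignored.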