US 12,348,537 B2
Determining trusted file awareness via loosely connected events and file attributes
Bradley David Bebchuk, St. Louis Park, MN (US); Elizabeth Verity Hammon Macgregor, Denver, CO (US); Rohit Kumar Bagda, St. Paul, MN (US); Shane Zako, Minneapolis, MN (US); Trevor Michael Tungseth, New Hope, MN (US); Nicholas Alexander Winninger, Minneapolis, MN (US); Erik Allan Hagen, Minneapolis, MN (US); and Eric Tracy Christensen, Golden, CO (US)
Assigned to Code42 Software, Inc., Minneapolis, MN (US)
Filed by Code42 Software, Inc., Minneapolis, MN (US)
Filed on May 8, 2024, as Appl. No. 18/658,288.
Application 18/658,288 is a continuation of application No. 17/468,285, filed on Sep. 7, 2021, granted, now 12,003,518.
Prior Publication US 2024/0364713 A1, Oct. 31, 2024
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 9/40 (2022.01); G06F 16/16 (2019.01)
CPC H04L 63/1416 (2013.01) [G06F 16/164 (2019.01); H04L 2463/121 (2013.01)]
20 Claims
1. A method for detecting file system element exfiltration to or from a network-based service, the method comprising:
receiving a first file system element event from a first source type, the first file system element event describing events associated with a file system element of a file system corresponding to the first source type, wherein the first source type is one of a client computing device or the network-based service;
determining whether the first file system element event from the first source type corresponds to any file system element events in a set of previously received file system element events corresponding to a second source type, wherein the second source type is the client computing device when the first source type is the network-based service and the network-based service when the first source type is the client computing device, wherein the determination is based at least in part on:
a comparison of an identifier indicative of an identity of a file system element associated with the first file system element event to identities of file system elements associated with the previously received file system element events, wherein the identifier is derived from one or more attributes of a corresponding file system element; and
a comparison of a timestamp associated with the first file system element event to timestamps associated with the previously received file system element events, wherein the events match only if the timestamps are within a predetermined time threshold of each other;
responsive to determining that the first file system element event from the first source type does not correspond to any of the file system element events in the set of the previously received file system element events from the second source type, tagging the first file system element event as unmatched; and
transmitting, over a network, an indication that the first file system element event is unmatched to a computing device.
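The matching step of claim 1, sketched as an added example; it is not code from the patent or from Code42. Assumptions: the identifier is a SHA-256 over file name and size, the time threshold is 300 seconds, and the `Event` fields, `Correlator` and `process` names are hypothetical. An event is compared only against events already received from the other source type, so the first sample event is tagged unmatched.

```python
import hashlib
import json
from dataclasses import dataclass

CLIENT, SERVICE = "client", "service"   # the two source types in the claim
THRESHOLD_S = 300                       # assumed "predetermined time threshold"

@dataclass
class Event:                            # hypothetical event shape
    source: str
    name: str
    size: int
    ts: float                           # seconds since epoch

def element_id(ev: Event) -> str:
    """Identifier derived from file attributes (assumed: name + size)."""
    return hashlib.sha256(f"{ev.name}\x00{ev.size}".encode()).hexdigest()

class Correlator:
    def __init__(self):
        # source type -> element id -> timestamps of previously received events
        self.seen = {CLIENT: {}, SERVICE: {}}

    def receive(self, ev: Event) -> str:
        other = SERVICE if ev.source == CLIENT else CLIENT
        fid = element_id(ev)
        prior = self.seen[other].get(fid, [])
        # Both conditions must hold: same identifier AND timestamps in window.
        matched = any(abs(ev.ts - t) <= THRESHOLD_S for t in prior)
        self.seen[ev.source].setdefault(fid, []).append(ev.ts)
        return "matched" if matched else "unmatched"

def process(events):
    """Return (tags, JSON indications for the unmatched events)."""
    c, tags, out = Correlator(), [], []
    for ev in events:
        tag = c.receive(ev)
        tags.append(tag)
        if tag == "unmatched":  # payload that would be sent over the network
            out.append(json.dumps({"id": element_id(ev), "source": ev.source,
                                   "ts": ev.ts, "tag": tag}))
    return tags, out

SAMPLE = [  # constructed sample events, in arrival order
    Event(CLIENT, "roadmap.xlsx", 20480, 1000.0),   # nothing from service yet
    Event(SERVICE, "roadmap.xlsx", 20480, 1040.0),  # same id, 40 s apart
    Event(SERVICE, "payroll.csv", 9216, 2000.0),    # no client counterpart
    Event(CLIENT, "roadmap.xlsx", 20480, 5000.0),   # same id, outside window
]
```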