US 11,743,294 B2
Retrospective learning of communication patterns by machine learning models for discovering abnormal behavior
Sanjay Jeyakumar, Berkeley, CA (US); Jeshua Alexis Bratman, Brooklyn, NY (US); Dmitry Chechik, San Carlos, CA (US); Abhijit Bagri, Oakland, CA (US); Evan James Reiser, San Francisco, CA (US); Sanny Xiao Yang Liao, San Francisco, CA (US); Yu Zhou Lee, San Francisco, CA (US); Carlos Daniel Gasperi, New York, NY (US); Kevin Lau, Long Island, NY (US); Kai Jing Jiang, San Francisco, CA (US); Su Li Debbie Tan, San Mateo, CA (US); Jeremy Kao, Corona, CA (US); and Cheng-Lin Yeh, Menlo Park, CA (US)
Assigned to Abnormal Security Corporation, San Francisco, CA (US)
Filed by Abnormal Security Corporation, San Francisco, CA (US)
Filed on Jun. 28, 2021, as Appl. No. 17/361,106.
Application 17/361,106 is a continuation of application No. 16/927,335, filed on Jul. 13, 2020, granted, now 11,050,793.
Application 16/927,335 is a continuation in part of application No. PCT/US2019/067279, filed on Dec. 18, 2019.
Application PCT/US2019/067279 is a continuation in part of application No. 16/672,854, filed on Nov. 4, 2019.
Claims priority of provisional application 62/813,603, filed on Mar. 4, 2019.
Claims priority of provisional application 62/807,888, filed on Feb. 20, 2019.
Claims priority of provisional application 62/782,158, filed on Dec. 19, 2018.
Prior Publication US 2021/0329035 A1, Oct. 21, 2021
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 29/06 (2006.01); G06N 20/00 (2019.01); H04L 9/40 (2022.01)
CPC H04L 63/20 (2013.01) [G06N 20/00 (2019.01); H04L 63/102 (2013.01); H04L 63/1416 (2013.01); H04L 63/1433 (2013.01); H04L 63/1441 (2013.01)]
24 Claims
1. A method comprising:
establishing, via an application programming interface, a connection with a storage medium that includes information related to communication activities of an enterprise;
downloading, via the application programming interface, a series of communications received by an employee over an interval of time;
providing the series of communications to a machine learning (ML) model as training data, so as to produce a trained ML model that is able to identify deviations in features, content, or context of communications received by the employee;
storing the trained ML model in a profile that is associated with the employee or the enterprise;
generating a statistical profile that includes at least one score by providing at least two attributes of a first communication to the trained ML model as input, wherein each score corresponds to a pair of attributes selected from amongst the at least two attributes, and wherein each score is based on an analysis of the corresponding pair of attributes by the trained ML model; and
determining, based on the statistical profile, whether the first communication represents a security risk, including by comparing each score in the statistical profile to a corresponding threshold that is calibrated based on a threshold at which at least one of false positives or false negatives are to be generated by the trained ML model.
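
The last two steps of claim 1 (a score per pair of attributes, each compared to a threshold calibrated to an error rate) can be sketched as follows. This is an added illustration, not code from the patent or from the assignee: the claim does not specify the model, so the conditional-rarity score, the attribute names, the sample messages and the 5% false-positive target are all assumptions.

```python
from collections import Counter
from itertools import combinations

# Constructed sample: 100 messages received by one employee (hypothetical attributes).
HISTORY = (
    [{"display_name": "Ana Ruiz", "from_domain": "vendor.example", "reply_to_domain": "vendor.example"}] * 40
    + [{"display_name": "IT Helpdesk", "from_domain": "corp.example", "reply_to_domain": "corp.example"}] * 55
    + [{"display_name": "Ana Ruiz", "from_domain": "mail.example", "reply_to_domain": "vendor.example"}] * 5
)

def train(messages):
    """Stand-in for the trained model: counts of attribute values and value pairs."""
    singles, pairs = Counter(), Counter()
    for msg in messages:
        singles.update(msg.items())
        for a, b in combinations(sorted(msg), 2):
            pairs[(a, msg[a], b, msg[b])] += 1
    return singles, pairs

def statistical_profile(model, msg):
    """One score per attribute pair: 1 - P(second value | first value); 1.0 if unseen."""
    singles, pairs = model
    profile = {}
    for a, b in combinations(sorted(msg), 2):
        seen = singles[(a, msg[a])]
        together = pairs[(a, msg[a], b, msg[b])]
        profile[(a, b)] = 1.0 if seen == 0 else 1.0 - together / seen
    return profile

def calibrate(model, benign, target_fpr=0.05):
    """Per-pair threshold that at most target_fpr of known-benign mail exceeds."""
    by_pair = {}
    for msg in benign:
        for pair, score in statistical_profile(model, msg).items():
            by_pair.setdefault(pair, []).append(score)
    thresholds = {}
    for pair, scores in by_pair.items():
        scores.sort()
        allowed = int(target_fpr * len(scores))  # tolerated false positives
        thresholds[pair] = scores[max(len(scores) - allowed - 1, 0)]
    return thresholds

def flagged_pairs(model, thresholds, msg):
    """Attribute pairs whose score exceeds the calibrated threshold (empty = no risk)."""
    profile = statistical_profile(model, msg)
    return sorted(p for p, s in profile.items() if s > thresholds.get(p, 0.0))

MODEL = train(HISTORY)
# Simplification: calibrated on the training history instead of a held-out benign set.
THRESHOLDS = calibrate(MODEL, HISTORY)
```

A known sender name arriving from an unseen domain exceeds every pair threshold, while the rare but legitimate "mail.example" variant is also flagged, which is the false-positive cost that the calibration target sets.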