US 12,120,140 B2
Detecting threats against computing resources based on user behavior changes
Harish Kumar Bharat Singh, Pleasanton, CA (US); Vikram Kapoor, Cupertino, CA (US); Murat Bog, Fremont, CA (US); and Yijou Chen, Cupertino, CA (US)
Assigned to Fortinet, Inc., Sunnyvale, CA (US)
Filed by Lacework, Inc., Mountain View, CA (US)
Filed on May 11, 2023, as Appl. No. 18/196,149.
Application 18/196,149 is a continuation of application No. 17/196,887, filed on Mar. 9, 2021, granted, now 11,689,553.
Application 17/196,887 is a continuation of application No. 16/459,207, filed on Jul. 1, 2019, granted, now 10,986,114, issued on Apr. 20, 2021.
Application 16/459,207 is a continuation of application No. 16/134,821, filed on Sep. 18, 2018, granted, now 10,419,469, issued on Sep. 17, 2019.
Claims priority of provisional application 62/650,971, filed on Mar. 30, 2018.
Claims priority of provisional application 62/590,986, filed on Nov. 27, 2017.
Prior Publication US 2024/0031390 A1, Jan. 25, 2024
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 29/06 (2006.01); G06F 9/455 (2018.01); G06F 9/54 (2006.01); G06F 16/901 (2019.01); G06F 16/9038 (2019.01); G06F 16/9535 (2019.01); G06F 16/9537 (2019.01); G06F 21/57 (2013.01); H04L 9/40 (2022.01); H04L 43/045 (2022.01); H04L 43/06 (2022.01); H04L 67/306 (2022.01); H04L 67/50 (2022.01); G06F 16/2455 (2019.01)
CPC H04L 63/1425 (2013.01) [G06F 9/455 (2013.01); G06F 9/545 (2013.01); G06F 16/9024 (2019.01); G06F 16/9038 (2019.01); G06F 16/9535 (2019.01); G06F 16/9537 (2019.01); G06F 21/57 (2013.01); H04L 43/045 (2013.01); H04L 43/06 (2013.01); H04L 63/10 (2013.01); H04L 67/306 (2013.01); H04L 67/535 (2022.05); G06F 16/2456 (2019.01)]
20 Claims
 
1. A method comprising:
generating, based on log data associated with at least one user session in a network environment associated with a user, a logical graph, wherein the logical graph comprises: (1) a first node corresponding to the user, (2) a plurality of additional nodes, and (3) a set of edges connecting the first node to one or more of the additional nodes, wherein each edge in the set of edges represents a change in behavior of the user;
using the logical graph to detect an anomaly, wherein detecting the anomaly includes determining that a change has been made to at least one edge included in the set of edges; and
generating, in response to detecting the anomaly, an alert.