Correlating Network Event Anomalies Using Active And Passive External Reconnaissance To Identify Attack Information

Patent No. US12301627 (titled "Correlating Network Event Anomalies Using Active And Passive External Reconnaissance To Identify Attack Information") was filed by Qomplx Llc on Sep 20, 2024.

’627 is related to the field of cybersecurity and threat analytics, specifically addressing the challenge of understanding and mitigating cyberattacks within complex network environments. Existing cybersecurity rating methods often fail to adequately profile and rate organizations because they don't incorporate sufficient information about the organization's infrastructure, operations, and the relationships between network components. The patent aims to improve the identification of attack patterns and points of origin by correlating anomalous network events.

The underlying idea behind ’627 is to create a cyber-physical graph that models an organization's entire infrastructure, including network devices, users, data assets, and their interrelationships. By analyzing this graph in conjunction with real-time network event data, the system can identify anomalous events, trace attack pathways, and pinpoint the origin of attacks. The key insight is that understanding the relationships between network entities is crucial for effective threat detection and mitigation.

The claims of ’627 focus on a computer system that stores a representation of a directed graph in hardware memory. This graph comprises nodes representing entities (accounts, resources) and edges representing relationships between those entities. The system receives streaming data about network events, identifies new entities and relationships not already in the graph, modifies the graph to include them, and then uses the updated graph to identify potential attack paths involving the new entity. Finally, the system generates a report identifying the involved entities.

In practice, the system continuously monitors network traffic and security logs, identifying deviations from normal behavior. When an anomaly is detected, the system uses the cyber-physical graph to trace the potential attack path, identifying which resources are at risk and how the attacker might be moving through the network. This allows security teams to quickly understand the scope of the attack and take appropriate action to contain it. The system also uses machine learning to refine its understanding of normal behavior and improve its ability to detect anomalies.

The invention differentiates itself from prior approaches by combining real-time network monitoring with a comprehensive model of the organization's infrastructure. Traditional security systems often rely on signature-based detection or simple anomaly detection, which can be easily bypassed by sophisticated attackers. By using a cyber-physical graph, the system can identify attack paths even when the individual events are not inherently malicious. This approach provides a more holistic and proactive approach to cybersecurity, enabling organizations to better protect themselves from evolving threats.

How does this patent fit in bigger picture?

Technical landscape at the time

In the mid-2020s when ’627 was filed, cybersecurity systems commonly relied on graph databases and real-time data analysis to detect and mitigate network threats. At a time when anomaly detection was typically implemented using machine learning algorithms, systems commonly relied on distributed computing architectures to handle large volumes of network data. Hardware and software constraints made real-time graph analysis and anomaly correlation non-trivial.

Novelty and Inventive Step

The examiner allowed the claims because the prior art, specifically Neil and Altman, did not disclose the specific combination of limitations recited in the independent claims. These limitations include identifying an attack path based on a modified graph representation, where the attack path involves identifying a second and third entity reachable from the first entity, and generating a report identifying these entities. The examiner also noted that Neil discloses "detecting anomalous behavior in a network" and Altman teaches “detecting online attacks,” but neither reference teaches the specific combination of limitations in the claims.

Claims

This patent contains 28 claims, with independent claims 1 and 18. The independent claims focus on a computer system that uses graph representations of entities and their relationships to identify attack paths based on streaming data. The dependent claims generally elaborate on specific aspects of attack path identification, graph modification, event analysis, and system configurations.

Key Claim Terms New

Definitions of key terms used in the patent claims.

Term (Source)	Support for Specification	Interpretation
Attack path (Claim 1, Claim 18)	“Accordingly, the inventor has developed a system and method for correlating network event anomalies using active and passive reconnaissance to identify attack information, that can identify attack patterns and points of origin based on observed anomalies and their relationships to other observed network events.”	A route through the graph that could be involved in an attack, involving a sequence of entities and relationships.
Cyber-physical graph (Claim 1)	“According to a preferred embodiment, a system for correlating network event anomalies to identify attack information, comprising: a cyber-physical graph module comprising a first plurality of programming instructions stored in a memory of, and operating on a processor of, a computing device, wherein the first plurality of programming instructions, when operating on the processor, cause the computing device to create a cyber-physical graph of the organization using the information, the cyber-physical graph comprising nodes representing entities associated with the organization and edges representing relationships between entities associated with the organization”	A graph of the organization using the information, the cyber-physical graph comprising nodes representing entities associated with the organization and edges representing relationships between entities associated with the organization
Directed graph (Claim 1, Claim 18)	“According to an aspect of an embodiment, a directed computational graph is used, comprising nodes representing data transformations and edges representing communications between the nodes; wherein a plurality of nodes represents a data transformation pipeline; and wherein the directed computational graph is used to direct a workflow in the system.”	A graph where the edges have a direction, indicating a one-way relationship between entities.
Normal behavior model (Claim 1)	“a reconnaissance engine comprising a second plurality of programming instructions stored in the memory of, and operating on the processor of, the computing device, wherein the second plurality of programming instructions, when operating on the processor, cause the computing device to: perform a reconnaissance search using the cyber-physical graph; and apply some or all of the results of the reconnaissance search to the cyber-physical graph to create a normal behavior model for a plurality of nodes in the cyber-physical graph”	A model of expected behavior for nodes in the cyber-physical graph, created using reconnaissance search results.
Streaming data (Claim 1, Claim 18)	“The system and method may further comprise gathering data about the totality of the organization's infrastructure and operations, particularly including the organization's network infrastructure, but also including such information as physical locations, data assets, corporate legal structure, etc., and gathering data about the organization's operations, including such information as business processes and policies, business process dependencies, prior data loss information and security breaches, and behavioral data for both devices and their users.”	Time-stamped data about events relating to one or more entities.

Litigation Cases New

US Latest litigation cases involving this patent.

Case Number	Filing Date	Title
1:25-cv-01383	Nov 14, 2025	Astellas Pharma Inc. v. Renata Limited
2:25-cv-00913	Oct 14, 2025	VeriDoc Systems LLC v. PlanRadar Inc

Patent Family

File Wrapper

The dossier documents provide a comprehensive record of the patent's prosecution history - including filings, correspondence, and decisions made by patent offices - and are crucial for understanding the patent's legal journey and any challenges it may have faced during examination.

Date
Description

Get instant alerts for new documents

Feb 10, 2026
Communication - Re: Power of Attorney (PTOL-308)
Feb 10, 2026
Communication - Re: Power of Attorney (PTOL-308)
Feb 2, 2026
Power of Attorney
Feb 2, 2026
Electronic Filing System Acknowledgment Receipt
May 13, 2025
Digitally signed official patent eGrant document
May 13, 2025
eGrant day-of Notification
Apr 30, 2025
Issue Notification
Apr 7, 2025
Issue Fee Payment (PTO-85B)
Apr 7, 2025
Electronic Filing System Acknowledgment Receipt
Apr 7, 2025
Electronic Fee Payment
Apr 7, 2025
Notice of Allowance and Fees Due (PTOL-85)
Apr 7, 2025
Examiner Interview Summary Record (PTOL - 413)
Apr 7, 2025
List of references cited by examiner
Apr 7, 2025
Index of Claims
Apr 7, 2025
Issue Information including classification, examiner, name, claim, renumbering, etc.
Apr 7, 2025
Search information including classification, databases and other search related notes
Apr 7, 2025
Bibliographic Data Sheet
Apr 7, 2025
Examiner's search strategy and results
Apr 7, 2025
Examiner's search strategy and results
Apr 7, 2025
Examiner's search strategy and results
Feb 27, 2025
Electronic Filing System Acknowledgment Receipt
Feb 27, 2025
Electronic Fee Payment
Feb 26, 2025
Notice of Additional Fee Due
Feb 14, 2025
Electronic Filing System Acknowledgment Receipt
Feb 14, 2025
Amendment/Request for Reconsideration-After Non-Final Rejection
Feb 14, 2025
Claims
Feb 14, 2025
Applicant Arguments/Remarks Made in an Amendment
Feb 14, 2025
Electronic Fee Payment
Feb 14, 2025
Terminal Disclaimer-Filed (Electronic)
Feb 14, 2025
Terminal Disclaimer-Electronic-Approved
Feb 14, 2025
Electronic Filing System Acknowledgment Receipt
Feb 13, 2025
Fee Worksheet (SB06)
Jan 23, 2025
Notice of Publication
Jan 22, 2025
Examiner Interview Summary Record (PTOL - 413)
Jan 22, 2025
Office Action Appendix
Dec 6, 2024
Examiner Interview Summary Record (PTOL - 413)
Nov 29, 2024
Examiner Interview Summary Record (PTOL - 413)
Nov 13, 2024
Non-Final Rejection
Nov 13, 2024
List of references cited by examiner
Nov 13, 2024
Search information including classification, databases and other search related notes
Nov 13, 2024
Index of Claims
Nov 13, 2024
Bibliographic Data Sheet
Nov 13, 2024
Examiner's search strategy and results
Nov 13, 2024
List of References cited by applicant and considered by examiner
Nov 7, 2024
Assignment Record
Nov 6, 2024
Patent Assignment Verification
Oct 30, 2024
Track One request Granted
Oct 15, 2024
Filing Receipt
Oct 15, 2024
Fee Worksheet (SB06)
Oct 3, 2024
Applicant Response to Pre-Exam Formalities Notice
Oct 3, 2024
Electronic Filing System Acknowledgment Receipt
Oct 3, 2024
Electronic Fee Payment
Oct 2, 2024
Filing Receipt
Oct 2, 2024
Fee Worksheet (SB06)
Oct 2, 2024
Notice to File Missing Parts
Oct 2, 2024
Welcome Letter from USPTO Director and Deputy Director
Sep 23, 2024
Fee Worksheet (SB06)
Sep 21, 2024
Electronic Filing System Acknowledgment Receipt
Sep 21, 2024
Electronic Filing System Acknowledgment Receipt
Sep 21, 2024
Application body structured text document
Sep 21, 2024
Oath or Declaration filed
Sep 21, 2024
Oath or Declaration filed
Sep 21, 2024
Electronic Filing System Acknowledgment Receipt
Sep 21, 2024
Application Data Sheet
Sep 21, 2024
Power of Attorney
Sep 21, 2024
Track One Request
Sep 21, 2024
Drawings-only black and white line drawings
Sep 21, 2024
Information Disclosure Statement (IDS) Form (SB08)
Sep 21, 2024
Oath or Declaration filed
Sep 21, 2024
Electronic Fee Payment
Sep 21, 2024
Specification
Sep 21, 2024
Claims
Sep 21, 2024
Abstract
Sep 21, 2024
Internet Communications Authorization
Sep 21, 2024
Drawings-black and white line and/or other drawings
Sep 20, 2024
Placeholder sheet indicating presence of supplemental content in Supplemental Complex Repository for Examiners(SCORE)
Sep 20, 2024
Transmittal Letter
Sep 20, 2024
Electronic Filing System Acknowledgment Receipt
Sep 20, 2024
Electronic Fee Payment

US12301627

QOMPLX LLC

Application Number: US18892283
Filing Date: Sep 20, 2024
Status: Granted
Expiry Date: Oct 28, 2035
External Links: Slate, USPTO, Google Patents

IP Verse