Correlating Network Event Anomalies Using Active And Passive External Reconnaissance To Identify Attack Information

Patent No. US12301628 (titled "Correlating Network Event Anomalies Using Active And Passive External Reconnaissance To Identify Attack Information") was filed by Qomplx Llc on Sep 20, 2024.

’628 is related to the field of cybersecurity and threat analytics, specifically addressing the problem of identifying attack pathways and points of origin within a network. Existing cybersecurity rating methods often fail to adequately profile and rate organizations because they don't incorporate sufficient information about the complex relationships between network components and other organizational assets. The patent aims to improve threat detection and mitigation by correlating anomalous network events and identifying attack patterns.

The underlying idea behind ’628 is to create a cyber-physical graph that models an organization's entire infrastructure, including network devices, users, resources, and their relationships. By analyzing this graph in conjunction with real-time network event data, the system can identify anomalous events, trace their connections to other network resources, and construct a behavior graph that reveals potential attack pathways. This allows for determining the origin and progression of an attack.

The claims of ’628 focus on a computer system that stores a representation of a directed graph in hardware memory. This graph represents entities (accounts, resources) and their relationships. The system receives streaming data about network events, identifies new entities and relationships not already in the graph, and modifies the graph accordingly. For anomalous events, the system performs correlations to identify related nodes and generates a second graph representing event flows that could be involved in a cybersecurity attack, ultimately generating a report with information about these flows.

In practice, the system continuously monitors network traffic and system logs, feeding this data into the cyber-physical graph. When an unusual event occurs, such as a user accessing a restricted file or a device communicating with a known malicious IP address, the system flags it as an anomaly. It then uses the graph to trace the connections between the anomalous event and other network resources, identifying potential attack pathways. This allows security personnel to quickly understand the scope and impact of the attack.

The key differentiation from prior approaches lies in the use of a comprehensive cyber-physical graph and real-time data analysis to identify attack pathways. Instead of simply detecting individual anomalies, the system correlates these events to reveal the underlying attack patterns and points of origin. This proactive approach enables more effective threat mitigation and remediation by addressing the root causes of vulnerabilities rather than just the symptoms of an attack. The system also incorporates external threat intelligence feeds and machine learning to continuously improve its ability to detect and predict attacks.

How does this patent fit in bigger picture?

Technical landscape at the time

In the late 2010s when ’628 was filed, cybersecurity systems commonly relied on network monitoring and intrusion detection systems. At a time when threat intelligence was typically implemented using signature-based detection and rule-based correlation, hardware or software constraints made real-time analysis of large, heterogeneous datasets for anomaly detection non-trivial.

Novelty and Inventive Step

The examiner allowed the claims because the prior art, whether considered individually or in combination, did not disclose or suggest generating a representation of a second graph comprising representations of correlated nodes and edges, where these edges represent event flows that could be involved in a cybersecurity attack, and generating a report comprising information associated with these event flows. The examiner also noted that the applicant's arguments regarding other rejections were persuasive, leading to their withdrawal.

Claims

This patent contains 23 claims, with independent claims 1 and 11. The independent claims are directed to a computer system that uses graph representations and streaming data to identify and correlate events, particularly in the context of cybersecurity. The dependent claims generally elaborate on the specifics of the graph processing, event correlation, and vulnerability identification aspects of the independent claims.

Key Claim Terms New

Definitions of key terms used in the patent claims.

Term (Source)	Support for Specification	Interpretation
Cyber-physical graph (Claim 1)	“According to a preferred embodiment, a system for correlating network event anomalies to identify attack information, comprising: a cyber-physical graph module comprising a first plurality of programming instructions stored in a memory of, and operating on a processor of, a computing device, wherein the first plurality of programming instructions, when operating on the processor, cause the computing device to create a cyber-physical graph of the organization using the information, the cyber-physical graph comprising nodes representing entities associated with the organization and edges representing relationships between entities associated with the organization”	A graph comprising nodes representing entities associated with the organization and edges representing relationships between entities associated with the organization
Cybersecurity attack (Claim 1, Claim 11)	“What is needed is a system and method for monitoring critical infrastructure entities within a network, identifying anomalous network events, and correlating those anomalous events to identify attack paths and points of origin.”	A malicious event or series of events that compromises the security of a system or network.
Directed graph (Claim 1, Claim 11)	“According to an aspect of an embodiment, a directed computational graph is used, comprising nodes representing data transformations and edges representing communications between the nodes; wherein a plurality of nodes represents a data transformation pipeline; and wherein the directed computational graph is used to direct a workflow in the system.”	A graph where the edges have a direction, indicating a one-way relationship between entities.
Normal behavior model (Claim 1)	“According to a preferred embodiment, a system for correlating network event anomalies to identify attack information, comprising: a cyber-physical graph module comprising a first plurality of programming instructions stored in a memory of, and operating on a processor of, a computing device, wherein the first plurality of programming instructions, when operating on the processor, cause the computing device to create a cyber-physical graph of the organization using the information, the cyber-physical graph comprising nodes representing entities associated with the organization and edges representing relationships between entities associated with the organization; a reconnaissance engine comprising a second plurality of programming instructions stored in the memory of, and operating on the processor of, the computing device, wherein the second plurality of programming instructions, when operating on the processor, cause the computing device to: perform a reconnaissance search using the cyber-physical graph; and apply some or all of the results of the reconnaissance search to the cyber-physical graph to create a normal behavior model for a plurality of nodes in the cyber-physical graph”	A model of expected behavior for nodes in the cyber-physical graph, created using reconnaissance search results.
Streaming data (Claim 1, Claim 11)	“The system and method may further comprise gathering data about the totality of the organization's infrastructure and operations, particularly including the organization's network infrastructure, but also including such information as physical locations, data assets, corporate legal structure, etc., and gathering data about the organization's operations, including such information as business processes and policies, business process dependencies, prior data loss information and security breaches, and behavioral data for both devices and their users.”	Time-stamped data about events relating to entities within the system.

Litigation Cases New

US Latest litigation cases involving this patent.

Case Number	Filing Date	Title
1:25-cv-01383	Nov 14, 2025	Astellas Pharma Inc. v. Renata Limited

Patent Family

File Wrapper

The dossier documents provide a comprehensive record of the patent's prosecution history - including filings, correspondence, and decisions made by patent offices - and are crucial for understanding the patent's legal journey and any challenges it may have faced during examination.

Date
Description

Get instant alerts for new documents

Feb 10, 2026
Communication - Re: Power of Attorney (PTOL-308)
Feb 10, 2026
Communication - Re: Power of Attorney (PTOL-308)
Feb 2, 2026
Power of Attorney
Feb 2, 2026
Electronic Filing System Acknowledgment Receipt
May 13, 2025
Digitally signed official patent eGrant document
May 13, 2025
eGrant day-of Notification
Apr 30, 2025
Issue Notification
Apr 5, 2025
Issue Fee Payment (PTO-85B)
Apr 5, 2025
Electronic Fee Payment
Apr 5, 2025
Electronic Filing System Acknowledgment Receipt
Apr 4, 2025
Notice of Allowance and Fees Due (PTOL-85)
Apr 4, 2025
Examiner Interview Summary Record (PTOL - 413)
Apr 4, 2025
List of references cited by examiner
Apr 4, 2025
Issue Information including classification, examiner, name, claim, renumbering, etc.
Apr 4, 2025
Index of Claims
Apr 4, 2025
Search information including classification, databases and other search related notes
Apr 4, 2025
Examiner's search strategy and results
Apr 4, 2025
Examiner's search strategy and results
Apr 4, 2025
Bibliographic Data Sheet
Apr 4, 2025
Examiner's search strategy and results
Feb 28, 2025
Electronic Filing System Acknowledgment Receipt
Feb 28, 2025
Electronic Fee Payment
Feb 27, 2025
Notice of Additional Fee Due
Feb 27, 2025
Fee Worksheet (SB06)
Feb 15, 2025
Electronic Filing System Acknowledgment Receipt
Feb 15, 2025
Amendment/Request for Reconsideration-After Non-Final Rejection
Feb 15, 2025
Claims
Feb 15, 2025
Applicant Arguments/Remarks Made in an Amendment
Feb 15, 2025
Terminal Disclaimer-Filed (Electronic)
Feb 15, 2025
Electronic Filing System Acknowledgment Receipt
Feb 15, 2025
Electronic Fee Payment
Feb 15, 2025
Terminal Disclaimer-Electronic-Approved
Jan 22, 2025
Examiner Interview Summary Record (PTOL - 413)
Jan 22, 2025
Office Action Appendix
Jan 10, 2025
Notice of Publication
Dec 6, 2024
Examiner Interview Summary Record (PTOL - 413)
Nov 29, 2024
Examiner Interview Summary Record (PTOL - 413)
Nov 15, 2024
Non-Final Rejection
Nov 15, 2024
List of references cited by examiner
Nov 15, 2024
Search information including classification, databases and other search related notes
Nov 15, 2024
Index of Claims
Nov 15, 2024
Bibliographic Data Sheet
Nov 15, 2024
Examiner's search strategy and results
Nov 15, 2024
List of References cited by applicant and considered by examiner
Oct 31, 2024
Track One request Granted
Oct 8, 2024
Assignment Record
Oct 8, 2024
Patent Assignment Verification
Oct 3, 2024
Filing Receipt
Oct 3, 2024
Fee Worksheet (SB06)
Oct 3, 2024
Welcome Letter from USPTO Director and Deputy Director
Sep 23, 2024
Fee Worksheet (SB06)
Sep 21, 2024
Electronic Filing System Acknowledgment Receipt
Sep 21, 2024
Electronic Filing System Acknowledgment Receipt
Sep 21, 2024
Electronic Filing System Acknowledgment Receipt
Sep 21, 2024
Application body structured text document
Sep 21, 2024
Oath or Declaration filed
Sep 21, 2024
Application Data Sheet
Sep 21, 2024
Oath or Declaration filed
Sep 21, 2024
Internet Communications Authorization
Sep 21, 2024
Track One Request
Sep 21, 2024
Drawings-only black and white line drawings
Sep 21, 2024
Power of Attorney
Sep 21, 2024
Specification
Sep 21, 2024
Claims
Sep 21, 2024
Abstract
Sep 21, 2024
Oath or Declaration filed
Sep 21, 2024
Information Disclosure Statement (IDS) Form (SB08)
Sep 21, 2024
Electronic Filing System Acknowledgment Receipt
Sep 21, 2024
Drawings-black and white line and/or other drawings
Sep 20, 2024
Placeholder sheet indicating presence of supplemental content in Supplemental Complex Repository for Examiners(SCORE)
Sep 20, 2024
Transmittal Letter
Sep 20, 2024
Electronic Fee Payment

US12301628

QOMPLX LLC

Application Number: US18892295
Filing Date: Sep 20, 2024
Status: Granted
Expiry Date: Oct 28, 2035
External Links: Slate, USPTO, Google Patents

IP Verse