US 12,170,680 B2
Systems and methods for detecting security incidents across cloud-based application services
Matt Wolff, Newport Beach, CA (US); Alexander Vandenberg-Rodes, Costa Mesa, CA (US); Naresh Chebolu, Irvine, CA (US); Marcus Mccurdy, Haddon Township, NJ (US); Matthew Maisel, Philadelphia, PA (US); Jody Forness, Laguna Beach, CA (US); Jedidiah Mitten, Lakeside, CA (US); Noah Corradin, Corona Del Mar, CA (US); Samantha Staszak, Costa Mesa, CA (US); David Newhall, Tustin, CA (US); Christopher Galbraith, Irvine, CA (US); Christopher Fuller, Stonehouse (GB); Brian Lau, Huntington Beach, CA (US); and Benjamin Johnson, Newport Beach, CA (US)
Assigned to Obsidian Security, Inc., Newport Beach, CA (US)
Appl. No. 17/430,577
Filed by Obsidian Security, Inc., Newport Beach, CA (US)
PCT Filed Feb. 12, 2020, PCT No. PCT/US2020/017901
§ 371(c)(1), (2) Date Aug. 12, 2021,
PCT Pub. No. WO2020/167928, PCT Pub. Date Aug. 20, 2020.
Claims priority of provisional application 62/804,956, filed on Feb. 13, 2019.
Prior Publication US 2022/0131883 A1, Apr. 28, 2022
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 9/40 (2022.01); G06F 21/31 (2013.01); G06F 21/56 (2013.01); G06N 7/01 (2023.01); H04L 67/50 (2022.01)
CPC H04L 63/1425 (2013.01) [G06F 21/316 (2013.01); G06F 21/566 (2013.01); G06N 7/01 (2023.01); H04L 63/14 (2013.01); H04L 63/1441 (2013.01); H04L 67/535 (2022.05)] 23 Claims
OG exemplary drawing
 
1. A computer-implemented method, comprising:
receiving, from a plurality of cloud-based application platforms provided by a plurality of service providers, activity data and state data for a plurality of users of the application platforms, the activity data being indicative of user activities within the application platforms, the state data being indicative of a status of the users within the application platforms, and the plurality of service providers using a plurality of naming conventions such that a first file is associated with multiple file names;
performing an entity resolution process to map the first file to the multiple file names, the entity resolution process including a first phase in which multiple entities are resolved to a single entity and a second phase in which the single entity is resolved against an application-agnostic dictionary such that entities having a similar type are identified using a common term;
providing, as input to one or more predictive models configured to detect deviations from normal user behavior across the application platforms, the activity data and the state data for at least one of the users;
receiving, as output from the one or more predictive models, an indication that an activity of the at least one of the users deviates from the normal user behavior; and
facilitating a remedial action to address the indicated deviation.
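The claim above describes a pipeline rather than a specific algorithm: events from several SaaS platforms, a two-phase entity resolution step (first collapsing the many names a file carries across platforms into one entity, then mapping each platform's action vocabulary onto an application-agnostic dictionary), a model that scores the resolved activity and state data against normal behaviour, and a remedial action. The Python below is an added illustration of that flow, written for this page; it is not Obsidian Security's implementation, and the platform names (driveco, boxish, chatapp), their event verbs, the per-user z-score baseline standing in for the claim's unspecified predictive model, and the sample events and state table are all constructed for the example. It shows why phase one matters for detection: on the burst day the same spreadsheet is pulled under three different names, and without resolution the model would count three files where there is one.

```python
"""Added illustration of the claimed pipeline; not the patentee's code.
Platforms, verbs, file names, state table and events are constructed."""
from __future__ import annotations

import re
import statistics
from collections import defaultdict
from dataclasses import dataclass

# Phase 2 dictionary (assumed): each platform's own verb for a kind of action
# is mapped to one application-agnostic term.
AGNOSTIC_DICTIONARY = {
    ("driveco", "file_download"): "download",
    ("boxish", "DOWNLOAD"): "download",
    ("chatapp", "file.export"): "download",
    ("driveco", "share_link_anyone"): "external_share",
    ("boxish", "COLLAB.ADD.EXTERNAL"): "external_share",
}


@dataclass(frozen=True)
class Event:
    platform: str
    user: str
    action: str      # platform-specific verb, as the platform reported it
    file_name: str   # platform-specific name for the file
    day: int


def canonical_file_key(name: str) -> str:
    """Phase 1: collapse 'Q3 Budget.XLSX', 'q3-budget.xlsx', 'Q3_Budget (1).xlsx'
    into one key by ignoring case, whitespace, separators and a copy suffix.
    Caveat: a name-only key can merge distinct files; prefer a content hash
    or stable file id when the platform exposes one."""
    base, _, ext = name.rpartition(".")
    if not base:                       # no extension at all
        base, ext = ext, ""
    base = re.sub(r"\s*\(\d+\)$", "", base)
    base = re.sub(r"[^a-z0-9]", "", base.casefold())
    return f"{base}.{ext.casefold()}" if ext else base


def resolve(events):
    """Both phases. Returns (platform, user, day, term, file_key) tuples and a
    map from each resolved file key to every (platform, name) alias seen."""
    aliases, normalised = defaultdict(set), []
    for ev in events:
        key = canonical_file_key(ev.file_name)
        aliases[key].add((ev.platform, ev.file_name))
        term = AGNOSTIC_DICTIONARY.get((ev.platform, ev.action))
        if term is None:               # unknown verb: drop, do not guess
            continue
        normalised.append((ev.platform, ev.user, ev.day, term, key))
    return normalised, dict(aliases)


def detect_deviations(normalised, state, today, window=7, z_threshold=3.0):
    """Volume signal: today's distinct-file download count scored as a z-score
    against the user's own daily counts over the previous `window` days (stdev
    floored at 1.0 so a flat baseline cannot make +1 look extreme).
    State signal: any activity from an account some platform reports as
    suspended is a deviation on its own."""
    per_user_day = defaultdict(lambda: defaultdict(set))
    seen_today = defaultdict(set)
    for platform, user, day, term, key in normalised:
        if day == today:
            seen_today[user].add(platform)
        if term == "download":
            per_user_day[user][day].add(key)
    findings = []
    for user in sorted(seen_today):
        days = per_user_day.get(user, {})
        history = [len(days.get(d, ())) for d in range(today - window, today)]
        mean = statistics.fmean(history)
        spread = max(statistics.pstdev(history), 1.0)
        count_today = len(days.get(today, ()))
        z = (count_today - mean) / spread
        if z >= z_threshold:
            findings.append({"user": user, "signal": "download_volume",
                             "today": count_today, "baseline_mean": round(mean, 2),
                             "z": round(z, 2),
                             "remediation": "step-up auth and notify data owner"})
        suspended_on = sorted(p for (p, u), s in state.items()
                              if u == user and s == "suspended")
        if suspended_on:
            findings.append({"user": user, "signal": "activity_while_suspended",
                             "suspended_on": suspended_on,
                             "active_on": sorted(seen_today[user]),
                             "remediation": "revoke sessions; disable on active platforms"})
    return findings


# Constructed sample: alice has a quiet week, then a burst on day 7 in which the
# same files are pulled under several names; bob is suspended on boxish but
# still exporting from chatapp; carol is ordinary.
SAMPLE_EVENTS = [
    *[Event("driveco", "alice", "file_download", "Q3 Budget.xlsx", d) for d in range(7)],
    Event("boxish", "alice", "DOWNLOAD", "roadmap.pdf", 2),
    Event("boxish", "alice", "DOWNLOAD", "roadmap.pdf", 5),
    Event("driveco", "alice", "file_download", "Q3 Budget.xlsx", 7),
    Event("boxish", "alice", "DOWNLOAD", "q3-budget.xlsx", 7),
    Event("chatapp", "alice", "file.export", "Q3_Budget (1).XLSX", 7),
    Event("driveco", "alice", "file_download", "Customer List.csv", 7),
    Event("boxish", "alice", "DOWNLOAD", "customer-list.csv", 7),
    Event("driveco", "alice", "file_download", "salaries.xlsx", 7),
    Event("driveco", "alice", "file_download", "Board Deck.pptx", 7),
    Event("chatapp", "alice", "file.export", "board_deck.pptx", 7),
    Event("boxish", "alice", "DOWNLOAD", "M&A Targets.docx", 7),
    Event("driveco", "alice", "viewed", "Q3 Budget.xlsx", 7),   # not in dictionary
    Event("chatapp", "bob", "file.export", "Board Deck.pptx", 7),
    Event("driveco", "carol", "file_download", "roadmap.pdf", 7),
]
SAMPLE_STATE = {("driveco", "alice"): "active", ("boxish", "alice"): "active",
                ("chatapp", "alice"): "active", ("boxish", "bob"): "suspended",
                ("chatapp", "bob"): "active", ("driveco", "carol"): "active"}


def run_pipeline(events=SAMPLE_EVENTS, state=SAMPLE_STATE, today=7):
    normalised, aliases = resolve(events)
    return detect_deviations(normalised, state, today), aliases


if __name__ == "__main__":
    findings, aliases = run_pipeline()
    for f in findings:
        print(f)
    print("aliases of q3budget.xlsx:", sorted(aliases["q3budget.xlsx"]))
```

On the sample data alice is flagged on volume (5 resolved files against a baseline mean of about 1.29; the nine raw day-7 download events would have scored far higher and, on a smaller burst, would produce a false positive), and bob is flagged on the state signal alone. The remediation fields are recommendations handed to a responder or an automation hook, not actions the code performs; in practice the volume model would also need per-platform identity mapping for users, which this example assumes is already a single login name.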