Invalidity dossier

US 12301627

Added 4/30/2026, 3:10:57 PM

⚖️ Active PTAB challenge: 1 pending proceeding against this patent

1 active Inter Partes Review, Post-Grant Review, or Covered Business Method proceeding at the USPTO Patent Trial and Appeal Board.


Active provider: Google · gemini-2.5-pro


Patent summary

Title, assignee, inventors, filing/issue dates, abstract, and a plain-language overview of the claims.

Summary of U.S. Patent No. 12,301,627

U.S. Patent No. 12,301,627 describes a system and method for identifying and analyzing cybersecurity threats by correlating anomalous network events. The patent, assigned to Qomplx Inc., uses both active and passive reconnaissance to build a comprehensive model of a network's normal behavior, which is then used to detect cyberattacks and trace their origins.

Title: Correlating network event anomalies using active and passive external reconnaissance to identify attack information

Assignee: Qomplx Inc.

Inventors: Jason Crabtree, Andrew Sellers, Richard Kelley

Filing Date: September 20, 2024

Issue Date: May 13, 2025

Abstract:
The patent describes a system and method for correlating network event anomalies to identify attack information. This involves identifying unusual events within a network, finding connections between these anomalies and other network activities and resources, creating a "behavior graph" to map out potential attack pathways based on these connections, and then using this graph to trace back to the origin of an attack.

Plain-Language Overview of Independent Claims:

This patent includes two independent claims which form the core of the invention.

Independent Claim 1 (A System): This claim describes a system designed to identify the source of a cyberattack. The system comprises three main components:

  • A cyber-physical graph module: This part of the system creates a detailed map of an organization's entire network. This map, called a "cyber-physical graph," includes not just computers and servers, but also the relationships between them.
  • A reconnaissance engine: This component actively and passively gathers information about the network to understand what is "normal" behavior for each part of the system. This baseline of normal activity is crucial for spotting anything unusual.
  • A directed computational graph engine: This is the analytical core of the system. When an unusual event (an anomaly) is detected, this engine analyzes the cyber-physical graph and the normal behavior model to find connections between the affected parts of the network. It then generates a "behavior graph" that shows the cause-and-effect relationships between events. By tracing these relationships backward in time, the system can pinpoint the initial conditions that led to the anomalous event, effectively identifying the starting point of a potential attack.

Independent Claim 2 (A Method): This claim outlines the steps involved in the process of identifying attack information:

  1. Creating a Cyber-Physical Graph: The process begins by building a comprehensive map of the organization's network, representing all its components and their interconnections.
  2. Performing Reconnaissance: The system then conducts searches and monitoring to gather data and establish a baseline of normal network behavior.
  3. Applying Reconnaissance Results: The collected data is used to create a "normal behavior model" for various parts of the network within the cyber-physical graph.
  4. Identifying and Analyzing Anomalies: Using the established graph and behavior model, the system identifies any events that deviate from the norm. It then analyzes these anomalies to find correlations with other network events and affected components.
  5. Generating and Analyzing a Behavior Graph: Based on the identified correlations, a "behavior graph" is created to visualize the chain of events. This graph is then analyzed to understand the cause-and-effect relationships.
  6. Tracing to the Origin: Finally, by following the chain of events in the behavior graph backward in time, the method can determine the starting point and initial conditions of the anomalous event, thereby identifying the origin of a potential attack.

Litigation:

As of April 26, 2026, research into federal court dockets has found that U.S. Patent No. 12,301,627 is asserted in litigation. The assignee, QOMPLX LLC (a successor in interest to Qomplx Inc.), has filed a patent infringement lawsuit against Microsoft Corporation in the U.S. District Court for the Western District of Texas (Case No. 1:25-cv-01383). This case, filed on August 28, 2025, alleges that a range of Microsoft's cloud data analytics and cybersecurity products infringe on this patent, among others.

Additionally, the provided patent documentation notes that its family of patents has been involved in litigation in the Texas Western and Eastern District Courts. A search of court records confirms that QOMPLX LLC is also engaged in patent infringement litigation against Palo Alto Networks, Inc. in the U.S. District Court for the Eastern District of Texas (Case No. 2:25-cv-00913), filed on August 28, 2025. While it is not confirmed whether U.S. Patent No. 12,301,627 is directly asserted in the Palo Alto Networks case, the litigation activity demonstrates the patent holder's active enforcement of its intellectual property portfolio in the cybersecurity sector.

No specific dockets for U.S. Patent No. 12,301,627 were found in the Court of Appeals for the Federal Circuit (CAFC) for the year 2026 at the time of this analysis.

Generated 4/30/2026, 3:14:36 PM