Lloyds Banking Group, a British financial institution, announced that it secured a U.S. patent for its so-called Global Correlation Engine, a system for algorithmically determining when a cybersecurity alert is a genuine threat.
The U.S. Patent and Trademark Office, or USPTO, granted the patent in August, but the bank's announcement this week said it is looking to "supercharge its capabilities" using artificial intelligence, according to Matt Rowe, chief security officer at the bank.
"Our Global Correlation Engine is an exciting innovation that will allow us to identify genuine threats more quickly and efficiently, ensuring customers are protected," Rowe said in the press release.
The patented system, the so-called Global Correlation Engine, or GCE, works by analyzing individual network events. Examples of events are a user logging into an application, a user receiving an email that includes a web link or someone trying to export all of the credentials from a server.
The GCE scores each event based on its similarity to tactics and techniques used in the real world by cyberattackers. The MITRE Corporation publishes a taxonomy of such tactics and techniques, known as
Software code generation and knowledge management are two of the places the bank has begun using generative AI to improve efficiency.
Here's an example of how the GCE might score an event: Based on the time, location and other information about when a user logged into an application, the system can score how similar a login attempt appears to an adversary using stolen credentials (rather than the legitimate user logging in). Or, the system could score how fishy an emailed link is — in other words, how much the email looks like a phishing attempt (rather than, say, a marketing email with an innocuous link).
The GCE also graphs each event, to correlate related events. For example, if a user logs in, opens a command line and uses the command line to modify data on a remote server, each of those events would be connected to the other in the graph.
For each grouping, the GCE adds the threat score of each event to get a total. If this total exceeds some threshold, the system sends an alert to a security analyst, who can then determine whether a cyberattack has taken place.
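The score, graph and threshold steps described above can be sketched as follows. This is an added illustration, not code from Lloyds or from the patent; the event records, per-event scores, links and threshold value are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events: (event_id, description, threat_score).
# Scores stand in for the output of an upstream similarity scorer (assumed).
EVENTS = [
    ("e1", "user alice logs in from unusual location", 0.4),
    ("e2", "alice opens a command line", 0.2),
    ("e3", "command line modifies data on remote server", 0.5),
    ("e4", "user bob receives marketing email with link", 0.1),
    ("e5", "bob logs in at usual time and place", 0.05),
]
# Constructed graph edges: pairs of events judged to be related.
LINKS = [("e1", "e2"), ("e2", "e3")]
ALERT_THRESHOLD = 1.0  # assumed value


def correlate(events, links):
    """Group events into connected components of the event graph (union-find)."""
    parent = {eid: eid for eid, _, _ in events}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in links:
        parent[find(a)] = find(b)

    groups = defaultdict(list)
    for eid, _, score in events:
        groups[find(eid)].append((eid, score))
    return list(groups.values())


def alerts(events, links, threshold):
    """Return (event ids, total score) for each group whose summed score exceeds the threshold."""
    out = []
    for group in correlate(events, links):
        total = sum(score for _, score in group)
        if total > threshold:
            out.append((sorted(eid for eid, _ in group), round(total, 2)))
    return out


if __name__ == "__main__":
    for ids, total in alerts(EVENTS, LINKS, ALERT_THRESHOLD):
        print(f"ALERT total={total} events={ids}")
```

In this sample no single event crosses the threshold on its own; only the linked login, command-line and remote-modification events together do, which is the case the grouping step exists to surface.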
Related approaches to security alert monitoring have been patented in the past. For example, security company FireEye received a patent in 2020 titled "Analytic-based security monitoring system and method," which describes a system for correlating so-called behavior fragments (similar to the events described in the Lloyds patent) that together form a malicious behavior pattern.
This so-called prior art limits how wide a scope Lloyds has in enforcing its patent. In other words, while the patent will provide legal protection for shutting down exact replications of its methods, the company cannot establish a broad blockade on threat detection systems that correlate security events with each other to surface legitimate threats.
The patent is the first granted to Lloyds in the U.S. The bank holds the same patent in the U.K. and has applied for an international patent, as well. The inventors are Miguel Merayo Suarez, Alexander Wallace and James Bell, each an employee of the bank at the time the USPTO granted the patent.