Behavior analytics rests on a simple premise: learn what normal looks like for each user and device, then flag what deviates. An account that suddenly logs in at 3 a.m. from a new country, or a server that starts talking to systems it's never contacted, is behaving anomalously — and anomaly is often the first visible sign of a compromised credential or a machine under an attacker's control.
Patent US11089045B2, "User and entity behavioral analysis with network topology enhancements" (issued August 10, 2021, assigned to QOMPLX, INC.), argues that behavior alone is missing context: the same deviation means more or less depending on where in the network it happens. Its CPC classifications span the intrusion-detection and access-control classes (H04L 63/1433, H04L 63/102, H04L 63/1416, H04L 63/1425, H04L 63/20), consistent with analytics enriched by where each entity sits in the network.
“A system and method for network cybersecurity analysis that uses user and entity behavioral analysis combined with network topology information to provide improved cybersecurity.” — U.S. Patent No. 11,089,045
The mechanism that matters is the addition of topology. A deviation is more or less alarming depending on the position of the entity that produced it. An anomalous action from an account that has a path to sensitive systems is a different risk than the same action from an isolated endpoint. Topology lets the analytics weigh not just "is this unusual" but "is this unusual in a place that matters," which sharpens prioritization: the behavioral score says how strange the event is, the topological position says how much a strange event there could cost.
For defenders reconstructing an attack, the topology layer maps the anomaly onto the question they actually care about: how far could this reach. A flagged behavior tied to network position immediately suggests blast radius and likely next moves, turning a raw anomaly into an actionable lead.
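To make the weighting and the blast-radius question concrete, here is an added Python example. It is not code from the patent or from QOMPLX, and the patent's own scoring method is not reproduced on this page; the topology, the sensitive-asset set, the weighting formula and the sample alerts are all constructed assumptions. The example scores each anomaly as behavioral score times a weight derived from hop distance to a sensitive asset, and reports the set of hosts reachable from the flagged entity as its blast radius, so the same 3 a.m. login is ranked differently on an isolated kiosk than on a laptop with a path to the production database.

```python
from collections import deque

# Constructed sample topology (hypothetical, not taken from the patent).
# Directed edge A -> B means "A is permitted to reach B" on the network.
TOPOLOGY = {
    "laptop-42": ["jump-host"],
    "jump-host": ["db-prod", "file-srv"],
    "file-srv": ["db-prod"],
    "kiosk-7": [],            # isolated endpoint: reaches nothing
    "db-prod": [],
}
SENSITIVE = {"db-prod"}       # assets whose compromise matters most (assumed)


def blast_radius(graph, entity):
    """Every node reachable from `entity` (BFS): how far a compromise could spread."""
    seen, queue = {entity}, deque([entity])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(entity)
    return seen


def hops_to_sensitive(graph, entity, sensitive):
    """Shortest hop count from `entity` to any sensitive asset; None if no path exists."""
    if entity in sensitive:
        return 0
    dist, queue = {entity: 0}, deque([entity])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt in dist:
                continue
            dist[nxt] = dist[node] + 1
            if nxt in sensitive:
                return dist[nxt]
            queue.append(nxt)
    return None


def topology_weight(hops):
    """Illustrative weighting (an assumption, not the patent's formula):
    on a sensitive asset -> 3.0, one hop away -> 2.0, two hops -> ~1.67,
    no path at all -> 1.0 (the plain behavioral score is left unchanged)."""
    if hops is None:
        return 1.0
    return 1.0 + 2.0 / (hops + 1)


def prioritize(alerts, graph=TOPOLOGY, sensitive=SENSITIVE):
    """Rank behavioral anomalies by anomaly score x topological weight.
    `alerts` is a list of (entity, anomaly_score, description) tuples."""
    ranked = []
    for entity, score, desc in alerts:
        hops = hops_to_sensitive(graph, entity, sensitive)
        ranked.append({
            "entity": entity,
            "anomaly": score,
            "hops_to_sensitive": hops,
            "blast_radius": sorted(blast_radius(graph, entity)),
            "priority": round(score * topology_weight(hops), 3),
            "description": desc,
        })
    return sorted(ranked, key=lambda a: a["priority"], reverse=True)


# Constructed anomalies: the same 3 a.m. login from two different positions,
# plus a milder anomaly on a host that sits one hop from the sensitive asset.
SAMPLE_ALERTS = [
    ("kiosk-7",   0.9, "login at 03:00 from a new country"),
    ("laptop-42", 0.9, "login at 03:00 from a new country"),
    ("jump-host", 0.5, "first-ever outbound connection to a new peer"),
]

if __name__ == "__main__":
    for a in prioritize(SAMPLE_ALERTS):
        print(f"{a['priority']:.2f}  {a['entity']:<10} hops={a['hops_to_sensitive']} "
              f"reach={a['blast_radius']}  {a['description']}")
```

Two points worth noting. First, the isolated kiosk's anomaly is reordered, not discarded: its plain behavioral score survives with weight 1.0, because an endpoint with no internal path can still exfiltrate over the internet. Second, the weight is only as good as the topology data; an undocumented VPN, a cloud peering or a flat VLAN that is missing from the graph silently lowers the priority of every host behind it, so the edge list needs the same maintenance as the detection rules.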
The recurring challenge in UEBA is false positives — people and systems do unusual-but-benign things constantly. Topology helps by letting the system reserve its loudest alarms for anomalies in consequential positions. The patent reflects a maturation of the field, away from treating every deviation equally and toward weighing each one by the structural risk it represents.