How Multiple AI Models Detect Unusual Behavior on Computer Networks
This patent describes a computer system that uses several artificial intelligence models working together to spot unusual and potentially dangerous activity from users or devices on a computer network.
Original patent title: “Anomaly detection based on ensemble machine learning model”
The patent was granted to Cisco Technology in 2025 with 21 claims and is expected to expire in 2042.
Key facts
Coverage
What does this patent actually cover?
This patent details a method for detecting anomalies in a computer network by processing event data. First, a computer system receives 'event data' related to an 'entity' on the network and analyzes it to create 'feature scores' for that entity (Claim 1). These scores are then stored in a unique 'entity profile.' Next, the system feeds these feature scores into multiple individual 'machine-learning models,' each generating an 'intermediate anomaly score.' Finally, an 'ensemble learning model' combines these intermediate scores to produce a single 'anomaly score' for the entity. If this final anomaly score meets a specific threshold, the system flags an anomaly, which could indicate a security threat like malware communication (Claim 2). For example, if a user's login times, data transfer volumes, and accessed websites suddenly change, each change might generate a feature score. These scores are then evaluated by several AI models, and their combined output determines if the user's behavior is truly suspicious.
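The pipeline described above, written out in Python as an added example (it is not the patent's claimed implementation and not Cisco code). The three features, the three stand-in scoring functions, the fixed weights, the 0.5 threshold and the rule for updating the baseline are all assumptions, and the sample history is constructed.

```python
import math
from statistics import median

# Constructed baseline for one entity: (login hour, MB sent, distinct domains) per day.
PROFILES = {"alice": {"history": [(9, 120, 14), (10, 95, 12), (9, 130, 15),
                                  (8, 110, 13), (9, 105, 16), (10, 125, 14)],
                      "feature_scores": None}}

def feature_scores(history, event):
    """Robust z-score of each event field against the entity's own baseline."""
    scores = []
    for i, value in enumerate(event):
        column = [row[i] for row in history]
        med = median(column)
        mad = median(abs(x - med) for x in column) or 1.0  # guard a flat baseline
        scores.append(abs(value - med) / (1.4826 * mad))
    return scores

# Three stand-in "models" (assumptions), each mapping feature scores to [0, 1].
def largest_deviation(fs):
    return 1 - math.exp(-max(fs) / 3)

def overall_distance(fs):
    return 1 - math.exp(-math.sqrt(sum(x * x for x in fs)) / 5)

def fraction_outlying(fs):
    return sum(x > 3 for x in fs) / len(fs)

MODELS = (largest_deviation, overall_distance, fraction_outlying)
WEIGHTS = (0.4, 0.3, 0.3)   # assumed; a trained ensemble would learn these
THRESHOLD = 0.5             # assumed alerting threshold

def score_entity(entity, event, profiles=PROFILES):
    profile = profiles[entity]
    fs = feature_scores(profile["history"], event)
    profile["feature_scores"] = fs                      # kept in the entity profile
    intermediate = [model(fs) for model in MODELS]      # one score per model
    score = sum(w * s for w, s in zip(WEIGHTS, intermediate))
    flagged = score >= THRESHOLD
    if not flagged:
        # Only unflagged events extend the baseline, so an anomaly cannot
        # immediately redefine what "normal" means for this entity.
        profile["history"].append(event)
    return score, intermediate, flagged

if __name__ == "__main__":
    for event in [(9, 118, 15), (3, 900, 60)]:   # constructed: typical day, then outlier
        score, parts, flagged = score_entity("alice", event)
        print(event, [round(p, 2) for p in parts], round(score, 2), flagged)
```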
The gap
What does this patent NOT cover?
- Does not cover anomaly detection systems that do not create a unique 'entity profile' for each network participant.
- Does not cover systems that use only a single machine learning model to generate the final anomaly score, as it requires 'a plurality of machine-learning models' and an 'ensemble learning model' (Claim 1).
- Does not cover methods that do not generate 'intermediate anomaly scores' from individual feature scores before combining them.
- Does not cover anomaly detection that is not based on 'event data' associated with an entity on a computer network (Claim 1).
- Does not cover systems that detect anomalies without first generating 'feature scores' from the event data (Claim 1).
What made this novel
The novelty lies in using an 'ensemble learning model' to combine 'intermediate anomaly scores' from multiple individual machine learning models. This layered approach allows the system to leverage diverse analytical perspectives, making the overall anomaly detection more robust and less prone to errors than relying on a single model.
Where you've seen this
Real-world examples
Cisco Secure Network Analytics (Stealthwatch)
Splunk User Behavior Analytics
CrowdStrike Falcon Insight
Palo Alto Networks Cortex XDR
Most modern network detection and response (NDR) platforms
Why it matters
The bigger picture
This patent addresses the critical challenge of identifying unknown security threats and unusual behavior in complex computer networks. By combining multiple machine learning models, it aims to improve the accuracy and reliability of anomaly detection, reducing false alarms while catching sophisticated attacks. This approach is fundamental to modern User and Entity Behavioral Analytics (UEBA) platforms, which are essential for protecting organizations from cyber threats that bypass traditional signature-based defenses.
Filed
February 18, 2022
Granted
October 7, 2025
Market context
Who's building on this
Companies in this space
Cisco Technology Inc., the assignee, is a major player in network security and continues to develop and integrate advanced analytics into its products. Other companies like Palo Alto Networks, Fortinet, CrowdStrike, and Splunk are also actively building and refining similar AI-driven anomaly detection capabilities for their cybersecurity platforms, leveraging machine learning ensembles to enhance threat intelligence and behavioral analytics.
Market impact
This patent reflects a broader industry shift towards using advanced artificial intelligence and machine learning for cybersecurity. It enables security platforms to move beyond detecting known threats to identifying novel and sophisticated attacks by understanding deviations from normal behavior. This capability has become essential for enterprise security, driving the development of User and Entity Behavioral Analytics (UEBA) solutions and influencing how network security products are designed and deployed to combat evolving cyber threats.
PatentBrief Score
Impact Score
Moderate
Citation count
0/40
No citations yet
Claim breadth
14/20
Broad claims
Recency
20/20
Granted within 5 years
Assignee scale
20/20
Major company or institution
PatentBrief Impact Score — based on citation count, claim breadth, recency, and assignee scale. Not a legal assessment.
Heuristic Value Estimate
What this patent might be worth
$47K – $150K
Midpoint $94K · 15.7 yr remaining · industry ×1.6
Heuristic only — blends forward/backward citation counts, claim scope, time remaining, litigation history, and CPC-derived industry baseline. Real valuations need a professional appraisal.
The original legal language
Original claims
21 claims as filed with the patent office.
Cite this patent
Tryfonas, C., Zadeh, J. A., Athalye, A., Bond, A. B., & Muddu, S. (2025). How Multiple AI Models Detect Unusual Behavior on Computer Networks (U.S. Patent No. 12,438,891). U.S. Patent and Trademark Office. https://patentbrief.org/patent/us/12438891/anomaly-detection-based-on-ensemble-machine-learning-model
Auto-generated from the patent record. Double-check author order and the issue date against the official USPTO document before submitting.
Frequently Asked Questions
What does How Multiple AI Models Detect Unusual Behavior on Computer Networks cover?
This patent describes a computer system that uses several artificial intelligence models working together to spot unusual and potentially dangerous activity from users or devices on a computer network.
Who owns patent US 12438891?
Cisco Technology owns this patent, granted in 2025.
When does this patent expire?
This patent is expected to expire on February 18, 2042, when the invention enters the public domain.
What problem does this patent solve?
This patent addresses the critical challenge of identifying unknown security threats and unusual behavior in complex computer networks. By combining multiple machine learning models, it aims to improve the accuracy and reliability of anomaly detection, reducing false alarms while catching sophisticated attacks. This approach is fundamental to modern User and Entity Behavioral Analytics (UEBA) platforms, which are essential for protecting organizations from cyber threats that bypass traditional signature-based defenses.
What does this patent NOT cover?
Does not cover anomaly detection systems that do not create a unique 'entity profile' for each network participant.