How Multiple AI Models Detect Unusual Behavior on Computer Networks
This patent describes a computer system that uses several artificial intelligence models working together to spot unusual and potentially dangerous activity from users or devices on a computer network.
Patent Number
US 12438891
Status
Active
Filing Date
February 18, 2022
Grant Date
October 7, 2025
Expiration
February 18, 2042
Claims
21
Assignee
Cisco Technology
Inventors
Christos Tryfonas, Joseph Auguste Zadeh, Ashwin Athalye, Alexander Beebe Bond, Sudhakar Muddu
Citations
0 forward · 102 backward
What it covers
This patent details a method for detecting anomalies in a computer network by processing event data. First, a computer system receives 'event data' related to an 'entity' on the network and analyzes it to create 'feature scores' for that entity (Claim 1). These scores are then stored in a unique 'entity profile.' Next, the system feeds these feature scores into multiple individual 'machine-learning models,' each generating an 'intermediate anomaly score.' Finally, an 'ensemble learning model' combines these intermediate scores to produce a single 'anomaly score' for the entity. If this final anomaly score meets a specific threshold, the system flags an anomaly, which could indicate a security threat like malware communication (Claim 2). For example, if a user's login times, data transfer volumes, and accessed websites suddenly change, each change might generate a feature score. These scores are then evaluated by several AI models, and their combined output determines if the user's behavior is truly suspicious.
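The claimed pipeline sketched end to end, as an added example written for this summary rather than code from the patent or any Cisco product; the three stand-in detectors, the weighted-average ensemble, the threshold and the sample events are all assumptions:

```python
"""Event data -> per-entity feature scores -> several detectors -> ensemble -> flag.
Illustrative only: the detectors, weights, threshold and events are assumptions."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline events for one entity: (entity, login_hour, bytes_out, domain)
BASELINE_EVENTS = [
    ("alice", 9, 1_200, "intranet.example"),
    ("alice", 10, 1_500, "intranet.example"),
    ("alice", 9, 1_100, "mail.example"),
    ("alice", 8, 1_300, "intranet.example"),
]

def build_profile(events):
    """Entity profile: per-feature history the new feature scores are measured against."""
    profile = defaultdict(lambda: defaultdict(list))
    for entity, hour, bytes_out, domain in events:
        profile[entity]["login_hour"].append(hour)
        profile[entity]["bytes_out"].append(bytes_out)
        profile[entity]["domain"].append(domain)
    return profile

def feature_scores(profile, entity, hour, bytes_out, domain):
    """Turn one new event into feature scores (z-scores / novelty) for the entity."""
    hist = profile[entity]
    def z(values, x):
        if not values:            # no history yet: nothing to compare against
            return 0.0
        return abs(x - mean(values)) / (pstdev(values) or 1.0)
    return {
        "login_hour": z(hist["login_hour"], hour),
        "bytes_out": z(hist["bytes_out"], bytes_out),
        "new_domain": 0.0 if domain in hist["domain"] else 1.0,
    }

# Assumed stand-ins for the 'plurality of models': each maps feature scores to [0, 1]
def model_time(fs):   return min(fs["login_hour"] / 3.0, 1.0)
def model_volume(fs): return min(fs["bytes_out"] / 3.0, 1.0)
def model_domain(fs): return fs["new_domain"]
MODELS = [model_time, model_volume, model_domain]

def ensemble(intermediate, weights=(0.3, 0.5, 0.2)):
    """Assumed ensemble model: weighted average of the intermediate anomaly scores."""
    return sum(w * s for w, s in zip(weights, intermediate))

def detect(profile, entity, hour, bytes_out, domain, threshold=0.6):
    """Return (anomaly_score, flagged) for one new event against the entity profile."""
    fs = feature_scores(profile, entity, hour, bytes_out, domain)
    score = ensemble([m(fs) for m in MODELS])
    return score, score >= threshold
```

A 03:00 login that moves 90 kB to a never-seen domain drives all three detectors to their maximum and is flagged; a 09:00 login with typical volume to a known domain scores near zero.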
What it doesn't cover
- Does not cover anomaly detection systems that do not create a unique 'entity profile' for each network participant.
- Does not cover systems that use only a single machine learning model to generate the final anomaly score, as it requires 'a plurality of machine-learning models' and an 'ensemble learning model' (Claim 1).
- Does not cover methods that do not generate 'intermediate anomaly scores' from individual feature scores before combining them.
- Does not cover anomaly detection that is not based on 'event data' associated with an entity on a computer network (Claim 1).
- Does not cover systems that detect anomalies without first generating 'feature scores' from the event data (Claim 1).
The clever bit
The novelty lies in using an 'ensemble learning model' to combine 'intermediate anomaly scores' from multiple individual machine learning models. This layered approach allows the system to leverage diverse analytical perspectives, making the overall anomaly detection more robust and less prone to errors than relying on a single model.
Why it matters
This patent addresses the critical challenge of identifying unknown security threats and unusual behavior in complex computer networks. By combining multiple machine learning models, it aims to improve the accuracy and reliability of anomaly detection, reducing false alarms while catching sophisticated attacks. This approach is fundamental to modern User and Entity Behavioral Analytics (UEBA) platforms, which are essential for protecting organizations from cyber threats that bypass traditional signature-based defenses.
Real-world examples
1. Cisco Secure Network Analytics (Stealthwatch)
2. Splunk User Behavior Analytics
3. CrowdStrike Falcon Insight
4. Palo Alto Networks Cortex XDR
5. Most modern network detection and response (NDR) platforms
Generated by PatentBrief · Not legal advice · patentbrief.org
US 12438891 · 2026