# How Multiple AI Models Detect Unusual Behavior on Computer Networks

> This patent describes a computer system that uses several artificial intelligence models working together to spot unusual and potentially dangerous activity from users or devices on a computer network.

- **Patent:** US 12438891
- **Original title:** Anomaly detection based on ensemble machine learning model
- **Owner:** Cisco Technology
- **Granted:** 2025
- **Status:** Active
- **Times cited:** 0
- **Field:** cybersecurity, software, telecommunications, ai_ml, consumer_electronics

## What it does

This patent details a method for detecting anomalies in a computer network by processing event data. First, a computer system receives 'event data' related to an 'entity' on the network and analyzes it to create 'feature scores' for that entity (Claim 1). These scores are then stored in a unique 'entity profile.' Next, the system feeds these feature scores into multiple individual 'machine-learning models,' each generating an 'intermediate anomaly score.' Finally, an 'ensemble learning model' combines these intermediate scores to produce a single 'anomaly score' for the entity. If this final anomaly score meets a specific threshold, the system flags an anomaly, which could indicate a security threat like malware communication (Claim 2). For example, if a user's login times, data transfer volumes, and accessed websites suddenly change, each change might generate a feature score. These scores are then evaluated by several AI models, and their combined output determines if the user's behavior is truly suspicious.
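The flow described above, as an added sketch that is not code from the patent or from Cisco. The z-score feature scores, the three stand-in models, the ensemble weights, the threshold, and all names and sample values are assumptions constructed for illustration.

```python
import math
from statistics import mean, pstdev

# Constructed baseline history for one entity (hypothetical feature names).
BASELINE = {
    "login_hour":   [9, 9, 10, 8, 9, 10, 9],
    "mb_sent":      [120, 95, 130, 110, 105, 125, 115],
    "distinct_dst": [14, 12, 15, 13, 14, 16, 12],
}
WEIGHTS = {"max": 0.4, "mean": 0.4, "count": 0.2}  # assumed ensemble weights
THRESHOLD = 0.6                                     # assumed alert threshold

def feature_scores(event, baseline):
    """Feature score = absolute z-score of the event value vs. the entity's history."""
    scores = {}
    for name, history in baseline.items():
        sd = pstdev(history) or 1.0  # guard against zero variance
        scores[name] = abs(event[name] - mean(history)) / sd
    return scores

def squash(x):
    """Map a non-negative deviation to [0, 1)."""
    return 1.0 - math.exp(-x / 3.0)

# Three stand-in "models": each maps feature scores to an intermediate score in [0, 1].
MODELS = {
    "max":   lambda fs: squash(max(fs.values())),    # worst single feature
    "mean":  lambda fs: squash(mean(fs.values())),   # overall drift
    "count": lambda fs: sum(z > 3.0 for z in fs.values()) / len(fs),  # share of outliers
}

def score_entity(entity_id, event, profiles, baseline=BASELINE):
    """Return (anomaly_score, flagged) and record the result in the entity profile."""
    fs = feature_scores(event, baseline)
    intermediate = {name: model(fs) for name, model in MODELS.items()}
    final = sum(WEIGHTS[name] * s for name, s in intermediate.items())  # ensemble step
    profiles[entity_id] = {"features": fs, "intermediate": intermediate, "score": final}
    return final, final >= THRESHOLD

if __name__ == "__main__":
    profiles = {}
    normal = {"login_hour": 9, "mb_sent": 118, "distinct_dst": 13}   # constructed
    odd = {"login_hour": 3, "mb_sent": 900, "distinct_dst": 60}      # constructed
    print(score_entity("user-a", normal, profiles))
    print(score_entity("user-a", odd, profiles))
```

Keeping the intermediate scores in the profile lets an analyst see which model drove an alert, not just the combined score.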

## What it does NOT cover

- Does not cover anomaly detection systems that do not create a unique 'entity profile' for each network participant.
- Does not cover systems that use only a single machine learning model to generate the final anomaly score, as it requires 'a plurality of machine-learning models' and an 'ensemble learning model' (Claim 1).
- Does not cover methods that do not generate 'intermediate anomaly scores' from individual feature scores before combining them.
- Does not cover anomaly detection that is not based on 'event data' associated with an entity on a computer network (Claim 1).
- Does not cover systems that detect anomalies without first generating 'feature scores' from the event data (Claim 1).

## The clever bit

The novelty lies in using an 'ensemble learning model' to combine 'intermediate anomaly scores' from multiple individual machine learning models. This layered approach allows the system to leverage diverse analytical perspectives, making the overall anomaly detection more robust and less prone to errors than relying on a single model.

## Real-world examples

1. Cisco Secure Network Analytics (Stealthwatch)
2. Splunk User Behavior Analytics
3. CrowdStrike Falcon Insight
4. Palo Alto Networks Cortex XDR
5. Most modern network detection and response (NDR) platforms

## Why it matters

This patent addresses the critical challenge of identifying unknown security threats and unusual behavior in complex computer networks. By combining multiple machine learning models, it aims to improve the accuracy and reliability of anomaly detection, reducing false alarms while catching sophisticated attacks. This approach is fundamental to modern User and Entity Behavioral Analytics (UEBA) platforms, which are essential for protecting organizations from cyber threats that bypass traditional signature-based defenses.

## Frequently asked questions

### Who owns patent US 12438891?

Cisco Technology owns this patent, granted in 2025.

### When does this patent expire?

This patent is expected to expire on February 18, 2042, when the invention enters the public domain.

**Full plain-English explainer:** https://patentbrief.org/patent/us/12438891/anomaly-detection-based-on-ensemble-machine-learning-model

**Original patent:** https://patents.google.com/patent/US12438891

---

_Source: PatentBrief — https://patentbrief.org. Patent facts are from public records; the plain-English explanation is PatentBrief's._


