&#xfeff;<html>
  <head>
    <META http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel="stylesheet" type="text/css" href="html_style_eog.css"/>
<script type="text/javascript">
			function printpage()
			{
			window.print()
			}
			</script>
<script type="text/javascript" src="https://components.uspto.gov/js/ais/40-patentsgazette.js"></script></head>
  <body bgcolor='#FFFFFF' onload='javascript: if ((navigator.appName.indexOf("Netscape")!=-1) && parent.leftFrame!=null) parent.leftFrame.location.reload();'>
    <basefont face="Times New Roman, Times New Roman, Times New Roman " size="2">
      <div style="margin-left: +10pt">
        <table width="90%" border="0" rules="none" align="center">
          <tr align="center">
            <td width="20%" colspan="1" rowspan="2" align="left" valign="top"><a href="https://ppubs.uspto.gov/pubwebapp/external.html?q=11695643.pn.&amp;db=USPAT" target="popup"><input type="button" class="button" value="   Full Text   "></a></td>
            <td class="table_data"><b>US 11,695,643 B1</b></td>
            <td width="20%" colspan="1" rowspan="2" align="right" valign="top">
              <form><input type="button" value="Print this page" onclick="printpage()"></form>
            </td>
          </tr>
          <tr align="center">
            <td colspan="1" class="table_data" style="text-transform: uppercase"><b>Statistical control rules for detecting anomalies in time series data</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b> Seamus Cawley,  Dublin (IE); and  David Tracey,  Monasterboice (IE)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Assigned to  Rapid7, Inc.,  Boston, MA (US)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Filed by  Rapid7, Inc.,  Boston, MA (US)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Filed on Oct.  28, 2021, as Appl. No. 17/513,620.</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Int. Cl. </b><i><b>G06F 15/173</b></i> (2006.01); <i><b>H04L 41/147</b></i> (2022.01); <i><b>H04L 43/067</b></i> (2022.01); <i><b>H04L 43/16</b></i> (2022.01); <i><b>H04L 43/045</b></i> (2022.01)</td>
          </tr>
        </table>
        <table width="90%" border="0" rules="none" align="center">
          <colgroup>
            <col width="75%">
            <col width="15%">
          </colgroup>
          <tr align="left">
            <td class="table_data" align="left"><b>CPC </b><i><b>H04L 41/147</b></i> (2013.01)&#xa0;[<i><b>H04L 43/045</b></i> (2013.01); <i><b>H04L 43/067</b></i> (2013.01); <i><b>H04L 43/16</b></i> (2013.01)]</td>
            <td class="table_data" align="right"><b>20 Claims</b></td>
          </tr>
        </table>
        <center><img src="US11695643-20230704-D00000.gif" alt="OG exemplary drawing"></center>
        <table width="90%" border="0" rules="none" align="center">
          <colgroup>
            <col width="90%">
          </colgroup>
          <tr>
            <td class="table_data" align="center">&#xa0;</td>
          </tr>
          <tr>
            <td valign="top" class="para_text">
              <div class="claim_text_root">1. A method comprising:<div class="claim_text">performing, by one or more computing systems that implements a network anomaly detection system:</div>
                <div class="claim_text">collecting activity data about a computer network over time;</div>
                <div class="claim_text">extracting, from the activity data, time series data of an activity metric;</div>
                <div class="claim_text">generating forecast data for the time series data based on one or more seasonal characteristics of the time series data, the forecast data including (a) predicted values for the time series data and (b) confidence intervals of the predicted values;</div>
                <div class="claim_text">storing a plurality of statistical control rules (SCRs), wherein the SCRs are defined via a graphical user interface (GUI) of the network anomaly detection system configured to edit the SCRs and display a performance score of the SCRs for detecting anomalies over a selected time range;</div>
                <div class="claim_text">evaluating observed values of the time series data with respect to the forecast data according to SCRs,<div class="claim_text">wherein the evaluation comprises, in successive time periods:<div class="claim_text">applying the SCRs to a current value of the activity metric observed in a current time period, and</div>
                    <div class="claim_text">generating a next value of the activity metric for a next time period and the next confidence interval for the next value, and</div>
                  </div>
                  <div class="claim_text">wherein the SCRs comprise at least (a) a first rule that checks whether a distance metric between the current value of the activity metric and a corresponding predicted value exceeds a first specified threshold, the distance metric calculated based on the confidence interval of the predicted value, and (b) a second rule that checks whether the distance metric for a last number or specified proportion of observed values of the activity metric exceeded a second specified threshold;</div>
                </div>
                <div class="claim_text">detecting an anomaly in the time series data based on the evaluation;</div>
                <div class="claim_text">generating, via the GUI, an alert indicating the anomaly and network activities in the computer network associated with the alert; and</div>
                <div class="claim_text">responsive to user input received via the GUI, initiating one or more remediations on the computer network.</div>
              </div>
            </td>
          </tr>
        </table>
      </div>
    
  </body>
</html>