&#xfeff;<html>
  <head>
    <META http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel="stylesheet" type="text/css" href="html_style_eog.css"/>
<script type="text/javascript">
			function printpage()
			{
			window.print()
			}
			</script>
<script type="text/javascript" src="https://components.uspto.gov/js/ais/40-patentsgazette.js"></script></head>
  <body bgcolor='#FFFFFF' onload='javascript: if ((navigator.appName.indexOf("Netscape")!=-1) && parent.leftFrame!=null) parent.leftFrame.location.reload();'>
    <basefont face="Times New Roman, Times New Roman, Times New Roman " size="2">
      <div style="margin-left: +10pt">
        <table width="90%" border="0" rules="none" align="center">
          <tr align="center">
            <td width="20%" colspan="1" rowspan="2" align="left" valign="top"><a href="https://ppubs.uspto.gov/pubwebapp/external.html?q=11792214.pn.&amp;db=USPAT" target="popup"><input type="button" class="button" value="   Full Text   "></a></td>
            <td class="table_data"><b>US 11,792,214 B1</b></td>
            <td width="20%" colspan="1" rowspan="2" align="right" valign="top">
              <form><input type="button" value="Print this page" onclick="printpage()"></form>
            </td>
          </tr>
          <tr align="center">
            <td colspan="1" class="table_data" style="text-transform: uppercase"><b>Methods and apparatus for monitoring network events for intrusion detection</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b> Geoffrey Ryan Salmon,  East York (CA);  Hazem Mohamed Ahmed Soliman,  Toronto (CA); and  Mohan Rao,  Mississaugua (CA)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Assigned to  Arctic Wolf Networks, Inc.,  Eden Prairie, MN (US)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Filed by  Arctic Wolf Networks, Inc.,  Eden Prairie, MN (US)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Filed on Nov.  18, 2022, as Appl. No. 18/56,840.</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Int. Cl. </b><i><b>H04L 29/06</b></i> (2006.01); <i><b>H04L 9/40</b></i> (2022.01)</td>
          </tr>
        </table>
        <table width="90%" border="0" rules="none" align="center">
          <colgroup>
            <col width="75%">
            <col width="15%">
          </colgroup>
          <tr align="left">
            <td class="table_data" align="left"><b>CPC </b><i><b>H04L 63/1416</b></i> (2013.01)&#xa0;[<i><b>H04L 63/1425</b></i> (2013.01); <i><b>H04L 63/1441</b></i> (2013.01)]</td>
            <td class="table_data" align="right"><b>20 Claims</b></td>
          </tr>
        </table>
        <center><img src="US11792214-20231017-D00000.gif" alt="OG exemplary drawing"></center>
        <table width="90%" border="0" rules="none" align="center">
          <colgroup>
            <col width="90%">
          </colgroup>
          <tr>
            <td class="table_data" align="center">&#xa0;</td>
          </tr>
          <tr>
            <td valign="top" class="para_text">
              <div class="claim_text_root">1. A method, comprising:<div class="claim_text">receiving, via a processor, an indication of a plurality of sets of events from a time period, the plurality of sets of events associated with a first device, each set of events from the plurality of sets of events associated with the first device and a second device from a plurality of second devices that is different for remaining sets of events from the plurality of sets of events and does not include the first device, each event for each set of events from the plurality of sets of events associated with a start time, an end time, a value indicating significance of that event, and a plurality of attributes;</div>
                <div class="claim_text">converting, via the processor, the plurality of sets of events into a time series based on the value for each event from each set of events from the plurality of sets of events, the start time for each event from each set of events from the plurality of sets of events, and the end time for each event from each set of events from the plurality of sets of events;</div>
                <div class="claim_text">normalizing, via the processor, the time series to generate a normalized time series;</div>
                <div class="claim_text">performing, via the processor, a discrete Fourier transform using the normalized time series to generate an output that is associated with a plurality of frequencies and a plurality of magnitude values, each frequency from the plurality of frequencies associated with a magnitude value from the plurality of magnitude values;</div>
                <div class="claim_text">selecting, via the processor, a set of candidate frequencies from the plurality of frequencies potentially exhibiting periodic behavior;</div>
                <div class="claim_text">generating, via the processor, a set of correlation values based on a comparison between each set of events from the plurality of sets of events and each candidate frequency from the set of candidate frequencies for correlation;</div>
                <div class="claim_text">identifying, via the processor and based on the set of correlation values, an attribute that is from the plurality of attributes associated with an event from a set of events from the plurality of sets of events and that is predicted to cause the periodic behavior; and</div>
                <div class="claim_text">sending, via the processor, a signal to cause an output including representation of the attribute.</div>
              </div>
            </td>
          </tr>
        </table>
      </div>
    
  </body>
</html>