&#xfeff;<html>
  <head>
    <META http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel="stylesheet" type="text/css" href="html_style_eog.css"/>
<script type="text/javascript">
          function printpage()
          {
          window.print()
          }
        </script>
<script type="text/javascript" src="https://components.uspto.gov/js/ais/40-patentsgazette.js"></script></head>
  <body bgcolor='#FFFFFF' onload='javascript: if ((navigator.appName.indexOf("Netscape")!=-1) && parent.leftFrame!=null) parent.leftFrame.location.reload();'>
    <basefont face="Times New Roman, Times New Roman, Times New Roman " size="2">
      <div style="margin-left: +10pt">
        <table width="90%" border="0" rules="none" align="center">
          <tr align="center">
            <td width="20%" colspan="1" rowspan="2" align="left" valign="top"><a href="https://ppubs.uspto.gov/pubwebapp/external.html?q=12229294.pn.&amp;db=USPAT" target="popup"><input type="button" class="button" value="   Full Text   "></a></td>
            <td class="table_data"><b>US 12,229,294 B2</b></td>
            <td width="20%" colspan="1" rowspan="2" align="right" valign="top">
              <form><input type="button" value="Print this page" onclick="printpage()"></form>
            </td>
          </tr>
          <tr align="center">
            <td colspan="1" class="table_data" style="text-transform: uppercase"><b>Event data processing</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b> Khai Nhu Pham,  Round Rock, TX (US)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Assigned to  BlackBerry Limited,  Waterloo (CA)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Filed by  BlackBerry Limited,  Waterloo (CA)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Filed on Apr.  1, 2022, as Appl. No. 17/712,005.</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Prior Publication US 2023/0315884 A1, Oct.  5, 2023</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>This patent is subject to a terminal disclaimer.</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Int. Cl. </b><i><b>G06F 21/62</b></i> (2013.01); <i><b>G06F 21/55</b></i> (2013.01)</td>
          </tr>
        </table>
        <table width="90%" border="0" rules="none" align="center">
          <colgroup>
            <col width="75%">
            <col width="15%">
          </colgroup>
          <tr align="left">
            <td class="table_data" align="left"><b>CPC </b><i><b>G06F 21/6218</b></i> (2013.01)</td>
            <td class="table_data" align="right"><b>20 Claims</b></td>
          </tr>
        </table>
        <center><img src="US12229294-20250218-D00000.gif" alt="OG exemplary drawing"></center>
        <table width="90%" border="0" rules="none" align="center">
          <colgroup>
            <col width="90%">
          </colgroup>
          <tr>
            <td class="table_data" align="center">&#xa0;</td>
          </tr>
          <tr>
            <td valign="top" class="para_text">
              <div class="claim_text_root">1. A computer-implemented method comprising:<div class="claim_text">receiving an event log comprising a plurality of event records, each of the event records describing one or more events that have occurred on each of one or more computer systems over a period of time;</div>
                <div class="claim_text">converting the event log into a graph by using a respective set of conversion algorithms that are specific to an operating system (OS) running on each of the one or more computer systems at the time the event records were created, wherein converting the event log comprises:<div class="claim_text">normalizing the plurality of event records, wherein normalizing the plurality of event records comprises anonymizing a unique identifier value in each event record and replacing a variable value in each event record with a predetermined value;</div>
                  <div class="claim_text">representing each normalized event record as one or more nodes in the graph; and</div>
                  <div class="claim_text">generating a plurality of event clusters, wherein each event cluster includes an aggregated group of nodes and is generated based on common attributes of and hierarchical relationships between the normalized event records represented by the nodes in the aggregated group; and</div>
                </div>
                <div class="claim_text">using the graph to detect threat or suspicious activities, wherein using the graph to detect the threat or suspicious activities comprises:<div class="claim_text">generating, from the graph, labeled training data that comprises a plurality of training inputs, wherein each training input (i) comprises one or more normalized event records represented by one or more nodes included in the graph and (ii) is associated with a ground truth label that specifies a classification of the one or more normalized event records;</div>
                  <div class="claim_text">training a machine learning model on the labeled training data to determine trained values of parameters of the machine learning model, wherein the machine learning model is trained to generate predictions of the threat or suspicious activities; and</div>
                  <div class="claim_text">after the training, using the machine learning model to process one or more new event logs, feature information derived from the one or more new event logs, or both in accordance with the trained values of the parameters to generate a new prediction of the threat or suspicious activities.</div>
                </div>
              </div>
            </td>
          </tr>
        </table>
      </div>
    
  </body>
</html>