US 12,238,136 B2
Malware data clustering
Harkirat Singh, New York, NY (US); Geoffrey Stowe, San Francisco, CA (US); Stefan Bach, Isleworth (GB); Matthew Sprague, Palo Alto, CA (US); Michael Kross, Palo Alto, CA (US); Adam Borochoff, New York, NY (US); Parvathy Menon, San Jose, CA (US); and Michael Harris, Carmel, IN (US)
Assigned to Palantir Technologies Inc., Denver, CO (US)
Filed by Palantir Technologies Inc., Denver, CO (US)
Filed on Nov. 8, 2023, as Appl. No. 18/504,392.
Application 18/504,392 is a continuation of application No. 17/658,893, filed on Apr. 12, 2022, granted, now 11,848,760.
Application 17/658,893 is a continuation of application No. 16/898,850, filed on Jun. 11, 2020, granted, now 11,336,681, issued on May 17, 2022.
Application 16/898,850 is a continuation of application No. 16/239,081, filed on Jan. 3, 2019, granted, now 10,721,268, issued on Jul. 21, 2020.
Application 16/239,081 is a continuation of application No. 14/928,512, filed on Oct. 30, 2015, granted, now 10,264,014, issued on Apr. 16, 2019.
Application 14/928,512 is a continuation of application No. 14/139,640, filed on Dec. 23, 2013, granted, now 9,177,344, issued on Nov. 3, 2015.
Application 14/928,512 is a continuation of application No. 13/968,265, filed on Aug. 15, 2013, granted, now 8,788,405, issued on Jul. 22, 2014.
Application 14/139,640 is a continuation in part of application No. 13/968,213, filed on Aug. 15, 2013, granted, now 8,818,892, issued on Aug. 26, 2014.
Claims priority of provisional application 61/800,887, filed on Mar. 15, 2013.
Prior Publication US 2024/0146761 A1, May 2, 2024
This patent is subject to a terminal disclaimer.
Int. Cl. G06Q 40/00 (2023.01); G06F 16/23 (2019.01); G06F 16/242 (2019.01); G06F 16/2457 (2019.01); G06F 16/2458 (2019.01); G06F 16/26 (2019.01); G06F 16/28 (2019.01); G06F 16/335 (2019.01); G06F 16/35 (2019.01); G06F 16/355 (2025.01); G06F 16/9535 (2019.01); G06Q 10/10 (2023.01); G06Q 20/38 (2012.01); G06Q 20/40 (2012.01); G06Q 30/018 (2023.01); G06Q 40/02 (2023.01); G06Q 40/03 (2023.01); G06Q 40/10 (2023.01); G06Q 40/12 (2023.01); H04L 9/40 (2022.01)
CPC H04L 63/145 (2013.01) [G06F 16/23 (2019.01); G06F 16/244 (2019.01); G06F 16/24578 (2019.01); G06F 16/2465 (2019.01); G06F 16/26 (2019.01); G06F 16/283 (2019.01); G06F 16/285 (2019.01); G06F 16/287 (2019.01); G06F 16/288 (2019.01); G06F 16/335 (2019.01); G06F 16/35 (2019.01); G06F 16/355 (2019.01); G06F 16/9535 (2019.01); G06Q 10/10 (2013.01); G06Q 20/382 (2013.01); G06Q 20/4016 (2013.01); G06Q 30/0185 (2013.01); G06Q 40/00 (2013.01); G06Q 40/02 (2013.01); G06Q 40/03 (2023.01); G06Q 40/10 (2013.01); G06Q 40/123 (2013.12)]
19 Claims
1. A computer system comprising:
one or more computer readable storage devices configured to store a plurality of captured communications; and
one or more hardware computer processors in communication with the one or more computer readable storage devices and configured to execute computer executable instructions to cause the computer system to:
execute a cluster engine configured to at least:
generate, based on a plurality of captured communications, a filtered collection of captured communications, wherein the captured communications include user-agent strings;
determine, based on the filtered collection of captured communications, a first set of captured communications associated with a first time period, and a second set of captured communications associated with a second time period;
identify a first captured communication in the first set of captured communications that is not included among the second set of captured communications, wherein the first captured communication indicates a new user-agent string associated with the first time period and not associated with the second time period;
designate the new user-agent string as a seed;
generate a data item cluster based on the designated seed; and
determine scores for the data item cluster and a plurality of additional data item clusters generated based on user-agent-related data items; and
execute a workflow engine configured to at least:
cause presentation of the data item cluster and the plurality of additional data item clusters in a user interface of a client computing device; and
cause ordering of the presented data item cluster and the plurality of additional data item clusters in the user interface based at least in part on the respective determined scores for the data item cluster and the plurality of additional data item clusters.
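The steps recited in claim 1 (filter, split into two time periods, take newly seen user-agent strings as seeds, cluster, score, order) can be illustrated as follows. This is an added example, not the patent's or the assignee's implementation. The allowlist filter, the period boundary, the score formula and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy records: (timestamp, source host, destination, user-agent)
CAPTURED = [
    ("2024-05-01T09:00", "ws-01", "intranet.example", "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"),
    ("2024-05-01T09:05", "ws-02", "news.example", "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"),
    ("2024-05-02T10:00", "ws-01", "news.example", "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"),
    ("2024-05-02T10:01", "ws-03", "cdn.example", "UpdaterSvc/1.0"),
    ("2024-05-02T10:07", "ws-04", "cdn.example", "UpdaterSvc/1.0"),
    ("2024-05-02T11:30", "ws-02", "files.example", "curl/8.4.0"),
    ("2024-05-02T11:45", "ws-02", "intranet.example", "InternalAgent/2"),
]
ALLOWLISTED_DESTS = {"intranet.example"}   # assumed filter criterion
SPLIT = datetime(2024, 5, 2)               # assumed boundary between the two periods

def cluster_new_user_agents(records, split=SPLIT, allow=ALLOWLISTED_DESTS):
    # Filtered collection: drop traffic to allowlisted destinations.
    kept = [(datetime.fromisoformat(ts), src, dst, ua)
            for ts, src, dst, ua in records if dst not in allow]
    # First set = recent period; second set = earlier baseline period.
    first = [r for r in kept if r[0] >= split]
    baseline_uas = {r[3] for r in kept if r[0] < split}
    # Seeds: user-agent strings seen in the first period but not in the baseline.
    seeds = {r[3] for r in first} - baseline_uas
    # Cluster: gather the hosts and destinations linked to each seed.
    clusters = defaultdict(lambda: {"hosts": set(), "dests": set()})
    for _, src, dst, ua in first:
        if ua in seeds:
            clusters[ua]["hosts"].add(src)
            clusters[ua]["dests"].add(dst)
    # Assumed score: distinct hosts plus distinct destinations per cluster.
    scored = [(len(c["hosts"]) + len(c["dests"]), ua, c) for ua, c in clusters.items()]
    # Order for presentation: highest score first, user-agent as tie-breaker.
    return sorted(scored, key=lambda s: (-s[0], s[1]))

if __name__ == "__main__":
    for score, ua, c in cluster_new_user_agents(CAPTURED):
        print(score, ua, sorted(c["hosts"]), sorted(c["dests"]))
```

In this sample the Firefox string appears in both periods and is never a seed, and the record to the allowlisted destination is dropped before the comparison.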