&#xfeff;<html>
  <head>
    <META http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel="stylesheet" type="text/css" href="html_style_eog.css"/>
<script type="text/javascript">
          function printpage()
          {
          window.print()
          }
        </script>
<script type="text/javascript" src="https://components.uspto.gov/js/ais/40-patentsgazette.js"></script></head>
  <body bgcolor='#FFFFFF' onload='javascript: if ((navigator.appName.indexOf("Netscape")!=-1) && parent.leftFrame!=null) parent.leftFrame.location.reload();'>
    <basefont face="Times New Roman, Times New Roman, Times New Roman " size="2">
      <div style="margin-left: +10pt">
        <table width="90%" border="0" rules="none" align="center">
          <tr align="center">
            <td width="20%" colspan="1" rowspan="2" align="left" valign="top"><a href="https://ppubs.uspto.gov/pubwebapp/external.html?q=11930020.pn.&amp;db=USPAT" target="popup"><input type="button" class="button" value="   Full Text   "></a></td>
            <td class="table_data"><b>US 11,930,020 B2</b></td>
            <td width="20%" colspan="1" rowspan="2" align="right" valign="top">
              <form><input type="button" value="Print this page" onclick="printpage()"></form>
            </td>
          </tr>
          <tr align="center">
            <td colspan="1" class="table_data" style="text-transform: uppercase"><b>Detection and mitigation of security threats to a domain name system for a communication network</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b> Zheng Dong,  Redmond, WA (US);  Jack Wilson Stokes, III,  North Bend, WA (US);  Jie Li,  Bellevue, WA (US); and  Jinyuan Jia,  Durham, NC (US)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Assigned to  MICROSOFT TECHNOLOGY LICENSING, LLC,  Redmond, WA (US)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Filed by  MICROSOFT TECHNOLOGY LICENSING, LLC,  Redmond, WA (US)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Filed on May   11, 2021, as Appl. No. 17/317,573.</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Prior Publication US 2022/0385673 A1, Dec.  1, 2022</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Int. Cl. </b><i><b>H04L 29/06</b></i> (2006.01); <i><b>G06F 16/901</b></i> (2019.01); <i><b>G06N 20/00</b></i> (2019.01); <i><b>H04L 9/40</b></i> (2022.01); <i><b>H04L 61/4511</b></i> (2022.01)</td>
          </tr>
        </table>
        <table width="90%" border="0" rules="none" align="center">
          <colgroup>
            <col width="75%">
            <col width="15%">
          </colgroup>
          <tr align="left">
            <td class="table_data" align="left"><b>CPC </b><i><b>H04L 63/1416</b></i> (2013.01)&#xa0;[<i><b>G06F 16/9024</b></i> (2019.01); <i><b>G06N 20/00</b></i> (2019.01); <i><b>H04L 61/4511</b></i> (2022.05)]</td>
            <td class="table_data" align="right"><b>17 Claims</b></td>
          </tr>
        </table>
        <center><img src="US11930020-20240312-D00000.gif" alt="OG exemplary drawing"></center>
        <table width="90%" border="0" rules="none" align="center">
          <colgroup>
            <col width="90%">
          </colgroup>
          <tr>
            <td class="table_data" align="center">&#xa0;</td>
          </tr>
          <tr>
            <td valign="top" class="para_text">
              <div class="claim_text_root">1. A computer-implemented method for identifying suspicious communication network assets, the method comprising:<div class="claim_text">accessing network traffic (NT) data that encodes at least one domain name resolution (DNR) transaction associated with a plurality of addresses that includes a plurality of domain name system (DNS) addresses and at least one target address;</div>
                <div class="claim_text">employing the NT data to generate a graph data structure including a plurality of nodes with each node representing an address from the plurality of addresses and a plurality of edges, the plurality of nodes including a plurality of DNS nodes with each DNS node representing a DNS address from the plurality of DNS addresses and at least one target node representing the at least one target address, and at least one edge from the plurality of edges connecting each of the plurality of DNS nodes to at least one of the at least one target node based on the at least one DNR transaction;</div>
                <div class="claim_text">identifying a first portion of the plurality of nodes, each node included in the first portion of the plurality of nodes is ground-truth labeled as a suspicious node;</div>
                <div class="claim_text">identifying a second portion of the plurality of nodes, each node included in the second portion of the plurality of nodes is unclassified; and</div>
                <div class="claim_text">assigning a node risk score to each node included in the second portion of the plurality of nodes, based on a comparison of the nodes included in the second portion of the plurality of nodes and each node included in the first portion of the plurality of nodes;</div>
                <div class="claim_text">based on the node risk score assigned to each of the plurality of nodes in the second portion, identifying a third portion of the plurality of nodes;</div>
                <div class="claim_text">classifying each address of the plurality of addresses that is represented by a node included in the third portion of the plurality of nodes as a suspicious address; and</div>
                <div class="claim_text">providing an indication of at least one address of the plurality of addresses that has been classified as a suspicious address.</div>
              </div>
            </td>
          </tr>
        </table>
      </div>
    
  </body>
</html>