&#xfeff;<html>
  <head>
    <META http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel="stylesheet" type="text/css" href="html_style_eog.css"/>
<script type="text/javascript">
          function printpage()
          {
          window.print()
          }
        </script>
<script type="text/javascript" src="https://components.uspto.gov/js/ais/40-patentsgazette.js"></script></head>
  <body bgcolor='#FFFFFF' onload='javascript: if ((navigator.appName.indexOf("Netscape")!=-1) && parent.leftFrame!=null) parent.leftFrame.location.reload();'>
    <basefont face="Times New Roman, Times New Roman, Times New Roman " size="2">
      <div style="margin-left: +10pt">
        <table width="90%" border="0" rules="none" align="center">
          <tr align="center">
            <td width="20%" colspan="1" rowspan="2" align="left" valign="top"><a href="https://ppubs.uspto.gov/pubwebapp/external.html?q=12259968.pn.&amp;db=USPAT" target="popup"><input type="button" class="button" value="   Full Text   "></a></td>
            <td class="table_data"><b>US 12,259,968 B2</b></td>
            <td width="20%" colspan="1" rowspan="2" align="right" valign="top">
              <form><input type="button" value="Print this page" onclick="printpage()"></form>
            </td>
          </tr>
          <tr align="center">
            <td colspan="1" class="table_data" style="text-transform: uppercase"><b>Detecting anomalous post-authentication behavior for a workload identity</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b> Shinesa Elaine Cambric,  Sachse, TX (US);  Maria Puertas Calvo,  Seattle, WA (US);  Ye Xu,  Kirkland, WA (US);  Etan Micah Basseri,  Seattle, WA (US);  Sergio Romero Zambrano,  Seattle, WA (US); and  Jeffrey Thomas Sakowicz,  Seattle, WA (US)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Assigned to  MICROSOFT TECHNOLOGY LICENSING, LLC,  Redmond, WA (US)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Filed by  Microsoft Technology Licensing, LLC,  Redmond, WA (US)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Filed on Mar.  30, 2022, as Appl. No. 17/708,855.</b></td>
          </tr>
          <tr>
            <td colspan="3" class="table_data" align="center"><b>Claims priority of provisional application 63/309,322, filed on Feb.  11, 2022.</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Prior Publication US 2023/0315840 A1, Oct.  5, 2023</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Int. Cl. </b><i><b>G06F 21/55</b></i> (2013.01); <i><b>G06F 21/34</b></i> (2013.01); <i><b>G06F 21/57</b></i> (2013.01)</td>
          </tr>
        </table>
        <table width="90%" border="0" rules="none" align="center">
          <colgroup>
            <col width="75%">
            <col width="15%">
          </colgroup>
          <tr align="left">
            <td class="table_data" align="left"><b>CPC </b><i><b>G06F 21/552</b></i> (2013.01)&#xa0;[<i><b>G06F 21/34</b></i> (2013.01); <i><b>G06F 21/577</b></i> (2013.01); <i>G06F 2221/034</i> (2013.01)]</td>
            <td class="table_data" align="right"><b>20 Claims</b></td>
          </tr>
        </table>
        <center><img src="US12259968-20250325-D00000.gif" alt="OG exemplary drawing"></center>
        <table width="90%" border="0" rules="none" align="center">
          <colgroup>
            <col width="90%">
          </colgroup>
          <tr>
            <td class="table_data" align="center">&#xa0;</td>
          </tr>
          <tr>
            <td valign="top" class="para_text">
              <div class="claim_text_root">1. A computing system, comprising:<div class="claim_text">at least one memory that stores program code; and</div>
                <div class="claim_text">a processing system, comprising one or more processors, configured to receive the program code from the at least one memory and, in response to at least receiving the program code, to:<div class="claim_text">receive activity log information corresponding to state change actions taken in a services platform for a workload identity of a service principal that is executed in the services platform, where the state change actions<div class="claim_text">take place during an associated authentication to the workload identity, and</div>
                    <div class="claim_text">involve workload identity credentials in an identity service of the services platform;</div>
                  </div>
                  <div class="claim_text">generate, for state change actions in a sequence combination of state change actions, probability values indicative of a likelihood that a particular state change action in the sequence combination of state change actions occurs after a state change action in the sequence combination of state change actions immediately preceding the particular state change action;</div>
                  <div class="claim_text">generate an anomaly score, via an action model, for the sequence combination of the state change actions by aggregating the probability values;</div>
                  <div class="claim_text">determine an anomalous state change has occurred based at least on satisfaction of a threshold condition associated with the anomaly score; and</div>
                  <div class="claim_text">perform a remedial action against the anomalous state change and within the services platform.</div>
                </div>
              </div>
            </td>
          </tr>
        </table>
      </div>
    
  </body>
</html>