&#xfeff;<html>
  <head>
    <META http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel="stylesheet" type="text/css" href="html_style_eog.css"/>
<script type="text/javascript">
          function printpage()
          {
          window.print()
          }
        </script>
<script type="text/javascript" src="https://components.uspto.gov/js/ais/40-patentsgazette.js"></script></head>
  <body bgcolor='#FFFFFF' onload='javascript: if ((navigator.appName.indexOf("Netscape")!=-1) && parent.leftFrame!=null) parent.leftFrame.location.reload();'>
    <basefont face="Times New Roman, Times New Roman, Times New Roman " size="2">
      <div style="margin-left: +10pt">
        <table width="90%" border="0" rules="none" align="center">
          <tr align="center">
            <td width="20%" colspan="1" rowspan="2" align="left" valign="top"><a href="https://ppubs.uspto.gov/pubwebapp/external.html?q=11956253.pn.&amp;db=USPAT" target="popup"><input type="button" class="button" value="   Full Text   "></a></td>
            <td class="table_data"><b>US 11,956,253 B1</b></td>
            <td width="20%" colspan="1" rowspan="2" align="right" valign="top">
              <form><input type="button" value="Print this page" onclick="printpage()"></form>
            </td>
          </tr>
          <tr align="center">
            <td colspan="1" class="table_data" style="text-transform: uppercase"><b>Ranking cybersecurity alerts from multiple sources using machine learning</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b> Derek Lin,  San Mateo, CA (US);  Domingo Mihovilovic,  Menlo Park, CA (US); and  Sylvain Gil,  San Francisco, CA (US)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Assigned to  Exabeam, Inc.,  Foster City, CA (US)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Filed by  Exabeam, Inc.,  Foster City, CA (US)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Filed on Apr.  23, 2021, as Appl. No. 17/239,426.</b></td>
          </tr>
          <tr>
            <td colspan="3" class="table_data" align="center"><b>Claims priority of provisional application 63/039,347, filed on Jun.  15, 2020.</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Int. Cl. </b><i><b>H04L 9/40</b></i> (2022.01); <i><b>G06N 5/04</b></i> (2023.01); <i><b>G06N 20/00</b></i> (2019.01)</td>
          </tr>
        </table>
        <table width="90%" border="0" rules="none" align="center">
          <colgroup>
            <col width="75%">
            <col width="15%">
          </colgroup>
          <tr align="left">
            <td class="table_data" align="left"><b>CPC </b><i><b>H04L 63/1416</b></i> (2013.01)&#xa0;[<i><b>G06N 5/04</b></i> (2013.01); <i><b>G06N 20/00</b></i> (2019.01)]</td>
            <td class="table_data" align="right"><b>9 Claims</b></td>
          </tr>
        </table>
        <center><img src="US11956253-20240409-D00000.gif" alt="OG exemplary drawing"></center>
        <table width="90%" border="0" rules="none" align="center">
          <colgroup>
            <col width="90%">
          </colgroup>
          <tr>
            <td class="table_data" align="center">&#xa0;</td>
          </tr>
          <tr>
            <td valign="top" class="para_text">
              <div class="claim_text_root">1. A method, performed by a computer system, for ranking computer network security alerts from multiple sources, the method comprising:<div class="claim_text">(a) receiving a security alert from one of a plurality of alert-generation sources in a computer network;</div>
                <div class="claim_text">(b) evaluating the security alert with respect to a plurality of feature indicators to obtain feature indicator values for the security alert;</div>
                <div class="claim_text">(c) creating a feature vector for the security alert that includes the feature indicator values for the security alert;</div>
                <div class="claim_text">(d) calculating a probability that the security alert relates to a cybersecurity risk in the computer network based on the created feature vector and historical alert data in the network, wherein the probability is a Bayes probability calculated as a function of the probability of seeing the feature vector with respect to a cybersecurity risk and the probability of seeing the feature vector with respect to legitimate or low-interest activity, wherein calculating the probability of seeing the feature vector with respect to a cybersecurity risk and the probability of seeing the feature vector with respect to legitimate or low-interest activity comprises: dividing the feature vector for the alert into a plurality of non-overlapping subsets to create a plurality of subset feature vectors, for each subset feature vector, calculating a probability of seeing the subset feature vector with respect to a cybersecurity risk and a probability of seeing the subset feature vector with respect to legitimate or low-interest activity, and calculating the product of the probabilities calculated for the subset feature vectors to obtain the probability of seeing the feature vector with respect to a cybersecurity risk and the probability of seeing the feature vector with respect to legitimate or low-interest activity;</div>
                <div class="claim_text">(e) performing steps (a)-(d) for a plurality of security alerts from the plurality of alert-generation sources;</div>
                <div class="claim_text">(f) ranking the security alerts based on the calculated probabilities; and</div>
                <div class="claim_text">(g) displaying the ranked security alerts, wherein the alert ranking includes alerts from a plurality of alert-generation sources.</div>
              </div>
            </td>
          </tr>
        </table>
      </div>
    
  </body>
</html>