&#xfeff;<html>
  <head>
    <META http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel="stylesheet" type="text/css" href="html_style_eog.css"/>
<script type="text/javascript">
          function printpage()
          {
          window.print()
          }
        </script>
<script type="text/javascript" src="https://components.uspto.gov/js/ais/40-patentsgazette.js"></script></head>
  <body bgcolor='#FFFFFF' onload='javascript: if ((navigator.appName.indexOf("Netscape")!=-1) && parent.leftFrame!=null) parent.leftFrame.location.reload();'>
    <basefont face="Times New Roman, Times New Roman, Times New Roman " size="2">
      <div style="margin-left: +10pt">
        <table width="90%" border="0" rules="none" align="center">
          <tr align="center">
            <td width="20%" colspan="1" rowspan="2" align="left" valign="top"><a href="https://ppubs.uspto.gov/pubwebapp/external.html?q=12316664.pn.&amp;db=USPAT" target="popup"><input type="button" class="button" value="   Full Text   "></a></td>
            <td class="table_data"><b>US 12,316,664 B1</b></td>
            <td width="20%" colspan="1" rowspan="2" align="right" valign="top">
              <form><input type="button" value="Print this page" onclick="printpage()"></form>
            </td>
          </tr>
          <tr align="center">
            <td colspan="1" class="table_data" style="text-transform: uppercase"><b>Intelligent search network for time-based detection of compromised network nodes</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b> Elise C. Soderholm,  Eagan, MN (US);  Sarah Margaret Bettendorf Larson,  Clearwater, MN (US);  Adam Michael Tangen,  Minneapolis, MN (US);  Christopher Kallas,  Grafton, WI (US); and  Xiaoqiao Wei,  Rancho Mission Viejo, CA (US)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Assigned to  U.S. Bancorp, National Association,  Minneapolis, MN (US)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Filed by  U.S. Bancorp, National Association,  Minneapolis, MN (US)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Filed on Jan.  29, 2025, as Appl. No. 19/040,705.</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Int. Cl. </b><i><b>H04L 9/40</b></i> (2022.01)</td>
          </tr>
        </table>
        <table width="90%" border="0" rules="none" align="center">
          <colgroup>
            <col width="75%">
            <col width="15%">
          </colgroup>
          <tr align="left">
            <td class="table_data" align="left"><b>CPC </b><i><b>H04L 63/1425</b></i> (2013.01)&#xa0;[<i><b>H04L 63/1416</b></i> (2013.01)]</td>
            <td class="table_data" align="right"><b>18 Claims</b></td>
          </tr>
        </table>
        <center><img src="US12316664-20250527-D00000.gif" alt="OG exemplary drawing"></center>
        <table width="90%" border="0" rules="none" align="center">
          <colgroup>
            <col width="90%">
          </colgroup>
          <tr>
            <td class="table_data" align="center">&#xa0;</td>
          </tr>
          <tr>
            <td valign="top" class="para_text">
              <div class="claim_text_root">1. A system for isolating compromised edge nodes in a computing device network based on tracking event patterns in off-network data, the system comprising one or more processors and one or more non-transitory machine-readable media storing program instructions that, when executed by the one or more processors, causes the one or more processors to perform operations comprising:<div class="claim_text">obtaining, from an out-of-network data source, a malicious anomaly indication for an event type associated with a set of event participant identifiers indicated by temporal sequences for a network, wherein each respective temporal sequence indicates a respective subset of events for a respective edge node of the network;</div>
                <div class="claim_text">generating sets of event rate gradients by determining, for each respective time block of a respective set of time blocks in a respective sequence of the temporal sequences, a respective event rate gradient corresponding with the event type for the respective temporal sequence;</div>
                <div class="claim_text">determining a set of compromised nodes by:<div class="claim_text">selecting a set of time blocks for which an associated set of event rate gradients falls below an acceleration threshold to identify a set of candidate compromised nodes,</div>
                  <div class="claim_text">filtering the set of candidate compromised nodes by a shared geographic identifier to detect a preliminary set of compromised nodes;</div>
                  <div class="claim_text">determining an expanded time window based on an earliest time block of the preliminary set of compromised nodes satisfying an event rate threshold;</div>
                  <div class="claim_text">performing a search through the temporal sequences based on the expanded time window and the event type to obtain the set of compromised nodes,</div>
                  <div class="claim_text">wherein obtaining the set of compromised nodes further comprises:<div class="claim_text">scoring the set of candidate compromised nodes based on the event rates to determine a first score associated with a first edge node; and</div>
                    <div class="claim_text">adding a second edge node to the set of compromised nodes based on a shared association between a geographic location category and the first edge node; and</div>
                  </div>
                </div>
                <div class="claim_text">restricting network access for the set of compromised nodes.</div>
              </div>
            </td>
          </tr>
        </table>
      </div>
    
  </body>
</html>