&#xfeff;<html>
  <head>
    <META http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel="stylesheet" type="text/css" href="html_style_eog.css"/>
<script type="text/javascript">
          function printpage()
          {
          window.print()
          }
        </script>
<script type="text/javascript" src="https://components.uspto.gov/js/ais/40-patentsgazette.js"></script></head>
  <body bgcolor='#FFFFFF' onload='javascript: if ((navigator.appName.indexOf("Netscape")!=-1) && parent.leftFrame!=null) parent.leftFrame.location.reload();'>
    <basefont face="Times New Roman, Times New Roman, Times New Roman " size="2">
      <div style="margin-left: +10pt">
        <table width="90%" border="0" rules="none" align="center">
          <tr align="center">
            <td width="20%" colspan="1" rowspan="2" align="left" valign="top"><a href="https://ppubs.uspto.gov/pubwebapp/external.html?q=12333451.pn.&amp;db=USPAT" target="popup"><input type="button" class="button" value="   Full Text   "></a></td>
            <td class="table_data"><b>US 12,333,451 B2</b></td>
            <td width="20%" colspan="1" rowspan="2" align="right" valign="top">
              <form><input type="button" value="Print this page" onclick="printpage()"></form>
            </td>
          </tr>
          <tr align="center">
            <td colspan="1" class="table_data" style="text-transform: uppercase"><b>Interpretable supervised anomaly detection for determining reasons for unsupervised anomaly decision</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b> Sashka T. Davis,  Vienna, VA (US); and  Alex Zaslavsky,  Brookline, MA (US)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Assigned to  RSA Security USA, LLC,  Burlington, MA (US)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Filed by  RSA Security LLC,  Bedford, MA (US)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Filed on Nov.  27, 2019, as Appl. No. 16/697,483.</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Prior Publication US 2021/0158193 A1, May   27, 2021</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Int. Cl. </b><i><b>G06N 5/045</b></i> (2023.01); <i><b>G06N 5/046</b></i> (2023.01); <i><b>G06N 20/20</b></i> (2019.01)</td>
          </tr>
        </table>
        <table width="90%" border="0" rules="none" align="center">
          <colgroup>
            <col width="75%">
            <col width="15%">
          </colgroup>
          <tr align="left">
            <td class="table_data" align="left"><b>CPC </b><i><b>G06N 5/045</b></i> (2013.01)&#xa0;[<i><b>G06N 5/046</b></i> (2013.01); <i><b>G06N 20/20</b></i> (2019.01)]</td>
            <td class="table_data" align="right"><b>14 Claims</b></td>
          </tr>
        </table>
        <center><img src="US12333451-20250617-D00000.gif" alt="OG exemplary drawing"></center>
        <table width="90%" border="0" rules="none" align="center">
          <colgroup>
            <col width="90%">
          </colgroup>
          <tr>
            <td class="table_data" align="center">&#xa0;</td>
          </tr>
          <tr>
            <td valign="top" class="para_text">
              <div class="claim_text_root">1. A method, comprising:<div class="claim_text">receiving at a network monitoring device implemented by a cloud infrastructure values of one or more predefined features associated with a remote user device that is separate from the cloud infrastructure;</div>
                <div class="claim_text">applying the values of the one or more predefined features to an unsupervised anomaly detection model that generates an unsupervised anomaly decision by identifying at least one previously-unknown pattern in the values of the one or more features associated with the remote user device;</div>
                <div class="claim_text">applying the values of the one or more predefined features to a supervised anomaly detection model that generates a supervised anomaly decision based on at least one input-output pair in a labeled training dataset, wherein the supervised anomaly detection model is trained at least in part using anomalous training data based on known anomalies and supplemental training data that includes generated fraudulent attacks that are underrepresented in the anomalous training data;</div>
                <div class="claim_text">determining a third anomaly decision based on the supervised anomaly decision with the unsupervised anomaly decision using ensemble techniques;</div>
                <div class="claim_text">determining one or more reasons for the third anomaly decision by analyzing the supervised anomaly decision to identify one or more instances in which a value associated with a feature violated a rule of the supervised anomaly detection model,</div>
                <div class="claim_text">executing a predefined remediation step in response to the third anomaly decision, wherein the predefined remediation step includes restricting the remote user device from accessing a network in response to the third anomaly decision by autonomously adjusting a network permission that controls which resources the remote user device and a user account associated with the remote user device may access; and</div>
                <div class="claim_text">performing a feature importance analysis to identify one or more features that are most predictive in detecting an anomaly for a future anomaly detection instance, wherein the feature importance analysis includes a feature interaction analysis to identify two or more features that have a dependency relationship;</div>
                <div class="claim_text">wherein the method is performed by at least one processing device comprising a processor coupled to a memory.</div>
              </div>
            </td>
          </tr>
        </table>
      </div>
    
  </body>
</html>