US 11,057,414 B1
Asynchronous hidden markov models for internet metadata analytics
Edward J Giorgio, Naples, FL (US); Clifford C Cocks, Cheltenham (GB); O Patrick Kreidl, Atlantic Beach, FL (US); Jeffrey S Prisner, Neshanic Station, NJ (US); Alan G Richter, Cocoa Beach, FL (US); and Richard A Wisniewski, Williamsburg, VA (US)
Assigned to Bridgery Technologies, LLC, Naples, FL (US)
Filed by Bridgery Technologies, LLC, Naples, FL (US)
Filed on Aug. 5, 2020, as Appl. No. 16/986,252.
Claims priority of provisional application 62/883,050, filed on Aug. 5, 2019.
Int. Cl. H04L 9/00 (2006.01); H04L 29/06 (2006.01); G06F 16/901 (2019.01); H03M 7/30 (2006.01); G06N 20/00 (2019.01); G06N 7/00 (2006.01)
CPC H04L 63/1425 (2013.01) [G06F 16/9024 (2019.01); G06N 7/005 (2013.01); G06N 20/00 (2019.01); H03M 7/3059 (2013.01); H04L 63/1416 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A computer-implemented method for detecting anomalies in computer network traffic, executed by one or more processors, the method comprising:
monitoring, by the one or more processors, network traffic metadata transmitted on a computer network during a first time interval by obtaining, from the one or more processors, a plurality of samples of the metadata of the network traffic during the first time interval, the metadata representing events to be monitored;
parsing the metadata representing events to extract a set of features from the samples of the network traffic;
inputting the parsed metadata to one or more of a long-term incremental signal transformation or a short-term concurrent snapshot using a lossy compressing algorithm;
constructing, in a computer memory coupled to the one or more processors, a multi-partite graph of nodes and edges, based on one or more of the long-term incremental signal transformation or the short-term concurrent snapshot, wherein the nodes and edges are comprised of extracted features or aggregates of features from the metadata of the network traffic;
updating the multi-partite graph with additional extracted features obtained during successive time intervals using the incremental signal transformation;
generating streaming analytics based on the multi-partite graph, wherein the streaming analytics represent a likelihood that network traffic associated with a specified network component is infected with malware, wherein the streaming is performed by the use of at least one spatial and at least one temporal model, wherein each of the models is configured to update the parameters for underlying probability models based on a current metadata record and available enrichment data; and
storing, by the one or more processors, data in the computer memory indicating the likelihood that the specified network component is infected with malware.
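An illustrative sketch of the claimed pipeline, added here as an example and not code from the patent or its assignee: constructed metadata samples are parsed per time interval, a multi-partite graph (host, domain and port partitions) is updated incrementally, a spatial model emits one observation per interval, and a two-state hidden Markov model acts as the temporal model, returning the likelihood that a host is infected. The HMM parameters, the "destination seen from only this host" spatial rule and the sample records are assumptions; the lossy compression step of the claim is omitted.

```python
from collections import defaultdict

# Constructed sample metadata records: (interval, src_host, dst_domain, dst_port).
SAMPLES = [
    (0, "h1", "cdn.example", 443), (0, "h2", "cdn.example", 443),
    (0, "h1", "mail.example", 993), (0, "h2", "mail.example", 993),
    (1, "h1", "cdn.example", 443), (1, "h2", "mail.example", 993),
    (2, "h1", "odd-a.test", 8080), (2, "h2", "cdn.example", 443),
    (3, "h1", "odd-b.test", 4444), (3, "h2", "cdn.example", 443),
]

class MultipartiteGraph:
    """Partitions: host, domain, port. Edge weights are contact counts."""
    def __init__(self):
        self.edges = defaultdict(int)      # (src_node, dst_node) -> count
        self.hosts_by_domain = defaultdict(set)  # domain -> hosts that contacted it

    def update(self, records):
        """Incremental update: fold one interval's records into the graph."""
        for _, host, domain, port in records:
            self.edges[(("host", host), ("domain", domain))] += 1
            self.edges[(("host", host), ("port", port))] += 1
            self.hosts_by_domain[domain].add(host)

def spatial_observation(graph, host, records):
    """Assumed spatial rule: 1 if the host contacted a domain no other host has seen, else 0."""
    for _, h, domain, _ in records:
        if h == host and graph.hosts_by_domain[domain] == {host}:
            return 1
    return 0

def forward_posterior(observations, p_stay=(0.9, 0.95), p_emit=(0.05, 0.7), prior=0.1):
    """Temporal model: forward pass of a 2-state HMM (clean=0, infected=1).
    p_stay: self-transition probability per state; p_emit: P(observation=1 | state).
    Returns P(infected | all observations so far)."""
    trans = [[p_stay[0], 1 - p_stay[0]], [1 - p_stay[1], p_stay[1]]]
    emit = [[1 - p_emit[0], p_emit[0]], [1 - p_emit[1], p_emit[1]]]
    alpha = [1 - prior, prior]
    for o in observations:
        new = [sum(alpha[i] * trans[i][j] for i in range(2)) * emit[j][o] for j in range(2)]
        z = sum(new)                      # normalise each step to avoid underflow
        alpha = [a / z for a in new]
    return alpha[1]

def infection_likelihood(samples, host):
    """Run the interval-by-interval pipeline; returns (observations, P(infected))."""
    graph, obs = MultipartiteGraph(), []
    for t in sorted({s[0] for s in samples}):
        interval = [s for s in samples if s[0] == t]
        graph.update(interval)
        obs.append(spatial_observation(graph, host, interval))
    return obs, forward_posterior(obs)
```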