CPC H04L 63/1425 (2013.01) [G06N 20/00 (2019.01); H04L 63/1441 (2013.01)]    36 Claims

1. A method comprising:
obtaining data associated with operation of a monitored system, the monitored system comprising electronic devices and one or more networks, the obtained data associated with events involving the electronic devices and the one or more networks;
using one or more first machine learning models to identify anomalies in the monitored system based on the obtained data, each anomaly identifying an anomalous behavior of at least one of the electronic devices or at least one of the one or more networks;
using multiple second machine learning models to classify each of at least some of the identified anomalies into one of multiple classifications, different ones of the classifications associated with different types of cyberthreats to the monitored system, the multiple second machine learning models comprising multiple classification models configured to generate multiple values for each of at least some of the anomalies, each classification model trained differently from the other classification models in order to recognize a single different classification of anomalies among the multiple classifications, each classification model configured to generate a value identifying a likelihood that an associated one of the anomalies is classifiable into the single different classification associated with that classification model, the identified anomalies classified based on risk scores determined by using machine learning to combine the multiple values from the multiple classification models;
performing graph-based response identification based on a directed graph that represents components of the monitored system as nodes and that represents network traffic or events involving the components of the monitored system as directed edges; and
identifying, for each of at least some of the anomalies, one or more actions to be performed in order to counteract the cyberthreat associated with the anomaly;
wherein performing the graph-based response identification comprises, for at least one node of the directed graph:
generating edge statistics of one or more directed edges going into the at least one node of the directed graph;
generating edge statistics of one or more directed edges going out of the at least one node of the directed graph; and
providing the edge statistics to the multiple second machine learning models to identify actions to be taken to isolate the at least one node of the directed graph.
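As an added illustration (not code from the patent or its assignee), the post-detection steps of claim 1 in working form: per-node statistics of in- and out-edges from a directed flow graph, one classifier per threat type each yielding a likelihood for its single class, a combiner producing a risk score, and an isolation action chosen from it. The events, feature set, classifier and combiner weights, threshold and action names are constructed assumptions, and the first-stage anomaly models are assumed to have already flagged the node being examined.

```python
import math
from collections import defaultdict
EVENTS = [  # constructed sample flows (src, dst, bytes); illustrative, not from the patent
    ("10.0.0.5", "10.0.0.9", 1200), ("10.0.0.5", "10.0.0.10", 900),
    ("10.0.0.5", "10.0.0.11", 800), ("10.0.0.5", "10.0.0.12", 700),
    ("10.0.0.5", "203.0.113.7", 50_000_000),  # one very large outbound transfer
    ("10.0.0.9", "10.0.0.5", 300), ("10.0.0.2", "10.0.0.9", 4000),
]

def build_graph(events):
    """Directed graph: components are nodes, each flow a directed edge carrying its byte count."""
    out_edges, in_edges = defaultdict(list), defaultdict(list)
    for src, dst, nbytes in events:
        out_edges[src].append((dst, nbytes))
        in_edges[dst].append((src, nbytes))
    return out_edges, in_edges

def edge_statistics(node, out_edges, in_edges):
    """Statistics of the edges going into and out of one node: the classifier features."""
    outs, ins = out_edges.get(node, []), in_edges.get(node, [])
    return {"out_degree": len(outs), "in_degree": len(ins),
            "out_peers": len({p for p, _ in outs}), "in_peers": len({p for p, _ in ins}),
            "out_bytes_log": math.log10(1 + sum(b for _, b in outs)),
            "in_bytes_log": math.log10(1 + sum(b for _, b in ins))}

# Hypothetical one-vs-rest classifiers: one logistic model per threat type over the same
# features; the hand-set weights stand in for each model's separate training.
CLASSIFIERS = {
    "lateral_movement": {"out_peers": 0.9, "in_peers": -0.2, "bias": -3.0},
    "exfiltration": {"out_bytes_log": 1.0, "out_degree": 0.1, "bias": -6.5},
    "scanning": {"out_degree": 0.5, "out_peers": 0.5, "bias": -4.5},
}
# Hypothetical learned combiner weights that turn per-class likelihoods into one risk score.
COMBINER = {"lateral_movement": 0.4, "exfiltration": 0.5, "scanning": 0.3}

def classify(stats):
    """Each classifier yields a likelihood for its single class; the combiner yields the risk."""
    likelihoods = {}
    for name, model in CLASSIFIERS.items():
        z = model["bias"] + sum(w * stats.get(f, 0) for f, w in model.items() if f != "bias")
        likelihoods[name] = 1 / (1 + math.exp(-z))  # logistic output
    return likelihoods, sum(COMBINER[n] * p for n, p in likelihoods.items())

def recommend_actions(node, events, isolate_threshold=0.5):
    """Graph-based response identification for one node already flagged as anomalous."""
    likelihoods, risk = classify(edge_statistics(node, *build_graph(events)))
    top = max(likelihoods, key=likelihoods.get)
    actions = ["quarantine_host", "block_egress"] if risk >= isolate_threshold else ["monitor"]
    return {"node": node, "classification": top, "risk": round(risk, 3), "actions": actions}
```

Running `recommend_actions("10.0.0.5", EVENTS)` flags the host with the large outbound transfer for isolation, while `"10.0.0.9"`, whose in/out edges look ordinary, only gets monitored.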