&#xfeff;<html>
  <head>
    <META http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel="stylesheet" type="text/css" href="html_style_eog.css"/>
<script type="text/javascript">
          function printpage()
          {
          window.print()
          }
        </script>
<script type="text/javascript" src="https://components.uspto.gov/js/ais/40-patentsgazette.js"></script></head>
  <body bgcolor='#FFFFFF' onload='javascript: if ((navigator.appName.indexOf("Netscape")!=-1) && parent.leftFrame!=null) parent.leftFrame.location.reload();'>
    <basefont face="Times New Roman, Times New Roman, Times New Roman " size="2">
      <div style="margin-left: +10pt">
        <table width="90%" border="0" rules="none" align="center">
          <tr align="center">
            <td width="20%" colspan="1" rowspan="2" align="left" valign="top"><a href="https://ppubs.uspto.gov/pubwebapp/external.html?q=12141280.pn.&amp;db=USPAT" target="popup"><input type="button" class="button" value="   Full Text   "></a></td>
            <td class="table_data"><b>US 12,141,280 B2</b></td>
            <td width="20%" colspan="1" rowspan="2" align="right" valign="top">
              <form><input type="button" value="Print this page" onclick="printpage()"></form>
            </td>
          </tr>
          <tr align="center">
            <td colspan="1" class="table_data" style="text-transform: uppercase"><b>Deep learning-based analysis of signals for threat detection</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b> Arie Agranonik,  Herzliya (IL);  Shay Kels,  Givatayim (IL); and  Ofer Raz,  Kfar Tavor (IL)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Assigned to  Microsoft Technology Licensing, LLC,  Redmond, WA (US)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Filed by  MICROSOFT TECHNOLOGY LICENSING, LLC,  Redmond, WA (US)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Filed on Jun.  30, 2020, as Appl. No. 16/917,177.</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Prior Publication US 2021/0406368 A1, Dec.  30, 2021</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Int. Cl. </b><i><b>G06F 21/56</b></i> (2013.01); <i><b>G06F 9/54</b></i> (2006.01); <i><b>G06F 17/18</b></i> (2006.01); <i><b>G06N 3/08</b></i> (2023.01)</td>
          </tr>
        </table>
        <table width="90%" border="0" rules="none" align="center">
          <colgroup>
            <col width="75%">
            <col width="15%">
          </colgroup>
          <tr align="left">
            <td class="table_data" align="left"><b>CPC </b><i><b>G06F 21/56</b></i> (2013.01)&#xa0;[<i><b>G06F 9/542</b></i> (2013.01); <i><b>G06F 17/18</b></i> (2013.01); <i><b>G06N 3/08</b></i> (2013.01)]</td>
            <td class="table_data" align="right"><b>20 Claims</b></td>
          </tr>
        </table>
        <center><img src="US12141280-20241112-D00000.gif" alt="OG exemplary drawing"></center>
        <table width="90%" border="0" rules="none" align="center">
          <colgroup>
            <col width="90%">
          </colgroup>
          <tr>
            <td class="table_data" align="center">&#xa0;</td>
          </tr>
          <tr>
            <td valign="top" class="para_text">
              <div class="claim_text_root">1. A computer-implemented method comprising:<div class="claim_text">receiving process data from a client computer system based on activity and behaviors of the client computer system;</div>
                <div class="claim_text">generating a process tree based on parent and child relationships associated with the process data, wherein the process data is associated with a plurality of processes;</div>
                <div class="claim_text">associating, in the process tree, each of the plurality of processes with a corresponding signal associated with signal data;</div>
                <div class="claim_text">based on the process tree comprising the parent and child relationships and a chronology of execution of the plurality processes having corresponding signals, generating a vector of a sequence of events, wherein the vector is associated with scoring a probability that the sequence of events from the vector is malicious,</div>
                <div class="claim_text">the vector is a representation of the process tree comprising a first process that produces a first signal at a first time and a second process that produces a second signal at a second time, the first process and the second process have a parent and child relationship;</div>
                <div class="claim_text">inputting the vector into a trained model associated with registry-related features of a plurality of sequences of events that indicate malicious activity, the registry-related features of the plurality of sequences of events correspond to registry-related features in training process data, training signal data, and training chronology of execution and relationship between processes data,</div>
                <div class="claim_text">the trained model is configured to evaluate the vector for potentially malicious activity;</div>
                <div class="claim_text">based on inputting the vector into the trained model, generating a score that indicates whether the sequence of events represented by the vector is malicious, wherein the score is generated using the trained model, the parent and child relationships, chronology of execution of the plurality processes represented in the in the sequence of events of the vector, and registry-related features associated with the sequence of events; and</div>
                <div class="claim_text">based on the score satisfying an alert threshold, causing a security risk mitigation action.</div>
              </div>
            </td>
          </tr>
        </table>
      </div>
    
  </body>
</html>