&#xfeff;<html>
  <head>
    <META http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel="stylesheet" type="text/css" href="html_style_eog.css"/>
<script type="text/javascript">
          function printpage()
          {
          window.print()
          }
        </script>
<script type="text/javascript" src="https://components.uspto.gov/js/ais/40-patentsgazette.js"></script></head>
  <body bgcolor='#FFFFFF' onload='javascript: if ((navigator.appName.indexOf("Netscape")!=-1) && parent.leftFrame!=null) parent.leftFrame.location.reload();'>
    <basefont face="Times New Roman, Times New Roman, Times New Roman " size="2">
      <div style="margin-left: +10pt">
        <table width="90%" border="0" rules="none" align="center">
          <tr align="center">
            <td width="20%" colspan="1" rowspan="2" align="left" valign="top"><a href="https://ppubs.uspto.gov/pubwebapp/external.html?q=11843631.pn.&amp;db=USPAT" target="popup"><input type="button" class="button" value="   Full Text   "></a></td>
            <td class="table_data"><b>US 11,843,631 B2</b></td>
            <td width="20%" colspan="1" rowspan="2" align="right" valign="top">
              <form><input type="button" value="Print this page" onclick="printpage()"></form>
            </td>
          </tr>
          <tr align="center">
            <td colspan="1" class="table_data" style="text-transform: uppercase"><b>Detecting triggering events for distributed denial of service attacks</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b> Karl Ackerman,  Topsfield, MA (US);  Mark David Harris,  Oxon (GB);  Simon Neil Reed,  Wokingham (GB);  Andrew J. Thomas,  Oxfordshire (GB); and  Kenneth D. Ray,  Seattle, WA (US)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Assigned to  Sophos Limited,  Abingdon (GB)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Filed by  Sophos Limited,  Abingdon (GB)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Filed on Jul.  8, 2021, as Appl. No. 17/370,895.</b></td>
          </tr>
          <tr>
            <td colspan="3" class="table_data" align="center"><b>Application 17/370,895 is a continuation of application No. 15/479,476, filed on Apr.  5, 2017, granted, now 11,102,238.</b></td>
          </tr>
          <tr>
            <td colspan="3" class="table_data" align="center"><b>Application 15/479,476 is a continuation of application No. PCT/US2016/040094, filed on Jun.  29, 2016.</b></td>
          </tr>
          <tr>
            <td colspan="3" class="table_data" align="center"><b>Application PCT/US2016/040094 is a continuation in part of application No. 15/136,687, filed on Apr.  22, 2016, granted, now 11,277,416.</b></td>
          </tr>
          <tr>
            <td colspan="3" class="table_data" align="center"><b>Application 15/136,687 is a continuation in part of application No. 15/136,762, filed on Apr.  22, 2016, granted, now 10,938,781, issued on Mar.  2, 2021.</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Prior Publication US 2021/0344707 A1, Nov.  4, 2021</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>This patent is subject to a terminal disclaimer.</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Int. Cl. </b><i><b>G06F 21/55</b></i> (2013.01); <i><b>H04L 9/40</b></i> (2022.01); <i><b>G06F 21/56</b></i> (2013.01); <i><b>G06F 21/57</b></i> (2013.01)</td>
          </tr>
        </table>
        <table width="90%" border="0" rules="none" align="center">
          <colgroup>
            <col width="75%">
            <col width="15%">
          </colgroup>
          <tr align="left">
            <td class="table_data" align="left"><b>CPC </b><i><b>H04L 63/1458</b></i> (2013.01)&#xa0;[<i><b>H04L 63/1416</b></i> (2013.01); <i><b>H04L 63/1425</b></i> (2013.01)]</td>
            <td class="table_data" align="right"><b>20 Claims</b></td>
          </tr>
        </table>
        <center><img src="US11843631-20231212-D00000.gif" alt="OG exemplary drawing"></center>
        <table width="90%" border="0" rules="none" align="center">
          <colgroup>
            <col width="90%">
          </colgroup>
          <tr>
            <td class="table_data" align="center">&#xa0;</td>
          </tr>
          <tr>
            <td valign="top" class="para_text">
              <div class="claim_text_root">1. A computer program product for protecting against distributed denial of service attacks from an enterprise network, the computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:<div class="claim_text">detecting a potential trigger event on an endpoint in the enterprise network for a distributed denial of service attack;</div>
                <div class="claim_text">in response to detecting the potential trigger event, monitoring outbound traffic from the endpoint for an increase in network traffic from the endpoint directed to a known, good reputation network address over a predetermined time;</div>
                <div class="claim_text">in response to the potential trigger event followed by the increase in network traffic over the predetermined time, identifying the endpoint as having a compromised state in which the endpoint serves as a distributed denial of service bot for the distributed denial of service attack; and</div>
                <div class="claim_text">preventing all network traffic from the endpoint to the known, good reputation network address until the compromised state is remediated.</div>
              </div>
            </td>
          </tr>
        </table>
      </div>
    
  </body>
</html>