Reconstructing execution call flows to detect anomalies

US12111718B2 · US · B2

Patent metadata
Publication number: US-12111718-B2
Application number: US-202117373107-A
Country: US
Kind code: B2
Filing date: Jul 12, 2021
Priority date: May 26, 2021
Publication date: Oct 8, 2024
Grant date: Oct 8, 2024

Abstract

Official abstract text for this publication.

Systems and methods of reconstructing execution call flows to detect anomalies are provided. A device can establish call flows using information extracted from a log file. Each of the call flows can identify information from the log file of a call flowing through a plurality of modules. The device can identify a count of a number of occurrences of one or more keywords in information of each call flow. The device can generate a vector of numbers for each call flow based at least on the count for the one or more keywords for that call flow. The device can classify each call flow into one or more clusters that indicate whether an operation of the call flow is anomalous. The device can classify each call flow using the vector of numbers for each call flow.
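The pipeline the abstract describes, as an added example (not code from the patent or its assignee): records are grouped by transaction identifier, ordered by timestamp, turned into keyword-count vectors, and classified by cosine similarity. The log format, module names, keyword dictionary and the single-baseline rule (similarity at or above the mean counts as normal) are assumptions made for illustration.

```python
import math
from collections import defaultdict

# Constructed sample log: timestamp, transaction id, module, message.
# Records arrive out of order on purpose (tx1) to show the timestamp sort.
LOG = """\
2021-05-26T10:00:02 tx1 broker session launch success
2021-05-26T10:00:01 tx1 gateway request received
2021-05-26T10:00:03 tx1 vda connect success
2021-05-26T10:00:05 tx2 gateway request received
2021-05-26T10:00:06 tx2 broker session launch success
2021-05-26T10:00:07 tx2 vda connect success
2021-05-26T10:00:09 tx3 gateway request received
2021-05-26T10:00:10 tx3 broker session launch timeout retry
2021-05-26T10:00:12 tx3 broker session launch timeout error
2021-05-26T10:00:13 tx3 vda connect failed error
"""
# Assumed keyword dictionary; a real one would be derived from the logs.
KEYWORDS = ["received", "success", "timeout", "retry", "failed", "error"]

def build_call_flows(log_text):
    """Group records by transaction id, then order each flow by timestamp."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        ts, txn, module, message = line.split(" ", 3)
        flows[txn].append((ts, module, message))
    return {txn: sorted(records) for txn, records in flows.items()}

def vectorize(records):
    """Count occurrences of each dictionary keyword across one call flow."""
    words = " ".join(message for _, _, message in records).split()
    return [words.count(keyword) for keyword in KEYWORDS]

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0  # all-zero vector: no similarity

def classify(log_text):
    """Label each flow by its cosine similarity to the mean (baseline) vector."""
    vectors = {t: vectorize(r) for t, r in build_call_flows(log_text).items()}
    # The baseline is the centroid of all flows, so anomalous flows pull it
    # toward themselves; a baseline from known-good flows avoids that.
    baseline = [sum(col) / len(vectors) for col in zip(*vectors.values())]
    sims = {t: cosine(v, baseline) for t, v in vectors.items()}
    mean_sim = sum(sims.values()) / len(sims)
    return {t: "normal" if s >= mean_sim else "anomalous" for t, s in sims.items()}
```
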

First claim

Opening claim text (preview).

What is claimed is:

1. A method comprising: establishing, by one or more processors using information extracted from a log file, a plurality of call flows, each of the plurality of call flows identifying information from the log file of a call flowing through a plurality of modules in accessing an application, the one or more processors extracting the information from the log file for each call flow of the plurality of call flows based at least on a timestamp, each call flow having a common unique transaction identifier and information from the log file for each call flow identified by the common unique transaction identifier; identifying, by the one or more processors, a count of a number of occurrences of one or more natural language keywords from the log file in information of each call flow of the plurality of call flows; generate, by the one or more processors, a vector of numbers for each call flow based at least on the count for the one or more keywords for that call flow; and classifying, by the one or more processors using the vector of numbers for each call flow, each call flow into one or more clusters, each of the one or more clusters identifying which modules are performing better than other modules of the plurality of modules; and updating, by the one or more processors, a configuration of one or more of the other modules in accessing the application based at least on the one or more clusters.

2. The method of claim 1, further comprising sorting, by the one or more processors, identifiers of modules for each call flow by the timestamps for each unique transaction identifier.

3. The method of claim 1, further comprising converting, by the one or more processors, alpha numeric data from the extracted information for each call flow to a numeric representation of each call flow in the form of the vector of numbers.

4. The method of claim 1, further comprising: establishing a dictionary of keywords for each call flow of the plurality of call flows based on common keywords of the call flow; and identifying the count of the number of occurrences for each keyword in the dictionary of keywords for the corresponding call flow.

5. The method of claim 1, further comprising classifying, by the one or more processors, using a k-means clustering function each call flow of the plurality of call flows into the one or more clusters to identify call flows of the plurality of call flows with common characteristics.

6. The method of claim 1, further comprising classifying, by the one or more processors, each call flow into a cluster of the one or more clusters based on a cosine similarity of each call flow to a baseline vector of each of the one or more clusters.

7. The method of claim 1, further comprising: identifying, by the one or more processors, a mean cosine similarity for each of the one or more clusters; determining, by the one or more processors, a cosine similarity for a call flow of the plurality of call flows with each of the one or more clusters; and classifying, by the one or more processors, the call flow into a cluster of the one or more clusters based on the cosine similarity for the call flow with the cluster being greater than or equal to the mean cosine similarity for the cluster.

8. The method of claim 1, further comprising identifying, by the one or more processors based at least on the one or more clusters, which one or more modules of the plurality of modules are operating anomalously.

9. A system to identify anomalous calls flowing through modules, comprising: a device comprising one or more processors coupled to memory, the device to: establish, using information extracted from a log file, a plurality of call flows, each of the plurality of call flows identifying information from the log file of a call flowing through a plurality of modules in accessing an application, wherein the information is extracted from the log file for each call flow of the plurality of call flows based at least on a timestamp, each call flow having a common unique transaction identifier and information from the log file for each call flow identified by the common unique transaction identifier; identify a count of a number of occurrences of one or more natural language keywords from the log file in information of each call flow of the plurality of call flows; generate a vector of numbers for each call flow based at least on the count for the one or more keywords for that call flow; classify, using the vector of numbers for each call flow, each call flow into one or more clusters that indicate whether an operation of the call flow is anomalous; and update a configuration of one or more of the other modules in accessing the application based at least on the one or more clusters.

10. The system of claim 9, wherein the device is further configured to sort identifiers of modules for each call flow by the timestamps for each unique transaction identifier.

11. The system of claim 9, wherein the device is further configured to convert alpha numeric data from the extracted information for each call flow to a numeric representation of each call flow in the form of the vector of numbers.

12. The system of claim 9, wherein the device is further configured to: establish a dictionary of keywords for each call flow of the plurality of call flows based on common keywords of the call flow; and identify the count of the number of occurrences for each keyword in the dictionary of keywords for the corresponding call flow.

13. The system of claim 9, wherein the device is further configured to classify, using a k-means clustering function, each call flow of the plurality of call flows into the one or more clusters to identify call flows of the plurality of call flows with common characteristics.

14. The system of claim 9, wherein the device is further configured to classify each call flow into a cluster of the one or more clusters based on a cosine similarity of each call flow to a baseline vector of each of the one or more clusters.

15. The system of claim 9, wherein the device is further configured to: identify a mean cosine similarity for each of the one or more clusters; determine cosine similarity for a call flow of the plurality of call flows with each of the one or more clusters; and classify the call flow into a cluster of the one or more clusters based on the cosine similarity for the call flow with the cluster being greater than or equal to the mean cosine similarity for the cluster.

16. The system of claim 9, wherein the device is further configured to identify, based at least on the one or more clusters, which one or more modules of the plurality of modules are operating anomalously.

17. A non-transitory computer readable medium storing instructions that, when executed by one or more processors, cause the one or more processors to identify anomalous calls flowing through modules, the instructions comprising instructions to: establish, using information extracted from a log file, a plurality of call flows, each of the plurality of call flows identifying information from the log file of a call flowing through a plurality of modules, the information extracted from the log file for each call flow of the plurality of call flows based at least on a timestamp, each call flow having a common unique transaction identifier and information from the log file for each call flow identified by the common unique transaction identifier; identify a count of a number of occurrences of one or more natural language keywords from the log file in information of each call flow of t

Classifications

  • within a central processing unit [CPU]

  • Clustering or classification

  • Traffic logging, e.g. anomaly detection

  • Error or fault detection not based on redundancy (power supply failures G06F1/30; network fault management H04L41/06)

  • G06N20/00 (Primary): Machine learning

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US12111718B2 cover?
Systems and methods of reconstructing execution call flows to detect anomalies are provided. A device can establish call flows using information extracted from a log file. Each of the call flows can identify information from the log file of a call flowing through a plurality of modules. The device can identify a count of a number of occurrences of one or more keywords in information of each cal…
Who is the assignee on this patent?
Citrix Systems Inc
What technology area does this patent fall under?
Primary CPC classification G06F11/0751. Mapped technology areas include Physics.
When was this patent published?
Publication date Oct 8, 2024 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 5 related publications on this page (citations in our corpus or others sharing the same primary CPC).