Behavioral threat detection definition and compilation
US-12235960-B2 · Feb 25, 2025 · US
US12292968B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12292968-B2 |
| Application number | US-202418732193-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jun 3, 2024 |
| Priority date | Mar 27, 2019 |
| Publication date | May 6, 2025 |
| Grant date | May 6, 2025 |
Official abstract text for this publication.
Examples of the present disclosure describe systems and methods for behavioral threat detection definition. In an example, a behavior rule comprising a set of rule instructions is used to define one or more events indicative of a behavior. For example, a set of events from which one event must be matched may be defined or a set of events from which all events must be matched may be defined. In some examples, events are matched based on an event name or type, or may be matched based on one or more parameters. Exact and/or inexact matching may be used. The set of rule instructions ultimately specifies one or more halt instructions, thereby indicating that a determination as to the presence of the behavior has been made. Example determinations include, but are not limited to, a match determination, a non-match determination, or an indication that additional monitoring should be performed.
Opening claim text (preview).
The invention claimed is:

1. A system for threat mitigation comprising: a processor; and a non-transitory memory coupled to the processor and comprising instructions executable by the processor for: detecting an occurrence of an event; matching the event to a behavior rule associated with the event, the behavior rule comprising a plurality of behavior rule instructions and associated with a threat, each of the plurality of behavior rule instructions associated with an occurrence related to the event; and executing the behavior rule, comprising executing a first one of the plurality of behavior rule instructions of the behavior rule; detecting the occurrence associated with the first one of the behavior rule instructions of the behavioral rule and, in response; executing a second one of the plurality of behavior rule instructions of the behavioral rule, comprising; executing a threat mitigation action related to the event.
2. The system of claim 1, wherein the behavior rule is associated with a computing context; and wherein, based on detecting the occurrence of the event, the behavior rule is executed within the computing context.
3. The system of claim 1, further comprising: defining the behavior rule comprising: associating the event with the behavior rule comprising defining a set of parameters that define the event and match the event with the behavior rule; and defining the plurality of behavior rule instructions, the plurality of behavior rule instructions for identifying the threat.
4. The system of claim 1, wherein executing a first one of the plurality of behavior rule instructions of the behavior rule comprises: pausing the executing of the behavior rule and resuming the executing of the behavior rule upon the detecting the occurrence associated with the first one of the behavior rule instructions of the behavioral rule.
5. The system of claim 1, wherein the event comprises a triggering event associated with the behavior rule and the occurrence associated with the first one of the behavior rule instructions of the behavioral rule comprises a subsequent event associated with the behavior rule.
6. The system of claim 1, wherein a portion of the behavior rule instructions is arranged in a hierarchy of behavior rule instructions, each branch of the hierarchy representing a sequence of the behavior rule instructions for the matched event.
7. The system of claim 6, wherein at least one of the behavior rule instructions arranged in the hierarchy of behavior rule instructions represents a parent behavior rule instruction and at least two of the behavior rule instructions, different than the parent behavior rule instruction, arranged in the hierarchy of behavior rule instructions represent child behavior rule instructions, wherein the occurrence associated with the parent behavior rule instruction determines which of the two child behavior rule instructions to execute.
8. A method for threat mitigation, comprising: detecting an occurrence of an event; matching the event to a behavior rule associated with the event, the behavior rule comprising a plurality of behavior rule instructions and associated with a threat, each of the plurality of behavior rule instructions associated with an occurrence related to the event; and executing the behavior rule, comprising executing a first one of the plurality of behavior rule instructions of the behavior rule; detecting the occurrence associated with the first one of the behavior rule instructions of the behavioral rule and, in response; executing a second one of the plurality of behavior rule instructions of the behavioral rule, comprising; executing a threat mitigation action related to the event.
9. The method of claim 8, wherein the behavior rule is associated with a computing context; and wherein, based on detecting the occurrence of the event, the behavior rule is executed within the computing context.
10. The method of claim 8, further comprising: defining the behavior rule comprising: associating the event with the behavior rule comprising defining a set of parameters that define the event and match the event with the behavior rule; and defining the plurality of behavior rule instructions, the plurality of behavior rule instructions for identifying the threat.
11. The method of claim 8, wherein executing a first one of the plurality of behavior rule instructions of the behavior rule comprises: pausing the executing of the behavior rule and resuming the executing of the behavior rule upon the detecting the occurrence associated with the first one of the behavior rule instructions of the behavioral rule.
12. The method of claim 8, wherein the event comprises a triggering event associated with the behavior rule and the occurrence associated with the first one of the behavior rule instructions of the behavioral rule comprises a subsequent event associated with the behavior rule.
13. The method of claim 8, wherein a portion of the behavior rule instructions is arranged in a hierarchy of behavior rule instructions, each branch of the hierarchy representing a sequence of the behavior rule instructions for the matched event.
14. The method of claim 13, wherein at least one of the behavior rule instructions arranged in the hierarchy of behavior rule instructions represents a parent behavior rule instruction and at least two of the behavior rule instructions, different than the parent behavior rule instruction, arranged in the hierarchy of behavior rule instructions represent child behavior rule instructions, wherein the occurrence associated with the parent behavior rule instruction determines which of the two child behavior rule instructions to execute.
15. A computer program product for threat mitigation, the computer program product stored in a non-transitory computer readable medium and comprising instructions for: detecting an occurrence of an event; matching the event to a behavior rule associated with the event, the behavior rule comprising a plurality of behavior rule instructions and associated with a threat, each of the plurality of behavior rule instructions associated with an occurrence related to the event; and executing the behavior rule, comprising executing a first one of the plurality of behavior rule instructions of the behavior rule; detecting the occurrence associated with the first one of the behavior rule instructions of the behavioral rule and, in response; executing a second one of the plurality of behavior rule instructions of the behavioral rule, comprising; executing a threat mitigation action related to the event.
16. The computer programming product of claim 15, further comprising: defining the behavior rule comprising: associating the event with the behavior rule comprising defining a set of parameters that define the event and match the event with the behavior rule; and defining the plurality of behavior rule instructions, the plurality of behavior rule instructions for identifying the threat.
17. The computer programming product of claim 15, wherein executing a first one of the plurality of behavior rule instructions of the behavior rule comprises: pausing the executing of the behavior rule and resuming the executing of the behavior rule upon the detecting the occurrence associated with the first one of the behavior rule instructions of the behavioral rule.
18. The computer programming product of claim 15, wherein the event comprises a triggering event associated with the behavior rule and the occurrence as
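The abstract and claims above describe one rule model: instructions that pause the rule until one-of or all-of a set of events occurs, event matching by name/type and by parameters (exact or inexact), parent instructions whose matched occurrence selects a child branch, and halt instructions that yield a match, non-match, or continue-monitoring determination. The following Python engine is an added illustration of those semantics, not code from the patent or its assignee; the event names (process_start, file_write, net_connect, process_exit), the rule, and the event stream are all constructed for the example.

```python
from collections import namedtuple
from fnmatch import fnmatch

# Rule instructions. WaitAny/WaitAll pause the rule until the listed event(s) occur;
# Halt records the determination ("match", "no_match" or "monitor").
WaitAny = namedtuple("WaitAny", "branches exact", defaults=(True,))  # [(pattern, child_instrs)]
WaitAll = namedtuple("WaitAll", "patterns exact", defaults=(True,))  # every pattern, any order
Halt = namedtuple("Halt", "result")

def matches(event, pattern, exact=True):
    """Name/type must match exactly; other parameters match exactly or as glob patterns."""
    for key, want in pattern.items():
        have = event.get(key)
        if have is None or (have != want if exact or key == "name" else not fnmatch(have, want)):
            return False
    return True

def run_rule(instructions, stream):
    """Execute a behavior rule over an event iterator until a halt instruction fires."""
    for instr in instructions:
        if isinstance(instr, Halt):
            return instr.result
        if isinstance(instr, WaitAll):
            pending = list(instr.patterns)
            for ev in stream:
                pending = [p for p in pending if not matches(ev, p, instr.exact)]
                if not pending:
                    break
            else:
                return "monitor"    # stream ended mid-rule: keep watching
        else:  # WaitAny: the first event matching a branch selects that branch's child sequence
            child = next((b for ev in stream for p, b in instr.branches if matches(ev, p, instr.exact)), None)
            if child is None:
                return "monitor"
            if child:               # an empty child list simply falls through to the next instruction
                return run_rule(child, stream)
    return "monitor"                # instructions exhausted without a halt

# Constructed rule and event stream with hypothetical event names (not from the patent).
RULE = [
    WaitAny([({"name": "process_start"}, [])]),                  # triggering event
    WaitAny([({"name": "file_write", "path": "*.locked"},         # inexact parameter match
              [WaitAll([{"name": "file_delete"}, {"name": "net_connect"}]), Halt("match")]),
             ({"name": "process_exit"}, [Halt("no_match")])], exact=False),
]
EVENTS = [{"name": "process_start"}, {"name": "file_write", "path": "a.docx.locked"},
          {"name": "net_connect", "dst": "203.0.113.5"}, {"name": "file_delete", "path": "a.docx"}]
```

Feeding `RULE` a stream that ends after the suspicious write yields "monitor" rather than a verdict, which is the additional-monitoring outcome the abstract names.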
CPC classification titles:

- involving event detection and direct action
- Test or assess a computer or a system
- Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
- involving long-term monitoring or reporting