Security system
US-2024414178-A1 · Dec 12, 2024 · US
US12413555B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12413555-B2 |
| Application number | US-202418932967-A |
| Country | US |
| Kind code | B2 |
| Filing date | Oct 31, 2024 |
| Priority date | Jun 12, 2023 |
| Publication date | Sep 9, 2025 |
| Grant date | Sep 9, 2025 |
Official abstract text for this publication.
Aspects described herein may relate to cyber threat detection based on threat context and/or threat changes. Cyber threat intelligence (CTI) data may be received from a CTI provider. Endpoint data that indicates evidence that endpoints are cyber threats may be determined based on the CTI data. The endpoint data may be analyzed and/or compared to stored data associated with the endpoint. The analysis and/or comparison may be performed to determine whether evidence that the endpoint is a cyber threat has changed. Based on any changes, dispositions for the endpoint may be determined and sent. The dispositions may change how devices filter network traffic associated with the endpoint. Alternatives to default dispositions may be determined based on an impact of blocking potentially legitimate network traffic to and/or from the endpoints. Machine-learning models may assist in processing and analyzing CTI data, performing threat monitoring, and/or determining feeds that include the dispositions.
Opening claim text (preview).
What is claimed is:

1. A method comprising: receiving, from a provider of a plurality of providers and for a computer network configured to protect against cyber threats, cyber threat intelligence (CTI) data that includes a first indication of compromise (IOC) that indicates an endpoint external to the computer network is a potential cyber threat; determining, based on the CTI data, first endpoint data that indicates the first IOC for the endpoint; based on an analysis of the first endpoint data and stored event data associated with the endpoint, determining that a threat status for the endpoint has changed, between receipt of the CTI data and receipt of the stored event data, from a prior threat status for the endpoint, wherein the stored event data indicates the endpoint is a potential cyber threat and indicates one or more second IOCs, received from the plurality of providers, used to determine the prior threat status for the endpoint; based on determining that the threat status for the endpoint has changed from the prior threat status, determining threat differential data for the endpoint that indicates the threat status for the endpoint has changed and that indicates one or more attributes that changed for the endpoint between the stored event data and the first endpoint data; determining, based on the threat differential data, a disposition for the endpoint; and sending, by a first computing device and to a second computing device, the disposition to cause the second computing device to filter network traffic for the computer network based on the disposition.

2. The method of claim 1, wherein determining the disposition for the endpoint is based on how many of the plurality of providers have indicated an IOC for the endpoint.

3. The method of claim 1, wherein determining the disposition for the endpoint is based on which of the plurality of providers have indicated an IOC for the endpoint.

4. The method of claim 1, wherein determining the disposition for the endpoint is based on indications that one or more of the plurality of providers have repeatedly indicated the same IOC for the endpoint.

5. The method of claim 1, wherein determining the disposition for the endpoint is based on how many of the plurality of providers have indicated the same IOC for the endpoint.

6. The method of claim 1, wherein determining the disposition for the endpoint is based on one or more of a first confidence value associated with the first IOC, a second confidence value associated with the one or more attributes, a third confidence value associated with the first provider.

7. The method of claim 1, wherein the first endpoint data is in a second format, and wherein the method further comprises: training a plurality of machine-learning models for the plurality of providers, wherein after training the plurality of machine-learning models, each of the plurality of machine-learning models is configured to receive input in a format that a provider sends CTI data and to provide output in the second format; and wherein determining the first endpoint data is performed based on using a first machine-learning model of the plurality of machine-learning models and providing the CTI data as input to the first machine-learning model.

8. The method of claim 1, further comprising: training a machine-learning model, wherein after training the machine-learning model, the machine-learning model is configured to output indications as to whether endpoints have changed based on input data associated with the endpoints; and wherein determining that the change for the endpoint has occurred is performed based on using the machine-learning model and providing the first endpoint data and the stored event data as input to the machine-learning model.

9. One or more non-transitory computer-readable media storing computer-executable instructions that, when executed, cause one or more computing devices to: receive, from a provider of a plurality of providers and for a computer network configured to protect against cyber threats, cyber threat intelligence (CTI) data that includes a first indication of compromise (IOC) for an endpoint external to the computer network is a potential cyber threat; determine, based on the CTI data, first endpoint data that indicates the first IOC for the endpoint; based on an analysis of the first endpoint data and stored event data associated with the endpoint, determine that a threat status for the endpoint has changed, between receipt of the CTI data and receipt of the stored event data, from a prior threat status for the endpoint, wherein the stored event data indicates the endpoint is a potential cyber threat and indicates one or more second IOCs, received from the plurality of providers, used to determine the prior threat status for the endpoint; based on determining that the threat status for the endpoint has changed from the prior threat status, determine threat differential data for the endpoint that indicates the threat status for the endpoint has changed and that indicates one or more attributes that changed for the endpoint between the stored event data and the first endpoint data; determine, based on the threat differential data, a disposition for the endpoint; and send, to a device, the disposition to cause the device to filter network traffic for the computer network based on the disposition.

10. The non-transitory computer-readable media of claim 9, wherein the computer-executable instructions, when executed, cause the one or more computing devices to determine the disposition for the endpoint based on how many of the plurality of providers have indicated an IOC for the endpoint.

11. The non-transitory computer-readable media of claim 9, wherein the computer-executable instructions, when executed, cause the one or more computing devices to determine the disposition for the endpoint based on which of the plurality of providers have indicated an IOC for the endpoint.

12. The non-transitory computer-readable media of claim 9, wherein the computer-executable instructions, when executed, cause the one or more computing devices to determine the disposition for the endpoint based on indications that one or more of the plurality of providers have repeatedly indicated the same IOC for the endpoint.

13. The non-transitory computer-readable media of claim 9, wherein the computer-executable instructions, when executed, cause the one or more computing devices to determine the disposition for the endpoint based on how many of the plurality of providers have indicated the same IOC for the endpoint.

14. The non-transitory computer-readable media of claim 9, wherein the first endpoint data is in a second format, and wherein the computer-executable instructions, when executed, cause the one or more computing devices to: train a plurality of machine-learning models for the plurality of providers, wherein after training the plurality of machine-learning models, each of the plurality of machine-learning models is configured to receive input in a format that a provider sends CTI data and to provide output in the second format; and wherein the computer-executable instructions, when executed, cause the one or more computing devices to determine the first endpoint data based on using a first machine-learning model of the plurality of machine-learning models and providing the CTI data as input to the first machine-learning model.

15. The non-transitory computer-readable media of claim 9, wherein the computer-executable instructions, when executed, cause the one or more computing devices to: train a machine-learning model, wher
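The flow the claims describe, as an added worked example that is not the patent's or any assignee's code: two constructed provider feeds in different layouts are normalized to a common IOC format (a hand-written mapping stands in for the per-provider machine-learning models of claim 7), merged with the stored event data for each endpoint, and a threat differential and disposition are produced only when the endpoint's threat status actually changes (claim 1). The disposition depends on how many providers corroborate the endpoint (claim 2) and on confidence values (claim 6), and a "high impact" set models the abstract's alternative to the default block disposition. The status thresholds, the provider formats, the `high_impact` rule and every feed entry are assumptions for the demonstration; the IP addresses come from the documentation ranges.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample feeds in two provider-specific layouts (assumed formats, not any
# real vendor's schema). The addresses are from the 203.0.113.0/24 and
# 198.51.100.0/24 documentation ranges.
PROVIDER_A_FEED = [{"indicator": "203.0.113.7", "type": "ipv4", "score": 60},
                   {"indicator": "198.51.100.9", "type": "ipv4", "score": 40}]
PROVIDER_B_FEED = [{"ioc": {"v": "203.0.113.7", "kind": "ip"}, "conf": 0.9}]


@dataclass(frozen=True)
class IOC:
    provider: str
    kind: str
    value: str
    confidence: float  # normalized to the common 0..1 scale


def normalize(provider: str, feed: list) -> List[IOC]:
    """Translate a provider's native format into the common IOC format.
    The patent trains one model per provider for this step; a hand-written
    mapping stands in for it here (assumption)."""
    if provider == "A":
        return [IOC("A", "ip" if r["type"] == "ipv4" else r["type"],
                    r["indicator"], r["score"] / 100.0) for r in feed]
    if provider == "B":
        return [IOC("B", r["ioc"]["kind"], r["ioc"]["v"], float(r["conf"])) for r in feed]
    raise ValueError(f"no normalizer for provider {provider!r}")


@dataclass
class EndpointState:
    """Stored event data for one external endpoint: the latest IOC per provider
    plus the threat status those IOCs produced."""
    endpoint: str
    iocs: Dict[str, IOC] = field(default_factory=dict)
    status: str = "unknown"


def threat_status(iocs: Dict[str, IOC], high_confidence: float = 0.8) -> str:
    """Rate an endpoint from the IOCs reported for it. Corroboration by two or
    more providers, or a single high-confidence IOC, yields 'malicious' (assumed thresholds)."""
    if not iocs:
        return "clean"
    if len(iocs) >= 2 or max(i.confidence for i in iocs.values()) >= high_confidence:
        return "malicious"
    return "suspicious"


def threat_differential(stored: EndpointState, new_iocs: List[IOC]) -> Tuple[Optional[dict], Dict[str, IOC]]:
    """Merge new evidence with the stored event data and describe what changed.
    Returns (differential, merged IOCs); the differential is None when the
    threat status did not change, so no new disposition is needed."""
    merged = dict(stored.iocs)
    for ioc in new_iocs:
        merged[ioc.provider] = ioc
    new_status = threat_status(merged)
    if new_status == stored.status:
        return None, merged
    diff = {
        "endpoint": stored.endpoint,
        "previous_status": stored.status,
        "status": new_status,
        "new_providers": sorted(set(merged) - set(stored.iocs)),  # attributes that changed
        "provider_count": len(merged),
        "max_confidence": max((i.confidence for i in merged.values()), default=0.0),
    }
    return diff, merged


def disposition(diff: dict, high_impact) -> str:
    """Choose the filtering action for an endpoint whose status changed. Block is
    the default for 'malicious'; it is downgraded to 'alert' for endpoints the
    organisation marked as high impact to block (assumed rule)."""
    if diff["status"] == "malicious":
        return "alert" if diff["endpoint"] in high_impact else "block"
    if diff["status"] == "suspicious":
        return "monitor"
    return "allow"


def process_feed(store: Dict[str, EndpointState], provider: str, feed: list,
                 high_impact=frozenset()) -> List[dict]:
    """Ingest one provider's feed, update the stored state, and return the
    dispositions that would be sent to the filtering device."""
    sent = []
    for ioc in normalize(provider, feed):
        state = store.setdefault(ioc.value, EndpointState(ioc.value))
        diff, merged = threat_differential(state, [ioc])
        state.iocs = merged
        if diff is None:
            continue  # evidence unchanged: nothing to send
        state.status = diff["status"]
        sent.append({"endpoint": ioc.value, "disposition": disposition(diff, high_impact),
                     "reason": diff})
    return sent


if __name__ == "__main__":
    store: Dict[str, EndpointState] = {}
    for d in process_feed(store, "A", PROVIDER_A_FEED) + process_feed(store, "B", PROVIDER_B_FEED):
        print(d["endpoint"], d["disposition"],
              d["reason"]["previous_status"], "->", d["reason"]["status"])
```

Running the two feeds in order yields `monitor` for both endpoints after provider A (single, low-confidence reports), then `block` for 203.0.113.7 once provider B corroborates it; re-processing the same feed produces no further disposition because the status is unchanged, which is the de-duplication the differential step buys a filtering device that would otherwise receive every IOC again on every refresh.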
CPC classifications:

- Traffic logging, e.g. anomaly detection
- Event detection, e.g. attack signature detection
- Machine learning
- Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002)
- Rule management