What technology area does this patent fall under?

Primary CPC classification H04L63/1416. Mapped technology areas include Electricity.

When was this patent published?

Publication date Tue Jan 06 2026 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.

What related patents are in patentsdb?

We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).

Systems and methods for detecting malicious activity on a web server

US12519808B2 · US · B2

Patent metadata
Field	Value
Publication number	US-12519808-B2
Application number	US-202318494065-A
Country	US
Kind code	B2
Filing date	Oct 25, 2023
Priority date	Oct 25, 2023
Publication date	Jan 6, 2026
Grant date	Jan 6, 2026

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

Title
What the patent document calls the invention.
Abstract
A short plain-language summary of the technical disclosure.
Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
Key dates
Filing, priority, publication, and grant dates set the timeline.
First independent claim
The legal scope of protection — read this for what is actually claimed.
CPC / IPC classifications
Technology tags used to group this patent with similar filings.
Citations and related patents
Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Disclosed herein are systems and method for detecting malicious activity on a web server. A method may include: retrieving a first backup and a second backup of a web server from a backup archive that stores a plurality of backups of the web server, wherein the first backup was generated at a first time and the second backup was generated at a second time; detecting at least one change between the first backup and the second backup; determining whether the at least one change is associated with malicious activity based on a plurality of security rules and a plurality of machine learning models and a severity of the malicious activity; and in response to determining that the severity is greater than a threshold severity, executing a rollback function of the web server to a backup that does not include the malicious activity.

First claim

Opening claim text (preview).

The invention claimed is: 1 . A method for detecting malicious activity on a web server, the method comprising: retrieving a first backup and a second backup of a web server from a backup archive that stores a plurality of backups of the web server, wherein the first backup was generated at a first time and the second backup was generated at a second time; detecting at least one change between the first backup and the second backup; determining whether the at least one change is associated with malicious activity based on a plurality of security rules and a plurality of machine learning models, by: determining a rule verdict on whether the at least one change violates one or more of the plurality of security rules; inputting a file corresponding to the at least one change in a first machine learning model configured to verify whether an input change originates from an authorized channel; inputting the file in a second machine learning model configured to verify if a webpage associated with the file is a phishing webpage; inputting the rule verdict, an output of the first machine learning model, and an output of the second machine learning model into a third machine learning model configured to generate a severity of malicious activity on the web server; and in response to determining that the severity is greater than a threshold severity, executing a rollback function of the web server to a backup that does not include the malicious activity. 2 . The method of claim 1 , wherein the file is an image, and wherein determining whether the at least one change is associated with the malicious activity further comprises: inputting the file in a fourth machine learning model configured to determine whether the file comprises an authentic logo; and inputting an output of the fourth machine learning model in the third machine learning model. 3 . The method of claim 1 , wherein determining whether the at least one change is associated with the malicious activity further comprises: inputting the file in a fifth machine learning model configured to determine whether the file comprises malicious binaries; and inputting an output of the fifth machine learning model in the third machine learning model. 4 . The method of claim 1 , wherein the web server comprises a plurality of websites, wherein each of the plurality of websites comprises one or more web pages, and wherein the first backup and the second backup comprise files of a specific website of the plurality of websites. 5 . The method of claim 1 , wherein detecting at least one change between the first backup and the second backup further comprises executing a sixth machine learning model that detects changes across one or more input backups. 6 . The method of claim 1 , wherein detecting at least one change between the first backup and the second backup comprises: detecting that a hash value of the file in the first backup differs from a hash value of the file in the second backup. 7 . The method of claim 1 , wherein detecting at least one change between the first backup and the second backup comprises: detecting that a file version number of the file in the first backup differs from a file version number of the file in the second backup. 8 . The method of claim 1 , further comprising: identifying a webpage associated with the file corresponding to the at least one change; executing the webpage in a sandbox; determining a verdict of whether the webpage comprises malicious activity; and inputting the verdict in the third machine learning model. 9 . The method of claim 1 , wherein the web server is part of a plurality of web servers, further comprising: identifying each web server of the plurality of web servers that comprises the file; and executing the rollback function on each of the plurality of web servers. 10 . A system for detecting malicious activity on a web server, comprising: at least one memory; at least one hardware processor coupled with the at least one memory and configured, individually or in combination, to: retrieve a first backup and a second backup of a web server from a backup archive that stores a plurality of backups of the web server, wherein the first backup was generated at a first time and the second backup was generated at a second time; detect at least one change between the first backup and the second backup; determine whether the at least one change is associated with malicious activity based on a plurality of security rules and a plurality of machine learning models, by: determining a rule verdict on whether the at least one change violates one or more of the plurality of security rules; inputting a file corresponding to the at least one change in a first machine learning model configured to verify whether an input change originates from an authorized channel; inputting the file in a second machine learning model configured to verify if a webpage associated with the file is a phishing webpage; inputting the rule verdict, an output of the first machine learning model, and an output of the second machine learning model into a third machine learning model configured to generate a severity of malicious activity on the web server; and in response to determining that the severity is greater than a threshold severity, execute a rollback function of the web server to a backup that does not include the malicious activity. 11 . The system of claim 10 , wherein the file is an image, and wherein determining whether the at least one change is associated with the malicious activity further comprises: inputting the file in a fourth machine learning model configured to determine whether the file comprises an authentic logo; and inputting an output of the fourth machine learning model in the third machine learning model. 12 . The system of claim 10 , wherein determining whether the at least one change is associated with the malicious activity further comprises: inputting the file in a fifth machine learning model configured to determine whether the file comprises malicious binaries; and inputting an output of the fifth machine learning model in the third machine learning model. 13 . The system of claim 10 , wherein the web server comprises a plurality of websites, wherein each of the plurality of websites comprises one or more web pages, and wherein the first backup and the second backup comprise files of a specific website of the plurality of websites. 14 . The system of claim 10 , wherein detecting at least one change between the first backup and the second backup further comprises executing a sixth machine learning model that detects changes across one or more input backups. 15 . The system of claim 10 , wherein detecting at least one change between the first backup and the second backup comprises: detecting that a hash value of the file in the first backup differs from a hash value of the file in the second backup. 16 . The system of claim 10 , wherein detecting at least one change between the first backup and the second backup comprises: detecting that a file version number of the file in the first backup differs from a file version number of the file in the second backup. 17 . The system of claim 10 , further comprising: identifying a webpage associated with the file corresponding to the at least one change; executing the webpage in a sandbox; determining a verdict of whether the webpage comprises malicious activity; and inputting the verdict in the third machine learning model. 18 . The system of

Assignees

Acronis Int Gmbh

Inventors

Classifications

H04L63/20
for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title
G06F11/1464
for networked environments · CPC title
G06F2201/84
Using snapshots, i.e. a logical point-in-time copy of the data · CPC title
G06F11/1451
by selection of backup contents · CPC title
H04L63/1416Primary
Event detection, e.g. attack signature detection · CPC title

Patent family

Related publications grouped by family.

View patent family 95483216

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US12519808B2 cover?: Disclosed herein are systems and method for detecting malicious activity on a web server. A method may include: retrieving a first backup and a second backup of a web server from a backup archive that stores a plurality of backups of the web server, wherein the first backup was generated at a first time and the second backup was generated at a second time; detecting at least one change between …
Who is the assignee on this patent?: Acronis Int Gmbh
What technology area does this patent fall under?: Primary CPC classification H04L63/1416. Mapped technology areas include Electricity.
When was this patent published?: Publication date Tue Jan 06 2026 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?: We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).