Inventiv.org

AI-Powered Cybersecurity Tool Automatically Flags Top Threats for Faster Enterprise Response

Inventiv.org
November 17, 2025
Apple

Invented by Brautbar; Michael Avraham, Kiraly; Daniel Constant, Petronaci; Michael, CrowdStrike, Inc.

Cybersecurity is getting harder every day. New threats show up all the time, and the number of alerts keeps growing. The patent application we explore today introduces a smart way to sort and prioritize these alerts using machine learning and real-time data from computers across the network. Let’s break it down step by step, so you’ll understand what’s new, why it matters, and how it works.

Background and Market Context

Cybersecurity teams are swamped. On a typical day, even a small business might see dozens of security alerts. Large companies and security providers may get thousands or even millions of alerts in a single day. These alerts can be about viruses, hacking attempts, or strange computer behavior. Each alert could be a real attack or just a false alarm.

Today, many businesses use security software called “cybersecurity sensory agents.” These are small programs that live on computers and look for trouble. When they see something odd, they send a report to a central service, usually in the cloud. This cloud service collects alerts from all the computers in the organization.

But here’s the problem: most alerts are not important. Many are harmless, or even mistakes. Human experts are needed to review these alerts and decide which ones are real threats. But with so many alerts, it is impossible for humans to check them all quickly. Dangerous threats can get lost in the noise, while experts waste time chasing harmless ones.

This is a big challenge for everyone in the industry. If teams can’t find the real threats quickly, hackers can do a lot of damage. Companies need a better way to sift through the alerts and find the ones that matter most. That’s where the idea from this patent comes in.

The solution is to use machine learning to help sort and rank the alerts, so the most dangerous problems get attention first. With this new approach, the system learns what “normal” looks like for each computer and can spot when something is truly out of the ordinary. This helps teams focus their time and resources on the real threats, not the false alarms.

With more devices, more software, and more users, the number of alerts keeps going up. The market is hungry for smart solutions that can help security teams keep up. This invention is both timely and needed, as it promises to make security operations faster, more accurate, and less stressful for humans.

Scientific Rationale and Prior Art

Let’s talk about how threat detection worked before and why this new approach is different.

Traditional threat detection systems use rules and signatures. A rule might say, “If a file looks like this known virus, raise an alert.” Or, “If someone tries to log in from a new country, warn the security team.” These rules work, but they only catch threats that fit known patterns. Hackers can get around the rules by changing their methods. Also, these systems often create lots of alerts about harmless activity, which wastes time.

Some systems try to use “behavioral analysis.” They look for actions that seem odd, like a user suddenly downloading lots of files. But even these systems don’t always know what’s normal for each computer, user, or business. What’s odd for one person might be normal for another. If the system is too strict, it makes too many false alarms. If it’s too loose, it misses real attacks.

Machine learning has started to appear in cybersecurity. Some tools use it to spot new types of malware or to block phishing emails. But most machine learning systems in security work in one of two ways: either they look at the content of files (is this file like a known virus?) or they look at activity patterns across the network (is someone trying to break in?). They don’t usually combine the full context of the machine—the hardware, software, user behavior, and recent events—to make decisions.

Another challenge with older systems is that they treat all alerts the same. A virus alert from a test computer is treated just like one from a key server that holds sensitive data. But in reality, not all computers are equal. Some run important business apps, some hold sensitive data, and some are just used for simple tasks. Security teams need to know which alerts are most urgent, based on where they come from and what the machine is doing.

The prior art does not fully address this context. Most systems don’t track machine context over time, and don’t use machine learning to profile what’s normal for each machine and then compare alerts to this profile. The new invention closes this gap. It uses machine learning to build a profile of normal behavior for each device, based on lots of real data. When an alert comes in, the system compares the machine’s current state to its normal profile. If it’s a big difference, the alert gets a high priority. If it’s just business as usual, the alert is lowered in the queue. This approach reduces false alarms and puts real threats at the top of the list.

In summary, this invention builds on earlier ideas of using rules and behavior analysis, but it goes further. It uses machine learning to capture the full context of each device, tracks history, and adapts as things change. This is a smarter, more flexible way to help security teams spot real threats faster.

Invention Description and Key Innovations

Now let’s get to the heart of the invention. What does this patent cover, and what makes it unique?

The patent describes a computer system—usually in the cloud—that collects security alerts and detailed context from millions of devices. Each device runs a sensory agent. When something odd happens, the agent sends two kinds of data: the detection (what it saw) and the machine context (what’s happening on the device at that moment).

Machine context is a big idea here. It means not just what program triggered the alert, but also things like:

  • The hardware and software on the device (make, model, OS version)
  • What apps are running
  • Who is logged in, and how often
  • Network activity, like open ports or recent connections
  • Any known vulnerabilities
  • Whether the device holds important or sensitive info
  • Patterns of normal activity (for example, does this user usually log in at this time?)

When a new alert comes in, the cloud service compares the current machine context to what’s normal for that device. “Normal” is learned over time by a machine learning model. The model is trained using lots of historical data from the company’s own devices, and it can even include human expert input. The system builds a “profile” for each machine—a statistical picture of what’s safe and expected.

If the incoming context matches the normal profile, the alert is probably not urgent. If it’s way outside the normal range, the system bumps up the priority. For example, if a server that never installs new software is suddenly installing lots of new programs, that’s suspicious. But if a test machine does this every day, it’s normal.

The invention also tracks “detection counts”—how many alerts each device has seen in a given time. If a device suddenly reports many more alerts than normal, that’s a sign of trouble. The system uses this count along with the machine context to decide which alerts are urgent.
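The comparison described above can be sketched in a few lines. This is an added illustration, not code from the patent application or from CrowdStrike: it swaps the trained model for a simple per-device median/MAD baseline, and the device names, feature set, history rows, and priority thresholds are all constructed assumptions.

```python
from statistics import median

# Constructed per-device daily history (not real telemetry). Each row is
# (detections, new_software_installs, new_outbound_connections).
HISTORY = {
    "db-server-01": [(0, 0, 3), (1, 0, 4), (0, 0, 3), (0, 0, 5),
                     (1, 0, 4), (0, 0, 3), (0, 0, 4)],
    "qa-test-07": [(4, 9, 20), (6, 12, 25), (5, 10, 22), (3, 8, 18),
                   (5, 11, 24), (4, 10, 21), (6, 9, 23)],
}


def build_profile(rows):
    """Per-feature (median, MAD) baseline. MAD is floored at 1.0 so a
    feature that never varied (e.g. zero installs) can still be scored."""
    profile = []
    for column in zip(*rows):
        med = median(column)
        mad = median(abs(v - med) for v in column)
        profile.append((med, max(mad, 1.0)))
    return profile


def deviation(profile, observed):
    """Largest upward robust z-score across features; only increases
    above the baseline count as anomalous in this sketch."""
    return max(max(0.0, (x - med) / (1.4826 * mad))
               for (med, mad), x in zip(profile, observed))


def priority(score):
    """Map deviation onto a 1-5 scale (5 = most urgent).
    The thresholds are assumptions chosen for the example."""
    for level, threshold in ((5, 8.0), (4, 5.0), (3, 3.0), (2, 1.5)):
        if score >= threshold:
            return level
    return 1


def triage(alerts, history=HISTORY):
    """Rank (device, observed_context) alerts, most urgent first."""
    profiles = {dev: build_profile(rows) for dev, rows in history.items()}
    ranked = [(priority(deviation(profiles[dev], obs)), dev)
              for dev, obs in alerts]
    return sorted(ranked, reverse=True)


if __name__ == "__main__":
    same_context = (5, 10, 22)  # identical alert context on both machines
    print(triage([("qa-test-07", same_context), ("db-server-01", same_context)]))
```

The same context of five detections, ten installs, and 22 new connections ranks as priority 5 on the server that never installs software and priority 1 on the test machine where that activity is routine.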

All this info is logged in a database. Over time, the system keeps learning. It remembers which alerts were real (true positives) and which were false alarms. Human experts can review alerts and give feedback, which helps train the model to get even better.

The invention can work in two ways: in the cloud, or even locally on each device. The local agent can make quick decisions by itself, or it can send data to the cloud for deeper analysis. This gives flexibility for different setups—some businesses want fast local action, while others want central control.

Another clever part of the system is that it can assign simple, clear priorities—like a number from 1 to 5, or labels like “high,” “medium,” or “low.” This makes it easy for humans to see which alerts need action first. The system can even escalate urgent alerts to human experts right away, or trigger automatic responses like isolating a computer from the network.

Finally, the invention includes ways to measure how well it’s working. It uses “cyberprobabilities” and “cybererrors” to see how likely an alert is to be a real threat, and to check if the model is making good predictions. This helps keep the system accurate and trustworthy.

By bringing all these ideas together—machine learning, detailed machine context, historical tracking, and clear prioritization—the invention offers a smarter, faster, and more reliable way to manage cybersecurity alerts. It helps organizations protect themselves better, save time, and react to real threats before they cause damage.

Conclusion

Cybersecurity teams are fighting a losing battle against too many alerts and not enough time. This new invention, described in the patent application, gives them a powerful new tool. By using machine learning to build a profile of each device, tracking every bit of context, and learning from experience, the system can sort alerts so that real threats are found and stopped quickly.

This approach is different from older systems that relied on fixed rules or simple behavior analysis. It adapts to each machine, learns what’s normal, and uses this knowledge to spot real problems. The system can work in the cloud or locally, and it keeps getting smarter over time with feedback from human experts.

If you’re in charge of cybersecurity or just interested in how new technology is making a difference, keep an eye on this kind of invention. It’s a big step forward in making security smarter, faster, and more effective for everyone.

To read the full application, go to https://ppubs.uspto.gov/pubwebapp/ and search for 20250335582.

Tags: Patent Review
Disclaimer Communications between you and Inventiv Foundation are protected by our Privacy Policy but not by the attorney-client privilege or as work product. Inventiv Foundation, Inc. can connect you to independent attorneys and self-help services at your specific direction. We are not a law firm or a substitute for an attorney or law firm. We cannot provide any kind of advice, explanation, opinion, or recommendation about possible legal rights, remedies, defenses, options, selection of forms or strategies. Your access to the website is subject to our Terms of Use.
