Patents by Inventor Michael Roytman

Michael Roytman has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 12657310
    Abstract: In one aspect, a method includes creating a polymorphic variant of a sample of malware, analyzing the polymorphic variant of the sample of malware by a security management service to determine if the polymorphic variant of the sample of malware evades detection by the security management service, when the security management service fails to detect the polymorphic variant during the analysis of the polymorphic variant, detonating the polymorphic variant in a virtualized environment to identify characterizations of the polymorphic variant, and training the security management service to detect the polymorphic variant based on the characterizations.
    Type: Grant
    Filed: July 27, 2023
    Date of Patent: June 16, 2026
    Assignee: Cisco Technology, Inc.
    Inventors: Vincent Parla, Andrew Zawadowskiy, Blake Anderson, Hugo Mike Latapie, Oleg Bessonov, David Arthur McGrew, Michael Roytman, Tian Bu, William Michael Hudson, Jr., Nancy Cam-Winget
  • Patent number: 12615292
    Abstract: A system and method are provided for detecting malicious messages using a two-step Bayesian approach. A discrimination engine determines for each of the messages a first score and a second score. The first score represents a likelihood that the respective messages are malicious messages, and the second score represents a likelihood that they were generated by a machine learning (ML) method, such as a large language model (LLM). Using a combination of these two scores, messages with a high probability of being malicious messages are discriminated and marked as such. For example, messages for which the first and second scores exceed respective thresholds are marked as suspicious.
    Type: Grant
    Filed: July 12, 2023
    Date of Patent: April 28, 2026
    Assignee: Cisco Technology, Inc.
    Inventor: Michael Roytman
  • Patent number: 12554861
    Abstract: Techniques for determining a tag for a security deficiency (e.g., a security vulnerability and/or exposure) using a generative machine learning model. In examples, a system may perform the following operations: (i) identifying a deficiency identifier associated with the security deficiency, (ii) retrieving one or more texts that correspond to the deficiency identifier, (iii) generating a prompt for a generative model to process the text(s) to detect a tag, (iv) providing the prompt to the generative machine learning model, (v) receiving the output of the machine learning model, (vi) determining whether the output satisfies one or more output constraints (e.g., one or more output constraints specified by format and/or content requirements specified in the prompt), and (vii) if the output satisfies the output constraint(s), determining the tag based on the validated output.
    Type: Grant
    Filed: March 15, 2024
    Date of Patent: February 17, 2026
    Assignee: Cisco Technology, Inc.
    Inventors: Tian Bu, Girish Pulprayil Chandranmenon, Yi Hong, Jerry Wayne Gamblin, Michael Roytman
  • Patent number: 12499221
    Abstract: In one embodiment, a method includes receiving a historical text document that is associated with a breach event. The method also includes searching for an attack tactic within the historical text document using a machine learning algorithm. The method further includes generating a probability that the attack tactic exists within the historical text document, comparing the probability to a predetermined probability threshold, and categorizing the historical text document based on the probability.
    Type: Grant
    Filed: July 15, 2022
    Date of Patent: December 16, 2025
    Assignee: Cisco Technology, Inc.
    Inventors: Michael Roytman, Edward Thayer Bellis, IV
  • Patent number: 12438900
    Abstract: Systems and methods for computing times to remediate for asset vulnerabilities are described herein. In an embodiment, a server computer receives first vulnerability data for a plurality of entities identifying asset vulnerabilities and timing data corresponding to the vulnerability data indicating an amount of time between identification of an asset vulnerability and a result of the asset vulnerability. The server computer identifies a strict subset of the first vulnerability data that belongs to a particular category of a first plurality of categories. The server computer receives second vulnerability data for a particular entity identifying asset vulnerabilities. The server computer identifies a strict subset of the second vulnerability data that belongs to the particular category. Based, at least in part, on the strict subset of the first vulnerability data, the server computer computes a time to remediate the asset vulnerabilities in the strict subset of the second vulnerability data.
    Type: Grant
    Filed: January 29, 2024
    Date of Patent: October 7, 2025
    Assignee: Kenna Security LLC
    Inventors: Michael Roytman, Edward T. Bellis, Jason Rolleston
  • Publication number: 20250291932
    Abstract: Techniques for determining a tag for a security deficiency (e.g., a security vulnerability and/or exposure) using a generative machine learning model. In examples, a system may perform the following operations: (i) identifying a deficiency identifier associated with the security deficiency, (ii) retrieving one or more texts that correspond to the deficiency identifier, (iii) generating a prompt for a generative model to process the text(s) to detect a tag, (iv) providing the prompt to the generative machine learning model, (v) receiving the output of the machine learning model, (vi) determining whether the output satisfies one or more output constraints (e.g., one or more output constraints specified by format and/or content requirements specified in the prompt), and (vii) if the output satisfies the output constraint(s), determining the tag based on the validated output.
    Type: Application
    Filed: March 15, 2024
    Publication date: September 18, 2025
    Applicant: Cisco Technology, Inc.
    Inventors: Tian Bu, Girish Pulprayil Chandranmenon, Yi Hong, Jerry Wayne Gamblin, Michael Roytman
  • Publication number: 20250286914
    Abstract: A system and method are provided for providing guidance to SOC professionals regarding follow-up response actions to detection incidents. A machine-learning (ML) model is trained to receive incident data for security incidents/detections. The ML model then classifies the incidents/detections and determines thereby follow-on actions. Using the trained ML model to automatically generate follow-on actions enables the Security Operation Center (SOC) to timely triage and remediate a high volume of security incidents/detections. Reinforcement training data is generated based on user feedback generated when the SOC reviews the generated follow-on actions and then responds to the incident. The reinforcement training data is used to update and improve the ML model, allowing the ML model to adapt to evolving security threats and conform to current best practices.
    Type: Application
    Filed: August 19, 2024
    Publication date: September 11, 2025
    Inventors: Michael Roytman, Tian Bu
  • Publication number: 20250023913
    Abstract: A system and method are provided for detecting malicious messages using a two-step Bayesian approach. A discrimination engine determines for each of the messages a first score and a second score. The first score represents a likelihood that the respective messages are malicious messages, and the second score represents a likelihood that they were generated by a machine learning (ML) method, such as a large language model (LLM). Using a combination of these two scores, messages with a high probability of being malicious messages are discriminated and marked as such. For example, messages for which the first and second scores exceed respective thresholds are marked as suspicious.
    Type: Application
    Filed: July 12, 2023
    Publication date: January 16, 2025
    Inventor: Michael Roytman
  • Publication number: 20240419812
    Abstract: Generation of one or more models is caused based on selecting training data comprising a plurality of features including a prevalence feature for each vulnerability of a first plurality of vulnerabilities. The one or more models enable predicting whether an exploit will be developed for a vulnerability and/or whether the exploit will be used in an attack. The one or more models are applied to input data comprising the prevalence feature for each vulnerability of a second plurality of vulnerabilities. Based on the application of the one or more models to the input data, output data is received. The output data indicates a prediction of whether an exploit will be developed for each vulnerability of the second plurality. Additionally or alternatively, the output data indicates, for each vulnerability of the second plurality, a prediction of whether an exploit that has yet to be developed will be used in an attack.
    Type: Application
    Filed: August 28, 2024
    Publication date: December 19, 2024
    Inventors: Edward T. Bellis, Michael Roytman, Jeffrey Heuer
  • Publication number: 20240330480
    Abstract: A system and method are provided for predicting risks related to software vulnerabilities and thereby triaging said vulnerabilities. Input data (e.g., bug reports) are applied to a prediction engine (e.g., a machine learning (ML) method such as a large language model, a transformer neural network, or a classifier model), which outputs two or more scores for each vulnerability. A first score represents a likelihood of an exploit being developed (a threat), a second score represents a likelihood of being attacked (a greater threat), and a third score represents a likelihood of becoming a published common vulnerability and exposure (an even greater threat). Based on these scores, the vulnerabilities are triaged. Because the prediction engine is trained to make predictions using the unstructured data in bug reports, the vulnerabilities can be triaged soon after discovery, reducing the time to remediate vulnerabilities predicted to be significant threats.
    Type: Application
    Filed: July 20, 2023
    Publication date: October 3, 2024
    Inventor: Michael Roytman
  • Publication number: 20240330481
    Abstract: A system and method are provided for predicting the method of exploitation and impact/scope of software vulnerabilities, thereby enabling improved remediation of the software vulnerabilities. A machine learning (ML) method receives threat-intelligence information of the software vulnerabilities and generates a threat vector based on a security category and a data or schema category of the software vulnerability. The ML method can include a first portion constrained to predict a first intermediary result corresponding to the security category of the software vulnerability. The ML method can include a second portion constrained to predict a second intermediary result corresponding to the data or schema category of the software vulnerability.
    Type: Application
    Filed: October 25, 2023
    Publication date: October 3, 2024
    Inventors: Michael Roytman, Vincent Parla, Andrew Zawadowskiy, William Michael Hudson, Jr.
  • Publication number: 20240333747
    Abstract: In one aspect, a method includes creating a polymorphic variant of a sample of malware, analyzing the polymorphic variant of the sample of malware by a security management service to determine if the polymorphic variant of the sample of malware evades detection by the security management service, when the security management service fails to detect the polymorphic variant during the analysis of the polymorphic variant, detonating the polymorphic variant in a virtualized environment to identify characterizations of the polymorphic variant, and training the security management service to detect the polymorphic variant based on the characterizations.
    Type: Application
    Filed: July 27, 2023
    Publication date: October 3, 2024
    Inventors: Vincent Parla, Andrew Zawadowskiy, Blake Anderson, Hugo Mike Latapie, Oleg Bessonov, David Arthur McGrew, Michael Roytman, Tian Bu, William Michael Hudson, Jr., Nancy Cam-Winget
  • Patent number: 12079346
    Abstract: Generation of one or more models is caused based on selecting training data comprising a plurality of features including a prevalence feature for each vulnerability of a first plurality of vulnerabilities. The one or more models enable predicting whether an exploit will be developed for a vulnerability and/or whether the exploit will be used in an attack. The one or more models are applied to input data comprising the prevalence feature for each vulnerability of a second plurality of vulnerabilities. Based on the application of the one or more models to the input data, output data is received. The output data indicates a prediction of whether an exploit will be developed for each vulnerability of the second plurality. Additionally or alternatively, the output data indicates, for each vulnerability of the second plurality, a prediction of whether an exploit that has yet to be developed will be used in an attack.
    Type: Grant
    Filed: March 14, 2022
    Date of Patent: September 3, 2024
    Inventors: Edward T. Bellis, Michael Roytman, Jeffrey Heuer
  • Publication number: 20240171603
    Abstract: Systems and methods for computing times to remediate for asset vulnerabilities are described herein. In an embodiment, a server computer receives first vulnerability data for a plurality of entities identifying asset vulnerabilities and timing data corresponding to the vulnerability data indicating an amount of time between identification of an asset vulnerability and a result of the asset vulnerability. The server computer identifies a strict subset of the first vulnerability data that belongs to a particular category of a first plurality of categories. The server computer receives second vulnerability data for a particular entity identifying asset vulnerabilities. The server computer identifies a strict subset of the second vulnerability data that belongs to the particular category. Based, at least in part, on the strict subset of the first vulnerability data, the server computer computes a time to remediate the asset vulnerabilities in the strict subset of the second vulnerability data.
    Type: Application
    Filed: January 29, 2024
    Publication date: May 23, 2024
    Inventors: Michael Roytman, Edward T. Bellis, Jason Rolleston
  • Patent number: 11888887
    Abstract: Systems and methods for computing times to remediate for asset vulnerabilities are described herein. In an embodiment, a server computer receives first vulnerability data for a plurality of entities identifying asset vulnerabilities and timing data corresponding to the vulnerability data indicating an amount of time between identification of an asset vulnerability and a result of the asset vulnerability. The server computer identifies a strict subset of the first vulnerability data that belongs to a particular category of a first plurality of categories. The server computer receives second vulnerability data for a particular entity identifying asset vulnerabilities. The server computer identifies a strict subset of the second vulnerability data that belongs to the particular category. Based, at least in part, on the strict subset of the first vulnerability data, the server computer computes a time to remediate the asset vulnerabilities in the strict subset of the second vulnerability data.
    Type: Grant
    Filed: April 27, 2021
    Date of Patent: January 30, 2024
    Inventors: Michael Roytman, Edward T. Bellis, Jason Rolleston
  • Patent number: 11861016
    Abstract: Generation of a first prediction model is caused based on first training data, where the first prediction model enables determining whether an exploit to be developed for software vulnerabilities will be used in an attack. For each training instance in the first training data, the first prediction model is used to generate a score. Each training instance is added to second training data if the score is greater than a threshold value. The second training data is a subset of the first training data. Generation of a second prediction model is caused based on the second training data, where the second prediction model enables determining whether an exploit to be developed for software vulnerabilities will be used in an attack.
    Type: Grant
    Filed: April 6, 2021
    Date of Patent: January 2, 2024
    Inventors: Michael Roytman, Jay Jacobs
  • Publication number: 20230316192
    Abstract: In one embodiment, a method includes determining an attack tactic risk score for one or more attack tactics based on a dataset of actual loss events and determining an incident risk score for an incident based on the one or more attack tactic risk scores. The method also includes determining a priority value for an asset. The asset is associated with the incident. The method further includes generating an asset risk score for the asset based on the priority value of the asset and the incident risk score.
    Type: Application
    Filed: July 7, 2022
    Publication date: October 5, 2023
    Inventors: Michael Roytman, Edward Thayer Bellis, IV
  • Publication number: 20230315844
    Abstract: In one embodiment, a method includes receiving a historical text document that is associated with a breach event. The method also includes searching for an attack tactic within the historical text document using a machine learning algorithm. The method further includes generating a probability that the attack tactic exists within the historical text document, comparing the probability to a predetermined probability threshold, and categorizing the historical text document based on the probability.
    Type: Application
    Filed: July 15, 2022
    Publication date: October 5, 2023
    Inventors: Michael Roytman, Edward Thayer Bellis, IV
  • Publication number: 20220207152
    Abstract: Generation of one or more models is caused based on selecting training data comprising a plurality of features including a prevalence feature for each vulnerability of a first plurality of vulnerabilities. The one or more models enable predicting whether an exploit will be developed for a vulnerability and/or whether the exploit will be used in an attack. The one or more models are applied to input data comprising the prevalence feature for each vulnerability of a second plurality of vulnerabilities. Based on the application of the one or more models to the input data, output data is received. The output data indicates a prediction of whether an exploit will be developed for each vulnerability of the second plurality. Additionally or alternatively, the output data indicates, for each vulnerability of the second plurality, a prediction of whether an exploit that has yet to be developed will be used in an attack.
    Type: Application
    Filed: March 14, 2022
    Publication date: June 30, 2022
    Inventors: Edward T. Bellis, Michael Roytman, Jeffrey Heuer
  • Publication number: 20220156385
    Abstract: Techniques related to vulnerability assessment based on machine inference are disclosed. A vulnerability assessment server may receive, from a client device, a set of metadata corresponding to a program stored on the client device. Further, the vulnerability assessment server may extract a program name from the set of metadata. Still further, the vulnerability assessment server may determine one or more vulnerabilities of the program based on searching for the program name in one or more storage systems that maintain sets of vulnerability data.
    Type: Application
    Filed: February 4, 2022
    Publication date: May 19, 2022
    Inventors: Edward T. Bellis, Michael Roytman, David Bortz, Jared Davis