Traditional intrusion detection encodes human knowledge into rules: an expert decides what malicious traffic looks like and writes a signature for it. The approach works for known attacks but inherits a hard ceiling — it can only catch what someone thought to specify. Novel attacks, subtle ones, attacks that look benign in any single packet but malicious across a pattern, fall through the gaps that hand-built rules inevitably leave.
The grant US11611588B2, "Deep learning network intrusion detection" (issued March 21, 2023, assigned to Kyndryl, Inc.), takes the learned approach. Its CPC classifications combine the intrusion-detection classes H04L 63/1416 and H04L 63/1425 with the deep-learning classes G06N 3/0454 and G06N 3/088 — neural networks applied to network traffic.
The mechanism worth understanding is that deep networks learn features humans don't have to specify. Given enough labeled traffic, a neural network discovers the patterns that distinguish malicious from benign — including subtle, distributed patterns no analyst would think to write a rule for. The model isn't limited to the attacks its designers anticipated; it generalizes from examples to recognize variations and novel forms.
For defenders, the practical takeaway is a different coverage profile. Deep-learning detection complements rule-based systems: rules catch the known with precision and explainability, while the learned model catches the unanticipated. Together they cover more than either alone, which is why mature detection stacks layer both.
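The layering described above, as an added example (not code from the patent or from Kyndryl): a per-packet signature layer backed by a learned scorer over per-source window features. A single logistic unit stands in for the deep network to keep the block self-contained; the signature, the feature choice, the training windows and the sample traffic are all constructed assumptions.

```python
import math

# Constructed placeholder signature (not a real indicator).
SIGNATURES = {"RULE-001": b"KNOWN-BAD-MARKER"}
# Constructed labelled windows: (distinct-port ratio, SYN ratio, scaled payload size), label.
TRAIN = [
    ((0.02, 0.10, 0.60), 0), ((0.03, 0.15, 0.50), 0),
    ((0.01, 0.05, 0.80), 0), ((0.04, 0.20, 0.40), 0),
    ((0.60, 0.90, 0.05), 1), ((0.80, 0.95, 0.02), 1),
    ((0.50, 0.85, 0.04), 1), ((0.70, 0.80, 0.06), 1),
]

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def train(samples, epochs=2000, lr=0.5):
    # Stand-in for a deep network: one logistic unit fitted by batch gradient descent.
    w, b = [0.0] * len(samples[0][0]), 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * len(w), 0.0
        for x, y in samples:
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - y
            gw = [g + err * xi for g, xi in zip(gw, x)]
            gb += err
        w = [wi - lr * g / len(samples) for wi, g in zip(w, gw)]
        b -= lr * gb / len(samples)
    return w, b

def window_features(packets):
    # packets: (dst_port, is_syn, payload) tuples from one source in one window.
    n = len(packets)
    ports = len({p[0] for p in packets}) / n
    syn = sum(1 for p in packets if p[1]) / n
    size = min(sum(len(p[2]) for p in packets) / n / 1000.0, 1.0)
    return (ports, syn, size)

def detect(packets, model, threshold=0.5):
    # Layer 1: per-packet signatures, precise and explainable by rule id.
    for rule_id, pattern in SIGNATURES.items():
        if any(pattern in p[2] for p in packets):
            return ("alert", f"signature {rule_id}")
    # Layer 2: learned score over the whole window.
    w, b = model
    score = sigmoid(sum(wi * xi for wi, xi in zip(w, window_features(packets))) + b)
    return ("alert" if score >= threshold else "pass", f"learned score {score:.2f}")

MODEL = train(TRAIN)
SCAN = [(1000 + i, True, b"") for i in range(40)]        # constructed port sweep
WEB = [(443, i == 0, b"x" * 600) for i in range(40)]     # constructed web session
```

The sweep carries no payload, so no signature can match any of its packets; only the window-level score flags it, while the signature hit returns a rule id an analyst can cite.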
The well-known costs are interpretability and adversarial fragility. A neural network's verdict is harder to explain than a rule's, which matters when an analyst has to justify a response, and learned models can be fooled by inputs crafted to exploit their blind spots. The patent reflects the field's deepening commitment to learned detection while those trade-offs remain live and actively researched.