Systems and methods for evaluating infection risks based on profiled user behaviors
First Claim
1. A computer-implemented method for evaluating infection risks based on profiled user behaviors, at least a portion of the method being performed by a computing device comprising at least one hardware processor, the method comprising:
- collecting, by the computing device comprising the at least one hardware processor, a plurality of user-behavior profiles that comprises at least one of:
  - a plurality of labeled profiles that comprises at least one of:
    - a plurality of infected profiles, wherein each of the plurality of infected profiles comprises a profile of user behaviors that occurred at an associated infected computing system that is known to have encountered malware;
    - or a plurality of clean profiles, wherein each of the plurality of clean profiles comprises a profile of user behaviors that occurred at an associated clean computing system that is known to be free of malware;
  - or a plurality of unlabeled profiles, wherein each of the plurality of unlabeled profiles comprises a profile of user behaviors that occurred at an associated computing system that is not known to have encountered malware and not known to be free of malware;
- training, using features and labels of the plurality of user-behavior profiles, a decision tree to distinguish infected profiles from clean profiles by:
  - determining, at each internal node in the decision tree, whether there are any infected profiles, clean profiles, or unlabeled profiles at the internal node; and
  - selecting, from a plurality of splitting rules based on whether there are any infected profiles, clean profiles, or unlabeled profiles at the internal node, a suitable splitting rule to apply at the internal node; and
- using the decision tree to predict at least one of:
  - a likelihood that a computing system of a user will become infected based at least in part on a profile of user behaviors of the user;
  - or a likelihood that a user behavior in the plurality of user-behavior profiles will result in a computing-system infection.
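The claimed training loop in working form, as an added illustration that is not the patent's own code: at each internal node the builder checks which profile kinds are present, picks a splitting rule accordingly, and the finished tree yields an infection likelihood for a behavior profile. The two concrete rules (misclassification count over labeled profiles when both classes are present, total feature spread when one class plus unlabeled profiles are present), the base-rate fallback for leaves with no labeled profile, the three behavior features and the profile data are all my assumptions, constructed for the example.

```python
# Added illustration, not the patent's code; splitting rules, features and profiles are assumed.
INFECTED, CLEAN = "infected", "clean"    # unlabeled profiles carry the label None

def best_split(rows, rule):
    best = None                                   # (score, feature, threshold)
    for j in range(len(rows[0][0])):
        for t in sorted({x[j] for x, _ in rows}):
            sides = [[r for r in rows if (r[0][j] <= t) == k] for k in (True, False)]
            if not all(sides):
                continue
            if rule == "labeled":                 # labeled rows on the minority side of each child
                score = sum(min(sum(y == c for _, y in s) for c in (INFECTED, CLEAN)) for s in sides)
            else:                                 # squared spread of every feature over all rows
                score = sum(sum((v - sum(c) / len(c)) ** 2 for v in c)
                            for s in sides for c in zip(*[x for x, _ in s]))
            if best is None or score < best[0]:
                best = (score, j, t)
    return best

def build(rows, depth=0, max_depth=3, base=None):
    labels = [y for _, y in rows if y]
    if base is None:                 # root call: base rate = infected share of labeled rows
        base = labels.count(INFECTED) / len(labels)
    p = labels.count(INFECTED) / len(labels) if labels else base   # leaf estimate
    if INFECTED in labels and CLEAN in labels:
        rule = "labeled"             # both classes present: supervised purity split
    elif labels and len(labels) < len(rows):
        rule = "unlabeled"           # one class plus unlabeled rows: split on structure
    else:
        return {"p": p}              # pure or all-unlabeled node: leaf
    split = best_split(rows, rule) if depth < max_depth and len(rows) >= 3 else None
    if split is None:
        return {"p": p}
    _, j, t = split
    kids = [build([r for r in rows if (r[0][j] <= t) == k], depth + 1, max_depth, base)
            for k in (True, False)]
    return {"j": j, "t": t, "left": kids[0], "right": kids[1]}

def predict(tree, x):                # likelihood that a system with profile x becomes infected
    while "j" in tree:
        tree = tree["left"] if x[tree["j"]] <= tree["t"] else tree["right"]
    return tree["p"]

# Constructed profiles: (untrusted downloads/week, warnings overridden, days unpatched)
PROFILES = [((5, 3, 40), INFECTED), ((7, 4, 60), INFECTED), ((4, 2, 35), INFECTED),
            ((0, 0, 2), CLEAN), ((1, 0, 5), CLEAN), ((0, 1, 3), CLEAN),
            ((6, 3, 50), None), ((0, 0, 1), None), ((1, 1, 4), None), ((2, 0, 300), None)]
TREE = build(PROFILES)
```

On these profiles the unlabeled outlier (2, 0, 300) is carved into its own leaf by the structure rule, so a similar profile gets the 0.5 base rate rather than the certainty of the infected branch it sits under.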
6 Assignments
0 Petitions
Abstract
The disclosed computer-implemented method for evaluating infection risks based on profiled user behaviors may include (1) collecting user-behavior profiles that may include labeled profiles (e.g., infected profiles and/or clean profiles) and/or unlabeled profiles, (2) training a classification model to distinguish infected profiles from clean profiles using features and labels of the user-behavior profiles, and (3) using the classification model to predict (a) a likelihood that a computing system of a user will become infected based on a profile of user behaviors of the user and/or (b) a likelihood that a user behavior in the user-behavior profiles will result in a computing-system infection. Various other methods, systems, and computer-readable media are also disclosed.
60 Citations
19 Claims
1. A computer-implemented method for evaluating infection risks based on profiled user behaviors, at least a portion of the method being performed by a computing device comprising at least one hardware processor, the method comprising:
- collecting, by the computing device comprising the at least one hardware processor, a plurality of user-behavior profiles that comprises at least one of:
  - a plurality of labeled profiles that comprises at least one of:
    - a plurality of infected profiles, wherein each of the plurality of infected profiles comprises a profile of user behaviors that occurred at an associated infected computing system that is known to have encountered malware;
    - or a plurality of clean profiles, wherein each of the plurality of clean profiles comprises a profile of user behaviors that occurred at an associated clean computing system that is known to be free of malware;
  - or a plurality of unlabeled profiles, wherein each of the plurality of unlabeled profiles comprises a profile of user behaviors that occurred at an associated computing system that is not known to have encountered malware and not known to be free of malware;
- training, using features and labels of the plurality of user-behavior profiles, a decision tree to distinguish infected profiles from clean profiles by:
  - determining, at each internal node in the decision tree, whether there are any infected profiles, clean profiles, or unlabeled profiles at the internal node; and
  - selecting, from a plurality of splitting rules based on whether there are any infected profiles, clean profiles, or unlabeled profiles at the internal node, a suitable splitting rule to apply at the internal node; and
- using the decision tree to predict at least one of:
  - a likelihood that a computing system of a user will become infected based at least in part on a profile of user behaviors of the user;
  - or a likelihood that a user behavior in the plurality of user-behavior profiles will result in a computing-system infection.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
12. A system for evaluating infection risks based on profiled user behaviors, the system comprising:
- a hardware processor;
- a collecting module, with instructions stored in memory and executed by the hardware processor, that collects a plurality of user-behavior profiles that comprises at least one of:
  - a plurality of labeled profiles that comprises at least one of:
    - a plurality of infected profiles, wherein each of the plurality of infected profiles comprises a profile of user behaviors that occurred at an associated infected computing system that is known to have encountered malware;
    - or a plurality of clean profiles, wherein each of the plurality of clean profiles comprises a profile of user behaviors that occurred at an associated clean computing system that is known to be free of malware;
  - or a plurality of unlabeled profiles, wherein each of the plurality of unlabeled profiles comprises a profile of user behaviors that occurred at an associated computing system that is not known to have encountered malware and not known to be free of malware;
- a training module, with instructions stored in memory and executed by the hardware processor, that trains, using features and labels of the plurality of user-behavior profiles, a decision tree to distinguish infected profiles from clean profiles by:
  - determining, at each internal node in the decision tree, whether there are any infected profiles, clean profiles, or unlabeled profiles at the internal node; and
  - selecting, from a plurality of splitting rules based on whether there are any infected profiles, clean profiles, or unlabeled profiles at the internal node, a suitable splitting rule to apply at the internal node; and
- a risk-evaluating module, with instructions stored in memory and executed by the hardware processor, that uses the decision tree to predict at least one of:
  - a likelihood that a computing system of a user will become infected based at least in part on a profile of user behaviors of the user;
  - or a likelihood that a user behavior in the plurality of user-behavior profiles will result in a computing-system infection.
(Dependent claims: 13, 14, 15, 16, 17, 18)
19. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one hardware processor of a computing device, cause the computing device to:
- collect a plurality of user-behavior profiles that comprises at least one of:
  - a plurality of labeled profiles that comprises at least one of:
    - a plurality of infected profiles, wherein each of the plurality of infected profiles comprises a profile of user behaviors that occurred at an associated infected computing system that is known to have encountered malware;
    - or a plurality of clean profiles, wherein each of the plurality of clean profiles comprises a profile of user behaviors that occurred at an associated clean computing system that is known to be free of malware;
  - or a plurality of unlabeled profiles, wherein each of the plurality of unlabeled profiles comprises a profile of user behaviors that occurred at an associated computing system that is not known to have encountered malware and not known to be free of malware;
- train, using features and labels of the plurality of user-behavior profiles, a decision tree to distinguish infected profiles from clean profiles by:
  - determining, at each internal node in the decision tree, whether there are any infected profiles, clean profiles, or unlabeled profiles at the internal node; and
  - selecting, from a plurality of splitting rules based on whether there are any infected profiles, clean profiles, or unlabeled profiles at the internal node, a suitable splitting rule to apply at the internal node; and
- use the decision tree to predict at least one of:
  - a likelihood that a computing system of a user will become infected based at least in part on a profile of user behaviors of the user;
  - or a likelihood that a user behavior in the plurality of user-behavior profiles will result in a computing-system infection.
Specification