Malicious software detection in a computing system
First Claim
1. A computer system comprising:
- one or more computer-readable storage devices including computer executable instructions; and
- one or more hardware computer processors configured to execute the computer executable instructions in order to:
  - identify connection records each associated with a respective device identifier for a computerized device within a local network with an outbound connection to a respective locational reference to a resource external to the local network;
  - perform one or more filtering operations on the connection records to identify, within the connection records, a first subset of the connection records associated with locational references more likely to be malicious than locational references associated with connection records not included in the first subset of connection records;
  - score at least some of the first subset of connection records using a machine learning model incorporating a factor relating to the locational references associated with the first subset of connection records; and
  - perform one or more additional filtering operations on the scored first subset of connection records to identify a second subset of connection records that is fewer in number than the scored first subset of connection records.
Abstract
A computer system identifies malicious Uniform Resource Locator (URL) data items from a plurality of unscreened data items that have not been previously identified as associated with malicious URLs. The system can execute a number of pre-filters to identify a subset of URLs in the plurality of data items that are likely to be malicious. A scoring processor can score the subset of URLs based on a plurality of input vectors using a suitable machine learning model. Optionally, the system can execute one or more post-filters on the score data to identify data items of interest. Such data items can be fed back into the system to improve machine learning or can be used to provide a notification that a particular resource within a local network is infected with malicious software.
20 Claims
1. (Independent claim; text reproduced above under First Claim. Dependent claims: 2-11.)
12. A filtering system for filtering connection records, the filtering system including:
- a computer-readable storage device storing computer executable instructions and one or more hardware computer processors configured to execute the computer executable instructions in order to:
  - identify connection records indicating outbound communications each associated with a respective device identifier for a computerized device within the local network outbound to a respective locational reference to a resource external to the local network;
  - perform one or more filtering operations on the connection records to identify, within the connection records, a first subset of connection records more likely to be associated with malicious locational references than connection records not included in the first subset of connection records;
  - assign a score to at least some of the first subset of connection records based on a plurality of factors relating to the locational references associated with the first subset of connection records; and
  - perform one or more different filtering operations on the first scored subset of connection records to identify a second subset of connection records that is fewer in number than the scored first subset of connection records, wherein the second subset of connection records is more likely to be associated with malicious locational references than connection records that are included in the first scored subset of connection records but are not included in the second subset of connection records.
(Dependent claims: 13-20.)
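As an added illustration of the pre-filter, score and post-filter stages described in the abstract and in claims 1 and 12 (example code written for this page, not the patent's own implementation), the following toy pipeline runs over constructed connection records; the allowlist, the URL feature set, the model weights and the thresholds are all assumptions standing in for a trained model.

```python
import math
from urllib.parse import urlsplit

# Constructed connection records: (device identifier, outbound URL).
RECORDS = [
    ("host-01", "https://www.example.com/index.html"),
    ("host-02", "http://203.0.113.7/x/upd.php"),
    ("host-03", "https://mail.example.com/inbox"),
    ("host-04", "http://a8f3k2q9z.example.net/gate.php?id=1"),
    ("host-05", "https://www.example.org/news"),
    ("host-06", "http://kj3h4g5f6d7s8a9p.example.net/c2/beacon"),
]
ALLOWLIST = {"www.example.com", "mail.example.com", "www.example.org"}  # assumed

def pre_filter(records):
    # First subset: drop records whose destination host is on the allowlist.
    return [(d, u) for d, u in records if urlsplit(u).hostname not in ALLOWLIST]

def entropy(s):
    # Shannon entropy of a string; random-looking host labels score high.
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def features(url):
    # Factors relating to the locational reference (assumed feature set).
    p = urlsplit(url)
    host = p.hostname or ""
    label = host.split(".")[0]
    is_ip = host.replace(".", "").isdigit()
    return [1.0 if p.scheme == "http" else 0.0, 1.0 if is_ip else 0.0,
            entropy(label) / 4.0, 1.0 if p.path.endswith(".php") else 0.0]

WEIGHTS, BIAS = [1.0, 2.0, 2.0, 1.5], -3.0  # assumed stand-ins for trained weights

def score(url):
    # Logistic model over the URL factors; returns an estimated P(malicious).
    z = BIAS + sum(w * f for w, f in zip(WEIGHTS, features(url)))
    return 1.0 / (1.0 + math.exp(-z))

def post_filter(scored, threshold=0.5, top_n=2):
    # Second subset: keep only the highest-scoring records above the threshold.
    kept = [r for r in scored if r[2] >= threshold]
    return sorted(kept, key=lambda r: r[2], reverse=True)[:top_n]

def run_pipeline(records=RECORDS):
    first = pre_filter(records)
    scored = [(d, u, score(u)) for d, u in first]
    return first, post_filter(scored)
```

The second subset returned by `run_pipeline` is the set of device identifiers a defender would notify on; in the patent's terms these results can also be fed back as labelled data to refine the model.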