Systems and methods for detecting malicious computing events
Abstract
The disclosed computer-implemented method for detecting malicious computing events may include (i) determining, for multiple computing events detected within an enterprise, an initial disposition score for each computing event based on currently-available security information, (ii) determining an initial classification of each computing event as malicious or non-malicious by comparing the initial disposition score of each computing event with a threshold disposition score, (iii) for each computing event, determining (a) an updated disposition score based on new security information and (b) an updated classification, (iv) calculating a degree to which the threshold disposition score correctly identifies malicious computing events by determining a frequency with which the initial classification of each computing event matches the updated classification of the computing event, and (v) adjusting the threshold disposition score based on the degree to which the threshold disposition score correctly identifies malicious computing events.
18 Claims
1. A computer-implemented method for detecting malicious computing events, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- determining, for each of a plurality of computing events detected within an enterprise, an initial disposition score that indicates a likelihood that the computing event is malicious based on currently-available security information;
- determining an initial classification of each computing event as malicious or non-malicious by comparing the initial disposition score of each computing event with a threshold disposition score that represents a minimum disposition score indicative of malicious computing events;
- determining, for each computing event after the initial disposition score for the computing event has been determined:
  - an updated disposition score based on new security information that was not available when the initial disposition score was determined; and
  - an updated classification by comparing the updated disposition score with the threshold disposition score;
- calculating a degree to which the threshold disposition score correctly identifies malicious computing events by:
  - determining a false positive rate produced by the threshold disposition score based on a percentage of computing events that have an initial classification of malicious and an updated classification of non-malicious; and
  - determining a false negative rate produced by the threshold disposition score based on a percentage of computing events that have an initial classification of non-malicious and an updated classification of malicious; and
- protecting the enterprise from security threats by:
  - receiving, from the enterprise, a desired ratio of false positives to false negatives detected within the enterprise;
  - determining, based on a retrospective analysis of the initial disposition scores and the updated disposition scores of the plurality of computing events, an optimal threshold disposition score that produces the desired ratio of false positives to false negatives; and
  - implementing the optimal threshold disposition score within the enterprise.

Dependent claims: 2, 3, 4, 5, 6, 7, 17, 18.
8. A system for detecting malicious computing events, the system comprising:
- a physical processor;
- a scoring module, executed by the physical processor, that determines, for each of a plurality of computing events detected within an enterprise:
  - an initial disposition score that indicates a likelihood that the computing event is malicious based on currently-available security information; and
  - an updated disposition score based on new security information that was not available when the initial disposition score was determined;
- a classification module, executed by the physical processor, that determines, for each computing event:
  - an initial classification as malicious or non-malicious by comparing the initial disposition score of the computing event with a threshold disposition score that represents a minimum disposition score indicative of malicious computing events; and
  - an updated classification by comparing the updated disposition score of the computing event with the threshold disposition score;
- a calculation module, executed by the physical processor, that calculates a degree to which the threshold disposition score correctly identifies malicious computing events by:
  - determining a false positive rate produced by the threshold disposition score based on a percentage of computing events that have an initial classification of malicious and an updated classification of non-malicious; and
  - determining a false negative rate produced by the threshold disposition score based on a percentage of computing events that have an initial classification of non-malicious and an updated classification of malicious; and
- a security module, executed by the physical processor, that protects the enterprise from security threats by:
  - receiving, from the enterprise, a desired ratio of false positives to false negatives detected within the enterprise;
  - determining, based on a retrospective analysis of the initial disposition scores and the updated disposition scores of the plurality of computing events, an optimal threshold disposition score that produces the desired ratio of false positives to false negatives; and
  - implementing the optimal threshold disposition score within the enterprise.

Dependent claims: 9, 10, 11, 12, 13, 14.
15. A non-transitory computer-readable medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- determine, for each of a plurality of computing events detected within an enterprise, an initial disposition score that indicates a likelihood that the computing event is malicious based on currently-available security information;
- determine an initial classification of each computing event as malicious or non-malicious by comparing the initial disposition score of each computing event with a threshold disposition score that represents a minimum disposition score indicative of malicious computing events;
- determine, for each computing event after the initial disposition score for the computing event has been determined:
  - an updated disposition score based on new security information that was not available when the initial disposition score was determined; and
  - an updated classification by comparing the updated disposition score with the threshold disposition score;
- calculate a degree to which the threshold disposition score correctly identifies malicious computing events by:
  - determining a false positive rate produced by the threshold disposition score based on a percentage of computing events that have an initial classification of malicious and an updated classification of non-malicious; and
  - determining a false negative rate produced by the threshold disposition score based on a percentage of computing events that have an initial classification of non-malicious and an updated classification of malicious; and
- protect the enterprise from security threats by:
  - receiving, from the enterprise, a desired ratio of false positives to false negatives detected within the enterprise;
  - determining, based on a retrospective analysis of the initial disposition scores and the updated disposition scores of the plurality of computing events, an optimal threshold disposition score that produces the desired ratio of false positives to false negatives; and
  - implementing the optimal threshold disposition score within the enterprise.

Dependent claims: 16.
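The retrospective threshold analysis that claims 1, 8 and 15 describe, as an added Python example that is not the patent's own code: each event carries an initial and an updated disposition score, both are compared with the same threshold, the false positive and false negative rates are the percentages of events whose classification flipped in each direction, and the threshold search returns the observed score whose FP rate is closest to the requested multiple of its FN rate. The event list is constructed, and the skip of thresholds that would flag every event or none and the tie-break toward the lower threshold are assumptions added here, not taken from the patent.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

MALICIOUS, BENIGN = "malicious", "non-malicious"

@dataclass(frozen=True)
class Event:
    name: str
    initial_score: float  # scored with the security information available at detection
    updated_score: float  # re-scored once new security information arrived

def classify(score: float, threshold: float) -> str:
    """The threshold is the minimum disposition score that counts as malicious."""
    return MALICIOUS if score >= threshold else BENIGN

def error_rates(events: List[Event], threshold: float) -> Tuple[float, float]:
    """(false positive rate, false negative rate) as percentages of all events.
    FP: initially malicious, non-malicious when re-scored; FN: the reverse."""
    pairs = [(classify(e.initial_score, threshold), classify(e.updated_score, threshold))
             for e in events]
    fp, fn = pairs.count((MALICIOUS, BENIGN)), pairs.count((BENIGN, MALICIOUS))
    return 100.0 * fp / len(events), 100.0 * fn / len(events)

def optimal_threshold(events: List[Event], desired_fp_to_fn: float) -> Optional[float]:
    """Retrospective analysis: every observed score is a candidate threshold (the
    classification can only change at those values); keep the one whose FP rate is
    closest to desired_fp_to_fn times its FN rate. Candidates that would flag every
    event or none are skipped (a guard assumed here, not in the patent); ties go to
    the lower, more sensitive threshold."""
    candidates = sorted({s for e in events for s in (e.initial_score, e.updated_score)})
    best, best_gap = None, float("inf")
    for t in candidates:
        flagged = sum(1 for e in events if e.initial_score >= t)
        if not 0 < flagged < len(events):
            continue
        fp_rate, fn_rate = error_rates(events, t)
        gap = abs(fp_rate - desired_fp_to_fn * fn_rate)
        if gap < best_gap:
            best, best_gap = t, gap
    return best

# Constructed sample: (name, initial score, updated score). A score that dropped is a
# retrospective false positive at thresholds between the two values; one that rose
# is a retrospective false negative there.
EVENTS = [Event(*row) for row in [
    ("evt-01", 0.95, 0.30), ("evt-02", 0.90, 0.40), ("evt-03", 0.85, 0.50),
    ("evt-04", 0.80, 0.60), ("evt-05", 0.50, 0.03), ("evt-06", 0.10, 0.70),
    ("evt-07", 0.20, 0.65), ("evt-08", 0.15, 0.55), ("evt-09", 0.25, 0.45),
    ("evt-10", 0.40, 0.97), ("evt-11", 0.97, 0.99), ("evt-12", 0.05, 0.02),
]]
```

With an enterprise that accepts two false positives per false negative, `optimal_threshold(EVENTS, 2.0)` returns 0.70: at that threshold four of the twelve events are retrospective false positives and two are false negatives, the requested 2:1 ratio.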