Modeling malicious behavior that occurs in the absence of users
Abstract
Systems, apparatuses, methods, and computer readable mediums for modeling malicious behavior that occurs in the absence of users. A system trains an anomaly detection model using attributes associated with a first plurality of events representing system activity on one or more clean machines when users are not present. Next, the system utilizes the trained anomaly detection model to remove benign events from a second plurality of events captured from infected machines when users are not present. Then, the system utilizes malicious events, from the second plurality of events, to train a classifier. Next, the classifier identifies a first set of attributes which are able to predict if an event is caused by malware with a predictive power greater than a threshold.
20 Claims
1. A method of identifying malicious events occurring on computer devices in the absence of users, the method comprising:
training an anomaly detection model using attributes associated with a first plurality of events representing system activity that occurs when users are not present on one or more first clean computer devices;
utilizing the anomaly detection model to remove benign events from a second plurality of events captured from infected computer devices when users are not present;
utilizing malicious events from the second plurality of events and benign events from a third plurality of events on one or more second clean computer devices to train a classifier; and
utilizing the classifier to identify a first set of attributes which are able to predict if an event is malicious with a predictive power greater than a threshold.
Dependent claims: 2, 3, 4, 5, 6, 7
8. A system comprising:
a memory; and
one or more processors coupled to the memory;
wherein the system is configured to:
train an anomaly detection model using attributes associated with a first plurality of events representing system activity that occurs when users are not present on one or more first clean computer devices;
utilize the anomaly detection model to remove benign events from a second plurality of events captured from infected computer devices when users are not present;
utilize malicious events from the second plurality of events and benign events from a third plurality of events on one or more second clean computer devices to train a classifier; and
utilize the classifier to identify a first set of attributes which are able to predict if an event is malicious with a predictive power greater than a threshold.
Dependent claims: 9, 10, 11, 12, 13, 14
15. A non-transitory computer readable storage medium storing program instructions, wherein the program instructions are executable by a processor to:
train an anomaly detection model using attributes associated with a first plurality of events representing system activity that occurs when users are not present on one or more first clean computer devices;
utilize the anomaly detection model to remove benign events from a second plurality of events captured from infected computer devices when users are not present;
utilize malicious events from the second plurality of events and benign events from a third plurality of events on one or more second clean computer devices to train a classifier; and
utilize the classifier to identify a first set of attributes which are able to predict if an event is malicious with a predictive power greater than a threshold.
Dependent claims: 16, 17, 18, 19, 20
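The abstract and independent claims 1, 8 and 15 describe the same four-step pipeline: model normal idle-time activity on clean machines, use that model to strip benign background from idle-time events on infected machines, train a classifier on what survives against clean idle-time events from a second set of machines, and keep the attributes whose predictive power clears a threshold. The following is an added example written for this page, not code from the patent or its assignee. It runs the pipeline end to end in pure Python on constructed event records; the attribute names, the event values, the choice of a set-membership novelty model for step 1 and of normalised information gain as the "predictive power" measure in step 4 are all assumptions made here, since the patent text does not fix the model or the measure.

```python
# Added example (not the patent's own code): a toy end-to-end run of the
# claimed pipeline on constructed event data, in pure Python.
from collections import Counter, defaultdict
from math import log2

# Attributes recorded per event; names and values below are constructed.
ATTRIBUTES = ("process", "parent", "net_dst", "autorun_write")

# First plurality: idle-time activity on clean machines (constructed).
CLEAN_IDLE_EVENTS = [
    {"process": "svc_update", "parent": "scheduler", "net_dst": "vendor-cdn", "autorun_write": "no"},
    {"process": "indexer", "parent": "scheduler", "net_dst": "none", "autorun_write": "no"},
    {"process": "backup_agent", "parent": "services", "net_dst": "backup-srv", "autorun_write": "no"},
    {"process": "svc_update", "parent": "scheduler", "net_dst": "none", "autorun_write": "no"},
]
# Second plurality: idle-time activity on infected machines, mixing the same
# benign background with malware activity (constructed).
INFECTED_IDLE_EVENTS = [
    {"process": "indexer", "parent": "scheduler", "net_dst": "none", "autorun_write": "no"},
    {"process": "svc_update", "parent": "scheduler", "net_dst": "vendor-cdn", "autorun_write": "no"},
    {"process": "beacon.tmp", "parent": "services", "net_dst": "unknown-ext", "autorun_write": "yes"},
    {"process": "beacon.tmp", "parent": "services", "net_dst": "unknown-ext", "autorun_write": "no"},
    {"process": "dropper", "parent": "scheduler", "net_dst": "none", "autorun_write": "yes"},
]
# Third plurality: idle-time activity on a different set of clean machines (constructed).
SECOND_CLEAN_IDLE_EVENTS = [
    {"process": "backup_agent", "parent": "services", "net_dst": "backup-srv", "autorun_write": "no"},
    {"process": "indexer", "parent": "scheduler", "net_dst": "none", "autorun_write": "no"},
    {"process": "svc_update", "parent": "scheduler", "net_dst": "vendor-cdn", "autorun_write": "no"},
]


def train_anomaly_model(events):
    """Step 1: the 'normal idle' model is the set of attribute values seen on clean machines."""
    seen = defaultdict(set)
    for ev in events:
        for attr in ATTRIBUTES:
            seen[attr].add(ev[attr])
    return dict(seen)


def is_anomalous(model, event):
    """An event is anomalous if any attribute carries a value never seen during clean idle time."""
    return any(event[attr] not in model.get(attr, set()) for attr in ATTRIBUTES)


def remove_benign(model, events):
    """Step 2: drop events the anomaly model explains; what survives is treated as malicious."""
    return [ev for ev in events if is_anomalous(model, ev)]


def entropy(labels):
    """Shannon entropy (bits) of a list of 0/1 labels."""
    n = len(labels)
    return -sum(c / n * log2(c / n) for c in Counter(labels).values())


def predictive_power(attr, labeled):
    """Normalised information gain of one attribute for the malicious/benign label (0..1)."""
    labels = [y for _, y in labeled]
    base = entropy(labels)
    if base == 0.0:
        return 0.0
    by_value = defaultdict(list)
    for ev, y in labeled:
        by_value[ev[attr]].append(y)
    conditional = sum(len(ys) / len(labeled) * entropy(ys) for ys in by_value.values())
    return (base - conditional) / base


def train_classifier(malicious, benign):
    """Step 3: score each attribute on malicious (label 1) vs. clean (label 0) events."""
    labeled = [(ev, 1) for ev in malicious] + [(ev, 0) for ev in benign]
    return {attr: predictive_power(attr, labeled) for attr in ATTRIBUTES}


def select_attributes(powers, threshold):
    """Step 4: keep the attributes whose predictive power exceeds the threshold."""
    return sorted(attr for attr, power in powers.items() if power > threshold)


def run_pipeline(threshold=0.5):
    """Run steps 1-4 on the constructed data; returns (malicious events, powers, selected)."""
    model = train_anomaly_model(CLEAN_IDLE_EVENTS)
    malicious = remove_benign(model, INFECTED_IDLE_EVENTS)
    powers = train_classifier(malicious, SECOND_CLEAN_IDLE_EVENTS)
    return malicious, powers, select_attributes(powers, threshold)


if __name__ == "__main__":
    malicious, powers, selected = run_pipeline()
    print(f"{len(malicious)} events survived anomaly filtering")
    for attr, power in sorted(powers.items(), key=lambda kv: -kv[1]):
        print(f"{attr:14s} predictive power {power:.3f}")
    print("selected attributes:", selected)
```

On this data the anomaly model removes the two background events (indexer, updater) from the infected machines and passes the three that carry values never seen on clean hosts; the attribute scores then show the failure mode a practitioner should expect from the method: a high-cardinality attribute such as the process name reaches a power of 1.0 simply by memorising the malicious names, so the threshold in step 4 only means something when the third plurality comes from machines disjoint from those used in steps 1 and 2 and the scores are confirmed on held-out data.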