Endpoint detection and response utilizing machine learning
First Claim
1. A method for implementation by one or more data processors forming part of at least one computing device, the method comprising:
monitoring, by at least one data processor, a plurality of events associated with each of a plurality of computing nodes forming part of a network topology, the network topology comprising antivirus tools to detect malicious software prior to it accessing one of the computing nodes;
determining, by at least one data processor using at least one machine learning model, that at least one of the events is indicative of malicious activity that has circumvented or bypassed the antivirus tools;
automatically exploring the computing nodes of the network topology;
providing, by a software tool, recommended ML packs based on the automatic exploring;
selecting the ML based on the provided recommended ML packs; and
providing, by at least one data processor, data characterizing the determination;
wherein:
the at least one machine learning model is embodied in a plurality of machine learning (ML) packs, each pack being separate and distinct and identifying different types of malicious activity; and
at least one of the ML packs executing on a first of the plurality of computing nodes automatically and without human intervention changes its parameters and propagates such changes to at least one other computing node when a threat is detected on the first node.
Abstract
A plurality of events associated with each of a plurality of computing nodes that form part of a network topology are monitored. The network topology includes antivirus tools to detect malicious software prior to it accessing one of the computing nodes. Thereafter, it is determined, using at least one machine learning model, that at least one of the events is indicative of malicious activity that has circumvented or bypassed the antivirus tools. Data characterizing the determination is then provided. Related apparatus, systems, techniques and articles are also described.
19 Claims