METHODS AND APPARATUS TO IDENTIFY MALICIOUS ACTIVITY IN A NETWORK
Abstract
Methods, apparatus, systems and articles of manufacture are disclosed to learn malicious activity. An example method includes assigning weights of a distance function to respective statistical features; iteratively calculating, with a processor, the distance function to adjust the weights (1) to cause a reduction in a first distance calculated according to the distance function for a first pair of entities in a reference group associated with malicious activity and (2) to cause an increase in a second distance calculated according to the distance function for a first one of the entities included in the reference group and a second entity not included in the reference group; and determining whether a first statistical feature is indicative of malicious activity based on a respective adjusted weight of the first statistical feature determined after calculating the distance function for a number of iterations.
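The weight-learning loop described in the abstract, as an added example that is not taken from the patent. It assumes a weighted L1 distance, a fixed-step update with clipping and normalization, and an "above the starting weight" cut-off for calling a feature indicative; the feature names and entity values are constructed.

```python
from itertools import combinations, product

FEATURES = ["nxdomain_ratio", "queries_per_hour", "distinct_tlds"]  # hypothetical names
# Constructed sample data: per-entity feature values scaled to [0, 1].
REFERENCE = [[0.90, 0.50, 0.20], [0.85, 0.10, 0.80], [0.95, 0.90, 0.50]]  # malicious group
OTHERS = [[0.10, 0.40, 0.30], [0.05, 0.80, 0.70], [0.15, 0.20, 0.60]]  # not in the group

def distance(w, a, b):
    """Weighted L1 distance between two entities (assumed form of the distance function)."""
    return sum(wk * abs(x - y) for wk, x, y in zip(w, a, b))

def mean_gap(pairs):
    """Per-feature mean |difference| over pairs, i.e. d(mean distance)/d(w_k)."""
    pairs = list(pairs)
    return [sum(abs(a[k] - b[k]) for a, b in pairs) / len(pairs)
            for k in range(len(FEATURES))]

def mean_distance(w, pairs):
    pairs = list(pairs)
    return sum(distance(w, a, b) for a, b in pairs) / len(pairs)

def learn_weights(reference, others, iterations=100, lr=0.05):
    within = mean_gap(combinations(reference, 2))   # pairs inside the reference group
    between = mean_gap(product(reference, others))  # reference entity vs. outside entity
    w = [1.0 / len(FEATURES)] * len(FEATURES)       # initial weight assignment
    for _ in range(iterations):
        # Step down the within-group gradient and up the between-group gradient.
        w = [max(0.0, wk + lr * (b - i)) for wk, b, i in zip(w, between, within)]
        total = sum(w)
        w = [wk / total for wk in w]                # keep the weights comparable
    return w

def indicative_features(w):
    """Features whose adjusted weight ended above the uniform starting weight."""
    baseline = 1.0 / len(w)
    return [name for name, wk in zip(FEATURES, w) if wk > baseline]

if __name__ == "__main__":
    w = learn_weights(REFERENCE, OTHERS)
    for name, wk in zip(FEATURES, w):
        print(f"{name:18s} weight={wk:.3f}")
    print("indicative:", indicative_features(w))
```

The feature on which the reference entities agree with each other and differ from everything else absorbs the weight, while features that vary inside the group are driven to zero.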
20 Claims
1. A method comprising:
- assigning weights of a distance function to respective statistical features, the distance function to calculate a distance between a pair of entities in a network based on respective calculated values of the statistical features corresponding to the pair of entities;
- iteratively calculating, with a processor, the distance function to adjust the weights (1) to cause a reduction in a first distance calculated according to the distance function for a first pair of entities in a reference group associated with malicious activity and (2) to cause an increase in a second distance calculated according to the distance function for a first one of the entities included in the reference group and a second entity not included in the reference group; and
- determining whether a first statistical feature is indicative of malicious activity based on a respective adjusted weight of the first statistical feature determined after calculating the distance function for a number of iterations.
Dependent claims: 2, 3, 4, 5, 6, 7
8. An apparatus comprising:
- a memory to store machine readable instructions; and
- a processor to execute the instructions to perform operations comprising:
- assigning weights of a distance function to respective statistical features, the distance function to calculate a distance between a pair of entities in a network based on respective calculated values of the statistical features corresponding to the pair of entities;
- iteratively calculating the distance function to adjust the weights (1) to cause a reduction in a first distance calculated according to the distance function for a first pair of entities in a reference group associated with malicious activity and (2) to cause an increase in a second distance calculated according to the distance function for a first one of the entities included in the reference group and a second entity not included in the reference group; and
- determining whether a first statistical feature is indicative of malicious activity based on a respective adjusted weight of the first statistical feature determined after calculating the distance function for a number of iterations.
Dependent claims: 9, 10, 11, 12, 13, 14
15. A tangible machine readable storage medium comprising instructions which, when executed, cause a machine to perform operations comprising:
- assigning weights of a distance function to respective statistical features, the distance function to calculate a distance between a pair of entities in a network based on respective calculated values of the statistical features corresponding to the pair of entities;
- iteratively calculating the distance function to adjust the weights (1) to cause a reduction in a first distance calculated according to the distance function for a first pair of entities in a reference group associated with malicious activity and (2) to cause an increase in a second distance calculated according to the distance function for a first one of the entities included in the reference group and a second entity not included in the reference group; and
- determining whether a first statistical feature is indicative of malicious activity based on a respective adjusted weight of the first statistical feature determined after calculating the distance function for a number of iterations.
Dependent claims: 16, 17, 18, 19, 20