Methods and Systems for Using an Expectation-Maximization (EM) Machine Learning Framework for Behavior-Based Analysis of Device Behaviors
Abstract
A computing device processor may be configured with processor-executable instructions to implement methods that include using expectation-maximization (EM) machine learning techniques to continuously, repeatedly, or recursively generate, train, improve, focus, or refine the machine learning classifier models that are used by a behavior-based monitoring and analysis system (or behavior-based security system) of the computing device to better identify and respond to various conditions or behaviors that may have a negative impact on its performance, power utilization levels, network usage levels, security and/or privacy over time.
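The refinement loop recited in claim 1 can be sketched as follows. This is an added example, not code from the patent: the feature names, sample vectors, weights and thresholds are constructed, and it assumes that "filtering" means keeping the vectors whose confidence is above the threshold and that a higher feature value means more abnormal.

```python
# Added illustration of the loop in claim 1. Feature names, sample vectors,
# thresholds and the "keep vectors above the threshold" reading are assumptions.
FEATURES = ["sms_per_min", "camera_while_locked", "net_kb_per_s", "wake_locks"]
# Constructed labelled behavior vectors: (features, label), 1 = abnormal, 0 = normal.
SAMPLES = [([0, 0, 5, 3], 0), ([1, 0, 8, 9], 0), ([0, 0, 3, 2], 0), ([2, 0, 40, 8], 0),
           ([9, 1, 60, 2], 1), ([7, 1, 45, 9], 1), ([8, 0, 50, 3], 1), ([1, 1, 6, 8], 1)]
# Starting model: one decision node (feature index, cut, weight) per feature.
INITIAL = [(0, 5, 1.0), (1, 1, 1.0), (2, 30, 1.0), (3, 5, 1.0)]

def classify(model, v):
    """Return (label, confidence); confidence is the weighted vote margin in [0, 1]."""
    total = sum(w for _, _, w in model)
    if total == 0:
        return 0, 0.0
    score = sum(w if v[f] >= cut else -w for f, cut, w in model)
    return int(score > 0), abs(score) / total

def best_cut(data, f):
    """Best 'value >= cut means abnormal' test on feature f, as (accuracy, cut)."""
    best = (0.0, None)
    for cut in sorted({v[f] for v, _ in data}):
        acc = sum((v[f] >= cut) == bool(y) for v, y in data) / len(data)
        if acc > best[0]:
            best = (acc, cut)
    return best

def generate_model(data, min_acc=0.75):
    """Keep a decision node only for features that separate the filtered vectors."""
    model = []
    for f in range(len(FEATURES)):
        acc, cut = best_cut(data, f)
        if acc >= min_acc:
            model.append((f, cut, acc - 0.5))  # more accurate nodes vote harder
    return model

def refine(model, data, conf_threshold=0.4, rounds=3):
    """Apply vectors, score confidence, filter, regenerate, swap in the new model."""
    for _ in range(rounds):
        kept = [(v, y) for v, y in data if classify(model, v)[1] > conf_threshold]
        if len({y for _, y in kept}) < 2:  # need both classes to build nodes
            break
        model = generate_model(kept)
    return model

if __name__ == "__main__":
    final = refine(INITIAL, SAMPLES)
    print("nodes:", [(FEATURES[f], cut) for f, cut, _ in final])
    print("before:", classify(INITIAL, [9, 1, 60, 2]), "after:", classify(final, [9, 1, 60, 2]))
```

On this constructed data the refined model drops the uninformative `wake_locks` node, but the borderline abnormal vector `[1, 1, 6, 8]` never clears the confidence threshold and is still classified as normal. Retraining only on confidently classified vectors sharpens the model on clear cases without correcting its blind spots.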
30 Claims
1. A method of generating behavior classifier models for use in a behavior monitoring system of a computing device, comprising:
- applying a plurality of behavior vectors that each characterize one of a known normal and a known abnormal behavior to a current classifier model to generate first analysis results;
- using the first analysis results to determine confidence values for classifying each of the plurality of behavior vectors as one of normal and abnormal;
- filtering behavior vectors having confidence values that are above a confidence threshold;
- generating a new classifier model that includes decision nodes that test conditions relevant to the filtered behavior vectors;
- setting the new classifier model as the current classifier model; and
- using the current classifier model in the behavior monitoring system to classify a computing device behavior.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A computing device, comprising:
- means for applying a plurality of behavior vectors that each characterize one of a known normal and a known abnormal behavior to a current classifier model to generate first analysis results;
- means for using the first analysis results to determine confidence values for classifying each of the plurality of behavior vectors as one of normal and abnormal;
- means for filtering behavior vectors having confidence values that are above a confidence threshold;
- means for generating a new classifier model that includes decision nodes that test conditions relevant to the filtered behavior vectors;
- means for setting the new classifier model as the current classifier model; and
- means for using the current classifier model to classify a computing device behavior.

Dependent claims: 11, 12, 13, 14, 15, 16
17. A computing device, comprising:
a processor configured with processor-executable instructions to perform operations comprising:
- applying a plurality of behavior vectors that each characterize one of a known normal and a known abnormal behavior to a current classifier model to generate first analysis results;
- using the first analysis results to determine confidence values for classifying each of the plurality of behavior vectors as one of normal and abnormal;
- filtering behavior vectors having confidence values that are above a confidence threshold;
- generating a new classifier model that includes decision nodes that test conditions relevant to the filtered behavior vectors;
- setting the new classifier model as the current classifier model; and
- using the current classifier model in a behavior monitoring system to classify a computing device behavior.

Dependent claims: 18, 19, 20, 21, 22, 23
24. A non-transitory computer readable storage medium having stored thereon processor-executable software instructions configured to cause a processor of a computing device to perform operations comprising:
- applying a plurality of behavior vectors that each characterize one of a known normal and a known abnormal behavior to a current classifier model to generate first analysis results;
- using the first analysis results to determine confidence values for classifying each of the plurality of behavior vectors as one of normal and abnormal;
- filtering behavior vectors having confidence values that are above a confidence threshold;
- generating a new classifier model that includes decision nodes that test conditions relevant to the filtered behavior vectors;
- setting the new classifier model as the current classifier model; and
- using the current classifier model in a behavior monitoring system to classify a computing device behavior.

Dependent claims: 25, 26, 27, 28, 29, 30
Specification