Process risk classification
Abstract
In one implementation, a computer-implemented method includes receiving, at a process risk classifier running on a computer system, a request to determine a risk level for a particular process; accessing one or more signatures that provide one or more snapshots of characteristics of the particular process at one or more previous times; identifying one or more differences between the particular process in its current form and the one or more signatures; accessing information identifying previous usage of the computer system's resources by the particular process; determining a current risk score for the particular process based, at least in part, on (i) the one or more signatures for the particular process, (ii) the one or more differences between the particular process in its current form and the one or more signatures, and (iii) the previous usage of the resources; and providing the current risk score for the particular process.
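The flow in the abstract (stored signatures, differences from the current form, previous resource usage, a score, then an isolation decision) is sketched below as an added example; it is not the patent's implementation. A fixed-weight heuristic stands in for the trained classifier, and every name, weight, and threshold here is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:            # snapshot of a process's characteristics
    exe_sha256: str
    libraries: frozenset
    permissions: frozenset

@dataclass(frozen=True)
class Usage:                # resources consumed by one earlier execution
    cpu_pct: float
    net_kb: float

# Assumed weights in points out of 100; a trained classifier would learn these.
W_HASH, W_LIB, W_PERM, W_USAGE = 35, 10, 15, 25
NO_BASELINE = ISOLATE_AT = 50

def differences(current, snapshots):
    """Compare the current form against every stored snapshot."""
    seen_libs = frozenset().union(*(s.libraries for s in snapshots))
    seen_perms = frozenset().union(*(s.permissions for s in snapshots))
    hash_changed = all(current.exe_sha256 != s.exe_sha256 for s in snapshots)
    return hash_changed, current.libraries - seen_libs, current.permissions - seen_perms

def usage_spike(history):
    """True if the latest recorded run used over 3x the mean of earlier runs."""
    if len(history) < 2:
        return False
    *earlier, last = history
    cpu = max(sum(u.cpu_pct for u in earlier) / len(earlier), 1.0)
    net = max(sum(u.net_kb for u in earlier) / len(earlier), 1.0)
    return last.cpu_pct > 3 * cpu or last.net_kb > 3 * net

def risk_score(current, snapshots, history):
    if not snapshots:       # never seen before: nothing to diff against
        return NO_BASELINE
    hash_changed, new_libs, new_perms = differences(current, snapshots)
    score = W_HASH if hash_changed else 0
    score += min(W_LIB * len(new_libs), 20)     # capped so one factor cannot dominate
    score += min(W_PERM * len(new_perms), 30)
    return min(score + (W_USAGE if usage_spike(history) else 0), 100)

def placement(score):
    return "isolated" if score >= ISOLATE_AT else "native"

# Constructed sample data: a known build and a changed build of the same process.
KNOWN = Signature("aa" * 32, frozenset({"libc.so.6"}), frozenset({"fs:read"}))
CHANGED = Signature("bb" * 32, frozenset({"libc.so.6", "libcurl.so.4"}),
                    frozenset({"fs:read", "net:connect"}))
```

A process with no stored signature scores exactly at the isolation threshold here, so its first execution is sandboxed until a baseline exists; that policy is a choice of this sketch.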
20 Claims
1. A computer-implemented method comprising:
obtaining (i) a set of one or more initial features that are associated with an initial execution of a particular process, and (ii) a set of one or more subsequent features that are associated with a subsequent execution of a particular process;
providing (i) the set of one or more initial features that are associated with an initial execution of a particular process, and (ii) the set of one or more subsequent features that are associated with a subsequent execution of a particular process, to a process risk classifier that is trained, based on (i) a given set of one or more initial features that are associated with an initial execution of a given process and (ii) a given set of one or more subsequent features that are associated with a subsequent execution of a given process, to output a risk score that quantifies an estimated amount of risk associated with the given process;
in response to providing (i) the set of one or more initial features that are associated with an initial execution of a particular process, and (ii) the set of one or more subsequent features that are associated with a subsequent execution of a particular process, receiving, from the process risk classifier, a particular risk score that quantifies an estimated amount of risk associated with the particular process; and
selectively placing the subsequent or later executions of the particular process in an isolating computing environment based at least on the particular risk score that quantifies the estimated amount of risk associated with the particular process.

8. A system comprising:
one or more computers; and
one or more storage devices storing instructions that are operable, when executed by the one or more computers, to cause the one or more computers to perform operations comprising:
obtaining (i) a set of one or more initial features that are associated with an initial execution of a particular process, and (ii) a set of one or more subsequent features that are associated with a subsequent execution of a particular process;
providing (i) the set of one or more initial features that are associated with an initial execution of a particular process, and (ii) the set of one or more subsequent features that are associated with a subsequent execution of a particular process, to a process risk classifier that is trained, based on (i) a given set of one or more initial features that are associated with an initial execution of a given process and (ii) a given set of one or more subsequent features that are associated with a subsequent execution of a given process, to output a risk score that quantifies an estimated amount of risk associated with the given process;
in response to providing (i) the set of one or more initial features that are associated with an initial execution of a particular process, and (ii) the set of one or more subsequent features that are associated with a subsequent execution of a particular process, receiving, from the process risk classifier, a particular risk score that quantifies an estimated amount of risk associated with the particular process; and
selectively placing the subsequent or later executions of the particular process in an isolating computing environment based at least on the particular risk score that quantifies the estimated amount of risk associated with the particular process.

15. A non-transitory computer readable storage device storing instructions that, when executed by one or more processors, cause the one or more processors to perform operations comprising:
obtaining (i) a set of one or more initial features that are associated with an initial execution of a particular process, and (ii) a set of one or more subsequent features that are associated with a subsequent execution of a particular process;
providing (i) the set of one or more initial features that are associated with an initial execution of a particular process, and (ii) the set of one or more subsequent features that are associated with a subsequent execution of a particular process, to a process risk classifier that is trained, based on (i) a given set of one or more initial features that are associated with an initial execution of a given process and (ii) a given set of one or more subsequent features that are associated with a subsequent execution of a given process, to output a risk score that quantifies an estimated amount of risk associated with the given process;
in response to providing (i) the set of one or more initial features that are associated with an initial execution of a particular process, and (ii) the set of one or more subsequent features that are associated with a subsequent execution of a particular process, receiving, from the process risk classifier, a particular risk score that quantifies an estimated amount of risk associated with the particular process; and
selectively placing the subsequent or later executions of the particular process in an isolating computing environment based at least on the particular risk score that quantifies the estimated amount of risk associated with the particular process.

Specification