Malicious software detection in a computing system
Abstract
A computer system identifies malicious Uniform Resource Locator (URL) data items from a plurality of unscreened data items that have not been previously identified as associated with malicious URLs. The system can execute a number of pre-filters to identify a subset of URLs in the plurality of data items that are likely to be malicious. A scoring processor can score the subset of URLs based on a plurality of input vectors using a suitable machine learning model. Optionally, the system can execute one or more post-filters on the score data to identify data items of interest. Such data items can be fed back into the system to improve machine learning or can be used to provide a notification that a particular resource within a local network is infected with malicious software.
20 Claims
1. A computer-implemented method to identify connection records associated with malicious locational references, the method comprising:
as implemented by one or more computer readable storage devices configured to store one or more software modules including computer executable instructions, and by one or more hardware computer processors in communication with the one or more computer readable storage devices configured to execute the one or more software modules,
identifying connection records, stored in the one or more computer readable storage devices, indicating communications involving a local network, each of the connection records associated with a respective device identifier for a computerized device within the local network, a respective locational reference to a resource external to the local network, and a respective time of communication,
performing one or more filtering operations on the connection records to identify, within the connection records, first connection records more likely to be associated with malicious locational references than connection records not included in the first connection records, such that, once initiated, the one or more filtering operations are performed with the one or more computer readable storage devices and the one or more hardware computer processors and without the need for manually performing the filtering operations;
numerically scoring at least some of the first connection records using a machine learning model incorporating a plurality of factors relating to the locational references associated with the first connection records;
filtering the scored first connection records to identify, within the first connection records, second connection records more likely to be associated with malicious locational references than first connection records not included in the second connection records;
receiving a disposition generated by a user regarding one or more of the second connection records; and
applying the disposition to the machine learning model.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10

11. A computer-implemented method to identify connection records associated with malicious locational references, the method comprising:
as implemented by one or more computer readable storage devices configured to store one or more software modules including computer executable instructions, and by one or more hardware computer processors in communication with the one or more computer readable storage devices configured to execute the one or more software modules,
identifying connection records, stored in the one or more computer readable storage devices, indicating communications involving a local network, each of the connection records associated with a respective device identifier for a computerized device within the local network, a respective locational reference to a resource external to the local network, and a respective time of communication,
performing one or more filtering operations on the connection records to identify, within the connection records, first connection records more likely to be associated with malicious locational references than connection records not included in the first connection records, such that, once initiated, the one or more filtering operations are performed with the one or more computer readable storage devices and the one or more hardware computer processors and without the need for manually performing the filtering operations;
assigning a score to at least some of the first connection records based on a plurality of factors relating to the locational references associated with the first connection records; and
based on the scoring, generating a notification that a particular connection record of the first connection records is associated with a malicious locational reference.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20
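As an added illustration (not the patent's own code) of the pipeline that the abstract and claims 1 and 11 describe, here is a minimal Python version: a pre-filter over connection records, a multi-factor logistic scorer over the locational reference, a threshold post-filter, and an analyst disposition fed back into the model. The sample records, allow-list, feature set and initial weights are constructed for this example.

```python
import math
from urllib.parse import urlparse

# Constructed sample connection records: (device id, external URL, epoch time).
RECORDS = [
    ("host-a", "https://www.example.com/index.html", 1700000000),
    ("host-b", "http://203.0.113.7/q1x/update.php", 1700000060),
    ("host-c", "http://a8f3k2q9.cdn-verify.example.net/gate.php", 1700000120),
    ("host-b", "https://mail.example.com/inbox", 1700000180),
]
ALLOWLIST = {"www.example.com", "mail.example.com"}  # assumed pre-filter input

def prefilter(records):
    """Pre-filter: drop allow-listed hosts and repeated (device, host) pairs."""
    seen, out = set(), []
    for dev, url, ts in records:
        host = urlparse(url).hostname or ""
        if host in ALLOWLIST or (dev, host) in seen:
            continue
        seen.add((dev, host))
        out.append((dev, url, ts))
    return out

def features(url):
    """Input vector: factors derived from the locational reference alone."""
    p = urlparse(url)
    host = p.hostname or ""
    return [
        1.0 if host.replace(".", "").isdigit() else 0.0,          # IP-literal host
        sum(c.isdigit() for c in host) / max(len(host), 1),       # digit ratio
        max(0, min(len(host.split(".")) - 2, 3)) / 3.0,           # extra labels
        1.0 if p.scheme == "http" else 0.0,                       # cleartext scheme
        1.0 if p.path.endswith(".php") else 0.0,                  # script endpoint
    ]

class Scorer:
    """Logistic model; weights (assumed initial values) updated by dispositions."""
    def __init__(self, weights=(2.0, 1.5, 1.0, 0.5, 1.0), bias=-2.0, lr=0.5):
        self.w, self.b, self.lr = list(weights), bias, lr
    def score(self, url):
        z = self.b + sum(w * x for w, x in zip(self.w, features(url)))
        return 1.0 / (1.0 + math.exp(-z))
    def apply_disposition(self, url, malicious):
        """One gradient step toward the analyst's label (True = malicious)."""
        err = self.score(url) - (1.0 if malicious else 0.0)
        self.w = [w - self.lr * err * x for w, x in zip(self.w, features(url))]
        self.b -= self.lr * err

def triage(records, scorer, threshold=0.5):
    """Post-filter: scored records at or above threshold, highest score first."""
    scored = [(scorer.score(u), d, u, t) for d, u, t in prefilter(records)]
    return sorted((r for r in scored if r[0] >= threshold), reverse=True)
```

Each surviving tuple carries the device identifier, so a hit can be turned into the per-device notification that claim 11 describes.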
Specification