Title of invention: Exploit detection of malware and malware families
Abstract: According to one embodiment, a computerized method is provided that comprises accessing information associated with one or more observed events, wherein one or more of the observed events constitutes an anomalous behavior; accessing a reference model based on a first plurality of events, the reference model comprising a first event of the first plurality of events, a second event of the first plurality of events, and a relationship that identifies that the second event of the first plurality of events is based on the first event of the first plurality of events, wherein at least one of the first event and the second event constitutes an anomalous behavior; and comparing the information associated with the one or more observed events with the reference model to determine whether at least one observed event of the one or more observed events matches at least one of the first event of the first plurality of events or the second event of the first plurality of events that constitutes the anomalous behavior.
Publication number: US9589135 (B1)    Publication date: 2017.03.07
Application number: US201414500594    Filing date: 2014.09.29
Applicant: FireEye, Inc.    Inventors: Rathor Hirendra; Dalal Kaushal
Classification: G06F21/56; G06N99/00; G06F21/55; H04L29/06    Main classification: G06F21/56
Agent: Rutan & Tucker, LLP    Attorney: Rutan & Tucker, LLP
Main claim: 1. A computerized method for detecting malware comprising: accessing information associated with one or more observed events, wherein at least one of the one or more observed events includes an observed anomalous behavior; accessing a reference model, the reference model being based on a first plurality of events and comprising a first event of the first plurality of events, a second event of the first plurality of events, and a relationship that identifies that the second event of the first plurality of events is based on the first event of the first plurality of events, wherein at least one of the first event and the second event includes a first anomalous behavior and the relationship included in the first plurality of events includes a second anomalous behavior; and analyzing, using a machine learning technique, (i) the information associated with the one or more observed events and (ii) the reference model to determine whether a level of correlation between the one or more observed events and the reference model is at least a first predetermined threshold; responsive to determining the level of correlation is at least the first predetermined threshold, determining the one or more observed events are associated with malware; and inferring that at least a third event has occurred without detection based on the reference model, wherein the third event is absent from the information associated with the one or more observed events, wherein each of the one or more observed events, the first event of the first plurality of events, the second event of the first plurality of events, and the third event are each associated with at least one of: a process, a non-executable file, an address or a location within a storage module of an electronic device, a website address, or an Internet Protocol (IP) address.
Address: Milpitas CA US
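The abstract and claim 1 describe a reference model of events linked by "is based on" relationships, a correlation level checked against a threshold, and the inference of an undetected third event. The following is an added illustration of that logic written for this page; it is not code from the patent or from FireEye. It assumes a plain fraction-of-model-events-matched score in place of the machine-learning correlation the claim names, a threshold of 0.5, and a constructed reference model and observation set.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str            # process, file, storage address, website address or IP address
    value: str
    anomalous: bool = False


@dataclass
class ReferenceModel:
    events: list         # the "first plurality of events"
    based_on: dict       # child index -> parent index ("child is based on parent")


def correlation(observed, model):
    """Match each model event against the observations by kind and value.
    The fraction matched stands in for the claim's machine-learning correlation."""
    matched = [any(o.kind == e.kind and o.value == e.value for o in observed)
               for e in model.events]
    return sum(matched) / len(model.events), matched


def infer_missing(model, matched):
    """Walk 'based on' chains upward: an observed child implies every unobserved ancestor."""
    inferred = []
    for idx, seen in enumerate(matched):
        parent = model.based_on.get(idx) if seen else None
        while parent is not None:
            if not matched[parent] and model.events[parent] not in inferred:
                inferred.append(model.events[parent])
            parent = model.based_on.get(parent)
    return inferred


def classify(observed, model, threshold=0.5):
    """Return (is_malware, correlation level, inferred undetected events)."""
    level, matched = correlation(observed, model)
    anomalous_hit = any(m and e.anomalous for m, e in zip(matched, model.events))
    is_malware = level >= threshold and anomalous_hit
    return is_malware, level, infer_missing(model, matched) if is_malware else []


# Constructed reference model for a hypothetical dropper family (not taken from the patent).
MODEL = ReferenceModel(
    events=[Event("process", "dropper.exe", anomalous=True),               # 0
            Event("file", "C:/Users/Public/payload.dll", anomalous=True),  # 1, based on 0
            Event("ip", "198.51.100.7")],                                   # 2, based on 1
    based_on={1: 0, 2: 1},
)
# Constructed observation: the file write was not logged, the process and the IP contact were.
OBSERVED = [Event("process", "dropper.exe"), Event("ip", "198.51.100.7")]
BENIGN = [Event("process", "notepad.exe")]

if __name__ == "__main__":
    print(classify(OBSERVED, MODEL))
```

Because the observed IP contact is "based on" the unobserved file event, that file event is returned as the inferred third event even though it is absent from the observations.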