主权项 |
1. A computer-implemented method of identifying suspicious usage of an object, the method comprising:
receiving a query from a client device regarding an object trusted as non-malicious by a security module executing on the client device, the query including an identifier of the object and a set of usage attributes describing a usage of the object on the client device; identifying a set of usage facts associated with the identified object, the set of usage facts describing typical usages of the identified object on a plurality of client devices; comparing, by a computer, the set of usage facts associated with the identified object and the set of usage attributes included in the query from the client device; responsive to a threshold number of usage attributes from the set of usage attributes not matching the set of usage facts associated with the identified object, classifying the usage of the identified object on the client device as suspicious; responsive to the threshold number of usage attributes from the set of usage attributes matching the set of usage facts associated with the identified object, classifying the usage of the identified object on the client device as non-suspicious; and providing a report to the client device including the classification of the usage of the identified object on the client device. |