US 11,941,117 B2
Unmasking ransomware attacks
Oscar Annen, San Jose, CA (US); Harish Raman Shanker, Fremont, CA (US); Guilherme Vale Ferreira Menezes, San Jose, CA (US); Stephen Chu, San Francisco, CA (US); Mohit Gupta, Palo Alto, CA (US); and Sumeet Bharatbhai Varma, Sunnyvale, CA (US)
Assigned to Rubrik, Inc., Palo Alto, CA (US)
Filed by Rubrik, Inc., Palo Alto, CA (US)
Filed on Jan. 29, 2021, as Appl. No. 17/162,721.
Prior Publication US 2022/0245245 A1, Aug. 4, 2022
Int. Cl. G06F 21/56 (2013.01); G06F 11/14 (2006.01); G06F 16/11 (2019.01); G06F 16/16 (2019.01); G06N 20/00 (2019.01)
CPC G06F 21/561 (2013.01) [G06F 11/1451 (2013.01); G06F 16/128 (2019.01); G06F 16/164 (2019.01); G06F 21/568 (2013.01); G06N 20/00 (2019.01); G06F 2201/80 (2013.01); G06F 2201/82 (2013.01); G06F 2221/033 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A computer-implemented method performed by a computer system having a memory and at least one hardware processor, the computer-implemented method comprising:
generating a first prediction that a file system comprising a plurality of files has been attacked by ransomware based on snapshot metadata of the file system using a snapshot-level machine learning prediction model, the snapshot metadata comprising a plurality of file change data indicating a plurality of file change events that have been performed on the file system;
in response to the first prediction that the file system has been attacked by the ransomware using the snapshot-level machine learning prediction model, generating a corresponding classification for each one of the plurality of files in the file system based on the plurality of file change data using a file-level machine learning prediction model that is different from the snapshot-level machine learning prediction model, the corresponding classification indicating whether the corresponding one of the plurality of files has been targeted by the ransomware for encryption;
determining that one or more of the plurality of files have been targeted by the ransomware for encryption based on the corresponding classification for each one of the one or more of the plurality of files; and
causing the corresponding classification for each one of the one or more of the plurality of files to be displayed on a computing device of a user.
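The two-stage gating that claim 1 describes, as an added illustration that is not Rubrik's code or the patent's models: simple heuristics stand in for the snapshot-level and file-level machine learning models, and the snapshot metadata (file change events) and file list are constructed sample data.

```python
from collections import defaultdict

# Constructed snapshot metadata: file change events recorded between two
# snapshots as (path, operation, suffix_added). suffix_added is None when the
# file name did not gain a new extension. All values are sample data.
FILES = ["/docs/a.docx", "/docs/b.xlsx", "/docs/c.pdf", "/src/main.py", "/tmp/cache.bin"]
ATTACK_EVENTS = [
    ("/docs/a.docx", "rename", ".locked"),
    ("/docs/b.xlsx", "rename", ".locked"),
    ("/docs/c.pdf", "rename", ".locked"),
    ("/docs/HOW_TO_DECRYPT.txt", "create", None),
    ("/src/main.py", "modify", None),
]
BENIGN_EVENTS = [
    ("/src/main.py", "modify", None),
    ("/tmp/cache.bin", "delete", None),
]

def snapshot_level_predict(events, min_hits=3, min_fraction=0.5):
    """Stage 1 stand-in for the snapshot-level model (heuristic, not the
    patent's ML model): predict from aggregate features of the whole snapshot,
    here 'many changed files gained the same new suffix', never per file."""
    changed = [e for e in events if e[1] in ("modify", "rename")]
    if not changed:
        return False
    suffixed = [e for e in changed if e[2]]
    distinct_suffixes = {e[2] for e in suffixed}
    return (len(suffixed) >= min_hits
            and len(suffixed) / len(changed) >= min_fraction
            and len(distinct_suffixes) == 1)

def file_level_classify(files, events):
    """Stage 2 stand-in for the file-level model (heuristic): one label per
    file in the file system, derived from that file's own change events."""
    by_path = defaultdict(list)
    for path, op, suffix in events:
        by_path[path].append((op, suffix))
    labels = {}
    for path in files:
        targeted = any(op in ("modify", "rename") and suffix
                       for op, suffix in by_path.get(path, []))
        labels[path] = "targeted" if targeted else "not_targeted"
    return labels

def unmask(files, events):
    """Run the per-file stage only in response to a positive snapshot-level
    prediction, as claim 1 orders the stages. Returns {} when stage 1 sees no
    attack, otherwise the per-file classifications to display."""
    if not snapshot_level_predict(events):
        return {}
    return file_level_classify(files, events)
```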