US 11,755,734 B2
Analysis priority of objects from cross-sectional variance
Sorcha Bairbre Healy, County Cork (IE); Gerard Donal Murphy, County Cork (IE); and Steven Grobman, Flower Mound, TX (US)
Assigned to McAfee, LLC, San Jose, CA (US)
Filed by McAfee, LLC, San Jose, CA (US)
Filed on Sep. 30, 2019, as Appl. No. 16/588,391.
Prior Publication US 2021/0097334 A1, Apr. 1, 2021
Int. Cl. G06F 21/00 (2013.01); G06F 21/56 (2013.01); G06N 20/00 (2019.01); G06F 18/23 (2023.01); G06F 18/213 (2023.01); G06N 5/01 (2023.01)
CPC G06F 21/566 (2013.01) [G06F 18/213 (2023.01); G06F 18/23 (2023.01); G06F 21/56 (2013.01); G06N 5/01 (2023.01); G06N 20/00 (2019.01)] 20 Claims
OG exemplary drawing
 
1. A computing apparatus for a service provider to provide triage for suspicious objects to an enterprise network, comprising:
a processor and a memory;
a data store having stored thereon trained models M_GLOBAL and M_ENT, wherein model M_GLOBAL comprises a clustering model of proximity and prevalence of a global body of computing objects, and M_ENT comprises a clustering model of proximity and prevalence of a body of computing objects for the enterprise network; and
instructions encoded within the memory to instruct the processor to:
receive from the enterprise network a set of objects requiring analysis, and select from the set an object under analysis;
apply a machine learning model to compute a global variance score between the object under analysis and M_GLOBAL;
apply the machine learning model to compute an enterprise variance score between the object under analysis and M_ENT;
compute from the global variance score and the enterprise variance score a cross-sectional variance score;
assign the object under analysis an analysis priority according to the cross-sectional variance score; and
based on the cross-sectional variance score, determine that the object under analysis is a candidate advanced persistent threat (APT) directed toward the enterprise network, assign the object under analysis elevated analysis priority, and electronically notify the enterprise network that the object under analysis is a candidate APT directed toward the enterprise network and has elevated analysis priority.
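The claim above specifies the pipeline (global variance score, enterprise variance score, cross-sectional score, priority, APT notification) but not the scoring formulas. The following is an added illustration written for this page, not code from the patent or from McAfee: the proximity-plus-rarity variance score, the ratio used as the cross-sectional score, the two priority thresholds, the 2-D feature vectors and both toy cluster models are all assumptions chosen to make the behaviour visible. The point it shows is that a plain difference or a single "far from everything" score would flag any noisy outlier, whereas the ratio only rises for an object that fits the enterprise's own body of objects while being unusual in the global body.

```python
from dataclasses import dataclass
from math import sqrt
from typing import Dict, List, Tuple

Vector = Tuple[float, ...]


@dataclass(frozen=True)
class Cluster:
    centroid: Vector
    prevalence: float  # share of the body of objects that fell into this cluster (0..1)


@dataclass(frozen=True)
class ClusterModel:
    name: str
    clusters: List[Cluster]


def _distance(a: Vector, b: Vector) -> float:
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def variance_score(obj: Vector, model: ClusterModel) -> float:
    """Assumed scoring function (not taken from the patent): for each cluster add the
    proximity term (distance to the centroid) and a rarity term (1 - prevalence) and keep
    the smallest value. An object sitting on a common cluster scores near 0; one far from
    every cluster, or near only rare clusters, scores high."""
    return min(_distance(obj, c.centroid) + (1.0 - c.prevalence) for c in model.clusters)


def cross_sectional_score(obj: Vector, m_global: ClusterModel, m_ent: ClusterModel) -> Dict[str, float]:
    g = variance_score(obj, m_global)
    e = variance_score(obj, m_ent)
    # Assumed combination: ratio of global to enterprise variance. It is large only when the
    # object is unusual in the global body yet fits the enterprise's own body of objects.
    return {"global": g, "enterprise": e, "cross_sectional": g / (e + 1e-9)}


# Assumed priority thresholds on the ratio.
ELEVATED_THRESHOLD = 3.0
RAISED_THRESHOLD = 1.5


def triage(obj: Vector, m_global: ClusterModel, m_ent: ClusterModel) -> Dict[str, object]:
    """Assign an analysis priority from the cross-sectional score and flag candidate APTs."""
    scores = cross_sectional_score(obj, m_global, m_ent)
    ratio = scores["cross_sectional"]
    if ratio >= ELEVATED_THRESHOLD:
        priority, candidate_apt = "elevated", True
    elif ratio >= RAISED_THRESHOLD:
        priority, candidate_apt = "raised", False
    else:
        priority, candidate_apt = "normal", False
    return {**scores, "priority": priority, "candidate_apt": candidate_apt}


def notification(name: str, result: Dict[str, object]) -> str:
    """Text of the notice sent back to the enterprise for a candidate APT (assumed format)."""
    return (f"object {name}: candidate APT directed at the enterprise, analysis priority "
            f"{result['priority']} (cross-sectional score {result['cross_sectional']:.2f})")


def prioritize(objects: Dict[str, Vector], m_global: ClusterModel,
               m_ent: ClusterModel) -> List[Tuple[str, Dict[str, object]]]:
    """Score every object in the set and return them highest cross-sectional score first."""
    ranked = [(name, triage(vec, m_global, m_ent)) for name, vec in objects.items()]
    ranked.sort(key=lambda item: item[1]["cross_sectional"], reverse=True)
    return ranked


# Constructed toy models: 2-D feature vectors so the geometry is easy to follow.
M_GLOBAL = ClusterModel("M_GLOBAL", [Cluster((0.0, 0.0), 0.6), Cluster((1.0, 1.0), 0.4)])
M_ENT = ClusterModel("M_ENT", [Cluster((0.0, 0.0), 0.5), Cluster((3.0, 3.0), 0.5)])

# Constructed objects requiring analysis, received from the enterprise.
SAMPLE_OBJECTS: Dict[str, Vector] = {
    "common_tool": (0.0, 0.0),       # widespread both globally and in the enterprise
    "enterprise_only": (3.0, 3.0),   # fits the enterprise body, unseen in the global body
    "noisy_outlier": (10.0, 10.0),   # unusual everywhere: not enterprise-specific
}

if __name__ == "__main__":
    for name, result in prioritize(SAMPLE_OBJECTS, M_GLOBAL, M_ENT):
        print(name, result["priority"], round(result["cross_sectional"], 2))
        if result["candidate_apt"]:
            print("  ->", notification(name, result))
```

Running the block ranks `enterprise_only` first with elevated priority, while `noisy_outlier`, despite its large global variance, stays at normal priority because its enterprise variance is just as large.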