US 11,888,881 B2
Context informed abnormal endpoint behavior detection
Shai Meir, Tzur Yitzhak (IL); Dany Cohen, Tel-Aviv (IL); Arkady Miasnikov, Netanya (IL); and Ohad Ohayon, Kadima-Zoran (IL)
Assigned to Palo Alto Networks, Inc., Santa Clara, CA (US)
Filed by Palo Alto Networks, Inc., Santa Clara, CA (US)
Filed on Sep. 12, 2022, as Appl. No. 17/931,253.
Application 17/931,253 is a division of application No. 16/557,549, filed on Aug. 30, 2019, granted, now 11,483,326.
Prior Publication US 2023/0007037 A1, Jan. 5, 2023
Int. Cl. H04L 9/40 (2022.01); G06N 20/00 (2019.01)
CPC H04L 63/1425 (2013.01) [G06N 20/00 (2019.01); H04L 63/1416 (2013.01)] 20 Claims
1. A method comprising,
generating a plurality of profiles for a first process for a plurality of hierarchical endpoint scopes, wherein the first process is executing on one or more endpoints indicated in the plurality of hierarchical endpoint scopes, wherein generating the plurality of profiles for the first process comprises, for each endpoint scope in the plurality of hierarchical endpoint scopes,
determining importance qualifiers for event data for the first process at the endpoint scope;
filtering the event data according to the importance qualifiers;
normalizing the filtered event data to generate normalized event data;
determining, for the first process, a plurality of classifiers for process activities of the first process that satisfy a criterion of normal activity for the first process at the endpoint scope, wherein the determination of the plurality of classifiers for process activities that satisfy the criterion of normal activity is based, at least in part, on statistics from the normalized event data for the first process at the endpoint scope; and
generating a profile with the plurality of classifiers and associating the profile with the endpoint scope.
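The claimed procedure, worked through as an added example (not code from the patent or from Palo Alto Networks): per-process event data is filtered by assumed importance qualifiers, normalized, profiled for each level of a constructed endpoint -> group -> org hierarchy using occurrence count and endpoint prevalence as the statistics, and a new event is then classified by the narrowest scope whose profile holds it. All event data, scope names, importance values and thresholds are constructed.

```python
import re
from collections import defaultdict
# Constructed sample events (not from the patent): one process across three endpoints.
def ev(endpoint, group, activity, target):
    return {"endpoint": endpoint, "group": group, "org": "acme",
            "process": "excel.exe", "activity": activity, "target": target}
EVENTS = [
    ev("ws-01", "finance", "file_write", r"C:\Users\alice\Documents\q3.xlsx"),
    ev("ws-01", "finance", "file_write", r"C:\Users\alice\Documents\q2.xlsx"),
    ev("ws-01", "finance", "net_connect", "10.0.0.5:443"),
    ev("ws-02", "finance", "file_write", r"C:\Users\bob\Documents\q1.xlsx"),
    ev("ws-02", "finance", "net_connect", "10.0.0.5:443"),
    ev("ws-03", "eng", "net_connect", "10.0.0.5:443"),
    ev("ws-03", "eng", "file_read", r"C:\Windows\Fonts\arial.ttf"),
]
SCOPE_LEVELS = ("endpoint", "group", "org")                        # narrowest to broadest
IMPORTANCE = {"file_read": 1, "file_write": 2, "net_connect": 3}   # assumed importance qualifiers
MIN_IMPORTANCE = 2                                                 # events below this are filtered out

def normalize(activity, target):
    """Collapse per-user and numeric path parts so file activities compare across hosts."""
    if not activity.startswith("file_"):
        return target
    return re.sub(r"\d+", "#", re.sub(r"\\Users\\[^\\]+", r"\\Users\\<user>", target))

def build_profiles(events, process, min_count=2, min_prevalence=0.5):
    """Per (level, scope): activity keys whose occurrence count and endpoint share meet the normal-activity criterion."""
    profiles = {}
    for level in SCOPE_LEVELS:
        members, seen = defaultdict(set), defaultdict(lambda: defaultdict(list))
        for e in (x for x in events if x["process"] == process):
            members[e[level]].add(e["endpoint"])                   # endpoints inside this scope
            if IMPORTANCE.get(e["activity"], 0) < MIN_IMPORTANCE:
                continue                                           # importance filter
            key = (e["activity"], normalize(e["activity"], e["target"]))
            seen[e[level]][key].append(e["endpoint"])              # one entry per occurrence
        for scope, hosts in members.items():
            profiles[(level, scope)] = {k for k, eps in seen[scope].items() if len(eps) >= min_count
                                        and len(set(eps)) / len(hosts) >= min_prevalence}
    return profiles

def classify(profiles, event):
    """Narrowest scope whose profile holds the activity; None means abnormal at every scope."""
    if IMPORTANCE.get(event["activity"], 0) < MIN_IMPORTANCE:
        return "filtered"
    key = (event["activity"], normalize(event["activity"], event["target"]))
    for level in SCOPE_LEVELS:
        if key in profiles.get((level, event[level]), set()):
            return level
    return None
```

An activity that is normal only at the org scope (seen on enough endpoints across the organization but not on this host or its group) is still a weaker signal than one unknown at every scope, which is why the result carries the scope rather than a plain boolean.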