| CPC G06F 9/455 (2013.01) [G06F 9/44505 (2013.01); G06F 9/45558 (2013.01); G06F 16/2379 (2019.01); G06F 18/214 (2023.01); G06F 21/51 (2013.01); G06F 21/53 (2013.01); G06F 21/54 (2013.01); G06N 20/00 (2019.01); H04L 63/20 (2013.01); G06F 2009/45583 (2013.01); G06F 2009/45587 (2013.01); G06F 2009/45591 (2013.01); G06F 2009/45595 (2013.01)] | 20 Claims |

1. A method comprising:
training a machine learning model to detect normal behavior of one or more services running on a cloud native virtual machine (VM), wherein the machine learning model is trained to detect normal behavior on training data comprising a plurality of discrete behaviors of the one or more services and indications of whether each of the plurality of discrete behaviors corresponds to normal or abnormal behavior;
defining capabilities that indicate at least one of allowed behaviors and denied behaviors for each of the one or more services based, at least in part, on behaviors for the one or more services that the trained machine learning model has detected as normal or abnormal;
generating a normal behavior model according to the defined capabilities and the trained machine learning model; and
detecting a behavior at the cloud native VM that deviates from the normal behavior model, wherein detecting a behavior that deviates from the normal behavior model comprises at least one of,
detecting the behavior as an abnormal behavior with the trained machine learning model,
detecting the behavior as not corresponding to an allowed behavior for a defined capability, and
detecting the behavior as corresponding to a denied behavior for a defined capability.
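The three detection branches of claim 1, shown as an added illustration that is not the patent's or any vendor's implementation. The log-odds counter standing in for the trained model, the (service, kind, target) behavior encoding, the function names and the sample data are all assumptions.

```python
import math
from collections import defaultdict

# Constructed training data: (service, kind, target, labelled_normal).
TRAINING = [
    ("nginx", "exec", "/usr/sbin/nginx", True),
    ("nginx", "listen", "tcp/443", True),
    ("nginx", "read", "/etc/nginx/nginx.conf", True),
    ("nginx", "exec", "/bin/sh", False),
    ("nginx", "connect", "tcp/4444", False),
    ("nginx", "write", "/etc/passwd", False),
]

def features(service, kind, target):
    return [("svc_kind", service, kind), ("target", target)]

def train(rows):
    """Count labelled features; [abnormal, normal] both start at 1 (Laplace)."""
    counts = defaultdict(lambda: [1, 1])
    for service, kind, target, normal in rows:
        for f in features(service, kind, target):
            counts[f][int(normal)] += 1
    return counts

def is_normal(model, service, kind, target):
    # Sum log-odds over features seen in training; a fully unseen behavior scores 0.
    score = sum(math.log(model[f][1] / model[f][0])
                for f in features(service, kind, target) if f in model)
    return score > 0

def build_normal_behavior_model(rows):
    """Capabilities come from the model's own verdicts, not the raw labels."""
    model = train(rows)
    caps = defaultdict(lambda: {"allow": set(), "deny": set()})
    for service, kind, target, _ in rows:
        verdict = "allow" if is_normal(model, service, kind, target) else "deny"
        caps[(service, kind)][verdict].add(target)
    return model, caps

def deviations(nbm, service, kind, target):
    """Return every branch of the claim that flags this behavior."""
    model, caps = nbm
    reasons = [] if is_normal(model, service, kind, target) else ["ml_abnormal"]
    cap = caps.get((service, kind))  # .get() avoids creating an empty capability
    if cap is not None and cap["allow"] and target not in cap["allow"]:
        reasons.append("not_allowed")
    if cap is not None and target in cap["deny"]:
        reasons.append("denied")
    return reasons

NBM = build_normal_behavior_model(TRAINING)
```

Reading `/etc/shadow` as `nginx` is scored normal by this stand-in model because the service is known to read files, yet the allow list for the read capability still flags it, which is why the claim treats the branches as alternatives.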