CPC G06F 21/566 (2013.01) [G06F 21/552 (2013.01); H04L 63/14 (2013.01); H04L 63/1416 (2013.01); G06N 20/00 (2019.01)]
16 Claims
1. A system comprising:
a processor;
a communications interface;
a memory having stored thereon a security agent including a matcher that recognizes a pattern of behavior (PoB), the PoB including an empty field, wherein the empty field was generated by removing a portion of the PoB;
the memory further having a first definition stored in a first definition file thereon, the first definition including a first value corresponding to the empty field; and
wherein the security agent, when executed by the processor, configures the system to perform operations including:
obtaining, via the communications interface, a second definition file including the first definition and a second definition that includes a second value corresponding to the empty field;
obtaining behavior information regarding behavior exhibited by a computing device and corresponding to the PoB;
accumulating the behavior information into a test pattern based at least in part on detecting that the behavior information corresponds with at least part of the PoB; and
determining whether the test pattern matches a first union of the PoB with the empty field populated by the first value or a second union of the PoB with the empty field populated by the second value.
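A minimal sketch of the matching flow recited in claim 1, added here as an illustration and not taken from the patent or any product. The PoB steps, field names, definition ids, and events are all constructed assumptions; the point shown is that a new definition file extends what the unchanged matcher detects.

```python
EMPTY = object()  # sentinel for the field removed from the PoB

# Constructed PoB: two ordered steps; the parent image name was removed.
POB = (
    {"event": "process_start", "parent": EMPTY, "child": "powershell.exe"},
    {"event": "net_connect", "port": 443},
)
# Constructed definition files; the second carries the first definition plus a new one.
FILE_1 = {"definitions": [{"id": "def-1", "value": "winword.exe"}]}
FILE_2 = {"definitions": FILE_1["definitions"] + [{"id": "def-2", "value": "excel.exe"}]}
# Constructed behavior information (fields absent from the PoB, such as pid, are ignored).
EVENTS = [
    {"event": "process_start", "parent": "excel.exe", "child": "powershell.exe", "pid": 4120},
    {"event": "net_connect", "port": 443, "pid": 4120},
]

def corresponds(step, info):
    """True if info agrees with every populated (non-empty) field of step."""
    return all(info.get(k) == v for k, v in step.items() if v is not EMPTY)

def populate(pob, value):
    """Union of the PoB with its empty field populated by one definition value."""
    return tuple({k: value if v is EMPTY else v for k, v in s.items()} for s in pob)

class Matcher:
    def __init__(self, pob, definition_file):
        self.pob, self.test_pattern = pob, []
        self.load(definition_file)

    def load(self, definition_file):
        """Replace the definitions; the matcher logic and the PoB stay unchanged."""
        self.unions = {d["id"]: populate(self.pob, d["value"])
                       for d in definition_file["definitions"]}

    def observe(self, info):
        """Accumulate info that fits the next PoB step; return matching definition ids."""
        step = len(self.test_pattern)
        if not corresponds(self.pob[step], info):
            return []
        self.test_pattern.append(info)
        if len(self.test_pattern) < len(self.pob):
            return []
        pattern, self.test_pattern = self.test_pattern, []  # complete: test, then reset
        return [i for i, u in self.unions.items()
                if all(corresponds(s, e) for s, e in zip(u, pattern))]
```

With only `FILE_1` loaded the constructed events accumulate into a complete test pattern but match no union; after `load(FILE_2)` the same events match the union built from `def-2`.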