| CPC H04L 63/1441 (2013.01) [G06F 21/53 (2013.01); H04L 41/16 (2013.01)] | 20 Claims |

|
1. A computer-implemented method, comprising:
intercepting, by a cloud-based network security system, a request to access a document;
obtaining, by the cloud-based network security system, the document;
detonating, by the cloud-based network security system, the document in a sandbox of the cloud-based network security system;
in response to the detonating, extracting, by the cloud-based network security system, dynamic information about the document;
extracting, by the cloud-based network security system, character strings from images in the document during the detonating in the sandbox;
providing, by the cloud-based network security system, the dynamic information as input to an artificial intelligence model trained to provide an output indicating a prediction of whether the document contains malware based on the input;
generating, by the cloud-based network security system, a heuristic score based on comparing the character strings extracted from the document to a batch of phishing keywords;
providing, by the cloud-based network security system, the output of the artificial intelligence model and the heuristic score as input to a verdict engine, wherein the verdict engine combines the output of the artificial intelligence model and the heuristic score to classify the document as one of malicious or clean; and
implementing, by the cloud-based network security system, a security policy based at least in part on the classification of the document.
|
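The last three steps of claim 1 (keyword heuristic over strings extracted from images, verdict engine, policy) can be sketched as follows. This is an added example, not code from the patent or its assignee. The keyword batch, the weights, the threshold, the weighted-sum combination and every function name are assumptions, since the claim specifies none of them. The model output is taken as a given probability in [0, 1].

```python
import re
import unicodedata

# Assumed values for illustration; the claim names no keywords, weights or threshold.
PHISHING_KEYWORDS = ("verify your account", "password expired", "sign in to view",
                     "enable content", "confirm your identity")
MODEL_WEIGHT, HEURISTIC_WEIGHT = 0.7, 0.3
MALICIOUS_THRESHOLD = 0.5

# Constructed sample: strings as OCR might return them from images in a document.
SAMPLE_IMAGE_STRINGS = ["Your  PASSWORD expired", "Sign in to\nview the document",
                        "Ｅｎａｂｌｅ Content"]


def normalize(text):
    """Fold case, Unicode compatibility forms and OCR whitespace noise."""
    text = unicodedata.normalize("NFKC", text).casefold()
    return re.sub(r"\s+", " ", text).strip()


def heuristic_score(image_strings, keywords=PHISHING_KEYWORDS):
    """Return (fraction of the keyword batch found in the strings, matched keywords)."""
    haystack = " ".join(normalize(s) for s in image_strings)
    hits = [k for k in keywords if normalize(k) in haystack]
    return len(hits) / len(keywords), hits


def verdict(model_output, heuristic):
    """Combine model output and heuristic score (assumed weighted sum)."""
    if not (0.0 <= model_output <= 1.0 and 0.0 <= heuristic <= 1.0):
        raise ValueError("scores must be in [0, 1]")
    combined = MODEL_WEIGHT * model_output + HEURISTIC_WEIGHT * heuristic
    return "malicious" if combined >= MALICIOUS_THRESHOLD else "clean"


def apply_policy(classification):
    """Assumed policy: block malicious documents, allow clean ones."""
    return "block" if classification == "malicious" else "allow"


def classify_document(model_output, image_strings):
    score, hits = heuristic_score(image_strings)
    label = verdict(model_output, score)
    return {"heuristic": score, "hits": hits, "verdict": label,
            "action": apply_policy(label)}


if __name__ == "__main__":
    # A borderline model output is tipped to "malicious" by the keyword hits.
    print(classify_document(0.5, SAMPLE_IMAGE_STRINGS))
```

With the same model output of 0.5 and image strings that match no keyword, the combined score stays below the threshold and the document is classified clean.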