CPC H04L 63/1425 (2013.01) [G06F 9/45558 (2013.01); G06F 16/953 (2019.01); G06F 18/214 (2023.01); G06F 21/566 (2013.01); G06F 21/577 (2013.01); G06N 20/00 (2019.01); H04L 63/1416 (2013.01); H04L 63/1433 (2013.01); G06F 2009/4557 (2013.01); G06F 2009/45595 (2013.01)]
20 Claims

1. A computer-implemented method performed by a computer system having a memory and at least one hardware processor, the computer-implemented method comprising:
instantiating a plurality of virtual machines that are loaded with corresponding file systems;
simulating ransomware on the plurality of virtual machines;
simulating a plurality of user actions on the plurality of virtual machines based at least in part on the simulated ransomware, the simulating of the ransomware and the plurality of user actions on the plurality of virtual machines causing changes to the corresponding file systems of the plurality of virtual machines, and wherein simulating the plurality of user actions comprises:
executing a computer program that simulates a plurality of interactions between a user and the plurality of virtual machines in the presence of the simulated ransomware;
for each virtual machine of the plurality of virtual machines, generating a corresponding metadata file comprising training data for a ransomware detection model based on one or more corresponding snapshots of the virtual machine, the one or more corresponding snapshots indicating the changes, to the corresponding file system of the virtual machine, that are based on the simulating of the ransomware and the plurality of user actions; and
training the ransomware detection model using a machine learning algorithm and the training data of the corresponding metadata files that are generated for the plurality of virtual machines.