| CPC H04L 63/1425 (2013.01) [H04L 63/145 (2013.01)] | 19 Claims |

1. A system comprising:
one or more processors; and
programming instructions configured to be executed by the one or more processors to perform operations comprising:
receiving, from one or more monitored devices, events data for training data;
presenting false-negative data of the events data based on a labeled indicator of the false-negative data incorrectly labeled as false-negative or false-positive;
generating labeled data by relabeling one or more processes in the false-negative data;
storing the labeled data as the training data;
determining that the events data is associated with a malicious process;
determining to map individual events from the events data onto a behavioral activity pattern;
aggregating multiple events of the individual events into a single artifact, the multiple events produced by the malicious process;
generating a malware classifier based at least in part on extracting behavioral artifacts including the single artifact from the behavioral activity pattern and building a feature vector associated with the extracted behavior artifacts used for the malware classifier;
transmitting, to the one or more monitored devices, the malware classifier; and
receiving, from the one or more monitored devices, additional events data for additional training data.
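Added illustration, not code from the patent or its assignee: one training pass of the loop claim 1 describes, in which events from monitored devices are mapped onto a behavioral activity pattern, all events of one process are aggregated into a single artifact, a feature vector is built from that artifact, a reviewed false negative is relabeled, and a classifier is trained on the corrected training data. The event records, field names, labels and the perceptron standing in for the malware classifier are all constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample events from two monitored hosts; field names are assumptions.
EVENTS = [
    {"host": "h1", "pid": 100, "type": "process_create", "arg": "notepad.exe"},
    {"host": "h1", "pid": 100, "type": "file_write", "arg": "notes.txt"},
    {"host": "h2", "pid": 200, "type": "process_create", "arg": "svc.exe"},
    {"host": "h2", "pid": 200, "type": "registry_set", "arg": "Run"},
    {"host": "h2", "pid": 200, "type": "network_connect", "arg": "203.0.113.5:443"},
    {"host": "h2", "pid": 200, "type": "file_write", "arg": "x.dll"},
    {"host": "h2", "pid": 200, "type": "file_write", "arg": "y.dll"},
]
# Behavioral activity pattern: the event types the feature vector tracks.
PATTERN = ["process_create", "file_write", "registry_set", "network_connect"]
# Initial labels called the svc.exe process benign; analyst review corrects that.
INITIAL = {("h1", 100): False, ("h2", 200): False}
CORRECTIONS = {("h2", 200): True}

def aggregate_artifacts(events):
    """Group every event of one process (host, pid) into a single artifact."""
    artifacts = defaultdict(list)
    for ev in events:
        artifacts[(ev["host"], ev["pid"])].append(ev)
    return dict(artifacts)

def feature_vector(artifact):
    """Per-type event counts along the pattern, plus the total event count."""
    counts = Counter(ev["type"] for ev in artifact)
    return [counts[t] for t in PATTERN] + [len(artifact)]

def score(w, x):
    return w[0] + sum(wi * xi for wi, xi in zip(w[1:], x))

def train_perceptron(vectors, labels, epochs=20):
    """Tiny perceptron standing in for the malware classifier (True = malicious)."""
    w = [0.0] * (len(PATTERN) + 2)  # bias + one weight per feature
    for _ in range(epochs):
        for key, x in vectors.items():
            y = 1 if labels[key] else -1
            if y * score(w, x) <= 0:  # misclassified: move the boundary
                w[0] += y
                for i, xi in enumerate(x):
                    w[i + 1] += y * xi
    return w

def build_classifier(events, initial_labels, corrections):
    """Relabel reviewed false negatives, then train on the corrected training data."""
    labels = {**initial_labels, **corrections}
    vectors = {k: feature_vector(a) for k, a in aggregate_artifacts(events).items()}
    return train_perceptron(vectors, labels)
```

Training once with the uncorrected labels and once with the relabeled data shows why the relabeling step matters: only the corrected model scores the svc.exe artifact as malicious.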