| CPC G06F 21/566 (2013.01) [G06F 21/53 (2013.01); G06F 21/577 (2013.01); G06N 3/08 (2013.01); G06F 2221/034 (2013.01)] | 21 Claims |

1. A non-transitory machine-readable medium storing computer-program instructions that when executed by one or more processors effectuate operations comprising:
a. obtaining, with one or more processors, device behavior data from a plurality of user devices, the device behavior data includes runtime activity information associated with respective user devices;
b. segmenting, with one or more processors, the device behavior data by categories of runtime activity information sources monitored on the user devices to obtain a plurality of by-category training data sets;
c. forming, with one or more processors, a plurality of records in a training data set based on the device behavior data corresponding respective user devices, a first subset of the records being labeled as malicious based on indications of a subset of user devices affected by ransomware and a second subset of the records being labeled as non-malicious based on indications of another subset of user devices not affected by ransomware;
d. training, with one or more processors, based on the training data set, a machine learning model to output an indication of whether runtime activity information obtained from the category of runtime activity information source corresponds to ransomware activity; and
e. transmitting, with one or more processors, the machine learning model and at least one other machine learning model for another category of runtime activity source to at least some of the user devices, wherein each of the at least some user devices execute a set of machine learning models to monitor a set of runtime activity information sources for ransomware activity.
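The following sketch walks through steps a to e of claim 1 as an added example; it is not code from the patent or its assignee. The category names, feature choices, sample telemetry and the use of logistic regression are all assumptions made for illustration.

```python
import json
import math
from collections import defaultdict

# Step a: constructed sample telemetry (device_id, source category, features).
# Assumed features: "filesystem" = [file renames/min, mean entropy of writes];
# "process" = [child processes/min, shadow-copy deletion command seen (0/1)].
EVENTS = [
    ("dev1", "filesystem", [120.0, 7.9]), ("dev2", "filesystem", [95.0, 7.7]),
    ("dev3", "filesystem", [2.0, 4.1]),   ("dev4", "filesystem", [5.0, 5.0]),
    ("dev1", "process", [14.0, 1.0]),     ("dev2", "process", [9.0, 1.0]),
    ("dev3", "process", [1.0, 0.0]),      ("dev4", "process", [2.0, 0.0]),
]
RANSOMWARE_DEVICES = {"dev1", "dev2"}  # devices reported as affected (constructed)

def segment_and_label(events, infected):
    """Steps b and c: group records by source category, label by device status."""
    by_cat = defaultdict(list)
    for device, category, features in events:
        by_cat[category].append((features, 1 if device in infected else 0))
    return by_cat

def train(records, epochs=2000, lr=0.1):
    """Step d: logistic regression (SGD) on min-max scaled features."""
    dims = range(len(records[0][0]))
    lo = [min(x[i] for x, _ in records) for i in dims]
    hi = [max(x[i] for x, _ in records) for i in dims]
    span = [(h - l) or 1.0 for l, h in zip(lo, hi)]
    w, b = [0.0] * len(lo), 0.0
    for _ in range(epochs):
        for x, y in records:
            z = [(v - l) / s for v, l, s in zip(x, lo, span)]
            p = 1 / (1 + math.exp(-(b + sum(wi * zi for wi, zi in zip(w, z)))))
            w = [wi + lr * (y - p) * zi for wi, zi in zip(w, z)]
            b += lr * (y - p)
    return {"w": w, "b": b, "lo": lo, "span": span}

def build_bundle(events, infected):
    """Step e, server side: one model per category, serialized for transmission."""
    by_cat = segment_and_label(events, infected)
    return json.dumps({cat: train(recs) for cat, recs in by_cat.items()})

def score(bundle, category, features):
    """Step e, device side: probability that this source's activity is ransomware."""
    m = json.loads(bundle)[category]
    z = [(v - l) / s for v, l, s in zip(features, m["lo"], m["span"])]
    return 1 / (1 + math.exp(-(m["b"] + sum(wi * zi for wi, zi in zip(m["w"], z)))))
```

Each device evaluates only the models for the sources it monitors, so a category with no local sensor is simply never scored.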