CPC G06F 21/6218 (2013.01) [G06F 21/604 (2013.01)]. 18 Claims.

1. A method comprising:
collecting, by a software agent connected to a target application, a first set of observations of executing the target application while in a logging mode, wherein the first set of observations identifies a first plurality of instances of a first plurality of operations of the target application, wherein the target application is assumed to be in a trusted environment in the logging mode causing the first set of observations to be assumed benign;
transmitting the first set of observations to a security service;
receiving an allow list and a confidence estimator model from the security service, wherein the security service generalizes the first plurality of operations into a plurality of general operations in the allow list and trains the confidence estimator model based on the first set of observations;
transitioning, by the software agent, to a blocking mode after collecting the first set of observations to initiate updating filters of operations; and
controlling, according to the allow list and the confidence estimator model, performance by the target application of a second plurality of instances of a second plurality of operations while in the blocking mode, wherein controlling performance by the target application comprises:
receiving a first instance of a first operation in the second plurality of operations;
making a first determination that the first operation is in the allow list;
generating, by the confidence estimator model, a first confidence level that the first determination is accurate; and
allowing the first operation responsive to the first determination and the first confidence level satisfying a confidence threshold.
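As an added illustration that is not part of the patent, the following Python model simulates the two-mode agent of claim 1: a logging mode collects observations, a stand-in security service generalizes them into an allow list and a support-based confidence estimator, and the blocking mode admits an operation only when it is in the allow list and the confidence meets the threshold. The generalization rule (collapsing digit runs), the confidence formula, the threshold and the sample observations are all assumptions made for this example.

```python
import re
from collections import Counter

# Constructed observations from the logging mode: (operation, argument) pairs,
# assumed benign because the application ran in a trusted environment.
LOGGING_OBSERVATIONS = [
    ("open", "/var/app/log/app-1.log"),
    ("open", "/var/app/log/app-2.log"),
    ("open", "/var/app/log/app-3.log"),
    ("connect", "10.0.0.5:5432"),
    ("exec", "/usr/bin/gzip"),
]

def generalize(op, arg):
    # Assumed generalization rule: digit runs collapse to '#', so instances that
    # differ only in a counter or address map to one general operation.
    return (op, re.sub(r"\d+", "#", arg))

class SecurityService:
    """Stand-in for the remote security service (assumption, not the patent's design)."""
    def build(self, observations):
        exact = set(observations)
        support = Counter(generalize(op, arg) for op, arg in exact)
        allow_list = set(support)
        def confidence(instance):
            # Exact replay of a logged instance: the allow-list match is certainly accurate.
            if instance in exact:
                return 1.0
            # Otherwise confidence grows with how many distinct logged instances
            # back the general operation (assumed: 3 distinct instances == full confidence).
            return min(1.0, support[generalize(*instance)] / 3)
        return allow_list, confidence

class Agent:
    def __init__(self):
        self.mode, self.observations = "logging", []
        self.allow_list = self.confidence = self.threshold = None

    def observe(self, op, arg):
        if self.mode == "logging":
            self.observations.append((op, arg))

    def transition_to_blocking(self, service, threshold=0.5):
        self.allow_list, self.confidence = service.build(self.observations)
        self.threshold, self.mode = threshold, "blocking"

    def decide(self, op, arg):
        """Blocking mode: return (allowed, confidence) for one operation instance."""
        if generalize(op, arg) not in self.allow_list:
            return False, 0.0
        conf = self.confidence((op, arg))
        return conf >= self.threshold, conf
```

An unseen log file name is admitted because three distinct instances support its pattern, while an unseen peer address falls under a pattern with only one supporting instance and is blocked by the confidence gate even though it is in the allow list.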