CPC G06F 21/552 (2013.01) [G06F 18/24 (2023.01); G06F 21/316 (2013.01); G06F 21/6218 (2013.01); G06F 40/242 (2020.01); G06F 40/279 (2020.01); G06F 40/284 (2020.01); G06V 10/56 (2022.01); G06V 10/764 (2022.01); G06V 10/776 (2022.01); G06V 40/20 (2022.01); H04L 43/045 (2013.01); H04L 63/1416 (2013.01); H04L 63/1425 (2013.01); G06F 40/205 (2020.01)] | 11 Claims |
1. A method for flagging suspicious file access behavior, the method comprising:
calculating, by a processing resource, a file access metric based at least in part on a first file access path, a second file access path, and a third file access path, wherein
the first file access path, the second file access path, and the third file access path each indicate respective file access attempts performed using an endpoint device;
the file access metric is a file access variance indicating a variance across at least the first file access path, the second file access path, and the third file access path; and wherein an increase in the value of the file access metric indicates a greater likelihood that the endpoint device has been used for malicious file accesses;
calculating the file access metric includes calculating: a first distance between the first file access path and the second file access path, a second distance between the first file access path and the third file access path, a third distance between the second file access path and the third file access path; and
calculating the first distance includes: calculating a first root distance between a root and a file indicated in the first file access path, calculating a second root distance between the root and a file indicated in the second file access path, calculating a third root distance between the root and a farthest common ancestor in both the first file access path and the second file access path, and combining the first root distance, the second root distance, and the third root distance to yield the first distance.
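The following is an added illustration of the computation claim 1 describes; it is not code from the patent or its assignee. The claim says only that the three root distances are "combined"; the standard tree metric depth(a) + depth(b) - 2 * depth(farthest common ancestor) is assumed here. The file access variance is taken to be the population variance of the pairwise distances among the access paths, the suspicion threshold is arbitrary, and the sample paths are constructed for the example.

```python
"""Pairwise tree distance between accessed file paths and a variance over those distances.

Added example illustrating the claim language (not the patent's own code).
Assumptions: POSIX paths; tree distance = depth(a) + depth(b) - 2*depth(lca);
the access metric is the population variance of the pairwise distances.
"""
from itertools import combinations
from statistics import pvariance


def _components(path: str) -> tuple[str, ...]:
    """Split a POSIX path into its components below the root.

    Empty and '.' components are dropped, so '/etc//passwd' and 'etc/./passwd'
    both map to ('etc', 'passwd').  '..' is not resolved (assumption: paths
    arrive already normalised by the endpoint agent).
    """
    return tuple(p for p in path.split("/") if p not in ("", "."))


def root_distance(path: str) -> int:
    """Edges from the root to the file named by `path` (the claim's 'root distance')."""
    return len(_components(path))


def farthest_common_ancestor_depth(a: str, b: str) -> int:
    """Depth of the deepest directory shared by both paths; 0 when only '/' is shared."""
    depth = 0
    for x, y in zip(_components(a), _components(b)):
        if x != y:
            break
        depth += 1
    return depth


def path_distance(a: str, b: str) -> int:
    """Tree distance between two files: edges a -> ancestor plus edges ancestor -> b."""
    return root_distance(a) + root_distance(b) - 2 * farthest_common_ancestor_depth(a, b)


def pairwise_distances(paths: list[str]) -> list[int]:
    """The first, second, third, ... distances of the claim, one per unordered pair."""
    return [path_distance(a, b) for a, b in combinations(paths, 2)]


def file_access_variance(paths: list[str]) -> float:
    """Variance across at least three access paths (assumed: variance of pairwise distances)."""
    if len(paths) < 3:
        raise ValueError("need at least three file access paths")
    return pvariance(pairwise_distances(paths))


def is_suspicious(paths: list[str], threshold: float) -> bool:
    """Higher metric means greater likelihood of malicious access; threshold is arbitrary."""
    return file_access_variance(paths) > threshold


# Constructed sample access paths (not from the patent).
BENIGN = [
    "/home/alice/proj/src/main.c",
    "/home/alice/proj/src/util.c",
    "/home/alice/proj/README",
]
SUSPICIOUS = [
    "/home/alice/.ssh/id_rsa",
    "/etc/shadow",
    "/var/log/auth.log",
]

if __name__ == "__main__":
    for label, paths in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, pairwise_distances(paths), round(file_access_variance(paths), 4),
              is_suspicious(paths, threshold=0.5))
```

The benign set yields pairwise distances [2, 3, 3] (all three files sit under one project directory), while the suspicious set yields [6, 7, 5] because the only shared ancestor is the root; the variance rises from 2/9 to 2/3. In practice the threshold would be calibrated per endpoint against a baseline window of access paths rather than fixed.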