US 12,445,464 B2
Threshold based detection
Steven Sinks, Scottsdale, AZ (US); Brian Devine, Austin, TX (US); Jonathan Sheedy, Poynton (GB); Matthew Findley, Severna Park, MD (US); Jared Wilson, Charlotte, NC (US); Joshua Jenkins, Charlotte, SC (US); and Donald Hess, Charlotte, NC (US)
Assigned to Bank of America Corporation, Charlotte, NC (US)
Filed by Bank of America Corporation, Charlotte, NC (US)
Filed on Jun. 5, 2023, as Appl. No. 18/205,798.
Prior Publication US 2024/0406191 A1, Dec. 5, 2024
Int. Cl. H04L 9/00 (2022.01); H04L 9/40 (2022.01)
CPC H04L 63/1416 (2013.01) [H04L 63/145 (2013.01); H04L 63/20 (2013.01)] 2 Claims
1. A method for detecting security threats in a networked computing environment, comprising:
monitoring, by a threat detection system executing on a computing device within the networked computing environment, process actions of the computing device to identify an indication of a security threat to operation of the computing device, wherein the process actions include system-level operations initiated by software processes running on an operating system of the computing device;
analyzing, by the threat detection system, the monitored process actions to determine a type and a number of process calls to application programming interface functions, wherein the type includes a specific identifier of each application programming interface function called and the number represents a total count of calls to each identified application programming interface function over a predefined time period;
tracking, by the threat detection system, a frequency of directory change operations initiated by the process calls to the application programming interface functions, wherein the directory change operations modify a working directory of a process executing on the computing device, and wherein the frequency is calculated as a rate of directory change operations per unit of time based on timestamps associated with each operation;
analyzing, by the threat detection system, the monitored process actions to determine a type and a number of process calls to registry key functions and application programming interface functions, wherein the type of registry key functions includes specific registry key access operations and the number represents a total count of such operations over the predefined time period;
analyzing, by the threat detection system, the monitored process actions to determine a type and a number of process calls to registry key functions, application programming interface functions, and executable binaries, wherein the type of executable binaries includes identifiers of executable files launched and the number represents a total count of launches over the predefined time period;
generating, by the threat detection system, a threat score based on the type and the number of process calls to the application programming interface functions, the type and the number of process calls to the registry key functions, the type and the number of process calls to the executable binaries, and the frequency of directory change operations exceeding a predefined directory change threshold, wherein generating the threat score is performed by executing a machine learning model using at least the monitored process actions as inputs to generate an output, wherein the machine learning model is trained on historical data of benign and malicious process actions to assign weighted values to each determined type and number of process calls and the frequency of directory change operations;
comparing, by the threat detection system, the generated threat score to a predefined threat threshold, wherein the predefined threat threshold is a numerical value established based on historical threat detection data specific to the networked computing environment;
responsive to determining that the generated threat score meets or exceeds the predefined threat threshold, generating, by the threat detection system, a warning message indicating the security threat, wherein the warning message includes a description of the detected threat, an identifier of the computing device, and a timestamp of detection;
responsive to determining that the generated threat score meets or exceeds the predefined threat threshold, restricting, by the threat detection system, network connectivity of the computing device to prevent lateral movement of the security threat within the networked computing environment, wherein restricting network connectivity includes blocking outbound network traffic from the computing device to other devices in the networked computing environment;
responsive to determining that the generated threat score meets or exceeds the predefined threat threshold, disabling, by the threat detection system, a user account associated with the computing device, wherein disabling the user account includes revoking authentication credentials of the user account within an active directory of the networked computing environment;
quarantining, by the threat detection system, the computing device from a network connection based on the indication of the security threat, wherein quarantining includes isolating the computing device to a restricted network segment that prohibits communication with operational systems in the networked computing environment; and
automatically initiating, by the threat detection system, a threat remediation process for the computing device, wherein the threat remediation process includes executing an antivirus scan on the computing device and reviewing a log of user account activities from a time prior to detection of the security threat to identify a source of the security threat.
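As an added illustration that is not code from the patent, the steps of claim 1 reduced to a small Python detector over constructed process-action events: it counts API, registry-key and binary calls by identifier, derives a directory-change rate from the operations' timestamps, substitutes fixed weights for the trained model, and on meeting the threat threshold emits the warning message and lists the claimed responses. All identifiers, weights and thresholds below are assumptions.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample telemetry: (timestamp in seconds, kind, identifier). kind is
# "api" (API function), "reg" (registry key operation), "exe" (binary launched)
# or "chdir" (working-directory change). Names and values are assumptions.
SAMPLE_ACTIONS = [
    (0.0, "api", "CreateRemoteThread"), (0.5, "api", "WriteProcessMemory"),
    (1.0, "reg", "SetValue:Run"), (1.5, "exe", "powershell.exe"),
    (2.0, "chdir", "C:\\Users"), (2.2, "chdir", "C:\\Users\\a"),
    (2.4, "chdir", "C:\\Users\\b"), (2.6, "chdir", "C:\\Users\\c"),
    (3.0, "api", "CreateRemoteThread"), (4.0, "exe", "powershell.exe"),
]
CHDIR_THRESHOLD = 1.0     # directory changes per second (assumed)
THREAT_THRESHOLD = 15.0   # numeric threshold for the environment (assumed)
# Fixed weights stand in for the values a trained model would learn.
WEIGHTS = {"api:CreateRemoteThread": 3.0, "api:WriteProcessMemory": 4.0,
           "reg:SetValue:Run": 5.0, "exe:powershell.exe": 1.0, "chdir_burst": 4.0}

def extract_features(actions):
    """Type and count of API/registry/binary calls, plus the chdir rate."""
    counts = Counter(f"{k}:{n}" for _, k, n in actions if k != "chdir")
    ts = sorted(t for t, k, _ in actions if k == "chdir")
    # Rate from the operations' own timestamps; a one-second floor keeps a
    # single operation from dividing by zero.
    rate = len(ts) / max(ts[-1] - ts[0], 1.0) if ts else 0.0
    return counts, rate

def threat_score(counts, chdir_rate):
    """Weighted sum over the features; the directory-change term only
    contributes once the rate exceeds its own threshold."""
    score = sum(WEIGHTS.get(key, 0.0) * n for key, n in counts.items())
    if chdir_rate > CHDIR_THRESHOLD:
        score += WEIGHTS["chdir_burst"]
    return score

def evaluate(actions, device_id, now=None):
    """Compare the score with the threshold and list the claimed responses."""
    counts, rate = extract_features(actions)
    score = threat_score(counts, rate)
    if score < THREAT_THRESHOLD:
        return {"score": score, "alert": False, "responses": []}
    now = now or datetime.now(timezone.utc)
    message = {"description": f"score {score:.1f} >= {THREAT_THRESHOLD}; "
                              f"top indicators {counts.most_common(2)}",
               "device": device_id, "timestamp": now.isoformat()}
    return {"score": score, "alert": True, "message": message,
            "responses": ["block_outbound_traffic", "disable_user_account",
                          "quarantine_restricted_segment",
                          "av_scan_and_review_account_log"]}
```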