| CPC H04L 63/1425 (2013.01) [H04L 63/1416 (2013.01); H04L 63/145 (2013.01)] | 20 Claims | 

| 
1. A system comprising:
  a processor; and
  a memory device that stores program code executable by the processor, the program code comprising:
    a machine learning (ML) model configured to:
      receive a network session record, the network session record indicative of a network event associated with a network session in a computing network, the network event occurring at a first timestamp; and
      generate an indication of whether the network session record evidences malware activity;
    a correlation score calculator configured to, in response to an indication by the ML model that the network session record evidences malware activity:
      calculate a first correlation score indicative of a correlation between the network session record and a first process session record, the first process session record indicative of a first process creation event with respect to a first resource of the computing network at a second timestamp, the first correlation score indicative of a proximity of the first timestamp to the second timestamp; and
    a malware activity alert generator configured to:
      determine the first correlation score indicates the first process session record is indicative of the evidenced malware activity; and
      generate a malware activity alert in response to the determination that the first correlation score indicates the first process session record is indicative of the evidenced malware activity.
                   |
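
An added illustration of the correlation and alerting steps of claim 1, not code from the patent. The claim only requires that the score reflect the proximity of the two timestamps, so the exponential decay, the 30-second constant, the 0.5 threshold, and all record, field and function names below are assumptions; the ML model's indication is taken as an input field rather than computed.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class NetworkSession:
    session_id: str
    timestamp: float   # "first timestamp" of the network event (epoch seconds)
    ml_flagged: bool   # indication from the ML model, supplied as input here

@dataclass(frozen=True)
class ProcessSession:
    resource: str
    process: str
    timestamp: float   # "second timestamp" of the process creation event

TAU_SECONDS = 30.0     # assumed decay constant, not from the claim
ALERT_THRESHOLD = 0.5  # assumed cut-off, not from the claim

def correlation_score(net, proc, tau=TAU_SECONDS):
    """Return 1.0 for simultaneous events, decaying toward 0 as the gap grows."""
    return math.exp(-abs(net.timestamp - proc.timestamp) / tau)

def generate_alerts(net, procs, threshold=ALERT_THRESHOLD):
    """Score process records only when the ML model flagged the session."""
    if not net.ml_flagged:
        return []  # the calculator runs only in response to an ML indication
    alerts = []
    for proc in procs:
        score = correlation_score(net, proc)
        if score >= threshold:
            alerts.append({"session": net.session_id, "resource": proc.resource,
                           "process": proc.process, "score": round(score, 3)})
    # Closest-in-time process creation first, for analyst triage.
    return sorted(alerts, key=lambda a: a["score"], reverse=True)

# Constructed sample records (not real telemetry).
FLAGGED = NetworkSession("net-001", 1000.0, True)
BENIGN = NetworkSession("net-002", 1000.0, False)
PROCS = [
    ProcessSession("host-a", "updater.exe", 995.0),   # 5 s before the event
    ProcessSession("host-a", "backup.exe", 1100.0),   # 100 s after the event
    ProcessSession("host-b", "helper.exe", 1015.0),   # 15 s after the event
]

if __name__ == "__main__":
    for alert in generate_alerts(FLAGGED, PROCS):
        print(alert)
```
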