| CPC G06F 21/554 (2013.01) [G06F 21/60 (2013.01); G06N 20/00 (2019.01); G06F 2221/034 (2013.01)] | 18 Claims |

1. A method for detecting threats in a computing device that includes an operating system, the method comprising:
collecting data corresponding to a flow of the device, the flow including one or more data points corresponding to a behavior of the device;
organizing the collected data into pair data, wherein the pair data includes a process identifier and an action;
generating time series data from the pair data;
extracting features from the time series data;
inputting the features extracted from the time series data into time series models, wherein the time series models are configured to generate a predicted value for the features and each of the time series models corresponds to a feature;
determining residuals for each of the features by comparing the predicted values with actual values of the features;
inputting the residuals to a machine learning model to generate an output, wherein the output is a probability a threat is occurring, wherein the machine learning model is configured to identify anomalous device behavior in the device and wherein the machine learning model is trained using data corresponding to normal device behavior;
identifying, using the process identifiers, one or more processes that contributed to the probability; and
stopping at least one process of the one or more processes that contributed to the probability when the output indicates a threat based on the detected anomalous device behavior.
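The claim describes a pipeline rather than a particular model, so the following is an added illustration of that pipeline end to end; it is constructed for this page and is not code from the patent or its assignee. The flow events, process identifiers (100, 200, 300) and action names are made up, the per-feature "time series model" is an exponential moving average forecast, and the "machine learning model trained on normal behavior" is a Gaussian z-score model fitted on residuals from known-normal windows. Both model choices are assumptions standing in for whatever the patent's implementation uses; the stop decision is returned as a set of process identifiers instead of terminating anything.

```python
"""Added example (not the patent's code): claim 1 pipeline in miniature.

Stages map to claim elements: flow events -> pair data (pid, action) ->
per-feature time series -> per-feature forecast and residual -> anomaly model
fitted on normal windows -> threat probability -> attribution by pid ->
set of processes to stop.
"""
from collections import defaultdict
import math

FEATURES = ("file_write", "net_connect")
N_TRAIN = 10  # windows 0..9 are treated as known-normal training data

def build_events():
    """Constructed flow data: (window, pid, action). pid 300 only appears in window 10."""
    fw = [3, 4, 3, 3, 4, 3, 4, 3, 3, 4]
    nc = [2, 2, 3, 2, 2, 3, 2, 2, 2, 3]
    events = []
    for w in range(N_TRAIN):
        events += [(w, 100, "file_write")] * fw[w]
        events += [(w, 200, "net_connect")] * nc[w]
    events += [(10, 100, "file_write")] * 3 + [(10, 200, "net_connect")] * 2
    events += [(10, 300, "file_write")] * 25 + [(10, 300, "net_connect")] * 1
    return events

def pair_data(events, n_windows):
    """Pair data: per window, a count for each (pid, action) pair."""
    counts = [defaultdict(int) for _ in range(n_windows)]
    for w, pid, action in events:
        counts[w][(pid, action)] += 1
    return counts

def feature_series(counts):
    """Time series per feature: device-wide count of each action per window."""
    return {f: [sum(c for (_, a), c in win.items() if a == f) for win in counts]
            for f in FEATURES}

def ema_forecast(history, alpha=0.5):
    """Assumed stand-in for the per-feature time series model: an EMA forecast."""
    level = history[0]
    for x in history[1:]:
        level = alpha * x + (1 - alpha) * level
    return level

def residual_vector(series, t):
    """Residual at window t for every feature: actual minus forecast from windows < t."""
    return {f: series[f][t] - ema_forecast(series[f][:t]) for f in FEATURES}

class ResidualModel:
    """Assumed stand-in for the ML model: Gaussian z-scores of residuals, fitted on normal data."""
    def __init__(self, margin=3.0, feature_z=3.0):
        self.margin, self.feature_z = margin, feature_z

    def fit(self, residual_vectors):
        self.mean, self.std = {}, {}
        for f in FEATURES:
            rs = [rv[f] for rv in residual_vectors]
            m = sum(rs) / len(rs)
            self.mean[f] = m
            self.std[f] = max(math.sqrt(sum((r - m) ** 2 for r in rs) / len(rs)), 1e-9)
        # decision threshold: worst normal training window plus a margin
        self.threshold = max(self.score(rv) for rv in residual_vectors) + self.margin
        return self

    def zscores(self, rv):
        return {f: (rv[f] - self.mean[f]) / self.std[f] for f in FEATURES}

    def score(self, rv):
        return math.sqrt(sum(z * z for z in self.zscores(rv).values()))

    def predict_proba(self, rv):
        """Probability a threat is occurring: logistic of distance beyond the threshold."""
        return 1.0 / (1.0 + math.exp(-(self.score(rv) - self.threshold)))

    def flagged_features(self, rv):
        return [f for f, z in self.zscores(rv).items() if z > self.feature_z]

def attribute(counts, t, features, n_train):
    """Excess activity per pid on the flagged features, relative to that pid's own normal mean."""
    excess = defaultdict(float)
    for pid in {pid for (pid, _) in counts[t]}:
        for f in features:
            base = sum(counts[w].get((pid, f), 0) for w in range(n_train)) / n_train
            excess[pid] += max(0.0, counts[t].get((pid, f), 0) - base)
    return dict(excess)

def analyze_window(counts, model, t, n_train=N_TRAIN, p_threat=0.5, share=0.5):
    """Return (probability, per-pid excess, pids to stop) for window t."""
    rv = residual_vector(feature_series(counts), t)
    p = model.predict_proba(rv)
    if p < p_threat:
        return p, {}, set()
    excess = attribute(counts, t, model.flagged_features(rv), n_train)
    total = sum(excess.values()) or 1.0
    return p, excess, {pid for pid, e in excess.items() if e / total >= share}

def demo():
    counts = pair_data(build_events(), N_TRAIN + 1)
    series = feature_series(counts)
    model = ResidualModel().fit([residual_vector(series, t) for t in range(1, N_TRAIN)])
    return {"normal": analyze_window(counts, model, 9),
            "suspect": analyze_window(counts, model, 10)}

if __name__ == "__main__":
    for name, (p, excess, stop) in demo().items():
        print(f"{name}: p={p:.3f} excess={excess} stop={sorted(stop)}")
```

Two design points carry over to a real deployment. The forecasting and anomaly stages work on device-wide feature counts, so a single long-lived process with a slow drift and a brand-new process with a burst look the same to the probability; it is the retained pair data, keyed by process identifier, that lets the attribution step separate the process whose activity departed from its own baseline from processes that merely share the same action type. The decision threshold here is set from the worst training window plus a margin, which is only sound if the training windows really are clean; a contaminated baseline raises the threshold and hides the behaviour it was trained on.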