CPC G06Q 10/0635 (2013.01) [G06F 9/542 (2013.01); G06F 11/079 (2013.01); G06F 16/955 (2019.01); G06F 17/18 (2013.01); G06F 18/214 (2023.01); G06F 18/2178 (2023.01); G06F 18/23213 (2023.01); G06F 18/24143 (2023.01); G06F 21/554 (2013.01); G06F 21/56 (2013.01); G06F 21/562 (2013.01); G06F 21/565 (2013.01); G06N 5/01 (2023.01); G06N 5/022 (2013.01); G06N 5/04 (2013.01); G06N 5/046 (2013.01); G06N 7/00 (2013.01); G06N 20/00 (2019.01); G06N 20/20 (2019.01); G06Q 10/06395 (2013.01); G06V 20/52 (2022.01); H04L 63/0227 (2013.01); H04L 63/0263 (2013.01); H04L 63/1408 (2013.01); H04L 63/1416 (2013.01); H04L 63/1425 (2013.01); H04L 63/1433 (2013.01); H04L 63/1441 (2013.01); H04L 63/20 (2013.01); G06Q 30/0185 (2013.01); G06Q 30/0283 (2013.01)] | 19 Claims |
1. A computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:
providing a model for evaluating a likelihood that a threat sample is at least one of safe or malicious based on a training set of known threat samples;
identifying a new threat sample exceeding predetermined likelihood of being malicious according to the model;
identifying one or more relevant features of the new threat sample associated with an inference of malicious code using a random forest over human-interpretable features of the training set of known threat samples;
identifying similar threat samples including one or more safe threat samples similar to the new threat sample and one or more malicious threat samples similar to the new threat sample based on a supervised learning algorithm;
presenting a description of the new threat sample, the one or more relevant features, the similar threat samples, and a graphical map of a feature composition of the new threat sample and the similar threat samples in a user interface; and
receiving user input through the user interface categorizing the new threat sample as safe, unsafe, or undetermined.
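The steps of claim 1 as a runnable sketch, added here as an illustration and not taken from the patent or any product it covers: a small random forest of one-split trees over human-interpretable features gives the likelihood, the gain of the stumps that fire on the new sample ranks its relevant features, a supervised k-nearest-neighbour search finds the closest safe and malicious known samples, and the result is assembled into the record an analyst would label. The feature vocabulary, training rows, forest size and threshold are all constructed for the example.

```python
import random
from collections import Counter

# Constructed feature vocabulary (bit i of a sample = feature i) and a constructed
# training set of known samples: (feature bits, label), 1 = malicious, 0 = safe.
FEATURES = ["packed", "high_entropy", "valid_signature", "remote_thread", "autorun_key", "net_beacon"]
TRAIN = [((1, 1, 0, 1, 1, 1), 1), ((1, 1, 0, 0, 1, 1), 1), ((0, 1, 0, 1, 0, 1), 1), ((1, 0, 0, 1, 1, 0), 1),
         ((0, 0, 1, 0, 0, 0), 0), ((1, 0, 1, 0, 0, 1), 0), ((0, 0, 1, 0, 1, 0), 0), ((0, 1, 1, 0, 0, 0), 0)]

def gini(labels):  # impurity of a non-empty label list
    return 1.0 - sum((c / len(labels)) ** 2 for c in Counter(labels).values())
def best_stump(rows, feats):
    """Among the candidate features, pick the 0/1 split with the largest Gini gain."""
    parent, best = gini([y for _, y in rows]), (0.0, None, None)
    for f in feats:
        left, right = [y for x, y in rows if x[f] == 0], [y for x, y in rows if x[f] == 1]
        if not left or not right: continue  # feature is constant in this bootstrap
        gain = parent - (len(left) * gini(left) + len(right) * gini(right)) / len(rows)
        if gain > best[0]:  # leaves = majority label on the 0-side and on the 1-side
            best = (gain, f, (Counter(left).most_common(1)[0][0], Counter(right).most_common(1)[0][0]))
    return best
def train_forest(rows, n_trees=25, seed=7):
    """Random forest of one-split trees: bootstrap the rows, random feature subset per tree."""
    rng, forest = random.Random(seed), []
    for _ in range(n_trees):
        boot = [rng.choice(rows) for _ in rows]
        gain, f, leaves = best_stump(boot, rng.sample(range(len(FEATURES)), 3))
        if f is not None:
            forest.append((gain, f, leaves))
    return forest
def likelihood(forest, x):
    return sum(leaves[x[f]] for _, f, leaves in forest) / len(forest)  # share of trees voting malicious
def relevant_features(forest, x):
    """Features whose stumps push x toward malicious, ranked by summed split gain."""
    score = Counter()
    for gain, f, leaves in forest:
        if leaves[x[f]] == 1:
            score[FEATURES[f]] += gain
    return [name for name, _ in score.most_common()]
def similar(rows, x, label, k=2):
    """k nearest known samples with the given label by Hamming distance (supervised k-NN)."""
    same = [r for r, y in rows if y == label]
    return sorted(same, key=lambda r: sum(a != b for a, b in zip(r, x)))[:k]
def triage(forest, rows, x, threshold=0.6):
    """Analyst record for a new sample whose likelihood reaches the threshold, else None."""
    p = likelihood(forest, x)
    if p < threshold: return None
    return {"likelihood": p, "features": relevant_features(forest, x), "composition": dict(zip(FEATURES, x)),
            "similar_safe": similar(rows, x, 0), "similar_malicious": similar(rows, x, 1)}
```

The "composition" entry is the data behind the claim's feature map, and the returned record is what the user interface would display before the analyst marks the sample safe, unsafe or undetermined.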