CPC H04L 63/1416 (2013.01) [G06N 3/04 (2013.01); G06N 3/08 (2013.01)] | 21 Claims
1. A method to detect anomalous behavior in a computing system, comprising:
receiving a semi-directed temporal graph derived from system-generated events;
deriving from the semi-directed temporal graph one or more process-centric subgraphs, wherein a process-centric subgraph comprises one or more system-generated events associated with a given process;
identifying from the one or more process-centric subgraphs one or more atomic operations, wherein an atomic operation comprises a set of system-generated events common to more than one process-centric subgraph;
modifying the semi-directed temporal graph by replacing edges in the semi-directed temporal graph with the one or more identified atomic operations while leaving nodes in the semi-directed temporal graph unchanged; and
training a machine learning model using the modified semi-directed temporal graph.
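
A simplified sketch of the graph-rewriting steps in claim 1, added here as an illustration; it is not code from the patent or its applicant. It assumes an atomic operation is a contiguous run of `n` identical (action, object) events seen under more than one process, ignores edge direction, and stops before the training step; the event tuples and all function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample events: (timestamp, process, action, object)
EVENTS = [
    (1, "p1", "open", "libc.so"), (2, "p1", "mmap", "libc.so"),
    (3, "p1", "close", "libc.so"), (4, "p1", "write", "/tmp/a"),
    (5, "p2", "open", "libc.so"), (6, "p2", "mmap", "libc.so"),
    (7, "p2", "close", "libc.so"), (8, "p2", "connect", "10.0.0.5:443"),
]

def nodes(edges):
    """Node set of the graph: every process and every object touched."""
    return {e[1] for e in edges} | {e[3] for e in edges}

def process_subgraphs(events):
    """Process-centric subgraphs: each process's edges in time order."""
    subs = defaultdict(list)
    for ev in sorted(events):
        subs[ev[1]].append(ev)
    return dict(subs)

def find_atomic_ops(subs, n=3):
    """Label n-grams (assumed definition) present in more than one subgraph."""
    seen = defaultdict(set)
    for proc, evs in subs.items():
        labels = [(a, o) for _, _, a, o in evs]
        for i in range(len(labels) - n + 1):
            seen[tuple(labels[i:i + n])].add(proc)
    return {gram for gram, procs in seen.items() if len(procs) > 1}

def rewrite_edges(subs, atomic_ops, n=3):
    """Replace each matching run of edges with atomic-op edges; nodes stay."""
    names = {gram: f"AO{i}" for i, gram in enumerate(sorted(atomic_ops))}
    out = []
    for proc, evs in subs.items():
        i = 0
        while i < len(evs):
            gram = tuple((a, o) for _, _, a, o in evs[i:i + n])
            if gram in names:
                # One edge per distinct object so no node loses its link.
                for obj in sorted({o for _, o in gram}):
                    out.append((evs[i][0], proc, names[gram], obj))
                i += n
            else:
                out.append(evs[i])
                i += 1
    return sorted(out)
```

The rewritten edge list is the input a model would be trained on in the final step; the shared library-load sequence collapses to a single `AO0` edge per process, leaving the process-specific `write` and `connect` edges to stand out.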