US-12619717-B2 - Systems and methods for detecting malicious activity using a machine learning model tuned to a specific endpoint device

Abstract

Disclosed herein are systems and methods for detecting malicious activity using a tuned machine learning model. In one aspect, a method includes receiving a plurality of logs indicative of software behavior from a plurality of endpoint devices and generating a plurality of event sequences from the plurality of logs. The method includes training a global machine learning model using the plurality of event sequences to predict resultant events for a sequence of lead-up events and classify whether the resultant events indicate malicious activity. The method includes, for each respective endpoint device of the plurality of endpoint devices, generating a testing dataset comprising a plurality of benign event sequences that occurred on the respective endpoint device. The method includes generating a tuned machine learning model for the respective endpoint device by retraining the global machine learning model using the testing dataset. The method includes executing the tuned machine learning model.

Inventors

  • Candid Wüest
  • Philipp Gysel
  • Dinil Mon DIVAKARAN
  • Andrey USTYUZHANIN
  • Kenneth Nwafor
  • Serg Bell
  • Stanislav Protasov

Assignees

  • ACRONIS INTERNATIONAL GMBH

Dates

Publication Date
20260505
Application Date
20231217

Claims (19)

  1. A method for detecting malicious activity using a tuned machine learning model, the method comprising: receiving a plurality of logs indicative of software behavior from a plurality of endpoint devices; generating a plurality of event sequences from the plurality of logs, wherein a subset of the plurality of event sequences comprises malicious events that occurred over the plurality of endpoint devices, wherein each respective sequence of the plurality of event sequences comprises a first plurality of lead up events and a second plurality of resultant events; training a global machine learning model using the plurality of event sequences to predict the second plurality of resultant events based on the first plurality of lead up events and classify whether the resultant events indicate malicious activity, wherein training the global machine learning model comprises: masking, for each respective sequence of the plurality of event sequences, the second plurality of resultant events; and adjusting parameters of the global machine learning model to output the second plurality of resultant events for an input comprising the first plurality of lead up events; and for each respective endpoint device of the plurality of endpoint devices: generating, using logs specific to the respective endpoint device from the plurality of logs, a testing dataset comprising a plurality of benign event sequences that occurred on the respective endpoint device; generating a tuned machine learning model for the respective endpoint device by retraining the global machine learning model using the testing dataset; and executing the tuned machine learning model on the respective endpoint device to detect malicious activity.
  2. The method of claim 1, wherein retraining the global machine learning model comprises: determining that a benign event sequence of the plurality of benign event sequences is incorrectly classified by the global machine learning model as indicative of malicious activity; and adjusting parameters of the global machine learning model such that the benign event sequence is correctly classified by the global machine learning model as indicative of benign activity, wherein the tuned machine learning model is the global machine learning model with adjusted parameters.
  3. The method of claim 1, wherein generating the testing dataset comprises including, in the testing dataset, a plurality of malicious event sequences originating from the plurality of endpoint devices aside from the respective endpoint device.
  4. The method of claim 3, wherein generating the testing dataset comprises applying a boosting algorithm on one or both of the plurality of benign event sequences and the plurality of malicious event sequences.
  5. The method of claim 1, wherein each benign event sequence of the plurality of benign event sequences comprises at least one object not found in the plurality of endpoint devices aside from the respective endpoint device.
  6. The method of claim 1, further comprising detecting the malicious activity by applying the tuned machine learning model on an input sequence of events of the respective endpoint device.
  7. The method of claim 1, wherein a first tuned machine learning model for a first endpoint device of the plurality of endpoint devices has different parameters than a second tuned machine learning model for a second endpoint device of the plurality of endpoint devices.
  8. The method of claim 1, wherein generating the plurality of event sequences comprises: generating, based on the plurality of logs, a plurality of provenance graphs that each represent relationships between different types of data objects on an endpoint device by linking a plurality of data objects by a plurality of actions; detecting a plurality of trigger actions in the plurality of provenance graphs; and generating, for each respective trigger action of the plurality of trigger actions, an event sequence that contributed to an occurrence of the respective trigger action.
  9. The method of claim 8, wherein generating a respective provenance graph of the plurality of provenance graphs comprises: identifying, in a first log, a source object, an action performed by the source object, and a target object on which the action was performed; and linking, on the respective provenance graph, a first identifier of the source object, a second identifier of the action, and a third identifier of the target object.
  10. A system for detecting malicious activity using a tuned machine learning model, comprising: at least one memory; and at least one hardware processor coupled with the at least one memory and configured, individually or in combination, to: receive a plurality of logs indicative of software behavior from a plurality of endpoint devices; generate a plurality of event sequences from the plurality of logs, wherein a subset of the plurality of event sequences comprises malicious events that occurred over the plurality of endpoint devices, wherein each respective sequence of the plurality of event sequences comprises a first plurality of lead up events and a second plurality of resultant events; train a global machine learning model using the plurality of event sequences to predict the second plurality of resultant events based on the first plurality of lead up events and classify whether the resultant events indicate malicious activity, wherein training the global machine learning model comprises: masking, for each respective sequence of the plurality of event sequences, the second plurality of resultant events; and adjusting parameters of the global machine learning model to output the second plurality of resultant events for an input comprising the first plurality of lead up events; and for each respective endpoint device of the plurality of endpoint devices: generate, using logs specific to the respective endpoint device from the plurality of logs, a testing dataset comprising a plurality of benign event sequences that occurred on the respective endpoint device; generate a tuned machine learning model for the respective endpoint device by retraining the global machine learning model using the testing dataset; and execute the tuned machine learning model on the respective endpoint device to detect malicious activity.
  11. The system of claim 10, wherein the at least one hardware processor is configured to retrain the global machine learning model by: determining that a benign event sequence of the plurality of benign event sequences is incorrectly classified by the global machine learning model as indicative of malicious activity; and adjusting parameters of the global machine learning model such that the benign event sequence is correctly classified by the global machine learning model as indicative of benign activity, wherein the tuned machine learning model is the global machine learning model with adjusted parameters.
  12. The system of claim 10, wherein the at least one hardware processor is configured to generate the testing dataset by including, in the testing dataset, a plurality of malicious event sequences originating from the plurality of endpoint devices aside from the respective endpoint device.
  13. The system of claim 12, wherein the at least one hardware processor is configured to generate the testing dataset by applying a boosting algorithm on one or both of the plurality of benign event sequences and the plurality of malicious event sequences.
  14. The system of claim 10, wherein each benign event sequence of the plurality of benign event sequences comprises at least one object not found in the plurality of endpoint devices aside from the respective endpoint device.
  15. The system of claim 10, wherein the at least one hardware processor is configured to detect the malicious activity by applying the tuned machine learning model on an input sequence of events of the respective endpoint device.
  16. The system of claim 10, wherein a first tuned machine learning model for a first endpoint device of the plurality of endpoint devices has different parameters than a second tuned machine learning model for a second endpoint device of the plurality of endpoint devices.
  17. The system of claim 10, wherein the at least one hardware processor is configured to generate the plurality of event sequences by: generating, based on the plurality of logs, a plurality of provenance graphs that each represent relationships between different types of data objects on an endpoint device by linking a plurality of data objects by a plurality of actions; detecting a plurality of trigger actions in the plurality of provenance graphs; and generating, for each respective trigger action of the plurality of trigger actions, an event sequence that contributed to an occurrence of the respective trigger action.
  18. The system of claim 17, wherein the at least one hardware processor is configured to generate a respective provenance graph of the plurality of provenance graphs by: identifying, in a first log, a source object, an action performed by the source object, and a target object on which the action was performed; and linking, on the respective provenance graph, a first identifier of the source object, a second identifier of the action, and a third identifier of the target object.
  19. A non-transitory computer readable medium storing thereon computer executable instructions for detecting malicious activity using a tuned machine learning model, including instructions for: receiving a plurality of logs indicative of software behavior from a plurality of endpoint devices; generating a plurality of event sequences from the plurality of logs, wherein a subset of the plurality of event sequences comprises malicious events that occurred over the plurality of endpoint devices, wherein each respective sequence of the plurality of event sequences comprises a first plurality of lead up events and a second plurality of resultant events; training a global machine learning model using the plurality of event sequences to predict the second plurality of resultant events based on the first plurality of lead up events and classify whether the resultant events indicate malicious activity, wherein training the global machine learning model comprises: masking, for each respective sequence of the plurality of event sequences, the second plurality of resultant events; and adjusting parameters of the global machine learning model to output the second plurality of resultant events for an input comprising the first plurality of lead up events; and for each respective endpoint device of the plurality of endpoint devices: generating, using logs specific to the respective endpoint device from the plurality of logs, a testing dataset comprising a plurality of benign event sequences that occurred on the respective endpoint device; generating a tuned machine learning model for the respective endpoint device by retraining the global machine learning model using the testing dataset; and executing the tuned machine learning model on the respective endpoint device to detect malicious activity.
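Claims 8 and 9 describe building a provenance graph from logs, spotting trigger actions, and emitting the event sequence that led to each trigger. The following is an added illustration, not the patent's or Acronis's code: the four-field log format, the set of trigger actions, and the treatment of "reads" as data flowing from file into process are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample endpoint logs: "<seq> <source object> <action> <target object>"
SAMPLE_LOGS = [
    "1 outlook.exe writes invoice.docm",
    "2 winword.exe reads invoice.docm",
    "3 winword.exe spawns powershell.exe",
    "4 powershell.exe connects 203.0.113.5:443",
    "5 powershell.exe writes update.exe",
    "6 update.exe spawns update.exe",
    "7 update.exe encrypts report.xlsx",
]
TRIGGER_ACTIONS = {"connects", "encrypts"}  # assumption: actions worth explaining
INFLOW_ACTIONS = {"reads"}                   # assumption: data flows from target into source

def parse_log(line):
    seq, src, action, dst = line.split()
    return int(seq), src, action, dst

def build_provenance_graph(lines):
    """Claim 9: link source identifier, action identifier and target identifier.
    graph[obj] holds (seq, upstream_obj, action) edges whose data feeds obj."""
    graph, events = defaultdict(list), []
    for line in lines:
        seq, src, action, dst = parse_log(line)
        events.append((seq, src, action, dst))
        if action in INFLOW_ACTIONS:
            graph[src].append((seq, dst, action))  # the reader depends on the file read
        else:
            graph[dst].append((seq, src, action))  # the target depends on the actor
    return graph, events

def lead_up_for(graph, events, trigger):
    """Walk provenance backwards from the trigger's source object and collect
    every earlier event on the path, returned in chronological order."""
    trigger_seq, src = trigger[0], trigger[1]
    chosen, frontier, seen = set(), [src], set()
    while frontier:
        obj = frontier.pop()
        if obj in seen:
            continue
        seen.add(obj)
        for seq, upstream, _ in graph.get(obj, []):
            if seq < trigger_seq:
                chosen.add(seq)
                frontier.append(upstream)
    return [e for e in events if e[0] in chosen]

def extract_event_sequences(lines):
    """Claim 8: one (lead-up events, resultant event) pair per trigger action."""
    graph, events = build_provenance_graph(lines)
    return [{"lead_up": lead_up_for(graph, events, ev), "resultant": [ev]}
            for ev in events if ev[2] in TRIGGER_ACTIONS]
```

For the sample logs the "connects" trigger yields lead-up events 1 to 3, while the "encrypts" trigger yields events 1, 2, 3, 5 and 6; the network event 4 is not on the encryption's provenance path and so stays out of that sequence.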

Description

FIELD OF TECHNOLOGY

The present disclosure relates to the field of data security, and, more specifically, to systems and methods for detecting malicious activity using a machine learning model tuned to a specific endpoint device.

BACKGROUND

Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) solutions have several limitations with regard to providing tailored protection based on specific customer needs. This is because these solutions apply one global detection model to all customers, regardless of their local uniqueness. This problem creates a need for a more versatile and customizable detection system capable of continuously analyzing, learning, and adapting to the unique features of individual customer networks while keeping the client's data within its network perimeter, in order to provide more accurate, private, and efficient malware identification and mitigation.

SUMMARY

In one exemplary aspect, the techniques described herein relate to a method for detecting malicious activity using a tuned machine learning model, the method including: receiving a plurality of logs indicative of software behavior from a plurality of endpoint devices; generating a plurality of event sequences from the plurality of logs, wherein a subset of the plurality of event sequences includes malicious events that occurred over the plurality of endpoint devices; training a global machine learning model using the plurality of event sequences to predict resultant events for a sequence of lead up events and classify whether the resultant events indicate malicious activity; and for each respective endpoint device of the plurality of endpoint devices: generating, using logs specific to the respective endpoint device from the plurality of logs, a testing dataset including a plurality of benign event sequences that occurred on the respective endpoint device; generating a tuned machine learning model for the respective endpoint device by retraining the global machine learning model using the testing dataset; and executing the tuned machine learning model on the respective endpoint device to detect malicious activity.

In some aspects, the techniques described herein relate to a method, wherein retraining the global machine learning model includes: determining that a benign event sequence of the plurality of benign event sequences is incorrectly classified by the global machine learning model as indicative of malicious activity; and adjusting parameters of the global machine learning model such that the benign event sequence is correctly classified by the global machine learning model as indicative of benign activity, wherein the tuned machine learning model is the global machine learning model with adjusted parameters.

In some aspects, the techniques described herein relate to a method, wherein generating the testing dataset includes including, in the testing dataset, a plurality of malicious event sequences originating from the plurality of endpoint devices aside from the respective endpoint device.

In some aspects, the techniques described herein relate to a method, wherein generating the testing dataset includes applying a boosting algorithm on one or both of the plurality of benign event sequences and the plurality of malicious event sequences.

In some aspects, the techniques described herein relate to a method, wherein each benign event sequence of the plurality of benign event sequences includes at least one object not found in the plurality of endpoint devices aside from the respective endpoint device.

In some aspects, the techniques described herein relate to a method, further including detecting the malicious activity by applying the tuned machine learning model on an input sequence of events of the respective endpoint device.

In some aspects, the techniques described herein relate to a method, wherein a first tuned machine learning model for a first endpoint device of the plurality of endpoint devices has different parameters than a second tuned machine learning model for a second endpoint device of the plurality of endpoint devices.

In some aspects, the techniques described herein relate to a method, wherein generating the plurality of event sequences includes: generating, based on the plurality of logs, a plurality of provenance graphs that each represent relationships between different types of data objects on an endpoint device by linking a plurality of data objects by a plurality of actions; detecting a plurality of trigger actions in the plurality of provenance graphs; and generating, for each respective trigger action of the plurality of trigger actions, an event sequence that contributed to an occurrence of the respective trigger action.

In some aspects, the techniques described herein relate to a method, wherein each respective sequence of the plurality of event sequences includes a first plurality of lead up events and a second plurality of resultant events, and wherein training the glob
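The summary's core procedure is a global classifier trained on sequences from every endpoint, then retrained per endpoint on a testing dataset of that endpoint's benign sequences plus malicious sequences seen elsewhere, so that a locally benign pattern the global model flags (claim 2) is corrected without losing detections (claim 3), and each endpoint ends up with its own parameters (claim 7). The following is an added example, not the patent's or Acronis's code: the patent names no model family, so a bag-of-actions perceptron stands in for it, and the corpus, endpoint names and action vocabulary are constructed.

```python
from collections import Counter

# Constructed corpus used for the global model: (endpoint, actions, label), 1 = malicious.
GLOBAL_LOGS = [
    ("ep-A", ["writes", "reads", "spawns", "connects"], 0),
    ("ep-B", ["reads", "spawns", "connects"], 0),
    ("ep-B", ["reads", "spawns", "encrypts"], 1),
    ("ep-C", ["spawns", "writes", "encrypts"], 1),
    ("ep-C", ["writes", "reads", "writes"], 0),
]
# Constructed benign sequences collected on each endpoint afterwards. ep-A runs a
# backup agent that reads, encrypts and uploads: a pattern no other endpoint shows
# (claim 5) and one the global model has only ever seen in malicious sequences.
ENDPOINT_BENIGN = {
    "ep-A": [["reads", "encrypts", "connects"]],
    "ep-B": [["reads", "spawns", "connects"]],
}

def features(seq):
    return Counter(seq)  # assumption: bag of action identifiers

def score(w, seq):
    return sum(w.get(f, 0.0) * n for f, n in features(seq).items())

def is_malicious(w, seq):
    return score(w, seq) > 0.0

def train(w0, dataset, epochs=20, rate=0.5):
    """Perceptron updates starting from parameters w0; returns an adjusted copy,
    so the tuned model is 'the global model with adjusted parameters'."""
    w = dict(w0)
    for _ in range(epochs):
        errors = 0
        for seq, label in dataset:
            pred = int(is_malicious(w, seq))
            if pred != label:
                errors += 1
                for f, n in features(seq).items():
                    w[f] = w.get(f, 0.0) + rate * (label - pred) * n
        if not errors:
            break
    return w

def train_global():
    return train({}, [(seq, y) for _, seq, y in GLOBAL_LOGS])

def false_positives(w, endpoint):
    """Claim 2: this endpoint's benign sequences that the model flags as malicious."""
    return [s for s in ENDPOINT_BENIGN[endpoint] if is_malicious(w, s)]

def tune_for_endpoint(global_w, endpoint):
    """Claims 1-3: testing dataset = this endpoint's benign sequences plus the
    malicious sequences of the other endpoints; retrain from the global parameters."""
    dataset = [(s, 0) for s in ENDPOINT_BENIGN[endpoint]]
    dataset += [(s, 1) for ep, s, y in GLOBAL_LOGS if ep != endpoint and y == 1]
    return train(global_w, dataset)
```

With this corpus the global model flags ep-A's backup pattern as malicious; the tuned ep-A model clears it while still flagging both malicious sequences from the other endpoints, and ep-B's tuned parameters differ from ep-A's.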