Abstract: A computer-implemented method for generating a threat classifier is described. A parameter collection module is distributed to a plurality of client processing systems. The module comprises a set of rules to detect a behavior in the client processing systems. If one or more of the set of rules are satisfied, input data indicative of a plurality of client processing parameters is received. The input data is scaled to provide a plurality of parameter vectors. Each of the parameter vectors are classified as a threat or a non-threat. A machine learning process is performed on at least one of the classified parameter vectors. The threat classifier is generated from the machine learning process. The threat classifier is transferred to at least one client processing system. The threat classifier is configured to automatically determine if a process to be performed in a client processing system is malicious.

Abstract: An origin of a file of interest on a computer system is determined by monitoring file origin events on the computer system. A file of interest resulting from one of the file origin events may then be selected for tracing. A precursor file from which the file of interest emanates as a result of one of the file origin events is then identified. By iteratively performing the identifying operation upon successive precursor files substituted in the identifying operation for the file of interest, an origin file with no further precursor file may thus be identified. It is thus possible to trace back a given process or file of interest to a file container and/or location that initially introduced it into the computer system and any intermediate files or forms the process or file of interest may have assumed.

Abstract: An origin of a file of interest on a computer system is determined by monitoring file origin events on the computer system. A file of interest resulting from one of the file origin events may then be selected for tracing. A precursor file from which the file of interest emanates as a result of one of the file origin events is then identified. By iteratively performing the identifying operation upon successive precursor files substituted in the identifying operation for the file of interest, an origin file with no further precursor file may thus be identified. It is thus possible to trace back a given process or file of interest to a file container and/or location that initially introduced it into the computer system and any intermediate files or forms the process or file of interest may have assumed.