Abstract: A method for protecting against malware when a client computer causes file operations at a server computer, comprising: gathering, by the server computer, information for each file operation performed into an event, the information including at least a identifier and a type of the operation, developing, not by the client computer, an event-level feature vector including at least two features which are numerical data representing an aspect of the gathered information for each event; grouping the event-level feature vectors into a file-level feature vector for each file; supplying, not by the client computer, the file-level feature vectors to a trained machine learning classifier and receiving as an output of the classifier at least one risk score indicating a likelihood of a presence of malware activity; and when malware activity is indicated by an aggregate risk score based on the at least one risk score, initiating incident handling.

Abstract: A method for protecting against malware when a client computer causes file operations at a server computer, comprising: gathering, by the server computer, information for each file operation performed into an event, the information including at least a identifier and a type of the operation, developing, not by the client computer, an event-level feature vector including at least two features which are numerical data representing an aspect of the gathered information for each event; grouping the event-level feature vectors into a file-level feature vector for each file; supplying, not by the client computer, the file-level feature vectors to a trained machine learning classifier and receiving as an output of the classifier at least one risk score indicating a likelihood of a presence of malware activity; and when malware activity is indicated by an aggregate risk score based on the at least one risk score, initiating incident handling.