System and method of detecting anomalous events based on known safe events

Abstract

A system and method is provided for detecting anomalous events occurring in an operating system of a computing device. An exemplary method includes detecting an event that occurs in the operating system of the computing device during execution of a software process. Moreover, the method includes determining a context of the detected event and forming a convolution of the detected event based on selected features of the determined context of the detected event. Further, the method includes determining a popularity of the formed convolution by polling a database containing data relating to a frequency of detected events occurring in client devices in a network, where the detected events of the client devices correspond to the detected event in the computing device. If the determined popularity is below a threshold value, the method determines that the detected event is an anomalous event.
