Palo Alto Networks, Inc.
CONJOINING MALWARE DETECTION MODELS FOR DETECTION PERFORMANCE AGGREGATION
Abstract:
To leverage the higher detection rate of a supplemental model and manage the higher false positive rate of that model, an activation range is tuned for the candidate model to operate in conjunction with an incumbent model. The activation range is a range of output values for the incumbent model that activates the supplemental model. Inputs having benign output values from the incumbent model that are within the activation range are fed into the supplemental model. Thus, the lower threshold of the activation range corresponds to the malware detection threshold of the incumbent model, and the upper threshold determines how many benign classified outputs from the incumbent model activate the supplemental model. This conjoining of models with a tuned activation range manages the overall false positive rate of the conjoined detection models while the malware detection rate increases over that of the incumbent detection model alone.
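The gating and tuning described in the abstract, sketched as an added example that is not taken from the patent or from Palo Alto Networks code. It assumes an incumbent score for which values below the detection threshold mean malware (so benign outputs sit at or above the lower bound of the range), a half-open range, a false-positive budget as the tuning rule, and constructed sample data; all names are hypothetical.

```python
# Added illustration: names, scores and the tuning rule are assumptions.
# Each constructed sample: (incumbent score, supplemental flags it?, truly malware?)
SAMPLES = [
    (0.10, True, True), (0.20, True, True), (0.35, True, True),
    (0.45, True, True), (0.70, True, True),
    (0.40, False, False), (0.50, True, False), (0.60, False, False),
    (0.65, True, False), (0.75, False, False), (0.80, False, False),
    (0.90, True, False), (0.95, False, False),
]
CANDIDATES = [0.3, 0.4, 0.5, 0.6, 0.7, 0.8, 0.9, 1.0]

def conjoined_verdict(incumbent, supplemental, lower, upper):
    """lower is the incumbent's detection threshold; [lower, upper) activates
    the supplemental model for inputs the incumbent classified as benign."""
    if incumbent < lower:
        return True            # incumbent detects malware on its own
    if incumbent < upper:
        return supplemental    # benign output inside the activation range
    return False               # benign output outside the range: verdict stands

def rates(samples, lower, upper):
    """Return (detection rate, false positive rate) of the conjoined models."""
    hits = [conjoined_verdict(i, s, lower, upper) for i, s, m in samples if m]
    false_alarms = [conjoined_verdict(i, s, lower, upper)
                    for i, s, m in samples if not m]
    return sum(hits) / len(hits), sum(false_alarms) / len(false_alarms)

def tune_upper(samples, lower, candidates, max_fpr):
    """Widest upper threshold whose conjoined false positive rate fits the budget.
    The rate never decreases as the range widens, so stop at the first overrun."""
    best = lower               # empty range: incumbent model alone
    for upper in sorted(c for c in candidates if c >= lower):
        if rates(samples, lower, upper)[1] > max_fpr:
            break
        best = upper
    return best

if __name__ == "__main__":
    upper = tune_upper(SAMPLES, 0.3, CANDIDATES, max_fpr=0.125)
    print("incumbent alone:", rates(SAMPLES, 0.3, 0.3))
    print("tuned upper:", upper, "conjoined:", rates(SAMPLES, 0.3, upper))
    print("supplemental on every benign output:", rates(SAMPLES, 0.3, 1.0))
```

On this constructed data the tuned range doubles the detection rate of the incumbent alone while holding false positives to a third of what running the supplemental model on every benign output would produce.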
Utility
28 Jul 2020
3 Feb 2022