Patent attributes
An Active Intelligence method and system are provided for detecting malicious servers using an automated machine-learning active intelligence manager. The Active Intelligence method and system automatically and covertly extract forensic data and intelligence related to a selected server in real time to determine whether the server is part of a cybercrime infrastructure. An automated machine-learning active intelligence manager is provided that collects or gathers one or more types of forensic intelligence related to the operation of the server under investigation. The active intelligence manager combines the collected one or more types of forensic intelligence, extracts features from the combined forensic intelligence, and classifies the server as malicious or benign based on the extracted features.