Patent attributes
Systems and methods for detecting suspicious malware by analyzing data such as transfer protocol data or logs from a host within an enterprise is provided. The systems and methods include a database for storing current data and historical data obtained from the network and a detection module and an optional display. The embodiments herein extract information from non-encrypted transfer protocol metadata, determine a plurality of features, utilize an outlier detection model that is based on historical behaviors, calculate a suspiciousness score, and create alerts for analysis by users when the score exceeds a threshold. In doing so, the systems and methods of the present invention improve the ability to identify suspicious outliers or potential malware on an iterative basis over time.