Patent attributes
Methods, storage systems and computer program products implement embodiments of the present invention that include identifying multiple host computers executing respective instances of a specific software application, each given instance on each given host computer including a set of program instructions loaded, by the host computer, from a respective storage device. Information on actions performed by the executing instances is collected from the host computers, and features are computed based on the information collected from the multiple host computers. The collected information for a given instance are compared to the features so as to classify the given instance as benign or suspicious, and an alert s generated for the given instance only upon classifying the given instance as suspicious.