The ongoing development, maintenance, and expansion of network systems involve an increasing number of servers communicating with an increasing number of client devices. This can present a challenge in securing the network system from malicious servers and large numbers of new malware types and instances.
Classifiers (and detectors based on such classifiers) can be designed based on collected samples with known and well-understood behaviors. However, training a classifier typically requires a large number of malware samples with sufficiently high variation in order to ensure high precision and recall. In most networking environments, although there may be a great number of malicious servers, the majority of the servers are legitimate. The overwhelming number of servers, the imbalance of the behavioral data they create, and a tedious labeling process make training a classifier challenging.
In accordance with common practice, various features shown in the drawings may not be drawn to scale, as the dimensions of various features may be arbitrarily expanded or reduced for clarity. Moreover, the drawings may not depict all of the aspects and/or variants of a given system, method or apparatus admitted by the specification. Finally, like reference numerals are used to denote like features throughout the figures.