Computing networks are frequently attacked by emerging malware threats that cannot be adequately identified and countered by common signature-based detection systems. Accordingly, heuristic detection models are increasingly utilized in the fight against malware. These heuristic models often utilize multiple forest models to evaluate files for potential threats. Forest models have grown in size over time and multiple forest models are often used simultaneously to more accurately classify files and identify threats.
A broad sample of data is commonly used to build and train forest models. The data is often obtained from a wide variety of files and locations, including multiple different organizations. Such an approach may produce forest models that can be utilized by a wide variety of end users and organizations. However, the forest models may perform better for some end users and organizations than for others. The instant disclosure, therefore, identifies and addresses a need for systems and methods for improving forest-based malware detection within an organization.