Malware detectionΒΆ

Because irregular behavior by itself is only indicative of a possible threat and may or may not need remediation, the Plixer ML Engine utilizes additional pre-trained ML models to classify the anomalies it observes through Plixer Scrutinizer and report whether the anomaly actually constitutes malicious activity.


The pre-trained models packaged with the Plixer ML Engine are IP-agnostic and allow Plixer Scrutinizer to alert users to potential threats without needing previously known domain or IP-based signatures.

This classification process is divided into four steps:

  1. The engine ingests flow data containing anomalous traffic streamed from Plixer Scrutinizer.

  2. The data is preprocessed by the Plixer ML Engine into feature vectors that can be used by the pre-trained ML models.

  3. The resulting data is used as the input for the different pre-trained ML models.

  4. Each ML model outputs a probability score, which represents the likelihood that the anomaly observed constitutes malicious behavior.

Once probability scores have been obtained, Plixer Scrutinizer compares them to a user-configurable threshold to determine whether or not an Alarm should be generated for the host.


The Plixer ML Engine regularly checks for updates that may include newer versions of the pre-trained ML models it uses.