There are two broad ways to catch ransomware. You can write rules — if a process does X then Y then Z, flag it — or you can train a model on a large set of known ransomware and let it learn the patterns itself. The rule-based approach is precise but brittle; the learned approach is fuzzier but generalizes to samples no one anticipated. The industry has spent a decade moving toward the second.
The grant US10795994B2, "Detecting ransomware" (issued October 6, 2020, assigned to McAfee, LLC), sits firmly in that camp. Its CPC classifications pair the malware class G06F 21/56 with G06N 3/08 — the class for neural-network training methods — which is the unmistakable fingerprint of a machine-learning detector rather than a signature engine.
The mechanism worth understanding is generalization. A neural network trained on thousands of ransomware samples learns features that recur across the family — patterns in file access, in entropy changes, in the sequence of operations — even though no two samples are byte-identical. When a genuinely new variant appears, a well-trained model can place it close to what it already knows and flag it, where a signature engine would see nothing.
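To make the feature side of this concrete, here is an added example (not code from the patent or from McAfee) that turns a constructed stream of file events into the per-process features the paragraph names, entropy change per write, distinct files touched, and write-then-rename ordering, and then applies a hand-written rule of the brittle kind described in the opening paragraph. The event tuple format, process ids and paths are assumptions for illustration; a real detector would take this telemetry from a filesystem sensor and feed the features to a trained model instead of fixed thresholds.

```python
import math
from collections import defaultdict

# Constructed sample telemetry (assumed format, not from the patent): one
# event per file op as (pid, op, path, content_before, content_after).
# Real input would come from a filesystem sensor or EDR agent.
PLAINTEXT = b"quarterly report: revenue up 4%, costs flat. " * 40
HIGH_ENTROPY = bytes(range(256)) * 8  # uniform byte distribution, like ciphertext
EVENTS = [
    (42, "write", "C:/docs/q1.docx", PLAINTEXT, HIGH_ENTROPY),
    (42, "rename", "C:/docs/q1.docx", None, None),
    (42, "write", "C:/docs/q2.docx", PLAINTEXT, HIGH_ENTROPY),
    (42, "rename", "C:/docs/q2.docx", None, None),
    (42, "write", "C:/docs/q3.docx", PLAINTEXT, HIGH_ENTROPY),
    (42, "rename", "C:/docs/q3.docx", None, None),
    (7, "write", "C:/docs/notes.txt", PLAINTEXT, PLAINTEXT + b" edited."),
    (7, "write", "C:/docs/notes.txt", PLAINTEXT + b" edited.", PLAINTEXT + b" edited twice."),
]

def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def extract_features(events):
    """Per-process feature vector of the kind a learned detector consumes: mean
    entropy rise per write, distinct files touched, and write-then-rename chains
    (the sequence-of-operations feature)."""
    acc = defaultdict(lambda: {"deltas": [], "files": set(), "chains": 0, "last": None})
    for pid, op, path, before, after in events:
        f = acc[pid]
        f["files"].add(path)
        if op == "write":
            f["deltas"].append(shannon_entropy(after) - shannon_entropy(before))
        elif op == "rename" and f["last"] == "write":
            f["chains"] += 1
        f["last"] = op
    return {pid: {"mean_entropy_delta": sum(f["deltas"]) / max(len(f["deltas"]), 1),
                  "distinct_files": len(f["files"]), "write_then_rename": f["chains"]}
            for pid, f in acc.items()}

def rule_flag(fv, min_delta=3.0, min_files=3):
    """The brittle hand-written rule: a large entropy jump across several files plus
    a write-then-rename chain. A learned model would weight these same features."""
    return fv["mean_entropy_delta"] >= min_delta and fv["distinct_files"] >= min_files and fv["write_then_rename"] > 0
```

Process 42 trips the rule; a variant that, say, overwrites in place without renaming would not, which is exactly the gap a model trained on many samples is meant to close.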
For defenders, the practical takeaway is to understand both the strength and the failure mode. Learned detectors catch novel variants, but they can be evaded by attackers who craft samples to sit just outside the model's learned boundary — adversarial evasion is a real and active arms race. The model is a powerful layer, not a guarantee.
What the patent represents, more than any single technique, is the maturation of ransomware defense into a machine-learning discipline. The interesting questions stopped being 'what's the signature' and became 'what features did the model learn, how do we keep it current, and how do we know when an attacker has figured out how to slip past it.'