Enabling enhanced network security operation by leveraging context from multiple security agents
US-2022166783-A1 · May 26, 2022 · US
US12563049B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12563049-B2 |
| Application number | US-202117539290-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 1, 2021 |
| Priority date | Dec 28, 2020 |
| Publication date | Feb 24, 2026 |
| Grant date | Feb 24, 2026 |
Abstract
Disclosed herein are systems and methods for optimizing artificial intelligence (A.I)-based malware analysis on offline endpoints in a network. In one aspect, a method includes identifying a file that has not been executed on an endpoint system and scanning the endpoint system to detect malicious behavior using a machine learning algorithm. In response to determining that the endpoint system does not exhibit malicious behavior based on the machine learning algorithm, the method includes enabling execution of the file. Subsequent to the execution of the file, the method includes rescanning the endpoint system to detect malicious behavior using the machine learning algorithm. In response to determining that the endpoint system does exhibit malicious behavior subsequent to the execution, the method includes extracting attributes of the file and retraining the machine learning algorithm using the extracted attributes to detect malicious behavior associated with the file without having to execute the file.
Claims (preview)
The invention claimed is:

1. A method for optimizing artificial intelligence (A.I)-based malware analysis on offline endpoints in a network, the method comprising: identifying a file that has not been executed on an endpoint system in a network comprising a plurality of endpoint systems; determining, from a plurality of classes, a class of the endpoint system; scanning the endpoint system to detect malicious behavior using a machine learning algorithm; in response to determining that the endpoint system does not exhibit malicious behavior based on the machine learning algorithm, enabling execution of the file; subsequent to the execution of the file, rescanning the endpoint system to detect malicious behavior using the machine learning algorithm; in response to determining that the endpoint system does exhibit malicious behavior subsequent to the execution, extracting attributes of the file; retraining the machine learning algorithm using the extracted attributes to detect malicious behavior associated with the file without having to execute the file; determining a match value by comparing the class of the endpoint system with classes of other endpoint systems of the plurality of endpoint systems; determining that the other endpoint systems are of a same class as the endpoint system from the plurality of classes when the match value exceeds a threshold match value; and transmitting the extracted attributes to other endpoint systems of the plurality of endpoint systems in response to determining that the other endpoint systems are of the same class as the endpoint system from the plurality of classes, wherein each other endpoint system is configured to receive and retrain each respective local machine learning algorithm based on the extracted attributes, and wherein the extracted attributes are not transmitted to any endpoint system of the plurality of endpoint systems that is from a class that does not match the class of the endpoint system.

2. The method of claim 1, further comprising: identifying another file that has not been executed on an endpoint system, wherein the another file shares attributes with the file; scanning the endpoint system to detect malicious behavior using the retrained machine learning algorithm; and in response to determining that the another file exhibits malicious behavior, inhibiting the another file from executing.

3. The method of claim 1, wherein the attributes are pre-execution attributes indicative of at least one of: (1) installation source, (2) installation time, (3) dependencies, (4) time spent on the endpoint system, (5) file type.

4. The method of claim 3, wherein retraining the machine learning algorithm comprises: generating a training vector that links the pre-execution attributes to presence of malicious behavior; and training the machine learning algorithm with the generated training vector.

5. The method of claim 1, wherein the endpoint system is an offline system that is part of the network comprising a plurality of endpoint systems, wherein each endpoint system has a respective local machine learning algorithm.

6. The method of claim 5, further comprising: detecting that the endpoint system is online; in response to further detecting that the endpoint system is online, transmitting the extracted attributes to the other endpoint systems of the plurality of endpoint systems.

7. The method of claim 5, further comprising: detecting that the endpoint system is online; in response to detecting that the endpoint system is online, querying other endpoint systems of the plurality of endpoint systems for updated attributes; receiving updated attributes for another file; and retraining the machine learning algorithm using the received updated attributes.

8. The method of claim 7, further comprising: scanning the endpoint system to detect malicious behavior using the retrained machine learning algorithm, wherein the another file is stored on the endpoint system; and determining that the endpoint system exhibits malicious behavior associated with the another file.

9. A system for optimizing artificial intelligence (A.I)-based malware analysis on offline endpoints in a network, the system comprising: a hardware processor configured to: identify a file that has not been executed on an endpoint system in a network comprising a plurality of endpoint systems; determine, from a plurality of classes, a class of the endpoint system; scan the endpoint system to detect malicious behavior using a machine learning algorithm; in response to determining that the endpoint system does not exhibit malicious behavior based on the machine learning algorithm, enable execution of the file; subsequent to the execution of the file, rescan the endpoint system to detect malicious behavior using the machine learning algorithm; in response to determining that the endpoint system does exhibit malicious behavior subsequent to the execution, extract attributes of the file; retrain the machine learning algorithm using the extracted attributes to detect malicious behavior associated with the file without having to execute the file; determine a match value by comparing the class of the endpoint system with classes of other endpoint systems of the plurality of endpoint systems; determine that the other endpoint systems are of a same class as the endpoint system from the plurality of classes when the match value exceeds a threshold match value; and transmit the extracted attributes to other endpoint systems of the plurality of endpoint systems in response to determining that the other endpoint systems are of the same class as the endpoint system from the plurality of classes, wherein each other endpoint system is configured to receive and retrain each respective local machine learning algorithm based on the extracted attributes, and wherein the hardware processor is configured to not transmit the extracted attributes to any endpoint system of the plurality of endpoint systems that is from a class that does not match the class of the endpoint system.

10. The system of claim 9, wherein the hardware processor is further configured to: identify another file that has not been executed on an endpoint system, wherein the another file shares attributes with the file; scan the endpoint system to detect malicious behavior using the retrained machine learning algorithm; and in response to determining that the another file exhibits malicious behavior, inhibit the another file from executing.

11. The system of claim 9, wherein the attributes are pre-execution attributes indicative of at least one of: (1) installation source, (2) installation time, (3) dependencies, (4) time spent on the endpoint system, (5) file type.

12. The system of claim 11, wherein the hardware processor is further configured to retrain the machine learning algorithm by: generating a training vector that links the pre-execution attributes to presence of malicious behavior; and training the machine learning algorithm with the generated training vector.

13. The system of claim 9, wherein the endpoint system is an offline system that is part of the network comprising a plurality of endpoint systems, wherein each endpoint system has a respective local machine learning algorithm.

14. The system of claim 13, wherein the hardware processor is further configured to: detect that the endpoint system is online; in response to further detecting that the endpoint system is online, transmit the extracted attributes to other endpoint systems of the plurality of endpoint systems.
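The abstract and claims 1 through 8 above describe one procedure: score a not-yet-executed file with the endpoint's local model, let it run if nothing is flagged, rescan, and on malicious behavior extract the file's pre-execution attributes (claim 3), retrain from the resulting training vector (claim 4), and forward those attributes only to endpoints whose class match value exceeds a threshold, deferring transmission while the endpoint is offline (claims 5 and 6). The Python below is an added example written for this page, not code from the patent or its assignee. The patent names no particular model, match metric or thresholds; this example assumes a Bernoulli naive Bayes scorer over binarised attributes as the local "machine learning algorithm", Jaccard overlap of endpoint profile tags as the "match value", thresholds of 0.5, and a constructed behaviour table standing in for the post-execution behavioural scan. All file, endpoint and tag names are made up.

```python
# Added example, not the patent's code; the lead-in lists the assumptions made here.
from collections import defaultdict, namedtuple
from dataclasses import dataclass, field
import math

MATCH_THRESHOLD, MALICIOUS_THRESHOLD = 0.5, 0.5  # assumed thresholds (not given in the patent)

# Pre-execution attributes of claim 3: source, install time, dependencies, dwell time, file type.
FileRecord = namedtuple("FileRecord", "name install_source install_hour dependencies dwell_days file_type")

def training_vector(f: FileRecord) -> frozenset:
    """Claim 4: binarise the pre-execution attributes into a feature set."""
    feats = {f"src={f.install_source}", f"type={f.file_type}",
             "hour=off_hours" if f.install_hour < 6 or f.install_hour > 20 else "hour=business",
             "dwell=short" if f.dwell_days <= 1 else "dwell=long"}
    feats.update(f"dep={d}" for d in f.dependencies)
    return frozenset(feats)

def match_value(a: frozenset, b: frozenset) -> float:
    """Assumed match value between two endpoint classes: Jaccard overlap of profile tags."""
    return len(a & b) / len(a | b)

class LocalModel:
    """Bernoulli naive Bayes with add-one smoothing; one instance per endpoint (claim 5)."""
    def __init__(self):
        self.n = {0: 0, 1: 0}
        self.counts = {0: defaultdict(int), 1: defaultdict(int)}
        self.vocab = set()

    def train(self, vector: frozenset, malicious: bool) -> None:
        y = int(malicious)
        self.n[y] += 1
        self.vocab |= vector
        for feat in vector:
            self.counts[y][feat] += 1

    def malicious_probability(self, vector: frozenset) -> float:
        # No malicious exemplar yet: the smoothed malicious class is uniform and would flag
        # any unusual benign file, so abstain until the behavioural scan has produced a label.
        if self.n[1] == 0:
            return 0.0
        log_post = {}
        for y in (0, 1):
            lp = math.log((self.n[y] + 1) / (self.n[0] + self.n[1] + 2))
            for feat in self.vocab:
                p = (self.counts[y][feat] + 1) / (self.n[y] + 2)
                lp += math.log(p if feat in vector else 1.0 - p)
            log_post[y] = lp
        m = max(log_post.values())
        return math.exp(log_post[1] - m) / sum(math.exp(v - m) for v in log_post.values())

@dataclass
class Endpoint:
    profile: frozenset   # stands in for the endpoint's "class"
    behaviour: dict      # constructed: file name -> malicious behaviour observed after execution
    online: bool = True
    model: LocalModel = field(default_factory=LocalModel)
    outbox: list = field(default_factory=list)

    def handle_new_file(self, f: FileRecord, peers: list) -> str:
        vec = training_vector(f)
        if self.model.malicious_probability(vec) >= MALICIOUS_THRESHOLD:
            return "blocked_pre_execution"            # claim 2: inhibited without running
        if not self.behaviour.get(f.name, False):     # execution enabled; rescan is clean
            return "executed_clean"
        self.model.train(vec, malicious=True)         # extract attributes and retrain locally
        self.outbox.append(vec)
        self.share(peers)
        return "executed_malicious_retrained"

    def share(self, peers: list) -> None:
        """Claims 1 and 5-6: push queued attributes only when online, and only to same-class peers."""
        if not self.online:
            return
        while self.outbox:
            vec = self.outbox.pop(0)
            for peer in peers:
                if match_value(self.profile, peer.profile) > MATCH_THRESHOLD:
                    peer.model.train(vec, malicious=True)

def run_scenario() -> dict:
    """Constructed scenario: offline A runs malware, comes online, shares with same-class B only."""
    seed = [FileRecord("setup.msi", "vendor_repo", 10, ("msvcrt",), 5, "msi"),
            FileRecord("updater.exe", "vendor_repo", 14, ("msvcrt", "wininet"), 9, "exe")]
    invoice = FileRecord("invoice.exe", "removable_media", 2, ("msvcrt", "wininet", "ntdll"), 0, "exe")
    lookalike = FileRecord("update.scr", "removable_media", 3, ("msvcrt", "ntdll"), 1, "scr")
    clean = FileRecord("editor.msi", "vendor_repo", 10, ("msvcrt",), 5, "msi")
    a = Endpoint(frozenset({"os=win10", "role=finance", "agent=v3", "site=hq"}),
                 {"invoice.exe": True, "update.scr": True}, online=False)
    b = Endpoint(frozenset({"os=win10", "role=finance", "agent=v3", "site=branch"}), {"update.scr": True})
    c = Endpoint(frozenset({"os=linux", "role=build", "agent=v3", "site=hq"}), {"update.scr": True})
    for ep in (a, b, c):
        for f in seed:
            ep.model.train(training_vector(f), malicious=False)
    out = {"match_AB": match_value(a.profile, b.profile), "match_AC": match_value(a.profile, c.profile)}
    out["A:invoice"] = a.handle_new_file(invoice, [b, c])      # runs, misbehaves, retrains; offline so unshared
    out["A:lookalike"] = a.handle_new_file(lookalike, [b, c])  # blocked locally without execution
    out["B:flagged_before_sync"] = b.model.malicious_probability(training_vector(lookalike)) >= MALICIOUS_THRESHOLD
    a.online = True
    a.share([b, c])                                            # claim 6: transmit once back online
    out["B:lookalike"] = b.handle_new_file(lookalike, [a, c])  # same class, received the attributes
    out["C:lookalike"] = c.handle_new_file(lookalike, [a, b])  # other class, never told
    out["A:clean"] = a.handle_new_file(clean, [b, c])
    return out
```

Calling `run_scenario()` walks the claims in order: endpoint A, offline, executes invoice.exe, sees malicious behaviour and retrains, after which the look-alike update.scr is blocked on A without ever running. B, in the same class (match value 0.6), is not protected until A comes back online and pushes the attributes; C (match value 1/3) receives nothing and catches the look-alike only by executing it, which is the cost of gating distribution by class. The abstention when no malicious exemplar exists is this example's own design choice, not something the patent states: with add-one smoothing and zero malicious examples, naive Bayes would otherwise flag any file that merely differs from the benign seeds.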
CPC classification titles:

- Machine learning
- at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
- Computer malware detection or handling, e.g. anti-virus arrangements
- Traffic logging, e.g. anomaly detection
- Static detection