I need an algorithm that can collect threat information from an attack on critical infrastructures on a daily operational basis, which reveals the domain that has been taken over by a threat actor. It includes the systems in the organisation that have been infected with a malware virus. The algorithm should be able to detect anomalous activities and attacks in real time. The information gathered can further help the organisation to take precautions and apply appropriate controls. The threat information includes denial-of-service attacks, remote access, spearphishing emails, etc.