US 12,225,027 B2
System and method for detection of abnormal device traffic behavior
Evgeny Luk-Zilberman, Herzliya (IL); Gil Ben Zvi, Hod Hasharon (IL); Tom Hanetz, Tel Aviv (IL); Ron Shoham, Tel Aviv (IL); and Yuval Friedlander, Petah-Tiqwa (IL)
Assigned to Armis Security Ltd., Tel Aviv-Jaffa (IL)
Filed by Armis Security Ltd., Tel Aviv-Jaffa (IL)
Filed on Mar. 29, 2021, as Appl. No. 17/215,809.
Prior Publication US 2022/0311789 A1, Sep. 29, 2022
Int. Cl. G06F 21/00 (2013.01); G06F 16/28 (2019.01); H04L 9/40 (2022.01); G06N 20/00 (2019.01)
CPC H04L 63/1425 (2013.01) [G06F 16/285 (2019.01); H04L 63/1441 (2013.01); G06N 20/00 (2019.01)] 18 Claims
OG exemplary drawing
 
1. A method, comprising:
creating a baseline clustering model specific to a device based on a training data set including traffic data for the device, wherein the baseline clustering model includes a plurality of clusters, each cluster of the plurality of clusters representing a discrete state and including a plurality of first data points of the training data set;
sampling a plurality of second data points with respect to windows of time thereby creating at least one sample, each sample of the at least one sample including at least a portion of the plurality of second data points, wherein the plurality of second data points are related to traffic involving the device;
calculating, for each second data point of the plurality of second data points in the at least one sample, a risk factor score based on a vector representation of the respective second data point in a traffic feature space and a proximity of the respective second data point to one of the plurality of clusters in the baseline clustering model specific to the device;
determining, for each second data point in the at least one sample, whether the respective second data point is an outlier based on the plurality of clusters in the baseline clustering model specific to the device;
detecting anomalous traffic behavior of the device by identifying a second data point in the at least one sample as an anomalous data point based on the risk factor score of that second data point and that second data point being a determined outlier;
updating the plurality of clusters of the baseline clustering model based on the at least one sample and the risk factor score for each second data point of each sample, wherein the updating comprises adding each sample having a high risk factor score as a new cluster to the plurality of clusters; and
performing at least one mitigation action based on the detected anomalous traffic behavior.
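The steps of claim 1 carried through on constructed data, as an added Python example that is not part of the patent or of any Armis product: a per-device baseline is clustered from training traffic, monitored points are grouped into time windows, each point gets a proximity-based risk factor score and a separate outlier test, points that satisfy both are flagged, and each high-risk sample is appended to the model as a new cluster. The clustering algorithm (leader clustering), the feature space (kB sent per minute, distinct destination hosts), the radius, window width and threshold are all assumptions of this example, and the mitigation action is left to the caller, which receives the flagged points.

```python
import math
def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])

def build_baseline(train, radius):
    """Leader clustering (hypothetical choice): each cluster is one discrete state of the device's traffic."""
    clusters = []
    for p in train:
        near = min(clusters, key=lambda c: dist(c["centroid"], p), default=None)
        if near is None or dist(near["centroid"], p) > radius:   # too far from every state: open a new one
            clusters.append({"centroid": p, "members": [p]})
        else:
            near["members"].append(p)
            near["centroid"] = tuple(sum(m[i] for m in near["members"]) / len(near["members"]) for i in range(2))
    return clusters

def risk_factor(p, clusters):
    """Proximity of the feature vector to its nearest baseline state, scaled by that state's spread."""
    c = min(clusters, key=lambda c: dist(c["centroid"], p))
    spread = max(sum(dist(c["centroid"], m) for m in c["members"]) / len(c["members"]), 1.0)  # floor: no /0
    return dist(c["centroid"], p) / spread
def is_outlier(p, clusters, radius):
    """Separate outlier test: the point lies inside no baseline cluster's radius."""
    return all(dist(c["centroid"], p) > radius for c in clusters)
def sample_windows(points, width):
    """Group (timestamp, features) second data points into fixed-width time windows, one sample each."""
    buckets = {}
    for ts, f in points:
        buckets.setdefault(ts // width, []).append(f)
    return [buckets[k] for k in sorted(buckets)]

def analyze(points, clusters, radius=5.0, width=60, high_risk=3.0):
    """Flag points that are both high-risk and outliers; each high-risk sample becomes a new cluster."""
    anomalies = []
    for sample in sample_windows(points, width):
        scores = [risk_factor(p, clusters) for p in sample]
        anomalies += [p for p, s in zip(sample, scores) if s >= high_risk and is_outlier(p, clusters, radius)]
        if sum(scores) / len(scores) >= high_risk:  # the sample itself is now a tracked state of the device
            centroid = tuple(sum(p[i] for p in sample) / len(sample) for i in range(2))
            clusters.append({"centroid": centroid, "members": list(sample)})
    return anomalies

# Constructed data for one IP camera: idle and streaming states in training, then a many-destination burst.
TRAIN = [(2, 1), (3, 1), (2, 2), (1, 1), (40, 2), (42, 2), (38, 3), (41, 2)]
MONITOR = [(10, (2, 1)), (30, (3, 1)), (70, (41, 2)), (100, (39, 3)),
           (130, (55, 40)), (150, (60, 45)), (170, (58, 42)), (190, (57, 43))]

def run_demo():
    clusters = build_baseline(TRAIN, radius=5.0)
    return analyze(MONITOR, clusters), clusters  # (57, 43) at t=190 falls inside the cluster added for t=120..179
```

Note the consequence of the update step: once the burst window has been added as a cluster, the repeat of that behaviour at t=190 is no longer an outlier, so a deployment needs to record the added clusters rather than treat the model as a clean baseline.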