| CPC H04L 63/1416 (2013.01) [G06N 5/04 (2013.01); G06N 20/00 (2019.01)] | 17 Claims |

1. A method of handling sessions between client devices and one or more servers based on session classifications, comprising:
identifying, by a device comprising one or more processors and memory, a time series of security metrics corresponding to one or more requests received during a session established by a client device to access a resource provided by one or more servers;
generating, by the device, a plurality of security features from the time series of security metrics based on one or more time windows;
training a classifier to classify the session as the one of anomalous or genuine by:
receiving, for a predetermined classification, a plurality of training violation records with time stamps that occurred during a time interval of a training session,
converting the plurality of training violation records to a training time series of security metrics,
generating training security features based on the training time series of security metrics, the training security features indicating a number of occurrences of a security metric during the time interval, and
training the classifier with the training security features with an indication of the predetermined classification to cause the classifier to classify the session as the one of anomalous or genuine based on the plurality of security features;
classifying, by the device via the classifier, the session as one of anomalous or genuine using the plurality of security features generated from the time series of security metrics based on the one or more time windows; and
handling, by the device, a request received during the session based on the classification of the session as the one of anomalous or genuine.
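
The steps recited in claim 1, sketched end to end as an added illustration; this is not code from the patent or from any implementation of it. The violation types, window lengths, session interval, 1-nearest-neighbour classifier, block/forward policy and all sample records are assumptions constructed for the example.

```python
from math import dist

METRICS = ("sqli", "xss", "rate_limit")  # assumed violation types
WINDOWS = (10, 60)                       # assumed window lengths in seconds
INTERVAL = 120                           # assumed session interval in seconds

def to_time_series(records):
    """Timestamped violation records -> per-second count series per metric."""
    series = {m: [0] * INTERVAL for m in METRICS}
    for ts, metric in records:
        if metric in series and 0 <= ts < INTERVAL:
            series[metric][int(ts)] += 1
    return series

def features(series):
    """Per metric: peak count in any tumbling window, then total occurrences."""
    vec = []
    for m in METRICS:
        s = series[m]
        for w in WINDOWS:
            vec.append(max(sum(s[i:i + w]) for i in range(0, INTERVAL, w)))
        vec.append(sum(s))
    return vec

class NearestNeighbour:
    """1-NN stand-in for the classifier, which the claim leaves unspecified."""
    def fit(self, vectors, labels):
        self.rows = list(zip(vectors, labels))
        return self
    def predict(self, vec):
        return min(self.rows, key=lambda r: dist(vec, r[0]))[1]

# Constructed training sessions: (predetermined classification, violation records)
TRAINING = [
    ("genuine", [(5, "rate_limit")]),
    ("genuine", []),
    ("anomalous", [(t, "sqli") for t in range(0, 60, 2)] + [(t, "xss") for t in range(30, 40)]),
    ("anomalous", [(t, "rate_limit") for t in range(100)]),
]

def train():
    vectors = [features(to_time_series(recs)) for _, recs in TRAINING]
    return NearestNeighbour().fit(vectors, [label for label, _ in TRAINING])

def classify_session(clf, records):
    return clf.predict(features(to_time_series(records)))

def handle(request, label):
    """Assumed policy: block requests in anomalous sessions, forward the rest."""
    return "block" if label == "anomalous" else "forward"
```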