CPC H04L 63/1425 (2013.01) [G06F 9/547 (2013.01); G06N 20/20 (2019.01); H04L 41/16 (2013.01)]; 20 claims
1. A non-transitory machine readable medium storing instructions, which when executed by one or more processing resources of a cluster of a container orchestration platform, cause an application running within the cluster to:
extract data logged by an application programming interface (API) server of the cluster of the container orchestration platform for each event of a set of events within the cluster, wherein the data includes information regarding a request made to an API exposed by the API server with which the event is associated and a user of a plurality of users associated with the application by which the event was initiated;
combine the data with another data source including, for each API call to an API of the application, information regarding a path of the API call and a user of the plurality of users by which the API call was initiated;
augment the combined data with information indicative of a role of a plurality of user roles associated with the user and an anomaly threshold specified for the role;
learn, by a machine-learning (ML) algorithm, normal behavior of respective roles of the plurality of user roles by processing the augmented data;
responsive to processing of the augmented data for a particular event of the set of events, determine, by the ML algorithm, an anomaly score, indicative of a degree of deviation from the normal behavior of the role, associated with the particular event; and
based on a comparison between the anomaly score and the anomaly threshold specified for the role, trigger a predefined or configurable action.
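The pipeline claim 1 describes (extract API-server audit events, join them with the application's own API log, augment each event with the user's role and that role's threshold, learn a per-role baseline, score each new event and act when the score exceeds the role threshold) as an added worked example. This is illustrative code written for this page, not the patent's implementation: the audit lines follow the real audit.k8s.io/v1 Event shape but are constructed samples, and the application log format, the user-to-role map, the thresholds and the smoothed per-role frequency model standing in for "an ML algorithm" are all assumptions.

```python
"""Role-aware anomaly scoring over K8s API-server audit events joined with app API logs.
Added example; model, log formats, roles and thresholds are assumptions."""
import json
import math
from collections import Counter, defaultdict

ALPHA = 1.0  # Laplace smoothing constant (assumed)


def _audit(user, verb, resource, namespace, uri):
    """Build one audit.k8s.io/v1 Event line (constructed sample, Metadata level)."""
    ref = {"resource": resource, "apiVersion": "v1"}
    if namespace:
        ref["namespace"] = namespace
    return json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
                       "stage": "ResponseComplete", "requestURI": uri, "verb": verb,
                       "user": {"username": user, "groups": ["system:authenticated"]},
                       "objectRef": ref, "responseStatus": {"code": 200}})


# Constructed training sample: what the API server logged during normal operation.
K8S_AUDIT_LINES = (
    [_audit("alice", "get", "pods", "dev", "/api/v1/namespaces/dev/pods/web-1")] * 2
    + [_audit("bob", "get", "pods", "dev", "/api/v1/namespaces/dev/pods/web-2")] * 2
    + [_audit("alice", "list", "pods", "dev", "/api/v1/namespaces/dev/pods")] * 2
    + [_audit("bob", "create", "deployments", "dev", "/apis/apps/v1/namespaces/dev/deployments")] * 2
    + [_audit("carol", "get", "nodes", "", "/api/v1/nodes/node-1")] * 2
    + [_audit("carol", "delete", "pods", "prod", "/api/v1/namespaces/prod/pods/web-9")]
    + [_audit("carol", "get", "secrets", "prod", "/api/v1/namespaces/prod/secrets/db")]
    + [_audit("svc-ci", "create", "deployments", "dev", "/apis/apps/v1/namespaces/dev/deployments")] * 3
)
# Constructed application API access log (the key=value format is an assumption).
APP_API_LINES = (
    ["2024-05-01T10:00:00Z user=alice method=GET path=/api/v1/orders status=200"] * 3
    + ["2024-05-01T11:00:00Z user=bob method=POST path=/api/v1/orders status=201"]
    + ["2024-05-01T12:00:00Z user=carol method=GET path=/api/v1/health status=200"] * 2
)
# Assumed role assignment and per-role thresholds; unknown users get a catch-all
# role whose threshold of 0.0 makes any activity trigger the action.
USER_ROLES = {"alice": "developer", "bob": "developer", "carol": "sre", "svc-ci": "ci-bot"}
ROLE_THRESHOLDS = {"developer": 0.7, "sre": 0.85, "ci-bot": 0.5, "unassigned": 0.0}


def parse_k8s_audit(lines):
    """Extract user and (verb, resource, namespace) from API-server audit events."""
    events = []
    for line in lines:
        ev = json.loads(line)
        ref = ev.get("objectRef", {})
        events.append({"source": "k8s", "user": ev["user"]["username"],
                       "feature": ("k8s", ev["verb"], ref.get("resource", ""), ref.get("namespace", ""))})
    return events


def parse_app_api(lines):
    """Extract user and (method, path) from the application's own API log."""
    events = []
    for line in lines:
        kv = dict(tok.split("=", 1) for tok in line.split()[1:])  # skip the timestamp
        events.append({"source": "app", "user": kv["user"], "feature": ("app", kv["method"], kv["path"])})
    return events


def combine_and_augment(k8s_events, app_events, user_roles, role_thresholds):
    """Merge both sources and attach each user's role plus that role's threshold."""
    out = []
    for ev in k8s_events + app_events:
        role = user_roles.get(ev["user"], "unassigned")
        out.append({**ev, "role": role, "threshold": role_thresholds[role]})
    return out


class RoleBaseline:
    """Per-role categorical model with Laplace smoothing: how often does a role do X?"""

    def fit(self, events):
        self.counts = defaultdict(Counter)
        self.vocab = set()
        for ev in events:
            self.counts[ev["role"]][ev["feature"]] += 1
            self.vocab.add(ev["feature"])
        return self

    def score(self, event):
        """Anomaly score in [0, 1]: 0 = the role does this constantly, 1 = never seen."""
        if not self.vocab:
            return 1.0  # untrained model: everything is novel
        counts = self.counts[event["role"]]
        denom = sum(counts.values()) + ALPHA * (len(self.vocab) + 1)  # +1: unseen bucket
        p = (counts[event["feature"]] + ALPHA) / denom
        p_unseen = ALPHA / denom
        return math.log(p) / math.log(p_unseen)  # normalised negative log-likelihood


def evaluate(event, model, action):
    """Score one augmented event; fire `action` when the score exceeds the role threshold."""
    score = model.score(event)
    decision = {"user": event["user"], "role": event["role"], "feature": event["feature"],
                "score": round(score, 4), "threshold": event["threshold"],
                "triggered": score > event["threshold"]}
    if decision["triggered"]:
        action(decision)
    return decision


def build_model():
    """Train the per-role baseline on the combined, augmented sample logs."""
    events = combine_and_augment(parse_k8s_audit(K8S_AUDIT_LINES), parse_app_api(APP_API_LINES),
                                 USER_ROLES, ROLE_THRESHOLDS)
    return RoleBaseline().fit(events)


def score_new_audit_line(line, model, action=print):
    """Run the whole pipeline for a single new API-server audit line."""
    ev = combine_and_augment(parse_k8s_audit([line]), [], USER_ROLES, ROLE_THRESHOLDS)[0]
    return evaluate(ev, model, action)


if __name__ == "__main__":
    m = build_model()
    secret_read = "/api/v1/namespaces/prod/secrets/db"
    score_new_audit_line(_audit("alice", "get", "secrets", "prod", secret_read), m)  # developer: fires
    score_new_audit_line(_audit("carol", "get", "secrets", "prod", secret_read), m)  # SRE: within baseline
```

The same request (a GET on a production Secret) scores 1.0 for a developer, whose role has never issued it, and 0.75 for an SRE, whose role has; only the first crosses its role's threshold. That is the point of keying both the baseline and the threshold on role rather than on the individual user: a service account or a new hire inherits the behaviour profile of its role on day one.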