| CPC G06F 21/552 (2013.01) [G06F 21/54 (2013.01)] | 17 Claims |
|
1. A method comprising:
receiving training data comprising a plurality of application programming interface (API) requests from a plurality of client devices;
generating a plurality of permissible API sessions based on the training data, wherein each of the permissible API sessions is associated with a corresponding client device of the plurality of client devices and includes a sequence of API requests originating from the corresponding client device;
prior to generating a plurality of embeddings:
determining whether each of the plurality of permissible API sessions includes a threshold number of API requests; and
responsive to determining one or more permissible API sessions included in the plurality of permissible API sessions includes less than the threshold number of API requests, removing the one or more permissible API sessions from the plurality of permissible API sessions;
applying a sequence embedding technique to the plurality of permissible API sessions to generate the plurality of embeddings;
applying a dimensionality reduction technique to the plurality of embeddings to generate a plurality of compact embeddings; and
storing each of the compact embeddings in a space partitioning data structure at storage locations within the space partitioning data structure that are determined based on similarities between the compact embeddings, wherein the space partitioning data structure is searchable to determine whether compact embeddings of future API sessions are abnormal based, at least in part, on a comparison of the compact embeddings of the future API sessions to one or more of the compact embeddings stored in the space partitioning data structure.
|