CPC H04L 63/1425 (2013.01) [H04L 63/1441 (2013.01)] | 17 Claims
1. A system comprising:
(a) a Data Collector and Mediator Unit, to monitor network traffic, and to generate datasets of network traffic; wherein each dataset includes network traffic that was monitored within a time-slot having a particular fixed time-length;
(b) a Predictor Unit, comprising:
a Features Extractor unit, to extract a plurality of features from said datasets;
a Machine Learning (ML) unit, to run said features through a ML model and to classify a particular traffic-portion as being either (I) an anomalous traffic-portion that is associated with fraudulent or malicious activity, or (II) a non-anomalous traffic-portion that is not-associated with fraudulent or malicious activity;
wherein the ML unit operates on both (i) anomalies in traffic patterns, and (ii) anomalies of user behavior or device behavior;
(c) a fraud and malicious activity mitigation unit, configured to trigger activation of one or more pre-defined mitigation operations with regard to traffic-portions that were classified by the ML unit as being anomalous traffic-portions that are associated with fraudulent or malicious activity;
(d) a Machine Learning Re-Training Unit, configured to periodically perform re-training of the ML model used by the ML unit;
(e) an Auto-Encoder Unit comprising a Convolution Neural Network (CNN), configured to apply a convolution to smoothen data of each time series, and to generate a distances vector, and to generate a square matrix corresponding to a recurrent plot image;
wherein the Auto-Encoder Unit is configured to generate said recurrent plot image by converting data into a three-channel format, that corresponds to Red Green Blue (RGB) image format;
wherein the three-channel format comprises:
(I) a first channel which is a Requests Channel, indicating a total number of Internet access requests performed within said time-slot;
(II) a second channel which is a Frequent Categories channel, indicating the N most visited categories of sites or destinations that were accessed during said time-slot, wherein N is a pre-defined integer; and
(III) a third channel which is a Suspicious Categories channel, indicating whether an accessed Internet destination is (i) categorized as associated with fraudulent or malicious activity, or (ii) not categorized as associated or as unassociated with fraudulent or malicious activity.
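
An added illustration of the data flow in element (e), not code from the patent or its applicant: each of the three per-time-slot series is smoothed by convolution, reduced to a distances vector, and unfolded into a square matrix that becomes one channel of an RGB image. The kernel, the absolute-difference metric, the 0..255 scaling, the numeric encoding of each channel and all names and sample values are assumptions.

```python
from itertools import combinations

def smooth(series, kernel=(0.25, 0.5, 0.25)):
    """Smooth a time series by 1-D convolution, padding with the edge values."""
    half = len(kernel) // 2
    padded = [series[0]] * half + list(series) + [series[-1]] * half
    return [sum(k * padded[i + j] for j, k in enumerate(kernel))
            for i in range(len(series))]

def distances_vector(series):
    """Condensed vector of pairwise distances |x_i - x_j| for every i < j."""
    return [abs(a - b) for a, b in combinations(series, 2)]

def square_matrix(dists, n):
    """Unfold a condensed distances vector into a symmetric n x n matrix, 0..255."""
    peak = max(dists, default=0) or 1.0   # avoid division by zero on flat series
    m = [[0] * n for _ in range(n)]
    for (i, j), d in zip(combinations(range(n), 2), dists):
        m[i][j] = m[j][i] = round(255 * d / peak)
    return m

def recurrence_image(requests, frequent, suspicious):
    """Return image[row][col] = (R, G, B), one channel per input series."""
    n = len(requests)
    channels = [square_matrix(distances_vector(smooth(s)), n)
                for s in (requests, frequent, suspicious)]
    return [[tuple(c[i][j] for c in channels) for j in range(n)]
            for i in range(n)]

# Constructed sample: 8 consecutive time-slots for one subscriber.
# Assumed encodings: request count; share of requests going to the N most
# visited categories; 1 if any destination in the slot is categorized suspicious.
REQUESTS = [120, 118, 125, 122, 119, 640, 655, 121]
FREQUENT = [0.80, 0.82, 0.79, 0.81, 0.80, 0.20, 0.18, 0.80]
SUSPICIOUS = [0, 0, 0, 0, 0, 1, 1, 0]

if __name__ == "__main__":
    for row in recurrence_image(REQUESTS, FREQUENT, SUSPICIOUS):
        print(" ".join("%02x%02x%02x" % px for px in row))
```

Slots that behave alike produce dark pixels and slots that differ produce bright ones, so the burst in slots 5 and 6 shows up as bright bands against the quiet baseline in all three channels.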