US 11,973,768 B2
Method and system for detecting malicious payloads
Nicolas Beauchesne, Miami Beach, FL (US); and John Steven Mancini, San Jose, CA (US)
Assigned to Vectra AI, Inc., San Jose, CA (US)
Filed by Vectra AI, Inc., San Jose, CA (US)
Filed on Nov. 24, 2020, as Appl. No. 17/103,882.
Application 17/103,882 is a continuation of application No. 15/702,507, filed on Sep. 12, 2017, abandoned.
Claims priority of provisional application 62/393,596, filed on Sep. 12, 2016.
Prior Publication US 2021/0105290 A1, Apr. 8, 2021
Int. Cl. G06F 21/56 (2013.01); G06N 5/022 (2023.01); H04L 9/40 (2022.01); H04W 12/12 (2021.01); G06N 20/00 (2019.01)
CPC H04L 63/1416 (2013.01) [G06F 21/56 (2013.01); G06N 5/022 (2013.01); H04W 12/12 (2013.01); G06N 20/00 (2019.01); H04L 63/0245 (2013.01); H04L 63/1425 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A system for implementing machine learning using communications over respective unique server and port combinations within a network environment, the system comprising:
a metadata processing element that extracts metadata from network traffic for client-server sessions;
a learning module generating and storing a plurality of behavior models for respective unique combinations of a server and a port from the client-server sessions, a respective behavior model of the plurality of behavior models being generated during a training period by:
storing a first baseline pattern for a first communication of a respective unique combination in the respective behavior model corresponding to the respective unique combination,
comparing one or more additional baseline patterns for one or more additional communications to any existing baseline patterns for the respective unique combination to generate a similarity score, and
storing respective additional baseline patterns for the one or more additional communications of a respective unique combination in the respective behavior model corresponding to the respective unique combination based on the similarity score; and
an update module updating the plurality of behavior models for the respective unique combinations of the server and the port from the client-server sessions, the respective behavior model of the plurality of behavior models being updated outside of the training period by:
comparing one or more new baseline patterns for one or more new communications to any existing baseline patterns for the respective unique combination to generate a similarity score, and
storing respective new baseline patterns for the one or more new communications of a respective unique combination in the respective behavior model corresponding to the respective unique combination based on the similarity score and a threshold number of occurrences, wherein the similarity score is calculated using a Hamming distance between two baseline patterns.
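The claim describes a per-(server, port) learner: one model per unique combination, a training period in which a pattern is stored only if its Hamming-distance similarity to the stored baselines is low enough to count as new behavior, and an update phase in which a novel pattern is flagged until it has recurred a threshold number of times, after which it is added to the baseline. The following Python is an added illustration of that reading and is not code from the patent or from Vectra AI. The patent does not define the baseline pattern format, so the 8-bit encoding of session metadata (size, duration, direction and packet-count buckets), the similarity threshold of 0.75, the occurrence threshold of 3 and all session values are assumptions constructed for the demo.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field


def hamming(a: str, b: str) -> int:
    """Number of positions at which two equal-length bit strings differ."""
    if len(a) != len(b):
        raise ValueError("baseline patterns must have equal length")
    return sum(x != y for x, y in zip(a, b))


def similarity(a: str, b: str) -> float:
    """Similarity score in [0, 1] derived from the Hamming distance; 1.0 means identical."""
    return 1.0 - hamming(a, b) / len(a)


def pattern_from_metadata(meta: dict) -> str:
    """Hypothetical encoding of one session's metadata as an 8-bit baseline pattern.

    The claim does not define the pattern format; this bucketing is an assumption.
    """
    bits = [
        meta["bytes_out"] > 1_000,
        meta["bytes_out"] > 100_000,
        meta["bytes_in"] > 1_000,
        meta["bytes_in"] > 100_000,
        meta["duration_s"] > 1.0,
        meta["duration_s"] > 60.0,
        meta["bytes_out"] > meta["bytes_in"],  # upload-heavy session
        meta["packets"] > 100,
    ]
    return "".join("1" if b else "0" for b in bits)


@dataclass
class BehaviorModel:
    """Baselines learned for one unique (server, port) combination."""
    patterns: list[str] = field(default_factory=list)
    # novel patterns seen outside training that have not yet reached the occurrence threshold
    candidates: dict[str, int] = field(default_factory=lambda: defaultdict(int))


class ServerPortLearner:
    def __init__(self, sim_threshold: float = 0.75, occurrence_threshold: int = 3):
        self.sim_threshold = sim_threshold          # assumed value
        self.occurrence_threshold = occurrence_threshold  # assumed value
        self.models: dict[tuple[str, int], BehaviorModel] = defaultdict(BehaviorModel)

    def _best_similarity(self, model: BehaviorModel, pattern: str) -> float:
        # 0.0 for an empty model, so the first pattern of a combination is always stored
        return max((similarity(pattern, p) for p in model.patterns), default=0.0)

    def train(self, meta: dict) -> None:
        """Training period: store the pattern unless it already resembles a stored baseline."""
        model = self.models[(meta["server"], meta["port"])]
        pattern = pattern_from_metadata(meta)
        if self._best_similarity(model, pattern) < self.sim_threshold:
            model.patterns.append(pattern)

    def observe(self, meta: dict) -> str:
        """Outside training: 'known', 'anomalous', or 'learned' once a novel pattern recurs enough."""
        model = self.models[(meta["server"], meta["port"])]
        pattern = pattern_from_metadata(meta)
        if self._best_similarity(model, pattern) >= self.sim_threshold:
            return "known"
        model.candidates[pattern] += 1
        if model.candidates[pattern] >= self.occurrence_threshold:
            model.patterns.append(pattern)   # promoted to a stored baseline
            del model.candidates[pattern]
            return "learned"
        return "anomalous"


def run_demo() -> tuple[ServerPortLearner, list[str]]:
    """Constructed session metadata: three training sessions, then four live ones."""
    srv = {"server": "10.0.0.5", "port": 443}
    training = [
        dict(srv, bytes_out=800, bytes_in=5_000, duration_s=0.4, packets=20),
        dict(srv, bytes_out=1_200, bytes_in=8_000, duration_s=0.9, packets=30),   # near-duplicate, not stored
        dict(srv, bytes_out=900, bytes_in=150_000, duration_s=3.0, packets=150),  # large download: new baseline
    ]
    upload = dict(srv, bytes_out=500_000, bytes_in=2_000, duration_s=120.0, packets=4_000)
    live = [dict(srv, bytes_out=700, bytes_in=4_000, duration_s=0.3, packets=15), upload, upload, upload]
    learner = ServerPortLearner()
    for meta in training:
        learner.train(meta)
    return learner, [learner.observe(meta) for meta in live]


if __name__ == "__main__":
    learner, verdicts = run_demo()
    print(learner.models[("10.0.0.5", 443)].patterns, verdicts)
```

The occurrence threshold is what separates a one-off outlier from a genuine change in how the server and port are used: the upload-heavy session is reported as anomalous on its first two appearances and only becomes part of the baseline on the third, so the model adapts without a single unusual session rewriting it.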