CPC H04L 63/1441 (2013.01); 18 Claims
1. A method comprising:
analyzing a plurality of attacks detected by a machine learning (ML) web application firewall (WAF) to determine a set of attacks of the plurality of attacks that were not identified as an attack by a rule-based WAF;
for each attack of the set of attacks that were not identified as an attack by the rule-based WAF, determining feature contribution data of the attack;
grouping, using a clustering algorithm, the set of attacks into one or more clusters based on feature contribution data of each of the set of attacks; and
for each of the one or more clusters:
determining, by a processing device, one or more features that have a high feature contribution to an attack probability of at least a threshold number of attacks of the cluster, wherein the high feature contribution of the one or more features is identified either as
a) top contributing features in a number of split classification requests that is higher than a threshold number of the split classification requests, or
b) features whose contribution to the attack probability is higher than a mean contribution of all of the one or more features in the number of the split classification requests that is higher than the threshold number of the split classification requests;
identifying, by the processing device, a new attack vector based on the one or more features of each attack in the cluster; and
generating a new rule for use by the rule-based WAF to identify the new attack vector.
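The claimed procedure worked end to end, as an added example that is not part of the patent text or any vendor's implementation: requests flagged only by the ML WAF are clustered on their feature-contribution vectors, each cluster is reduced to the features meeting criterion a) (top contributor) or b) (above the per-request mean contribution) in more than a threshold number of requests, and a candidate rule is emitted per cluster. Feature names, contribution values and the rule format are constructed assumptions.

```python
"""Added example (not from the patent): derive candidate rule-based WAF rules
from ML-WAF detections the rule-based WAF missed, via clustering of
feature-contribution vectors. All names and values below are constructed."""
from collections import Counter
from typing import List

# Constructed sample: per-request contribution of each feature to the ML WAF's
# attack probability (SHAP-style values), for requests only the ML WAF flagged.
FEATURES = ["sqli_kw", "quote_count", "path_depth", "b64_frag"]
MISSED = [
    {"id": "r1", "contrib": [0.6, 0.3, 0.0, 0.0]},
    {"id": "r2", "contrib": [0.5, 0.4, 0.1, 0.0]},
    {"id": "r3", "contrib": [0.0, 0.0, 0.5, 0.4]},
    {"id": "r4", "contrib": [0.1, 0.0, 0.4, 0.5]},
]


def kmeans(points: List[List[float]], k: int, iters: int = 20) -> List[int]:
    """Plain k-means on contribution vectors; deterministic init for reproducibility."""
    n = len(points)
    centroids = [points[i * n // k][:] for i in range(k)]
    labels = [0] * n
    for _ in range(iters):
        new = [min(range(k), key=lambda c: sum((a - b) ** 2 for a, b in zip(p, centroids[c])))
               for p in points]
        if new == labels:
            break
        labels = new
        for c in range(k):
            members = [points[i] for i in range(n) if labels[i] == c] or [centroids[c]]
            centroids[c] = [sum(col) / len(members) for col in zip(*members)]
    return labels


def high_contribution_features(cluster: List[List[float]], min_requests: int, criterion: str) -> List[str]:
    """'top': feature is the single largest contributor in more than min_requests requests.
    'mean': feature exceeds the request's mean feature contribution in more than min_requests."""
    hits = Counter()
    for contrib in cluster:
        if criterion == "top":
            hits[max(range(len(contrib)), key=contrib.__getitem__)] += 1
        else:
            mean = sum(contrib) / len(contrib)
            hits.update(i for i, v in enumerate(contrib) if v > mean)
    return [FEATURES[i] for i in range(len(FEATURES)) if hits[i] > min_requests]


def generate_rules(requests, k=2, min_requests=1, criterion="mean"):
    """One candidate rule per cluster; mapping a feature to a concrete WAF match
    condition is deployment-specific, so the rule stays symbolic (assumption)."""
    labels = kmeans([r["contrib"] for r in requests], k)
    rules = []
    for c in range(k):
        members = [r for r, lab in zip(requests, labels) if lab == c]
        feats = high_contribution_features([m["contrib"] for m in members], min_requests, criterion)
        if feats:  # no feature shared across the cluster -> no rule (avoids one-off rules)
            rules.append({"cluster": c, "match_features": feats, "support": [m["id"] for m in members]})
    return rules
```

With the sample above, criterion b) yields a rule for both clusters, while criterion a) yields none for the second cluster because its members have different single top contributors.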