	US 11,736,505 B2
	Automated web traffic anomaly detection
John Hearty, Vancouver (CA); Jake Madison, Vancouver (CA); Zhi-Ping Ng, New Westminister (CA); and Nicholas Desmond, Port Moody (CA)
Assigned to MASTERCARD TECHNOLOGIES CANADA ULC, Vancouver (CA)
Filed by MASTERCARD TECHNOLOGIES CANADA ULC, Vancouver (CA)
Filed on Feb. 5, 2021, as Appl. No. 17/168,364.
Claims priority of provisional application 62/971,352, filed on Feb. 7, 2020.
Prior Publication US 2021/0250368 A1, Aug. 12, 2021
Int. Cl. H04L 9/40 (2022.01)

CPC H04L 63/1425 (2013.01) [H04L 63/1416 (2013.01); H04L 63/1466 (2013.01); H04L 63/20 (2013.01)]

20 Claims

1. An anomaly detection system comprising:

a database; and

a server connected to the database, the server configured to identify anomalous web traffic of a client key from a first time period, the server including a processing unit and a memory, the server configured to:

receive the web traffic data from the database,

calculate, using the processing unit, a z-score metric for the client key, wherein the z-score metric indicates a deviation of at least one value of a first attribute of the client key with respect to other values of the first attribute (i) of the client key from other time periods or (ii) of other client keys,

calculate, using the processing unit, a change rate metric for the client key based on the at least one value of the first attribute from the first time period compared to another value of the first attribute of the client key from another time period,

calculate, using the processing unit, a failure metric for the client key, and

determine that the first time period is an anomalous time period based on the z-score metric, the change rate metric, and the failure metric.