| CPC H04L 63/1425 (2013.01) [G06N 3/08 (2013.01); H04L 63/1416 (2013.01)] | 20 Claims |

|
1. A system comprising:
a plurality of nodes, wherein a first node comprises:
a memory configured to store:
a request rate threshold; and
a block list, wherein the block list comprises a list of malicious parameter values associated with parameters of malicious requests, and wherein a malicious request comprises a request that originates from a malicious user; and
a processor communicatively coupled to the memory, the processor configured to implement a neural network module, wherein the processor is configured to:
intercept a plurality of requests directed to a service provider system from a respective geographical region for a first duration, wherein each request comprises a request for a service from the service provider system;
analyze the plurality of requests to identify authenticated requests from the plurality of requests, wherein the authenticated requests originate from one or more authenticated users;
identify remaining requests as suspicious requests;
analyze each suspicious request to determine respective geolocation information of a respective location from which each suspicious request originates;
group the suspicious requests into a plurality of request groups based on the determined geolocation information, wherein:
a first request group is associated with a first geolocation information and comprises a first plurality of suspicious requests associated with the first geolocation information; and
a second request group is associated with a second geolocation information and comprises a second plurality of suspicious requests associated with the second geolocation information, wherein the second geolocation information is different from the first geolocation information;
determine a first rate of requests for the first request group;
determine a second rate of requests for the second request group; and
in response to determining that the first rate of requests for the first request group is less than or equal to the request rate threshold:
analyze parameters of a first suspicious request of the first request group to determine values of the parameters of the first suspicious request; and
in response to determining that the value of the parameters of the first suspicious request do not match with respective malicious parameter values:
analyze the first suspicious request using the neural network module to identify if the first suspicious request is legitimate or malicious; and
in response to identifying that the first suspicious request is malicious:
send a first notification that the first suspicious request is identified as malicious;
add the values of the parameters of the first suspicious request to the block list; and
synchronize the block list with other nodes of the plurality of nodes.
|
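The flow recited in claim 1, sketched for a single node as an added example (not code from the patent). `Request`, `triage`, the toy `classify` rule standing in for the neural network module, and the sample traffic are all constructed. It assumes that a match on any one parameter value counts as a block-list match, and it only labels groups above the threshold, since claim 1 does not say how they are handled.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    geo: str                     # geolocation the request originates from
    params: tuple                # ((name, value), ...) parameters of the request
    authenticated: bool = False

def triage(requests, window_s, rate_threshold, block_list, peers, classify):
    """Process one interception window; returns (verdicts, notifications).

    block_list and each entry of peers are sets of (name, value) pairs.
    classify stands in for the neural network module (True = malicious).
    """
    groups = defaultdict(list)
    for req in requests:
        if not req.authenticated:            # remaining requests are suspicious
            groups[req.geo].append(req)      # group by geolocation

    verdicts, notifications = [], []
    for geo, group in groups.items():
        rate = len(group) / window_s         # requests per second for this group
        if rate > rate_threshold:
            # Claim 1 only recites the at-or-below-threshold branch.
            verdicts += [(req, "rate_exceeded") for req in group]
            continue
        for req in group:
            if block_list.intersection(req.params):   # assumption: any value matching
                verdicts.append((req, "blocklist_match"))
            elif classify(req):
                notifications.append(f"malicious request from {geo}: {dict(req.params)}")
                block_list.update(req.params)         # add its parameter values
                for peer in peers:                    # synchronize with other nodes
                    peer.update(block_list)
                verdicts.append((req, "malicious"))
            else:
                verdicts.append((req, "legitimate"))
    return verdicts, notifications

def demo():
    # Constructed traffic for a 10 s window; classifier is a toy rule, not a model.
    classify = lambda r: dict(r.params).get("path", "").endswith("/admin")
    reqs = [Request("region-A", (("ua", "bot/1.0"), ("path", "/admin"))),
            Request("region-A", (("ua", "bot/1.0"), ("path", "/home"))),
            Request("region-A", (("ua", "curl"), ("path", "/home"))),
            Request("region-C", (("ua", "browser"), ("path", "/")), True)]
    reqs += [Request("region-B", (("ua", "flood"), ("path", "/")))] * 6
    local, peer = set(), set()
    verdicts, notes = triage(reqs, 10, 0.5, local, [peer], classify)
    return [v for _, v in verdicts], notes, local, peer
```

In the sample run the second region-A request never reaches the classifier: it shares a parameter value that the first request just added to the block list.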