US 12,132,744 B2
Method for processing web requests
David Fricker, Manchester (GB); Matthew Jackson, Manchester (GB); John Modin, Manchester (GB); Matthew Wedge-Roberts, Manchester (GB); and Georgios Soteriou, Manchester (GB)
Assigned to NETACEA LIMITED, Manchester (GB)
Filed by NETACEA LIMITED, Manchester (GB)
Filed on Jan. 11, 2022, as Appl. No. 17/572,738.
Claims priority of application No. 2100372 (GB), filed on Jan. 12, 2021.
Prior Publication US 2022/0222302 A1, Jul. 14, 2022
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/1408 (2013.01)
12 Claims
 
1. A method of processing web requests directed to a website, the method including, at a system for processing web requests:
(i) for each of a plurality of web requests directed to a website, determining a request vector corresponding to the web request by applying a hash function to each web request to convert multiple predetermined features of each request into a request vector of a predefined size using hash values output by the hash function as indices of the request vector, wherein each request vector represents the multiple predetermined features of the respective web request;
(ii) clustering the request vectors by respectively assigning each request vector to one of a plurality of clusters using a clustering algorithm such that request vectors deemed to be similar to each other are assigned to a same cluster of the plurality of clusters;
(iii) repeatedly updating the clustering of request vectors using the clustering algorithm such that the plurality of clusters dynamically change over time;
(iv) monitoring cluster metadata associated with each cluster as the plurality of clusters dynamically change over time, wherein the monitored cluster metadata associated with each cluster represents a current state of the cluster;
(v) identifying, based on the monitoring, any cluster meeting a predetermined anomaly criterion indicating that the cluster is displaying anomalous behaviour; and
(vi) triggering an investigation of a cluster identified as meeting the predetermined anomaly criterion,
wherein cluster metadata associated with each cluster includes a cluster vector based on the request vectors represented by the respective cluster, and a cluster weight based on a number of request vectors represented by the respective cluster, and
wherein updating the clustering of the request vectors includes:
updating the cluster metadata to reflect a current state of the cluster by applying a time decay algorithm to each cluster vector, wherein the time decay algorithm causes a magnitude of the cluster vector to decay with time; and
for each cluster vector: discarding a value of one or more indices of the cluster vector when the value is deemed insignificant.
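
Steps (i) to (v) and the decay and discard limitations of claim 1, sketched as an added Python example that is not code from the patent or from the assignee. SHA-256 feature hashing, cosine-similarity assignment, half-life exponential decay, the weight-based anomaly criterion, the feature names and all tuning constants are assumptions chosen for illustration.

```python
import hashlib
import math

FEATURES = ("method", "path", "user_agent", "accept_language")  # assumed feature set
SIZE, HALF_LIFE, SIMILARITY, EPSILON, ALERT_WEIGHT = 32, 60.0, 0.7, 0.05, 5.0  # assumed

def request_vector(req):  # feature hashing: hash of each feature=value picks the index
    vec = {}  # sparse vector: index -> value
    for name in FEATURES:
        digest = hashlib.sha256(f"{name}={req.get(name, '')}".encode()).digest()
        idx = int.from_bytes(digest[:4], "big") % SIZE
        vec[idx] = vec.get(idx, 0.0) + 1.0
    return vec

def cosine(a, b):
    dot = sum(v * b.get(i, 0.0) for i, v in a.items())
    norm = math.sqrt(sum(v * v for v in a.values()) * sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

class Clusters:
    def __init__(self):
        self.items = []  # each cluster: {"vec": sparse vector, "weight": float, "seen": time}

    def decay(self, now):  # time decay, then discard insignificant indices
        for c in self.items:
            f = math.exp(-math.log(2) * (now - c["seen"]) / HALF_LIFE)
            c["vec"] = {i: v * f for i, v in c["vec"].items() if v * f >= EPSILON}
            c["weight"], c["seen"] = c["weight"] * f, now
        self.items = [c for c in self.items if c["vec"]]  # drop fully decayed clusters

    def add(self, req, now):
        vec = request_vector(req)
        self.decay(now)
        best = max(self.items, key=lambda c: cosine(vec, c["vec"]), default=None)
        if best is None or cosine(vec, best["vec"]) < SIMILARITY:
            best = {"vec": {}, "weight": 0.0, "seen": now}
            self.items.append(best)
        for i, v in vec.items():
            best["vec"][i] = best["vec"].get(i, 0.0) + v
        best["weight"] += 1.0

    def anomalous(self):  # assumed criterion: decayed weight reaches ALERT_WEIGHT
        return [c for c in self.items if c["weight"] >= ALERT_WEIGHT]

def demo():  # constructed traffic: six identical scripted requests, one second apart
    clusters, bot = Clusters(), {"method": "POST", "path": "/login", "user_agent": "x/1.0"}
    for t in range(6):
        clusters.add(bot, float(t))
    return clusters.anomalous()
```

Because the cluster weight decays along with the vector, a burst of near-identical requests crosses the threshold while the same number of requests spread over many half-lives does not.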