| CPC H04L 63/1416 (2013.01) [H04L 63/20 (2013.01)] | 17 Claims |
|
1. A method comprising:
determining one or more access attempts of a compute resource, wherein a first stage classifier is associated with the compute resource;
determining, based on the first stage classifier operating on the one or more access attempts, a security event indicative of a possible cyberattack on the compute resource, wherein the first stage classifier generates security events that indicates possible cyberattacks based on one or more of statistical analysis, textual analysis, or signature matching applied to individual access attempts;
in response to the determination of the possible cyberattack by the first stage classifier:
determining, from among a plurality of second stage classifiers, a second stage classifier associated with a first period of time, wherein
the plurality of second stage classifiers comprise a classifier that operates on event data periods of five seconds or less and another classifier that operates on event periods of more than five seconds;
aggregating multiple security events in the first period of time into a security event dataset, wherein the security event is in the first period of time;
determining, based on the second stage classifier operating on the security event dataset associated with the first period of time, a cyberattack on the compute resource; and
blocking the cyberattack or one or more subsequent access attempts associated with the cyberattack based on the determination of the cyberattack by the second stage classifier.
|