US 12,488,096 B2
Realtime identity attack detection and remediation
M Krishnakant Achary, Malkangiri (IN); Priti P Patil, Pune (IN); Ritesh Kumar, Pune (IN); Rashmiranjan Pradhan, Irving, TX (US); Srinivas Babu Tummalapenta, Broomfield, CO (US); and Sridhar Muppidi, Austin, TX (US)
Assigned to International Business Machines Corporation, Armonk, NY (US)
Filed by International Business Machines Corporation, Armonk, NY (US)
Filed on Sep. 13, 2023, as Appl. No. 18/466,093.
Prior Publication US 2025/0086271 A1, Mar. 13, 2025
Int. Cl. G06F 21/55 (2013.01); G06N 3/0455 (2023.01)
CPC G06F 21/552 (2013.01) [G06F 2221/034 (2013.01); G06N 3/0455 (2023.01)] 17 Claims
OG exemplary drawing
 
1. A computer-implemented method, the method comprising:
receiving login event data of a customer for a predetermined time period, wherein the login event data comprises login requests;
labeling each login request of the event data as non-anomalous or anomalous;
performing aggregate feature extraction for each login request using a queue-based mechanism to extract and calculate, in real-time, aggregated features of login requests in a most recent hourly segment of the login event data, wherein the aggregated features comprise failure count per IP address, failure percentage per IP address, failure percent per customer in last x minutes, and number of failed login attempts after a last successful login per user;
filtering data of anomalous login requests from data of non-anomalous login requests;
training an autoencoder machine learning (ML) model using the data of non-anomalous login requests to learn non-anomalous login request behavior, wherein the data of non-anomalous login requests comprises aggregated features of the non-anomalous login requests, and wherein output from the autoencoder ML model comprises root mean square error (RMSE) values for each input login request;
passing the data of anomalous login requests through the trained autoencoder ML model to obtain enriched data comprising the data of anomalous login requests with corresponding RMSE values; and
training a classifier model using the enriched data to identify anomalous login requests and output a classification with corresponding confidence value.
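The queue-based aggregate feature extraction step described in the claim, as an added Python example that is not part of the patent or of IBM's implementation: a FIFO deque holds the most recent hourly segment of login requests, events older than the window are evicted from the front on every arrival, and the four aggregated features are recomputed for each incoming request. The event tuple layout, the one-hour window, the x = 10 minute customer window and the sample events are assumptions.

```python
from collections import deque, defaultdict

WINDOW_SECONDS = 3600   # "most recent hourly segment" from the claim
X_MINUTES = 10          # assumed value for "last x minutes"


class LoginFeatureExtractor:
    """Sliding-window aggregation over login events.

    Events are (ts_seconds, customer, ip, user, success). observe() evicts
    expired events from the left of the queue, appends the new one, and
    returns the aggregated features for that request in real time.
    """

    def __init__(self, window=WINDOW_SECONDS, x_minutes=X_MINUTES):
        self.window = window
        self.x_window = x_minutes * 60
        self.events = deque()                  # FIFO queue of the hourly segment
        self.ip_total = defaultdict(int)
        self.ip_fail = defaultdict(int)
        self.fails_since_success = defaultdict(int)  # per user; reset on success, not windowed

    def _evict(self, now):
        while self.events and self.events[0][0] < now - self.window:
            _ts, _cust, ip, _user, ok = self.events.popleft()
            self.ip_total[ip] -= 1
            if not ok:
                self.ip_fail[ip] -= 1

    def observe(self, ts, customer, ip, user, success):
        self._evict(ts)
        self.events.append((ts, customer, ip, user, success))
        self.ip_total[ip] += 1
        if success:
            self.fails_since_success[user] = 0
        else:
            self.ip_fail[ip] += 1
            self.fails_since_success[user] += 1
        # failure percent per customer over the last x minutes (scan of the short queue)
        recent = [e for e in self.events if e[1] == customer and e[0] >= ts - self.x_window]
        cust_fail_pct = 100.0 * sum(1 for e in recent if not e[4]) / len(recent)
        return {
            "fail_count_ip": self.ip_fail[ip],
            "fail_pct_ip": 100.0 * self.ip_fail[ip] / self.ip_total[ip],
            "fail_pct_customer_x_min": cust_fail_pct,
            "fails_after_last_success_user": self.fails_since_success[user],
        }


def extract_features(events, **kw):
    """Return one feature row per login request, in arrival order."""
    ext = LoginFeatureExtractor(**kw)
    return [ext.observe(*e) for e in events]


# Constructed sample login requests: (ts, customer, ip, user, success)
SAMPLE_EVENTS = [
    (0, "acme", "198.51.100.7", "alice", True),
    (60, "acme", "198.51.100.7", "bob", False),
    (120, "acme", "198.51.100.7", "bob", False),
    (180, "acme", "198.51.100.7", "carol", False),
    (4000, "acme", "198.51.100.7", "bob", False),  # over an hour later: earlier events evicted
]
```

The last row shows the difference between windowed and non-windowed features: the per-IP counts restart after eviction, while bob's failures-since-last-success keep accumulating because he never logged in successfully.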