Methods for detecting and mitigating malicious network behavior and devices thereof
Abstract
Methods, non-transitory computer readable media, anomaly detection apparatuses, and network traffic management systems that generate, based on the application of one or more models and for a first flow associated with a received first set of network traffic, one or more likelihood scores and at least one flow score based on the likelihood scores. One or more of the one or more models are associated with one or more browsing patterns for a web application to which the first set of network traffic is directed. A determination is made when the flow score exceeds a threshold. A mitigation action is initiated, based on a stored policy, with respect to the first set of network traffic, when the determination indicates that the flow score exceeds the established threshold.
16 Claims
1. A method for network security implemented by a network traffic management system comprising one or more anomaly detection apparatuses, server devices, or client devices, the method comprising:
receiving a first set of network traffic;
applying a web application model and an anomaly detection model to the received first set of network traffic to generate, respectively, one or more likelihood scores and at least one flow score based on the likelihood scores, wherein sub-models of the web application model are associated with one or more browsing patterns for a web application to which the first set of network traffic is directed;
determining when the flow score exceeds a threshold; and
initiating, based on a stored policy, a mitigation action with respect to the first set of network traffic, when the determination indicates that the flow score exceeds the threshold.
Dependent claims: 2, 3, 4.
5. A non-transitory computer readable medium having stored thereon instructions for network security comprising executable code which when executed by one or more processors, causes the one or more processors to:
apply a web application model and an anomaly detection model to a received first set of network traffic to generate, respectively, one or more likelihood scores and at least one flow score based on the likelihood scores, wherein sub-models of the web application model are associated with one or more browsing patterns for a web application to which the first set of network traffic is directed;
determine when the flow score exceeds a threshold; and
initiate, based on a stored policy, a mitigation action with respect to the first set of network traffic, when the determination indicates that the flow score exceeds the threshold.
Dependent claims: 6, 7, 8.
9. An anomaly detection apparatus, comprising:
memory comprising programmed instructions stored thereon; and
one or more processors configured to be capable of executing the stored programmed instructions to:
apply a web application model and an anomaly detection model to a received first set of network traffic to generate, respectively, one or more likelihood scores and at least one flow score based on the likelihood scores, wherein sub-models of the web application model are associated with one or more browsing patterns for a web application to which the first set of network traffic is directed;
determine when the flow score exceeds a threshold; and
initiate, based on a stored policy, a mitigation action with respect to the first set of network traffic, when the determination indicates that the flow score exceeds the threshold.
Dependent claims: 10, 11, 12.
13. A network traffic management system, comprising:
one or more anomaly detection apparatuses, server devices, or client devices with memory comprising programmed instructions stored thereon and one or more processors configured to be capable of executing the stored programmed instructions to:
apply a web application model and an anomaly detection model to a received first set of network traffic to generate, respectively, one or more likelihood scores and at least one flow score based on the likelihood scores, wherein sub-models of the web application model are associated with one or more browsing patterns for a web application to which the first set of network traffic is directed;
determine when the flow score exceeds a threshold; and
initiate, based on a stored policy, a mitigation action with respect to the first set of network traffic, when the determination indicates that the flow score exceeds the threshold.
Dependent claims: 14, 15, 16.
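The four independent claims above all describe the same pipeline: a web application model whose sub-models encode browsing patterns yields one likelihood score per request, an anomaly detection model collapses those likelihoods into a flow score, and a stored policy decides the mitigation once the flow score crosses a threshold. The following is an added illustration of that pipeline; it is not code from the patent or its assignee, and the claims do not fix how any of the models are built. Everything below the claim language is an assumption: each sub-model is a first-order transition table over request paths (one table per browsing pattern), the anomaly detection model is the mean negative log-likelihood of the flow, and the stored policy, the shop sub-models, and the three sample flows are constructed for the example.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Transition = Tuple[str, str]   # (previous request path, next request path)
START = "<start>"              # pseudo-path preceding the first request of a flow


@dataclass
class BrowsingPatternSubModel:
    """One sub-model of the web application model: a first-order transition
    table over request paths for a single browsing pattern. This is an assumed
    model form; the claims do not specify how sub-models are constructed."""
    name: str
    transitions: Dict[Transition, float]   # P(next path | previous path), learned offline
    floor: float = 1e-4                    # likelihood given to transitions never seen in training

    def likelihood(self, prev_path: str, next_path: str) -> float:
        return self.transitions.get((prev_path, next_path), self.floor)


class WebApplicationModel:
    """Produces one likelihood score per request in the flow."""

    def __init__(self, sub_models: List[BrowsingPatternSubModel]):
        self.sub_models = sub_models

    def likelihood_scores(self, paths: List[str]) -> List[float]:
        scores, prev = [], START
        for path in paths:
            # A request is as likely as the best-fitting browsing pattern says it is.
            scores.append(max(sm.likelihood(prev, path) for sm in self.sub_models))
            prev = path
        return scores


def anomaly_flow_score(likelihoods: List[float]) -> float:
    """Anomaly detection model (assumed form): mean negative log-likelihood.
    A flow of expected transitions scores near 0; a flow of never-seen
    transitions scores near -ln(floor), about 9.2 for floor = 1e-4."""
    return -sum(math.log(l) for l in likelihoods) / len(likelihoods)


# Stored policy (constructed): the threshold the flow score is compared against
# and how the mitigation action is chosen once it is exceeded.
STORED_POLICY = {
    "threshold": 2.0,
    "block_multiplier": 3.0,   # score > threshold * multiplier -> block, otherwise rate-limit
}


@dataclass
class FlowVerdict:
    likelihoods: List[float]
    flow_score: float
    action: Optional[str]      # None when the threshold is not exceeded


def evaluate_flow(paths: List[str], model: WebApplicationModel, policy: dict) -> FlowVerdict:
    """Apply both models to one flow, compare against the threshold, and pick
    the mitigation action from the stored policy."""
    likelihoods = model.likelihood_scores(paths)
    score = anomaly_flow_score(likelihoods)
    action = None
    if score > policy["threshold"]:
        action = "block" if score > policy["threshold"] * policy["block_multiplier"] else "rate_limit"
    return FlowVerdict(likelihoods, score, action)


# Constructed sub-models for a hypothetical shop; the probabilities stand in
# for values that would be learned from benign traffic.
SHOPPER = BrowsingPatternSubModel("shopper", {
    (START, "/"): 0.9, ("/", "/catalog"): 0.7, ("/catalog", "/item"): 0.8,
    ("/item", "/cart"): 0.5, ("/cart", "/checkout"): 0.6,
})
ACCOUNT = BrowsingPatternSubModel("account", {
    (START, "/login"): 0.8, ("/login", "/account"): 0.9, ("/account", "/orders"): 0.6,
})
MODEL = WebApplicationModel([SHOPPER, ACCOUNT])

# Constructed flows: request paths in order of arrival from one client.
NORMAL_FLOW = ["/", "/catalog", "/item", "/cart", "/checkout"]
ODD_FLOW = ["/", "/catalog", "/orders", "/catalog"]    # two transitions no pattern predicts
SCRAPER_FLOW = ["/item", "/item", "/item", "/item"]    # nothing any pattern predicts

if __name__ == "__main__":
    for name, flow in [("normal", NORMAL_FLOW), ("odd", ODD_FLOW), ("scraper", SCRAPER_FLOW)]:
        v = evaluate_flow(flow, MODEL, STORED_POLICY)
        print(f"{name:8s} score={v.flow_score:.2f} action={v.action}")
```

Two design points worth noting. Taking the maximum likelihood across sub-models means a request only needs to fit one browsing pattern to be considered expected, which is what lets several legitimate usage patterns coexist without each penalising the other. The floor probability is what turns a never-seen transition into a bounded penalty rather than a log of zero, and its value effectively sets how many unexpected requests a flow can contain before the mean crosses the threshold; choose it, and the threshold, from benign traffic rather than by guesswork, or the policy will either fire on every new feature release or never fire at all.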
Specification