FRAMEWORK FOR EXPLAINING ANOMALIES IN ACCESSING WEB APPLICATIONS
First Claim
1. A method for characterizing anomalous network traffic, comprising:
receiving, by a device intermediary to a plurality of clients and a plurality of servers, network traffic, the network traffic including an anomaly;
determining, by the device, whether the network traffic satisfies at least one of the rules of a univariate policy based on a respective single independent network traffic feature;
determining, by the device, responsive to determining that the network traffic does not satisfy at least one of the rules of the univariate policy, that the network traffic satisfies a multivariate policy including a plurality of anomaly explanation tests;
selecting, by the device, responsive to determining that the network traffic satisfies the multivariate policy, an anomaly explanation; and
generating, by the device, an anomaly explanation output including the selected anomaly explanation.
Abstract
The present disclosure is directed towards systems and methods for characterizing anomalous network traffic. The system includes a device intermediary to clients and servers. The device includes a network traffic engine to receive network traffic including an anomaly. The device includes a univariate policy manager to determine whether the network traffic satisfies at least one of the rules of a univariate policy based on a respective single independent network traffic feature. The device includes a multivariate policy manager to determine, responsive to determining that the network traffic does not satisfy the rules of the univariate policy, that the network satisfies a multivariate policy including a plurality of anomaly explanation tests. The device includes an anomaly explanation selector to select, responsive to determining that the network traffic satisfies the multivariate policy, an anomaly explanation. The device includes a message generator to generate an anomaly explanation output including the selected anomaly explanation.
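The two-stage flow the abstract describes, as an added Python example that is not code from the patent. The feature names, thresholds, scoring functions, the `MIN_SCORE` cutoff and the rule of selecting the highest-scoring test are all assumptions, since the page specifies none of them.

```python
from dataclasses import dataclass
from typing import Callable

# Every feature name, threshold and explanation string here is constructed
# for illustration; the page does not name any of them.
Features = dict  # feature name -> numeric value for one flagged traffic window

@dataclass
class UnivariateRule:
    feature: str          # exactly one independent traffic feature
    limit: float
    explanation: str
    def satisfied(self, f: Features) -> bool:
        return f[self.feature] > self.limit

@dataclass
class ExplanationTest:
    explanation: str
    score: Callable[[Features], float]  # combines several features, 0..1

UNIVARIATE = [
    UnivariateRule("requests_per_min", 600, "request rate above limit"),
    UnivariateRule("error_ratio", 0.5, "error ratio above limit"),
]
MULTIVARIATE = [
    ExplanationTest("many distinct URLs at a moderate rate",
        lambda f: min(f["distinct_urls"] / 200, 1) * min(f["requests_per_min"] / 300, 1)),
    ExplanationTest("large transfer volume over few requests",
        lambda f: min(f["bytes_out_mb"] / 500, 1) * (1 - min(f["requests_per_min"] / 300, 1))),
]
MIN_SCORE = 0.5  # assumed: the multivariate policy is satisfied at or above this

def explain(f: Features) -> dict:
    """Build the explanation output for traffic already flagged as anomalous."""
    for rule in UNIVARIATE:                      # stage 1: single-feature rules
        if rule.satisfied(f):
            return {"stage": "univariate", "explanation": rule.explanation}
    score, text = max((t.score(f), t.explanation) for t in MULTIVARIATE)
    if score >= MIN_SCORE:                       # stage 2: combined-feature tests
        return {"stage": "multivariate", "explanation": text, "score": round(score, 2)}
    return {"stage": "none", "explanation": "unexplained"}

# Constructed sample windows (not real traffic).
BURST = {"requests_per_min": 900, "error_ratio": 0.01, "distinct_urls": 12, "bytes_out_mb": 4}
SPREAD = {"requests_per_min": 240, "error_ratio": 0.02, "distinct_urls": 180, "bytes_out_mb": 20}
QUIET = {"requests_per_min": 30, "error_ratio": 0.0, "distinct_urls": 5, "bytes_out_mb": 10}

if __name__ == "__main__":
    for name, window in (("BURST", BURST), ("SPREAD", SPREAD), ("QUIET", QUIET)):
        print(name, explain(window))
```

The `SPREAD` window is the case the multivariate stage exists for: no single feature crosses its limit, yet the combination of features supports an explanation.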
20 Claims
12. A system for characterizing anomalous network traffic, comprising:
a device intermediary to a plurality of clients and a plurality of servers, the device including:
a network traffic engine configured to receive network traffic, the network traffic including an anomaly;
a univariate policy manager configured to determine whether the network traffic satisfies at least one of the rules of a univariate policy based on a respective single independent network traffic feature;
a multivariate policy manager configured to determine, responsive to determining that the network traffic does not satisfy at least one of the rules of the univariate policy, that the network satisfies a multivariate policy including a plurality of anomaly explanation tests;
an anomaly explanation selector configured to select, responsive to determining that the network traffic satisfies the multivariate policy, an anomaly explanation; and
a message generator configured to generate an anomaly explanation output including the selected anomaly explanation.
Specification