Abstract: In one set of embodiments, a computer system can receive one or more application programming interface (API) call traces comprising metadata of API calls made by a microservice-based application and can evaluate the one or more API call traces against a baseline of normal API call behavior for the application. The computer system can then generate, based on the evaluation, a prediction for each of the one or more API call traces indicating whether the API call corresponding to the API call trace is normal or anomalous.

Abstract: In one set of embodiments, a computer system can determine that one or more attacks have been or are in the process of being perpetrated against an anomaly detection system, where the anomaly detection system comprises a set of machine learning (ML) models trained to detect anomalous application programming interface (API) call behavior in a microservice-based application based on API call traces collected from the application. In response to this determination, the computer system can initiate one or more actions for securing the anomaly detection system against the one or more attacks.

Abstract: In one set of embodiments, a computer system can receive one or more application programming interface (API) call traces comprising metadata of API calls made by an application and can extract features from the one or more API call traces, the extracting resulting in one or more feature vectors. The computer system can then provide the one or more feature vectors as input to one or more machine learning (ML) models, where the one or more ML models are configured to generate a prediction for each of the one or more API call traces indicating whether the API call corresponding to the API call trace is normal or anomalous.

Abstract: A method for detecting a malicious network activity. The method includes extracting, based on a pre-determined criterion, a plurality of protection phase feature sequences extracted from a first plurality of network traffic sessions exchanged during a protection phase between a server device and a first plurality of client devices of a network, comparing the plurality of protection phase feature sequences and a plurality of profiling phase feature sequences to generate a comparison result, where the plurality of profiling phase feature sequences were extracted from a second plurality of network traffic sessions exchanged during a profiling phase prior to the protection phase between the server device and a second plurality of client devices of the network, and generating, in response to detecting a statistical measure of the comparison result exceeding a pre-determined threshold, an alert indicating the malicious network activity.

Abstract: A method for detecting a malicious activity in a network. The method includes obtaining file download flows from the network, analyzing, the file download flows to generate malicious indications using a pre-determined malicious behavior detection algorithm, extracting a file download attribute from a suspicious file download flow of a malicious indication, wherein the file download attribute represents one or more of the URL, the FQDN, the top-level domain name, the URL path, the URL file name, and the payload of the suspicious file download flow, determining the file download attribute as being shared by at least two suspicious file download flows, identifying related suspicious file download flows and determining a level of association between based at least on the file download attribute, computing a malicious score of the suspicious file download flow based on the level of association, and presenting the malicious score to an analyst user of the network.