Microsoft Corporation
DISTRIBUTION-BASED DETECTION OF ABUSIVE REQUESTS

Abstract:

The disclosed embodiments provide a system for detecting abusive requests. During operation, the system generates, based on one or more primary signals, a first set of clusters of network requests spanning a first period and a second set of clusters of requests spanning a second period. Next, the system stores, in a snapshot, a signature representing primary signal values and a first distribution of secondary signals in a first cluster in the first set of clusters. The system matches primary signal values from a second cluster in the second set of clusters to the signature and calculates a divergence score representing a deviation of a second distribution of secondary signals in the second cluster from the first distribution. When the divergence score violates a threshold, the system generates output for identifying additional network requests that contain one or more primary and secondary signal values in the second cluster.

Status: Application

Type: Utility

Filing date: 31 Mar 2020

Issue date: 30 Sep 2021
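
The flow in the abstract (cluster by primary signals, snapshot a signature, score the drift in secondary signals, emit values for matching further requests) is sketched below as an added example; it is not code from the filing or from Microsoft. The signal names (`asn`, `user_agent`, `path`), the use of Jensen-Shannon divergence, the 0.3 threshold, the minimum cluster size and the sample traffic are all assumptions, since the abstract names none of them.

```python
import math
from collections import Counter, defaultdict

PRIMARY = ("asn", "user_agent")  # assumed primary signals
SECONDARY = "path"               # assumed secondary signal

def snapshot(requests, min_size=20):
    """Cluster by primary signal values; store each cluster's secondary distribution.
    Clusters below min_size are skipped because their distributions are too noisy."""
    clusters = defaultdict(Counter)
    for r in requests:
        clusters[tuple(r[k] for k in PRIMARY)][r[SECONDARY]] += 1
    return {sig: c for sig, c in clusters.items() if sum(c.values()) >= min_size}

def js_divergence(p, q):
    """Jensen-Shannon divergence, base 2 (0 = identical, 1 = disjoint). Assumed measure."""
    n_p, n_q = sum(p.values()), sum(q.values())
    score = 0.0
    for k in set(p) | set(q):
        a, b = p[k] / n_p, q[k] / n_q
        m = (a + b) / 2
        if a:
            score += 0.5 * a * math.log2(a / m)
        if b:
            score += 0.5 * b * math.log2(b / m)
    return score

def detect(first_period, second_period, threshold=0.3):
    """Return clusters whose secondary distribution diverged from the stored signature,
    with the secondary values whose share at least doubled."""
    base, findings = snapshot(first_period), []
    for sig, dist in snapshot(second_period).items():
        if sig not in base:
            continue  # no stored signature to match against
        score = js_divergence(base[sig], dist)
        if score > threshold:
            n_old, n_new = sum(base[sig].values()), sum(dist.values())
            grew = sorted(v for v in dist if dist[v] / n_new > 2 * base[sig][v] / n_old)
            findings.append({"signature": sig, "score": score, "secondary_values": grew})
    return findings

def make_requests(asn, ua, mix):
    return [{"asn": asn, "user_agent": ua, "path": p} for p, n in mix.items() for _ in range(n)]

# Constructed sample traffic (documentation ASNs, made-up paths).
FIRST = (make_requests("AS64500", "Mozilla/5.0", {"/feed": 60, "/profile": 30, "/login": 10})
         + make_requests("AS64501", "okhttp/4.9", {"/feed": 50, "/search": 50}))
SECOND = (make_requests("AS64500", "Mozilla/5.0", {"/feed": 5, "/profile": 5, "/login": 90})
          + make_requests("AS64501", "okhttp/4.9", {"/feed": 48, "/search": 52}))

print(detect(FIRST, SECOND))
```

Only the first cluster is reported: its primary signal values are unchanged between periods, but its requests have shifted from a mixed browsing pattern to almost entirely `/login`, which primary-signal matching alone would not reveal.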