-
Publication (Announcement) No.: US11303652B2
Publication (Announcement) Date: 2022-04-12
Application No.: US17154135
Application Date: 2021-01-21
Applicant: Verint Systems Ltd.
Inventor: Ziv Katzir, Gershon Celniker, Hed Kovetz
Abstract: Embodiments for generating appropriate data sets for learning to identify user actions. A user uses one or more applications over a suitable period of time. As the user uses the applications, a monitoring device, acting as a “man-in-the-middle,” intermediates the exchange of encrypted communication between the applications and the servers that serve the applications. The monitoring device obtains, for each action performed by the user, two corresponding (bidirectional) flows of communication: an encrypted flow, and an unencrypted flow. Since the unencrypted flow indicates the type of action that was performed by the user, the correspondence between the encrypted flow and the unencrypted flow may be used to automatically label the encrypted flow, without decrypting the encrypted flow. Features of the encrypted communication may then be stored in association with the label to automatically generate appropriately-sized learning set for each application of interest.
-
Publication (Announcement) No.: US20180260705A1
Publication (Announcement) Date: 2018-09-13
Application No.: US15911223
Application Date: 2018-03-05
Applicant: Verint Systems Ltd.
Inventor: Rami Puzis, Asaf Shabtai, Gershon Celniker, Liron Rosenfeld, Ziv Katzir, Edita Grolman
CPC classification number: G06N3/08, G06N3/0454, G06Q30/02, H04L67/22, H04W4/21
Abstract: Methods and systems for analyzing encrypted traffic, such as to identify, or “classify,” the user actions that generated the traffic. Such classification is performed, even without decrypting the traffic, based on features of the traffic. Such features may include statistical properties of (i) the times at which the packets in the traffic were received, (ii) the sizes of the packets, and/or (iii) the directionality of the packets. To classify the user actions, a processor receives the encrypted traffic and ascertains the types (or “classes”) of user actions that generated the traffic. Unsupervised or semi-supervised transfer-learning techniques may be used to perform the classification process. Using transfer-learning techniques facilitates adapting to different runtime environments, and to changes in the patterns of traffic generated in these runtime environments, without requiring the large amount of time and resources involved in conventional supervised-learning techniques.
-