Ammune™ identifies and prioritizes “patterns” from “unlabeled” data. The observations carry no classification or categorization, so only a pattern's possible impact on system health is analyzed.

The process requires no pre-training rules. Because Ammune™ doesn’t require any sample data, no external evaluation is made of the accuracy of the generated “patterns”, unlike “supervised learning” and “reinforcement learning”, which need examples in order to work. Interestingly, the correlation process between “patterns” and damage is reminiscent of other natural processes, such as the essential co-“firing” of neurons seen in neural networks.


1. Collecting Traffic Samples

Ammune™ continuously collects samples of web traffic at layers 3/4 and 7. The sampled traffic can be encrypted or open/decrypted and is used to detect attacks coming through:

  • Network layer (3/4) attacks – DDoS attacks detected through encrypted or open/decrypted network traffic.

  • Application layer (7) attacks – This class of attacks is usually carried out by bots. The attacks may disrupt system operation through application-level DDoS, steal data by scraping web pages, or cause other damage. They are detected by analyzing open/decrypted network traffic.

2. Monitoring System Health

Ammune™ monitors the health of the web systems by identifying changes in their responsiveness-related features, calculated from the sampled traffic over a given time frame. When system responsiveness appears to be damaged, Ammune™ moves to its next stage and investigates the causes of the damage.

3. Analyzing Root-Cause of Attacks

When responsiveness damage is detected, patterns are extracted from the sampled input data (header, URL, parameters) that was previously used for the health monitoring. Relevant patterns are distinguished from normal traffic by their correlation with the health damage at hand. When one or more appropriate patterns are identified, Ammune™ continues to its next stage of generating optimized signatures. Otherwise, the system may alert on other types of possible causes.

4. Generating Optimized Signatures

Once patterns related to a given attack have been generated, Ammune™ performs an optimization process in which patterns may serve as part of signatures. The major consideration during this process is that signatures must distinguish normal from malicious traffic while still being relevant to a significant portion of the attacking traffic.
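
A minimal sketch of stages 2 to 4, added here as an illustration and not Ammune™'s own code: it flags time windows with degraded responsiveness, correlates header, URL and parameter patterns with those windows, and keeps only patterns that cover much of the traffic seen during the damage while staying rare in healthy traffic. Using response time as the health feature, the 3x threshold, the coverage and false-positive cut-offs, all function names and the sample traffic are assumptions constructed for the example.

```python
from collections import Counter
from statistics import median

# Constructed samples: (time window, URL path, parameter, User-Agent header, response ms).
# Windows 0-5 carry normal traffic; windows 4-5 also carry a constructed bot flood.
SAMPLES = (
    [(w, "/home", "lang=en", "Mozilla/5.0", 40) for w in range(6)]
    + [(w, "/search", "q=shoes", "Mozilla/5.0", 60) for w in range(6)]
    + [(w, "/search", "q=%25%25%25", "scraper/1.0", 900) for w in (4, 5) for _ in range(6)]
)

def degraded_windows(samples, factor=3.0):
    """Stage 2: flag windows whose mean response time exceeds factor x the median window."""
    by_window = {}
    for s in samples:
        by_window.setdefault(s[0], []).append(s[4])
    means = {w: sum(v) / len(v) for w, v in by_window.items()}
    baseline = median(means.values())
    return {w for w, m in means.items() if m > factor * baseline}

def features(sample):
    """Stage 3 input: patterns taken from the URL, the parameters and a header."""
    _w, path, param, agent, _ms = sample
    return {("path", path), ("param", param), ("ua", agent)}

def signatures(samples, min_coverage=0.5, max_false_positive=0.05):
    """Stages 3-4: keep patterns common in degraded windows and rare in healthy ones."""
    bad = degraded_windows(samples)
    if not bad:
        return []  # no responsiveness damage, nothing to correlate
    hits_bad, hits_ok, n_bad, n_ok = Counter(), Counter(), 0, 0
    for s in samples:
        if s[0] in bad:
            n_bad += 1
            hits_bad.update(features(s))
        else:
            n_ok += 1
            hits_ok.update(features(s))
    kept = []
    for pattern, hits in hits_bad.items():
        coverage = hits / n_bad                           # share of traffic during damage
        false_positive = hits_ok[pattern] / max(n_ok, 1)  # share of healthy traffic
        if coverage >= min_coverage and false_positive <= max_false_positive:
            kept.append((pattern, round(coverage, 2), round(false_positive, 2)))
    return sorted(kept, key=lambda r: (-r[1], r[2], r[0]))

if __name__ == "__main__":
    for row in signatures(SAMPLES):
        print(row)
```

The `/search` path covers the largest share of traffic in the degraded windows but is rejected because half of the healthy traffic also matches it, which is the trade-off the optimization stage describes.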