US Patent 10116674 Framework for explaining anomalies in accessing web applications

The present disclosure is directed towards systems and methods for characterizing anomalous network traffic. The system includes a device intermediary to clients and servers. The device includes a network traffic engine to receive network traffic including an anomaly. The device includes a univariate policy manager to determine whether the network traffic satisfies at least one of the rules of a univariate policy based on a respective single independent network traffic feature. The device includes a multivariate policy manager to determine, responsive to determining that the network traffic does not satisfy the rules of the univariate policy, that the network satisfies a multivariate policy including a plurality of anomaly explanation tests. The device includes an anomaly explanation selector to select, responsive to determining that the network traffic satisfies the multivariate policy, an anomaly explanation. The device includes a message generator to generate an anomaly explanation output including the selected anomaly explanation.