Patent attributes
A method includes generating a static model for classifying transactions of a designated type, the static model being trained using predefined input data corresponding to a first set of features generic to transactions of the designated type, and generating a dynamic model for classifying transactions of the designated type, the dynamic model being trained using dynamic input data corresponding to a second set of features specific to subsets of transactions of the designated type. The method also includes combining the static and dynamic models to generate a combined model, detecting transactions of the designated type between client devices and an enterprise system, and utilizing the combined model to classify a given detected transaction between a given client device and the enterprise system as potentially malicious or benign. The method further includes modifying processing of the given detected transaction responsive to classifying the given detected transaction as potentially malicious.