Automatic stability determination and deployment of discrete parts of a profile representing normal behavior to provide fast protection of web applications
First Claim
1. A method performed by a network sensor implemented in a first device for protecting a server application, the method comprising:
- collecting, by the network sensor, application layer requests sent by clients to the server application;
- providing, by the network sensor, the application layer requests to a secure server;
- receiving, by the network sensor, one or more stable profile items of a plurality of different profile items of a normal behavior profile (NBP) that was generated by the secure server based at least in part on the provided application layer requests, wherein the NBP characterizes the server application and includes the plurality of different profile items, wherein the one or more stable profile items have been determined, by the secure server, as being sufficiently representative of application behavior to be able to be used for protecting the server application, wherein an additional one or more other profile items of the NBP are not stable and are not used for protecting the server application;
- collecting, by the network sensor, an additional application layer request; and
- identifying, by the network sensor, the additional application layer request as a potential attack based on comparison to the one or more stable profile items of the NBP.
Abstract
A system for automatic stability determination and deployment of discrete parts of a profile representing normal behavior to provide fast protection of web applications is disclosed. The system, in response to a sensor collecting from HTTP requests sent by the clients to the web application installed on the protected device, automatically creates for a web application a profile with discrete parts that will represent normal behavior so that deviations from the profile can be considered anomalous. The system automatically determines that a first of the discrete parts of the profile has become stable. The system then automatically deploys the first discrete part of the profile to the sensor that now will compare with the first discrete part of the profile subsequent HTTP requests sent by the clients to the web application to detect deviations from the normal behavior represented by the first discrete part.
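The flow in the abstract, as an added Python sketch that is not taken from the patent: a profile is learned per discrete item, only items judged stable are deployed, and the sensor compares later requests against the deployed items alone. The item shape (value class and maximum length per path and parameter), the stability criterion (`MIN_SAMPLES`, `QUIET_RUN`) and all function names are assumptions made for illustration; the text here does not specify them.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qsl
MIN_SAMPLES, QUIET_RUN = 5, 3  # assumed stability thresholds, not from the patent

def value_class(v):
    return "numeric" if v.isdigit() else "alpha" if v.isalpha() else "other"

@dataclass
class ProfileItem:  # one discrete part of the NBP: a single (path, parameter)
    classes: set = field(default_factory=set)
    max_len: int = 0
    samples: int = 0
    quiet: int = 0  # consecutive observations that taught the item nothing new

    def learn(self, value):
        new = value_class(value) not in self.classes or len(value) > self.max_len
        self.classes.add(value_class(value))
        self.max_len = max(self.max_len, len(value))
        self.samples += 1
        self.quiet = 0 if new else self.quiet + 1
    def stable(self):  # assumed criterion: enough samples and a quiet run
        return self.samples >= MIN_SAMPLES and self.quiet >= QUIET_RUN
    def matches(self, value):
        return value_class(value) in self.classes and len(value) <= self.max_len

def items_of(request_line):  # yields ((path, param), value) per query parameter
    url = urlsplit(request_line.split()[1])
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        yield (url.path, name), value

def build_nbp(request_lines):  # secure-server side: learn every item
    nbp = {}
    for line in request_lines:
        for key, value in items_of(line):
            nbp.setdefault(key, ProfileItem()).learn(value)
    return nbp

def deploy(nbp):  # only stable items are sent to the sensor
    return {key: item for key, item in nbp.items() if item.stable()}

def inspect(deployed, request_line):  # sensor side: deviations from stable items
    return [key for key, value in items_of(request_line)
            if key in deployed and not deployed[key].matches(value)]

def demo():  # constructed traffic: /item?id is seen 6 times, /search?q only twice
    learning = [f"GET /item?id={n} HTTP/1.1" for n in range(101, 107)]
    learning += ["GET /search?q=shoes HTTP/1.1", "GET /search?q=hats HTTP/1.1"]
    deployed = deploy(build_nbp(learning))
    return (sorted(deployed), inspect(deployed, "GET /item?id=10x%3B HTTP/1.1"),
            inspect(deployed, "GET /search?q=%3Cb%3E HTTP/1.1"))
```

In `demo()`, the `/item` `id` item becomes stable and flags the non-numeric value, while the `/search` `q` item is still unstable, so an unusual `q` value is not judged yet.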
17 Claims
1. A method performed by a network sensor implemented in a first device for protecting a server application, the method comprising:
- collecting, by the network sensor, application layer requests sent by clients to the server application;
- providing, by the network sensor, the application layer requests to a secure server;
- receiving, by the network sensor, one or more stable profile items of a plurality of different profile items of a normal behavior profile (NBP) that was generated by the secure server based at least in part on the provided application layer requests, wherein the NBP characterizes the server application and includes the plurality of different profile items, wherein the one or more stable profile items have been determined, by the secure server, as being sufficiently representative of application behavior to be able to be used for protecting the server application, wherein an additional one or more other profile items of the NBP are not stable and are not used for protecting the server application;
- collecting, by the network sensor, an additional application layer request; and
- identifying, by the network sensor, the additional application layer request as a potential attack based on comparison to the one or more stable profile items of the NBP.

Dependent claims: 2, 3, 4, 5, 6, 7

8. A non-transitory computer-readable storage medium having instructions which, when executed by one or more processors of a device, cause the device to implement a network sensor for protecting a server application by performing operations, the operations comprising:
- collecting application layer requests sent by clients to the server application;
- providing, by the network sensor, the application layer requests to a secure server;
- receiving, by the network sensor, one or more stable profile items of a plurality of different profile items of a normal behavior profile (NBP) that was generated by the secure server based at least in part on the provided application layer requests, wherein the NBP characterizes the server application and includes the plurality of different profile items, wherein the one or more stable profile items have been determined, by the secure server, as being sufficiently representative of application behavior to be able to be used for protecting the server application, wherein an additional one or more other profile items of the NBP are not stable and are not used for protecting the server application;
- collecting an additional application layer request; and
- identifying the additional application layer request as a potential attack based on comparison to the one or more stable profile items of the NBP.

Dependent claims: 9, 10, 11, 12, 13, 14, 15

16. A system comprising:
- a server application implemented by one or more electronic devices; and
- a network sensor implemented by the one or more electronic devices to protect the server application, the network sensor to:
  - collect application layer requests sent by clients to the server application;
  - provide the application layer requests to a secure server;
  - receive one or more stable profile items of a plurality of different profile items of a normal behavior profile (NBP) that was generated by the secure server based at least in part on the provided application layer requests, wherein the NBP characterizes the server application and includes the plurality of different profile items, wherein the one or more stable profile items have been determined, by the secure server, as being sufficiently representative of application behavior to be able to be used for protecting the server application, wherein an additional one or more other profile items of the NBP are not stable and are not used for protecting the server application;
  - collect an additional application layer request; and
  - identify the additional application layer request as a potential attack based on comparison to the one or more stable profile items of the NBP.

Dependent claims: 17

Specification