Dynamic learning method and adaptive normal behavior profile (NBP) architecture for providing fast protection of enterprise applications

US 20050120054A1
Filed: 11/19/2004
Published: 06/02/2005
Est. Priority Date: 12/02/2003
Status: Active Grant

First Claim

Patent Images

1. A method for dynamic learning the behavior of enterprise applications for providing the fast protection of the enterprise applications, wherein the method comprises:

receiving enterprise application events processed by network sensors;

analyzing the enterprise application events;

generating an adaptive normal behavior profile (NBP), the adaptive NBP comprises at least a plurality of profile items and each of the plurality profile items comprises a plurality of profile properties; and

performing statistical analysis to determine if the adaptive NBP is stable.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A dynamic learning method and an adaptive normal behavior profile (NBP) architecture for providing fast protection of enterprise applications are disclosed. The adaptive NBP architecture includes a plurality of profile items. Each profile item includes a plurality of profile properties holding the descriptive values of the respective item. An application-level security system can identify and prevent attacks targeted at enterprise applications by matching application events against at least a single profile item in the adaptive NBP.

133 Citations

70 Claims

1. A method for dynamic learning the behavior of enterprise applications for providing the fast protection of the enterprise applications, wherein the method comprises:
- receiving enterprise application events processed by network sensors;
  
  analyzing the enterprise application events;
  
  generating an adaptive normal behavior profile (NBP), the adaptive NBP comprises at least a plurality of profile items and each of the plurality profile items comprises a plurality of profile properties; and
  
  performing statistical analysis to determine if the adaptive NBP is stable.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 2. The method of claim 1, wherein the method further comprises distributing the stable adaptive NBP to the network sensors connected to at least one protected device.
  - 3. The method of claim 2, wherein the enterprise applications reside in the protected device.
  - 4. The method of claim 3, wherein the protected device is at least one of a web server and a database server.
  - 5. The method of claim 1, wherein each of the network sensors is at least one of a structured query language (SQL) sensor and a hypertext transfer protocol (HTTP) sensor.
  - 6. The method of claim 1, wherein the adaptive NBP is a hierarchic data structure.
  - 7. The method of claim 6, wherein the profile property comprises a descriptive value of its corresponding profile item.
  - 8. The method of claim 7, wherein the profile property further comprises maintenance information.
  - 9. The method of claim 8, wherein the maintenance information comprises at least one of a current state of the profile property, a creation time of the profile property, a link to another profile item, a timestamp of last update, an update sequence number and a number of observations of the corresponding profile item.
  - 10. The method of claim 9, wherein the current state is at least one of a learn state, an enforceable state and a non-enforceable state.
  - 11. The method of claim 6, wherein the profile item comprises at least one of a current state of the profile item and a distinguishable name.
  - 12. The method of claim 11, wherein the current state is at least one of a learn state, a protect state, a deleted state, a decayed state and a merged state.
  - 13. The method of claim 1, wherein the adaptive NBP represents at least one of a HTTP profile and a SQL profile.
  - 14. The method of claim 1, wherein analyzing the application events further comprises:
    - performing a lexical analysis; and
      
      performing a syntax analysis.
  - 15. The method of claim 14, wherein performing the lexical analysis comprises:
    - breaking each of the plurality of application events into tokens; and
      
      creating a representation of the application event using the tokens'"'"' properties.
  - 16. The method of claim 14, wherein performing the syntax analysis comprises:
    - breaking each of the enterprises application events into functional units; and
      
      classifying the functional units as identification units and property units.
  - 17. The method of claim 16, wherein the identification units are used for identifying the enterprise application event.
  - 18. The method of claim 16, wherein the property units describe the property of the enterprise application event.
  - 19. The method of claim 16, wherein generating the adaptive NBP further comprises:
    - gathering the property units having at least one similar identification unit to form the profile property; and
      
      attaching the profile property to its corresponding profile item.
  - 20. The method of claim 1, wherein the adaptive NBP is considered stable if at least one of the plurality of profile items or at least one of the plurality of profile properties of the adaptive NBP is stable.
  - 21. The method of claim 1, wherein performing the statistical analysis comprises computing the Bayesian probability for a mistake.
  - 22. The method of claim 1, wherein the statistical analysis comprises:
    - computing a percentage of learning progress for each profile item and profile property out of the total number of the enterprise application events received over a predefined time; and
      
      determining the respective profile item or the profile property as stable if the percentage of learning progress exceeds a predefined threshold.

23. A computer program product, comprising computer-readable media with instructions to enable a computer to implement a method for dynamic learning the behavior of enterprise applications for providing fast the protection of the enterprise applications, wherein the method comprises:
- receiving enterprise application events processed by network sensors;
  
  analyzing the enterprise application events;
  
  generating an adaptive normal behavior profile (NBP), the adaptive NBP comprises at least a plurality of profile items and each of the plurality profile items comprises a plurality of profile properties; and
  
  performing statistical analysis to determine if the adaptive NBP is stable.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41)
- - 24. The computer program product of claim 23, wherein the method further comprises distributing the stable adaptive NBP to the network sensors connected to at least one protected device.
  - 25. The computer program product of claim 23, wherein the adaptive NBP is a hierarchic data structure.
  - 26. The computer program product of claim 25, wherein the profile property comprises a descriptive value of its corresponding profile item.
  - 27. The computer program product of claim 26, wherein the profile property further comprises maintenance information.
  - 28. The computer program product of claim 27, wherein the maintenance information comprises at least one of a current state of the profile property, a creation time of the profile property, a link to another profile item, a timestamp of last update, an update sequence number and a number of observations of the corresponding profile item.
  - 29. The computer program product of claim 28, wherein the current state is at least one of a learn state, an enforceable state and a non-enforceable state.
  - 30. The computer program product of claim 25, wherein the profile item comprises at least one of a current state of the profile item and a distinguishable name.
  - 31. The computer program product of claim 30, wherein the current state is at least one of a learn state, a protect state, a deleted state, a decayed state and a merged state.
  - 32. The computer program product of claim 23, wherein the adaptive NBP represents at least one of a HTTP profile and a SQL profile.
  - 33. The computer program product of claim 23, wherein analyzing the application events comprises:
    - performing a lexical analysis; and
      
      performing a syntax analysis.
  - 34. The computer program product of claim 33, wherein performing the lexical analysis comprises:
    - breaking each of the plurality of application events into tokens; and
      
      creating a representation of the application event using the tokens'"'"' properties.
  - 35. The computer program product of claim 33, wherein performing the syntax analysis comprises:
    - breaking each of the plurality of enterprises application events into functional units; and
      
      classifying the functional units as identification units and property units.
  - 36. The computer program product of claim 35, wherein the identification units are used for identifying the enterprise application event.
  - 37. The computer program product of claim 35, wherein the property units describe the property of the enterprise application event.
  - 38. The computer program product of claim 35, wherein generating the adaptive NBP further comprises:
    - gathering the property units having at least one similar identification unit to form the profile property; and
      
      attaching the profile property to its corresponding profile item.
  - 39. The computer program product of claim 23, wherein the adaptive NBP is considered stable if at least one of the plurality of profile items or at least one of the plurality of profile properties of the adaptive NBP is stable.
  - 40. The computer program product of claim 23, wherein performing the statistical analysis comprises computing the Bayesian probability for a mistake.
  - 41. The computer program product of claim 23, wherein the statistical analysis comprises:
    - computing a percentage of learning progress for each profile item and profile property out of the total number of the enterprise application events received over a predefined time; and
      
      determining the respective profile item or the profile property as stable if the percentage of learning progress exceeds a predefined threshold.

42. A non-intrusive network security system that utilizes a dynamic process for learning the behavior of enterprise applications for the purpose of allowing the fast protection of the enterprise applications, wherein the security system comprises:
- a plurality of network sensors capable of collecting, reconstructing, and processing enterprise application events;
  
  a secure server capable of building adaptive normal behavior profiles (NBPs); and
  
  connectivity means enabling the plurality of network sensors to monitor traffic directed to at least devices that require protection.
- View Dependent Claims (43, 44, 45, 46, 47, 48, 49, 50, 51)
- - 43. The security system of claim 42, wherein the enterprise applications reside in the protected devices.
  - 44. The security system of claim 43, wherein each of the protected devices is at least one of a web server and a database server.
  - 45. The security system of claim 42, wherein each of the network sensors is at least one of a structured query language (SQL) sensor and a hypertext transfer protocol (HTTP) sensor.
  - 46. The security system of claim 42, wherein the adaptive NBP is a hierarchic data structure.
  - 47. The security system of claim 42, wherein the adaptive NBP comprises a plurality of profile items and each of the plurality of the profile items comprises a plurality of profile properties.
  - 48. The security system of claim 42, wherein the dynamic learning process comprises:
    - receiving the enterprise application events processed by the network sensors;
      
      analyzing the enterprise application events;
      
      generating the adaptive NBP; and
      
      performing statistical analysis to determine if the adaptive NBP is stable.
  - 49. The security system of claim 42, wherein the adaptive NBP is considered stable if at least one of the plurality of profile items or at least one of the plurality of profile properties of the adaptive NBP is stable.
  - 50. The security system of claim 42, wherein the secure sever is being further capable of distributing the stable adaptive NBP to the network sensors connected to at least one protected device.
  - 51. The security system of claim 42, wherein the adaptive NBP represents at least one of a HTTP profile and a SQL profile.

52. An adaptive normal behavior profile (NBP) architecture enabling the fast protection of enterprise applications, the architecture comprising at least:
- a plurality of profile items; and
  
  each of the plurality of profile items comprises a plurality of profile properties.
- View Dependent Claims (53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70)
- - 53. The architecture of claim 52, wherein the normal behavior profile (NBP) architecture is a hierarchic data structure.
  - 54. The architecture of claim 52, wherein each of the plurality of profile properties comprises a descriptive value of its corresponding profile item.
  - 55. The architecture of claim 52, wherein each of the plurality of profile properties further comprises maintenance information.
  - 56. The architecture of claim 55, wherein the maintenance information comprises at least one of a current state of the profile property, a creation time of the profile property, a link to another profile item, a timestamp of last update, an update sequence number and a number of observations of the corresponding profile item.
  - 57. The architecture of claim 56, wherein the current state is at least one of a learn state, an enforceable state and a non-enforceable state.
  - 58. The architecture of claim 52, wherein each of the plurality of profile items comprises at least a current state of the profile item and a distinguishable name.
  - 59. The architecture of claim 58, wherein the current state comprises at least one of a learn state, a protect state, a deleted state, a decayed state and a merged state.
  - 60. The architecture of claim 52, wherein the adaptive NBP represents at least one of a HTTP profile and a SQL profile.
  - 61. The architecture of claim 60, wherein the profile items of the HTTP profile comprise at least a web server group, a web application, a virtual folder, a URL, a cookie and a parameter.
  - 62. The architecture of claim 61, wherein the profile property corresponding to a web server group items comprises at least a list of acceptable web application aliases.
  - 63. The architecture of claim 61, wherein the profile properties corresponding to the virtual folder item comprise at least a list of sub-folders of the virtual folder, an indication as whether the virtual folder is directly accessible and properties corresponding to a URL item.
  - 64. The architecture of claim 61, wherein the profile properties corresponding to the URL item comprise at least a first indication as whether the URL maintained by the URL item generates a binding HTML form, a second indication as whether the URL maintained by the URL item is used as the first URL of a new session, broken links and broken references.
  - 65. The architecture of claim 61, wherein the profile properties corresponding to the cookie item comprise at least one of a length restriction on a cookie value and an indication as whether the cookie item represents a set of actual cookies with the same prefix.
  - 66. The architecture of claim 61, wherein the profile properties corresponding to the parameter item comprise at least one of a list of allowed aliases for the parameter name, a length restriction on the parameter'"'"'s value, a parameter type, a first indication as whether the parameter is bounded to a HTTP response, a second indication as whether the parameter is required for a URL and a third indication as whether the parameter represents a set of actual parameters with a same prefix.
  - 67. The architecture of claim 60, wherein the profile items of the SQL profile comprise at least one of a database server group, a source group, a table access and a query.
  - 68. The architecture of claim 67, wherein the profile properties corresponding to the source group items comprise at least a list of source IP addresses, a list of client applications, a list of database accounts, a list of tables and views for the source group, a first indication as whether an access profile should be enforced for the source group, a second indication as whether to allow database manipulation commands for the source group, a third indication as whether to allow access to a system administrator, a fourth indication as whether to allow access to tables in non-default schemas and a fifth indication as whether to allow access to tables in non-default schemas.
  - 69. The architecture of claim 67, wherein the profile property corresponding to the table access item comprises at least an enforcement mode for each type of query.
  - 70. The architecture of claim 67, wherein the profile property corresponding to the query item comprises at least the SQL query.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Imperva Incorporated (Thales SA)
Original Assignee
Imperva Incorporated (Thales SA)
Inventors
Boodaei, Michael, Kremer, Shlomo, Shulman, Amichai

Granted Patent

US 7,743,420 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/217   Database tuning G06F16/2282...

G06F 21/577   Assessing vulnerabilities a...

H04L 41/142   using statistical or mathem...

H04L 41/16   using machine learning or a...

H04L 43/00   Arrangements for monitoring...

H04L 43/106   using time related informat...

H04L 63/102   Entity profiles

H04L 63/14   for detecting or protecting...

H04L 63/1433   Vulnerability analysis

Dynamic learning method and adaptive normal behavior profile (NBP) architecture for providing fast protection of enterprise applications

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

133 Citations

70 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic learning method and adaptive normal behavior profile (NBP) architecture for providing fast protection of enterprise applications

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

133 Citations

70 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links