DYNAMIC LEARNING METHOD AND ADAPTIVE NORMAL BEHAVIOR PROFILE (NBP) ARCHITECTURE FOR PROVIDING FAST PROTECTION OF ENTERPRISE APPLICATIONS
First Claim
1. An architecture for fast protection of enterprise applications, the architecture comprising at least:
a secure server;
a plurality of network sensors connected to the secure server, each network sensor placed on each network segment that is coupled to servers to be protected by the architecture, wherein the network sensors passively gather and reconstruct network level protocol attributes; and
at least one adaptive normal behavior profile (NBP) for the servers to be protected by the architecture, by learning the normal behavior of users and enterprise applications over time, wherein the at least one NBP comprises at least a plurality of profile items created responsive of information provided by the plurality of network sensors and each of the plurality of profile items comprises a plurality of profile properties, and wherein a statistical analysis is performed on the at least one NBP to determine it is stable, the statistical analysis comprises;
computing a percentage of learning progress for each profile item and profile property out of the total number of to enterprise application events received over a predefined time, and determining the respective profile item or the profile property as stable if the percentage of learning progress exceeds a predefined threshold;
such that a security system using the architecture can compare the at least one NBP to real-time communications with the servers to be protected by the architecture.
4 Assignments
0 Petitions
Abstract
An adaptive normal behavior profile (NBP) architecture for providing fast protection of enterprise applications is disclosed. The adaptive NBP architecture includes a plurality of profile items. Each profile item includes a plurality of profile properties holding the descriptive values of the respective item. An application-level security system can identify and prevent attacks targeted at enterprise applications by matching application events against at least a single profile item in the adaptive NBP.
37 Citations
22 Claims
Specification