DYNAMIC LEARNING METHOD AND ADAPTIVE NORMAL BEHAVIOR PROFILE (NBP) ARCHITECTURE FOR PROVIDING FAST PROTECTION OF ENTERPRISE APPLICATIONS

US 20100251377A1
Filed: 06/14/2010
Published: 09/30/2010
Est. Priority Date: 12/02/2003
Status: Active Grant

First Claim

Patent Images

1. An architecture for fast protection of enterprise applications, the architecture comprising at least:

a secure server;

a plurality of network sensors connected to the secure server, each network sensor placed on each network segment that is coupled to servers to be protected by the architecture, wherein the network sensors passively gather and reconstruct network level protocol attributes; and

at least one adaptive normal behavior profile (NBP) for the servers to be protected by the architecture, by learning the normal behavior of users and enterprise applications over time, wherein the at least one NBP comprises at least a plurality of profile items created responsive of information provided by the plurality of network sensors andeach of the plurality of profile items comprises a plurality of profile properties, and wherein a statistical analysis is performed on the at least one NBP to determine it is stable, the statistical analysis comprises;

computing a percentage of learning progress for each profile item and profile property out of the total number of to enterprise application events received over a predefined time, and determining the respective profile item or the profile property as stable if the percentage of learning progress exceeds a predefined threshold;

such that a security system using the architecture can compare the at least one NBP to real-time communications with the servers to be protected by the architecture.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An adaptive normal behavior profile (NBP) architecture for providing fast protection of enterprise applications are disclosed. The adaptive NBP architecture includes a plurality of profile items. Each profile item includes a plurality of profile properties holding the descriptive values of the respective item. An application-level security system can identify and prevent attacks targeted at enterprise applications by matching application events against at least a single profile item in the adaptive NBP.

37 Citations

View as Search Results

22 Claims

1. An architecture for fast protection of enterprise applications, the architecture comprising at least:
- a secure server;
  
  a plurality of network sensors connected to the secure server, each network sensor placed on each network segment that is coupled to servers to be protected by the architecture, wherein the network sensors passively gather and reconstruct network level protocol attributes; and
  
  at least one adaptive normal behavior profile (NBP) for the servers to be protected by the architecture, by learning the normal behavior of users and enterprise applications over time, wherein the at least one NBP comprises at least a plurality of profile items created responsive of information provided by the plurality of network sensors andeach of the plurality of profile items comprises a plurality of profile properties, and wherein a statistical analysis is performed on the at least one NBP to determine it is stable, the statistical analysis comprises;
  
  computing a percentage of learning progress for each profile item and profile property out of the total number of to enterprise application events received over a predefined time, and determining the respective profile item or the profile property as stable if the percentage of learning progress exceeds a predefined threshold;
  
  such that a security system using the architecture can compare the at least one NBP to real-time communications with the servers to be protected by the architecture.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 2. The architecture of claim 1, wherein the normal behavior profile (NBP) architecture is a hierarchic data structure stored in memory of the secure server.
  - 3. The architecture of claim 1, wherein each of the plurality of profile properties comprises a descriptive value of its corresponding profile item.
  - 4. The architecture of claim 1, wherein each of the plurality of profile properties further comprises maintenance information.
  - 5. The architecture of claim 4, wherein the maintenance information comprises at least one of:
    - a current state of the profile property, a creation time of the profile property, a link to another profile item, a timestamp of last update, an update sequence number and a number of observations of the corresponding profile item.
  - 6. The architecture of claim 5, wherein the current state of the profile property is at least one of:
    - a learn state, an enforceable state and a non-enforceable state.
  - 7. The architecture of claim 1, wherein each of the plurality of profile items comprises at least a current state of the profile item and a distinguishable name.
  - 8. The architecture of claim 7, wherein the current state comprises at least one of:
    - a learn state, a protect state, a deleted state, a decayed state and a merged state.
  - 9. The architecture of claim 1, wherein the adaptive NBP represents at least one of:
    - a HTTP profile and a SQL profile.
  - 10. The architecture of claim 9, wherein the profile items of the HTTP profile comprise at least a web server group, a web application, a virtual folder, a URL, a cookie and a parameter.
  - 11. The architecture of claim 10, wherein the profile property corresponding to a web server group items comprises at least a list of acceptable web application aliases.
  - 12. The architecture of claim 10, wherein the profile properties corresponding to the virtual folder item comprise at least a list of sub-folders of the virtual folder, an indication as whether the virtual folder is directly accessible and properties corresponding to a URL item.
  - 13. The architecture of claim 10, wherein the profile properties corresponding to the URL item comprise at least a first indication as whether the URL maintained by the URL item generates a binding HTML form, a second indication as whether the URL maintained by the URL item is used as the first URL of a new session, broken links and broken references.
  - 14. The architecture of claim 10, wherein the profile properties corresponding to the cookie item comprise at least one of a length restriction on a cookie value and an indication as whether the cookie item represents a set of actual cookies with the same prefix.
  - 15. The architecture of claim 10, wherein the profile properties corresponding to the parameter item comprise at least one of a list of allowed aliases for the parameter name, a length restriction on the parameter'"'"'s value, a parameter type, a first indication as whether the parameter is bounded to a HTTP response, a second indication as whether the parameter is required for a URL and a third indication as whether the parameter represents a set of actual parameters with a same prefix.
  - 16. The architecture of claim 9, wherein the profile items of the SQL profile comprise at least one of a database server group, a source group, a table access and a query.
  - 17. The architecture of claim 16, wherein the profile properties corresponding to the source group items comprise at least a list of:
    - source IP addresses, a list of client applications, a list of database accounts, a list of tables and views for the source group, a first indication as whether an access profile should be enforced for the source group, a second indication as whether to allow database manipulation commands for the source group, a third indication as whether to allow access to a system administrator, a fourth indication as whether to allow access to tables in non-default schemas and a fifth indication as whether to allow access to tables in non-default schemas.
  - 18. The architecture of claim 16, wherein the profile property corresponding to the table access item comprises at least an enforcement mode for each type of query.
  - 19. The architecture of claim 16, wherein the profile property corresponding to the query item comprises at least the SQL query.
  - 20. The architecture of claim 1, wherein the network sensors are connected to the secure server through one of:
    - a conventional network or through an out-of-band network (OOB).
  - 21. The architecture of claim 1, wherein servers to be protected by the architecture are at least one of:
    - web servers or database servers.
  - 22. The architecture of claim 1, wherein the network sensors are at least one of:
    - a structured query language (SQL) sensor or a hypertext transfer protocol (HTTP) sensor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Imperva Incorporated (Thales SA)
Original Assignee
Imperva Incorporated (Thales SA)
Inventors
Boodaei, Michael, Kremer, Shlomo, SHULMAN, Amichai

Granted Patent

US 8,713,682 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

G06F 16/217   Database tuning G06F16/2282...

G06F 21/577   Assessing vulnerabilities a...

H04L 41/142   using statistical or mathem...

H04L 41/16   using machine learning or a...

H04L 43/00   Arrangements for monitoring...

H04L 43/106   using time related informat...

H04L 63/102   Entity profiles

H04L 63/14   for detecting or protecting...

H04L 63/1433   Vulnerability analysis

DYNAMIC LEARNING METHOD AND ADAPTIVE NORMAL BEHAVIOR PROFILE (NBP) ARCHITECTURE FOR PROVIDING FAST PROTECTION OF ENTERPRISE APPLICATIONS

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

37 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

DYNAMIC LEARNING METHOD AND ADAPTIVE NORMAL BEHAVIOR PROFILE (NBP) ARCHITECTURE FOR PROVIDING FAST PROTECTION OF ENTERPRISE APPLICATIONS

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links