Dynamic learning method and adaptive normal behavior profile (NBP) architecture for providing fast protection of enterprise applications
Abstract
A dynamic learning method and an adaptive normal behavior profile (NBP) architecture for providing fast protection of enterprise applications are disclosed. The adaptive NBP architecture includes a plurality of profile items. Each profile item includes a plurality of profile properties holding the descriptive values of the respective item. An application-level security system can identify and prevent attacks targeted at enterprise applications by matching application events against at least a single profile item in the adaptive NBP.
73 Citations
49 Claims
1. A method for fast protection of enterprise applications of a secured system, wherein the method comprises:
- entering a learn mode of the secured system;
- collecting, by a computer, enterprise application events by analyzing network level protocol attributes gathered and reconstructed by network sensors of the secured system and by polling information about recent enterprise application events from servers of the secured system;
- analyzing the enterprise application events;
- generating an adaptive normal behavior profile (NBP) by learning the normal behavior of users and the enterprise applications over time, wherein the adaptive NBP comprises at least a plurality of profile items and each of the plurality of profile items comprises a plurality of profile properties;
- performing statistical analysis to determine if the adaptive NBP is stable, wherein the statistical analysis comprises:
  - computing a percentage of learning progress for each profile item and profile property out of the total number of the enterprise application events received over a predefined time; and
  - determining the respective profile item or the profile property as stable if the percentage of learning progress exceeds a predefined threshold; and
- exiting the learn mode and entering a protect mode for the secured system.
View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
22. A computer program product, comprising non-transitory computer readable media with instructions to enable a computer to implement a method for fast protection of enterprise applications of a secured system, wherein the method comprises:
- entering a learn mode of the secured system;
- collecting enterprise application events by analyzing network level protocol attributes gathered and reconstructed by network sensors of the secured system and by polling information about recent enterprise application events from servers of the secured system;
- analyzing the enterprise application events;
- generating an adaptive normal behavior profile (NBP) by learning the normal behavior of users and the enterprise applications over time, wherein the adaptive NBP comprises at least a plurality of profile items and each of the plurality of profile items comprises a plurality of profile properties;
- performing statistical analysis to determine if the adaptive NBP is stable, wherein the statistical analysis comprises:
  - computing a percentage of learning progress for each profile item and profile property out of the total number of the enterprise application events received over a predefined time; and
  - determining the respective profile item or the profile property as stable if the percentage of learning progress exceeds a predefined threshold; and
- exiting the learn mode and entering a protect mode for the secured system.
View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
40. A non-intrusive network security system, including a memory, that utilizes a dynamic process for learning the behavior of enterprise applications for the purpose of allowing the fast protection of the enterprise applications, wherein the security system comprises:
- a plurality of network sensors capable of collecting, reconstructing, and processing enterprise application events by analyzing network level protocol attributes and by polling information about recent enterprise application events from servers of the secured system, during a learn mode of the security system, and storing them in the memory;
- a secure server coupled to the plurality of network sensors, the secure server capable of building adaptive normal behavior profiles (NBPs) during the learn mode of the security system by learning the normal behavior of users and the enterprise applications over time, wherein the secure server further performs statistical analysis to determine if the adaptive NBP is stable, wherein the statistical analysis comprises:
  - computing a percentage of learning progress for each profile item and profile property out of the total number of the enterprise application events received over a predefined time; and
  - determining the respective profile item or the profile property as stable if the percentage of learning progress exceeds a predefined threshold; and
- connectivity means enabling the plurality of network sensors to monitor traffic directed to at least devices that require protection.
View Dependent Claims (41, 42, 43, 44, 45, 46, 47, 48, 49)
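As an added worked example (not code from the patent), the learn-mode stability check that the three independent claims share, in Python: an adaptive NBP of profile items and properties is learned from events, the learning-progress percentage is computed per item/property over a window of events, learn mode is exited once every item/property exceeds the threshold, and protect mode then matches events against the learned profile. The progress metric (share of window events whose value the profile already held), the window size, the threshold and the event sample are all assumptions of this example, not definitions from the claims.

```python
from collections import defaultdict

# Constructed sample events (not from the patent): (profile item, profile property, observed value),
# e.g. a URL, a parameter name and the value seen for it.
EVENTS = [
    ("/login", "user", "alice"), ("/login", "user", "bob"), ("/login", "user", "alice"), ("/search", "q", "invoice"),
    ("/search", "q", "invoice"), ("/search", "q", "po"), ("/login", "user", "alice"), ("/login", "user", "bob"),
    ("/search", "q", "po"), ("/search", "q", "invoice"), ("/search", "q", "po"), ("/login", "user", "bob"),
    ("/login", "user", "alice"), ("/search", "q", "po"), ("/login", "user", "bob"), ("/search", "q", "invoice"),
]

class AdaptiveNBP:
    def __init__(self, threshold):
        self.threshold = threshold          # predefined stability threshold (fraction of events, assumed)
        self.mode = "learn"
        self.values = defaultdict(lambda: defaultdict(set))   # item -> property -> learned values
        self.begin_window()

    def begin_window(self):
        # Counters for the current "predefined time": events received, and events that added nothing new.
        self.received = defaultdict(lambda: defaultdict(int))
        self.already_known = defaultdict(lambda: defaultdict(int))

    def learn(self, item, prop, value):
        self.received[item][prop] += 1
        if value in self.values[item][prop]:
            self.already_known[item][prop] += 1   # assumed progress metric: event matched what was learned
        else:
            self.values[item][prop].add(value)    # profile still adapting to this property

    def progress(self, item, prop):
        n = self.received[item][prop]
        return self.already_known[item][prop] / n if n else 0.0

    def is_stable(self):
        # Every item/property seen in this window must exceed the threshold; an empty window is never stable.
        pairs = [(i, p) for i in self.received for p in self.received[i]]
        return bool(pairs) and all(self.progress(i, p) > self.threshold for i, p in pairs)

    def match(self, item, prop, value):
        # Protect mode: the event must match a value of a learned profile item/property.
        return value in self.values.get(item, {}).get(prop, set())

def run_learn_mode(nbp, events, window):
    """Feed events window by window; exit learn mode at the first stable window. Returns events consumed."""
    for start in range(0, len(events), window):
        nbp.begin_window()
        for item, prop, value in events[start:start + window]:
            nbp.learn(item, prop, value)
        if nbp.is_stable():
            nbp.mode = "protect"
            return start + window
    return len(events)
```

With a window of 4 events and a threshold of 0.9, the first two windows still add new values and fail the check; the third window repeats only learned values, so the system leaves learn mode after 12 of the 16 events and an unseen value such as a new user name is then reported as not matching the profile.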