Dynamic learning method and adaptive normal behavior profile (NBP) architecture for providing fast protection of enterprise applications

US 7,743,420 B2
Filed: 11/19/2004
Issued: 06/22/2010
Est. Priority Date: 12/02/2003
Status: Active Grant

First Claim

Patent Images

1. A method for fast protection of enterprise applications of a secured system, wherein the method comprises:

entering a learn mode of the secured system;

collecting, by a computer, enterprise application events by analyzing network level protocol attributes gathered and reconstructed by network sensors of the secured system and by polling information about recent enterprise application events from servers of the secured system;

analyzing the enterprise application events;

generating an adaptive normal behavior profile (NBP) by learning the normal behavior of users and the enterprises applications over time, wherein the adaptive NBP comprises at least a plurality of profile items and each of the plurality profile items comprises a plurality of profile properties;

performing statistical analysis to determine if the adaptive NBP is stable, wherein the statistical analysis comprises;

computing a percentage of learning progress for each profile item and profile property out of the total number of the enterprise application events received over a predefined time; and

determining the respective profile item or the profile property as stable if the percentage of learning progress exceeds a predefined threshold; and

exiting the learn mode and entering a protect mode for the secured system.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A dynamic learning method and an adaptive normal behavior profile (NBP) architecture for providing fast protection of enterprise applications are disclosed. The adaptive NBP architecture includes a plurality of profile items. Each profile item includes a plurality of profile properties holding the descriptive values of the respective item. An application-level security system can identify and prevent attacks targeted at enterprise applications by matching application events against at least a single profile item in the adaptive NBP.

73 Citations

View as Search Results

49 Claims

1. A method for fast protection of enterprise applications of a secured system, wherein the method comprises:
- entering a learn mode of the secured system;
  
  collecting, by a computer, enterprise application events by analyzing network level protocol attributes gathered and reconstructed by network sensors of the secured system and by polling information about recent enterprise application events from servers of the secured system;
  
  analyzing the enterprise application events;
  
  generating an adaptive normal behavior profile (NBP) by learning the normal behavior of users and the enterprises applications over time, wherein the adaptive NBP comprises at least a plurality of profile items and each of the plurality profile items comprises a plurality of profile properties;
  
  performing statistical analysis to determine if the adaptive NBP is stable, wherein the statistical analysis comprises;
  
  computing a percentage of learning progress for each profile item and profile property out of the total number of the enterprise application events received over a predefined time; and
  
  determining the respective profile item or the profile property as stable if the percentage of learning progress exceeds a predefined threshold; and
  
  exiting the learn mode and entering a protect mode for the secured system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The method of claim 1, wherein the method further comprises distributing the stable adaptive NBP to the network sensors connected to at least one protected device.
  - 3. The method of claim 2, wherein the enterprise applications reside in the protected device.
  - 4. The method of claim 3, wherein the protected device is at least one of a web server and a database server.
  - 5. The method of claim 1, wherein each of the network sensors is at least one of a structured query language (SQL) sensor and a hypertext transfer protocol (HTTP) sensor.
  - 6. The method of claim 1, wherein the adaptive NBP is a hierarchic data structure.
  - 7. The method of claim 6, wherein the profile property comprises a descriptive value of its corresponding profile item.
  - 8. The method of claim 7, wherein the profile property further comprises maintenance information.
  - 9. The method of claim 8, wherein the maintenance information comprises at least one of a current state of the profile property, a creation time of the profile property, a link to another profile item, a timestamp of last update, an update sequence number and a number of observations of the corresponding profile item.
  - 10. The method of claim 9, wherein the current state is at least one of a learn state, an enforceable state and a non-enforceable state.
  - 11. The method of claim 6, wherein the profile item comprises at least one of a current state of the profile item and a distinguishable name.
  - 12. The method of claim 11, wherein the current state is at least one of a learn state, a protect state, a deleted state, a decayed state and a merged state.
  - 13. The method of claim 1, wherein the adaptive NBP represents at least one of a HTTP profile and a SQL profile.
  - 14. The method of claim 1, wherein analyzing the application events further comprises:
    - performing a lexical analysis; and
      
      performing a syntax analysis.
  - 15. The method of claim 14, wherein performing the lexical analysis comprises:
    - breaking each of the plurality of application events into tokens; and
      
      creating a representation of the application event using the tokens'"'"' properties.
  - 16. The method of claim 14, wherein performing the syntax analysis comprises:
    - breaking each of the enterprises application events into functional units; and
      
      classifying the functional units as identification units and property units.
  - 17. The method of claim 16, wherein the identification units are used for identifying the enterprise application event.
  - 18. The method of claim 16, wherein the property units describe the property of the enterprise application event.
  - 19. The method of claim 16, wherein generating the adaptive NBP further comprises:
    - gathering the property units having at least one similar identification unit to form the profile property; and
      
      attaching the profile property to its corresponding profile item.
  - 20. The method of claim 1, wherein the adaptive NBP is considered stable if at least one of the plurality of profile items or at least one of the plurality of profile properties of the adaptive NBP is stable.
  - 21. The method of claim 1, wherein performing the statistical analysis comprises computing the Bayesian probability for a mistake.

22. A computer program product, comprising non-transitory computer readable media with instructions to enable a computer to implement a method fast protection of enterprise applications of a secured system, wherein the method comprises:
- entering a learn mode of the secured system;
  
  collecting enterprise application events by analyzing network level protocol attributes gathered and reconstructed by network sensors of the secured system and by polling information about recent enterprise application events from servers of the secured system;
  
  analyzing the enterprise application events;
  
  generating an adaptive normal behavior profile (NBP) by learning the normal behavior of users and the enterprises applications over time, wherein the adaptive NBP comprises at least a plurality of profile items and each of the plurality profile items comprises a plurality of profile properties;
  
  performing statistical analysis to determine if the adaptive NBP is stable, wherein the statistical analysis comprises;
  
  computing a percentage of learning progress for each profile item and profile property out of the total number of the enterprise application events received over a predefined time; and
  
  determining the respective profile item or the profile property as stable if the percentage of learning progress exceeds a predefined threshold; and
  
  exiting the learn mode and entering a protect mode for the secured system.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 23. The computer program product of claim 22, wherein the method further comprises distributing the stable adaptive NBP to the network sensors connected to at least one protected device.
  - 24. The computer program product of claim 22, wherein the adaptive NBP is a hierarchic data structure.
  - 25. The computer program product of claim 24, wherein the profile property comprises a descriptive value of its corresponding profile item.
  - 26. The computer program product of claim 25, wherein the profile property further comprises maintenance information.
  - 27. The computer program product of claim 26, wherein the maintenance information comprises at least one of a current state of the profile property, a creation time of the profile property, a link to another profile item, a timestamp of last update, an update sequence number and a number of observations of the corresponding profile item.
  - 28. The computer program product of claim 27, wherein the current state is at least one of a learn state, an enforceable state and a non-enforceable state.
  - 29. The computer program product of claim 24, wherein the profile item comprises at least one of a current state of the profile item and a distinguishable name.
  - 30. The computer program product of claim 29, wherein the current state is at least one of a learn state, a protect state, a deleted state, a decayed state and a merged state.
  - 31. The computer program product of claim 22, wherein the adaptive NBP represents at least one of a HTTP profile and a SQL profile.
  - 32. The computer program product of claim 22, wherein analyzing the application events comprises:
    - performing a lexical analysis; and
      
      performing a syntax analysis.
  - 33. The computer program product of claim 32, wherein performing the lexical analysis comprises:
    - breaking each of the plurality of application events into tokens; and
      
      creating a representation of the application event using the tokens'"'"' properties.
  - 34. The computer program product of claim 32, wherein performing the syntax analysis comprises:
    - breaking each of the plurality of enterprises application events into functional units; and
      
      classifying the functional units as identification units and property units.
  - 35. The computer program product of claim 34, wherein the identification units are used for identifying the enterprise application event.
  - 36. The computer program product of claim 34, wherein the property units describe the property of the enterprise application event.
  - 37. The computer program product of claim 34, wherein generating the adaptive NBP further comprises:
    - gathering the property units having at least one similar identification unit to form the profile property; and
      
      attaching the profile property to its corresponding profile item.
  - 38. The computer program product of claim 22, wherein the adaptive NBP is considered stable if at least one of the plurality of profile items or at least one of the plurality of profile properties of the adaptive NBP is stable.
  - 39. The computer program product of claim 22, wherein performing the statistical analysis comprises computing the Bayesian probability for a mistake.

40. A non-intrusive network security system, including a memory, that utilizes a dynamic process for learning the behavior of enterprise applications for the purpose of allowing the fast protection of the enterprise applications, wherein the security system comprises:
- a plurality of network sensors capable of collecting, reconstructing, and processing enterprise application events by analyzing network level protocol attributes and by polling information about recent enterprise application events from servers of the secured system, during a learn mode of the security system and storing in the memory;
  
  a secure server coupled to the plurality of network sensors, the secure server capable of building adaptive normal behavior profiles (NBPs) during the learn mode of the security system by learning the normal behavior of users and the enterprises applications over time, wherein the secure server further perform statistical analysis to determine if the adaptive NBP is stable, wherein the statistical analysis comprises;
  
  computing a percentage of learning progress for each profile item and profile property out of the total number of the enterprise application events received over a predefined time; and
  
  determining the respective profile item or the profile property as stable if the percentage of learning progress exceeds a predefined threshold; and
  
  connectivity means enabling the plurality of network sensors to monitor traffic directed to at least devices that require protection.
- View Dependent Claims (41, 42, 43, 44, 45, 46, 47, 48, 49)
- - 41. The security system of claim 40, wherein the enterprise applications reside in the protected devices.
  - 42. The security system of claim 41, wherein each of the protected devices is at least one of a web server and a database server.
  - 43. The security system of claim 40, wherein each of the network sensors is at least one of a structured query language (SQL) sensor and a hypertext transfer protocol (HTTP) sensor.
  - 44. The security system of claim 40, wherein the adaptive NBP is a hierarchic data structure.
  - 45. The security system of claim 40, wherein the adaptive NBP comprises a plurality of profile items and each of the plurality of the profile items comprises a plurality of profile properties.
  - 46. The security system of claim 40, wherein the dynamic learning process comprises:
    - receiving the enterprise application events processed by the network sensors;
      
      analyzing the enterprise application events;
      
      generating the adaptive NBP; and
      
      performing statistical analysis to determine if the adaptive NBP is stable.
  - 47. The security system of claim 40, wherein the adaptive NBP is considered stable if at least one of the plurality of profile items or at least one of the plurality of profile properties of the adaptive NBP is stable.
  - 48. The security system of claim 40, wherein the secure sever is being further capable of distributing the stable adaptive NBP to the network sensors connected to at least one protected device.
  - 49. The security system of claim 40, wherein the adaptive NBP represents at least one of a HTTP profile and a SQL profile.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Imperva Incorporated (Thales SA)
Original Assignee
Imperva Incorporated (Thales SA)
Inventors
Boodaei, Michael, Kremer, Shlomo, Shulman, Amichai
Primary Examiner(s)
Vu; Kimyen
Assistant Examiner(s)
Paliwal; Yogesh

Application Number

US10/991,467
Publication Number

US 20050120054A1
Time in Patent Office

2,041 Days
Field of Search

726/25, 714/4, 707/102
US Class Current

726/25
CPC Class Codes

G06F 16/217   Database tuning G06F16/2282...

G06F 21/577   Assessing vulnerabilities a...

H04L 41/142   using statistical or mathem...

H04L 41/16   using machine learning or a...

H04L 43/00   Arrangements for monitoring...

H04L 43/106   using time related informat...

H04L 63/102   Entity profiles

H04L 63/14   for detecting or protecting...

H04L 63/1433   Vulnerability analysis

Dynamic learning method and adaptive normal behavior profile (NBP) architecture for providing fast protection of enterprise applications

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

73 Citations

49 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic learning method and adaptive normal behavior profile (NBP) architecture for providing fast protection of enterprise applications

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

73 Citations

49 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links