Dynamic learning method and adaptive normal behavior profile (NBP) architecture for providing fast protection of enterprise applications
First Claim
1. A method performed by network sensors and a secure server for protection of applications residing on servers of a secured system, wherein the method comprises:
entering a learn mode of the secured system;
collecting, by the network sensors, application events by one or more of analyzing network level protocol attributes to reconstruct application requests and polling information about recent application events from the servers on which the applications reside;
analyzing the application events;
generating a normal behavior profile (NBP) based on the analysis of the application events, wherein the NBP comprises at least a plurality of profile items and each of the plurality of profile items comprises a profile property;
performing in the secure server analysis on the NBP, wherein the analysis comprises:
computing a percentage of learning progress for each profile item out of the total number of the application events received over a predefined time; and
determining the respective profile item is stable if the percentage of learning progress exceeds a predefined threshold; and
exiting the learn mode and entering a protect mode for the secured system for at least the profile items determined to be stable.
Abstract
An adaptive normal behavior profile (NBP) architecture for providing fast protection of enterprise applications is disclosed. The adaptive NBP architecture includes a plurality of profile items. Each profile item includes a plurality of profile properties holding the descriptive values of the respective item. An application-level security system can identify and prevent attacks targeted at enterprise applications by matching application events against at least a single profile item in the adaptive NBP.
272 Claims
1. A method performed by network sensors and a secure server for protection of applications residing on servers of a secured system, wherein the method comprises:
entering a learn mode of the secured system;
collecting, by the network sensors, application events by one or more of analyzing network level protocol attributes to reconstruct application requests and polling information about recent application events from the servers on which the applications reside;
analyzing the application events;
generating a normal behavior profile (NBP) based on the analysis of the application events, wherein the NBP comprises at least a plurality of profile items and each of the plurality of profile items comprises a profile property;
performing in the secure server analysis on the NBP, wherein the analysis comprises:
computing a percentage of learning progress for each profile item out of the total number of the application events received over a predefined time; and
determining the respective profile item is stable if the percentage of learning progress exceeds a predefined threshold; and
exiting the learn mode and entering a protect mode for the secured system for at least the profile items determined to be stable.
(Dependent claims 2-37 not reproduced here.)
38. A non-transitory, tangible computer-readable media which has stored in it instructions, which when executed by a secure server of a secured system for protection of applications, cause the secure server to perform the steps of:
entering a learn mode;
generating a normal behavior profile (NBP) based on an analysis of application events collected by network sensors that one or more of analyze network level protocol attributes to reconstruct application requests and poll information about recent application events from servers, wherein the NBP comprises at least a plurality of profile items and each of the plurality of profile items comprises a profile property;
performing analysis on the NBP, wherein the analysis comprises:
computing a percentage of learning progress for each profile item out of the total number of the application events received over a predefined time; and
determining the respective profile item is stable if the percentage of learning progress exceeds a predefined threshold; and
exiting the learn mode and entering a protect mode for at least the profile items determined to be stable.
(Dependent claims 39-74 not reproduced here.)
75. A method performed by network sensors and a secure server for protection of an application of a secured system, wherein the application resides on a server, wherein the method comprises:
entering a learn mode of the secured system;
collecting application events gathered and reconstructed by the network sensors of the secured system analyzing network level protocol attributes;
analyzing the application events;
generating a normal behavior profile (NBP) based on the analysis of the application events, wherein the NBP comprises at least a plurality of profile items and each of the plurality of profile items comprises a profile property;
performing in the secure server analysis on the NBP, wherein the analysis comprises:
computing a percentage of learning progress for each profile item out of the total number of the application events received over a predefined time; and
determining the respective profile item is stable if the percentage of learning progress exceeds a predefined threshold; and
exiting the learn mode and entering a protect mode for the secured system for at least the profile items determined to be stable.
(Dependent claims 76-104 not reproduced here.)
105. A non-transitory, tangible computer-readable media which has stored in it instructions, which when executed by a secure server of a secured system for protection of an application, cause the secure server to perform the steps of:
entering a learn mode;
generating a normal behavior profile (NBP) based on an analysis of application events gathered and reconstructed by network sensors of the secured system analyzing network level protocol attributes, wherein the NBP comprises at least a plurality of profile items and each of the plurality of profile items comprises a profile property;
performing analysis on the NBP, wherein the analysis comprises:
computing a percentage of learning progress for each profile item out of the total number of the application events received over a predefined time; and
determining the respective profile item is stable if the percentage of learning progress exceeds a predefined threshold; and
exiting the learn mode and entering a protect mode for at least the profile items determined to be stable.
(Dependent claims 106-134 not reproduced here.)
135. A network security system that utilizes a dynamic learning process for protection of applications, wherein the security system comprises:
a plurality of network sensors, placed on each network segment that is coupled to servers the applications reside on, configured to collect application events by one or more of analyzing network level protocol attributes and polling one or more of the applications for information about recent application events, during a learn mode;
a computer coupled to the plurality of network sensors, the computer configured to generate normal behavior profiles (NBPs) during the learn mode of the security system, wherein the computer is further configured to perform an analysis to determine, for each of the NBPs, if the NBP is stable, wherein the analysis comprises:
a computation of a percentage of learning progress for each profile item in the NBP out of the total number of the application events received over a predefined time; and
a determination that the respective profile item is stable if the percentage of learning progress exceeds a predefined threshold.
(Dependent claims 136-158 not reproduced here.)
159. A network security system that utilizes a dynamic learning process for protection of an application, wherein the security system comprises:
a plurality of network sensors, placed on each network segment that is coupled to a server the application resides on, configured to collect application events by analyzing network level protocol attributes, during a learn mode;
a computer coupled to the plurality of network sensors, the computer configured to generate a normal behavior profile (NBP) during the learn mode of the security system, wherein the computer is further configured to perform an analysis to determine, for each of the NBPs, if the NBP is stable, wherein the analysis comprises:
a computation of a percentage of learning progress for each profile item in the NBP out of the total number of the application events received over a predefined time; and
a determination that the respective profile item is stable if the percentage of learning progress exceeds a predefined threshold.
(Dependent claims 160-176 not reproduced here.)
177. A method, performed by a sensor and a secure server, for protecting an application installed on a server, the method comprising:
collecting in the sensor from an application layer protocol application requests sent by clients to the application installed on the server;
automatically building, based on the collected application requests, a normal behavior profile (NBP), wherein the NBP characterizes the application;
automatically performing analysis to determine that at least part of the NBP is stable, wherein the performing comprises:
computing a percentage of learning progress for different parts of the NBP; and
determining the respective part is stable if the percentage of learning progress exceeds a predefined threshold;
deploying by the secure server at least the stable part of the NBP to the sensor;
collecting an additional application request in the sensor; and
identifying the additional application request as a potential attack based on comparison to the stable part of the NBP.
(Dependent claims 178-193 not reproduced here.)
194. A non-transitory, tangible computer-readable media which has stored in it instructions, which when executed by a computer of a secured system for protection of applications, cause the computer to perform the steps of:
receiving application events processed by sensors coupled between clients and servers on which the applications reside;
analyzing the application events;
generating a normal behavior profile (NBP) based on results of the step of analyzing the application events, the NBP comprising at least a plurality of profile items, wherein each of the plurality of profile items comprises a profile property;
automatically performing analysis to determine if any of the profile items of the NBP are stable, wherein a given one of said profile items is considered stable when it is ready to detect anomalous application events, and wherein the performing comprises:
computing a percentage of learning progress for the profile items of the NBP; and
determining the respective profile item is stable if the percentage of learning progress exceeds a predefined threshold;
deploying the stable profile items of the NBP to the sensors to use for detecting anomalous application events.
(Dependent claims 195-220 not reproduced here.)
221. A network security system that utilizes a dynamic learning process for protection of applications, wherein the security system comprises:
a plurality of network sensors, coupled between clients and servers on which the applications reside, configured to collect application events; and
a computer, coupled to the plurality of network sensors, configured to automatically generate a normal behavior profile (NBP) based on the collected application events, to automatically perform analysis to determine if at least part of that NBP is stable, and to deploy at least the stable parts of the NBP to the network sensors to use for detecting anomalous application events, wherein the analysis comprises:
a computation of a percentage of learning progress for different parts of the NBP; and
a determination that the respective part is stable if the percentage of learning progress exceeds a predefined threshold.
(Dependent claims 222-241 not reproduced here.)
242. An application level security system to protect a web server and a database server comprising:
a first network sensor, coupled between a client and the web server, to collect HTTP requests sent by the client to the web server;
a second network sensor, coupled between the web server and the database server, to collect any SQL requests sent to the database server as a consequence of the HTTP requests;
a computer coupled to the first network sensor and the second network sensor, to execute a profiling process to automatically generate a first and second normal behavior profile (NBP) respectively for the web server and the database server based respectively on the collected HTTP requests and the collected SQL requests, to automatically perform analysis to determine whether the first and second NBP comprise at least one stable profile item useable to detect anomalies, and to upload copies of the NBPs with at least one stable profile item, wherein the first NBP characterizes the web server and a copy is uploaded to the first network sensor, wherein the second NBP characterizes the database server and a copy is uploaded to the second network sensor, wherein the analysis comprises:
a computation of a percentage of learning progress for each profile item in the NBP; and
a determination that the respective profile item is stable if the percentage of learning progress exceeds a predefined threshold.
(Dependent claims 243-262 not reproduced here.)
263. A network security system that utilizes a dynamic learning process for protection of a web application on a web server, wherein the security system comprises:
a computer configured to automatically generate a normal behavior profile (NBP) based on application events collected by a sensor coupled to receive HTTP requests sent from clients to the web application, to automatically perform analysis to determine when different profile items within the NBP become stable such that they are usable to detect anomalies, and to automatically deploy the stable profile items of the NBP to the sensor to use for detecting anomalous HTTP requests, wherein the analysis comprises:
a computation of a percentage of learning progress for each profile item in the NBP; and
a determination that the respective profile item is stable if the percentage of learning progress exceeds a predefined threshold.
(Dependent claims 264-272 not reproduced here.)
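As an added illustration, not code from the patent or its assignee, the following Python model shows the per-item learn/protect cycle the independent claims describe: each profile item (here, the set of query parameter names seen for a URL) learns until its learning progress exceeds a threshold, then that item alone enters protect mode and flags requests that fall outside it. The claims do not define how learning progress is measured; treating it as the share of events in a recent window that added nothing new to the item is an assumption of this example, as is using a count of recent events in place of "a predefined time".

```python
from collections import deque


class ProfileItem:
    """One NBP profile item: for a URL, the set of query parameter names seen.

    Learning progress (assumption, not defined in the claims) is the percentage
    of events in the recent window that fit the item without extending it.
    """

    def __init__(self, window):
        self.params = set()                  # profile property: known parameter names
        self.recent = deque(maxlen=window)   # 1 if an event fit the item, else 0
        self.stable = False                  # True once the item is in protect mode

    def learn(self, names):
        names = set(names)
        self.recent.append(1 if names <= self.params else 0)
        self.params |= names

    def progress(self):
        return 100.0 * sum(self.recent) / len(self.recent) if self.recent else 0.0


class NBP:
    """Items become stable individually; unstable items keep learning."""

    def __init__(self, threshold=90.0, window=20):
        self.threshold, self.window, self.items = threshold, window, {}

    def handle(self, url, names):
        item = self.items.setdefault(url, ProfileItem(self.window))
        if item.stable:                      # protect mode for this item only
            return "anomaly" if set(names) - item.params else "ok"
        item.learn(names)                    # learn mode for this item
        if len(item.recent) == self.window and item.progress() > self.threshold:
            item.stable = True               # deploy the stable item to the sensor
        return "learning"


def demo():
    """Constructed traffic: a stable login form and a search page that keeps varying."""
    nbp = NBP(threshold=90.0, window=20)
    for _ in range(20):
        nbp.handle("/login", ["user", "pass"])
    login_stable = nbp.items["/login"].stable              # True: 19 of 20 fit (95%)
    verdict = nbp.handle("/login", ["user", "pass", "debug"])  # unknown parameter
    for i in range(20):
        nbp.handle("/search", ["q", f"f{i}"])              # a new name every time
    search_stable = nbp.items["/search"].stable            # False: still learning
    return login_stable, verdict, search_stable
```

Note that the first request to a URL never "fits" an empty item, so even perfectly repetitive traffic tops out at (window - 1)/window progress; the threshold has to be chosen with that in mind.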
Specification