Scaled-out, distributed applications are made up of a large number of application instances. Each instance holds its own data in the cache and memory of the processor on which it runs. Many such instances communicate with one another and process data in parallel to produce an aggregate output. Communication mechanisms, such as data sockets, are used by the applications to exchange messages and data with other applications. Enterprise-level applications generate huge amounts of communication traffic, both from internet-based clients and among the applications within a data center.
These types of scaled-out applications are highly vulnerable to application breaches, to data theft from cache and memory by scraping, and to other methods of illicitly obtaining data from the applications, cache, and/or memory. In data centers that host sensitive applications and data types, such as Personally Identifiable Information (PII), Payment Card Industry (PCI) data, medical information subject to the Health Insurance Portability and Accountability Act (HIPAA), and critical military and government workloads, any application and/or data breach is very damaging and expensive to contain and/or resolve. Therefore, it is beneficial to attempt to prevent such breaches.
Typically, application security in data centers is attempted by applying policies and rules at various levels using security appliances installed in the data center. However, in spite of the layers of security appliances that form a security perimeter around the data center, malware still gets inside the servers in the data center to steal data and attack applications.
In most data breaches, the data and application instances that are attacked are those that use flows in the East-West (E-W) direction, i.e., communication between servers and application instances inside the data center. This is different from North-South (N-S) flows, which cross the perimeter and are protected by conventional data security appliances. Because the network edge to which all the servers attach is considered the safest place, applications often communicate with one another in cleartext, without protecting the data. A huge amount of data is shared across applications and application tiers in the E-W direction within the data center.
Some types of malware can inject applets into the underlying application code; the injected code is then configured to interact with local and remote applications through standard communication channels, such as data sockets, to attack applications and their data. One current attempted solution to these attacks is behavior-based analysis, which looks for exceptions in application behavior in order to protect applications from such attacks. However, this method has multiple deficiencies: application behavior is highly dynamic, the analysis is neither performed in real time nor deterministic, and it generates a large number of false positives, which reduces the performance of applications in a data center.
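To make the false-positive problem concrete, the following is an added example, not code from the patent or from any product it describes: a minimal behavior-baseline detector run over constructed E-W connection records. The detector learns which (source instance, destination host, port) flows are normal during a training window and flags anything else in a later window. The instance names, addresses and ports are assumptions; the "ground truth" set exists only to score the detector and is not something the detector itself has.

```python
"""Behavior-baseline anomaly detection over constructed E-W connection logs.

Added illustration of the deficiency described above: a detector that only
sees flow identity cannot tell a legitimate scale-out event from an injected
applet opening a new socket, so every new peer is an alert.
"""
from collections import Counter

# Constructed sample records (not real data). One record per outbound socket
# connection an application instance made: (src_instance, dst_host, dst_port).
TRAINING_LOG = [
    ("web-1", "10.0.1.10", 8080),   # web tier -> app tier
    ("web-1", "10.0.1.11", 8080),
    ("app-1", "10.0.2.20", 5432),   # app tier -> database
    ("app-1", "10.0.2.20", 5432),
    ("app-1", "10.0.3.30", 6379),   # app tier -> cache
] * 20  # repeated so the baseline sees each flow many times

EVALUATION_LOG = [
    ("web-1", "10.0.1.10", 8080),
    ("app-1", "10.0.2.20", 5432),
    ("web-1", "10.0.1.12", 8080),    # legitimate: a new app-tier instance was added
    ("app-1", "10.0.3.31", 6379),    # legitimate: cache re-sharded onto a new node
    ("app-1", "203.0.113.7", 4444),  # injected applet exfiltrating to an outside host
]

# Ground truth for this constructed scenario, used only to score the detector.
KNOWN_MALICIOUS = {("app-1", "203.0.113.7", 4444)}


def learn_baseline(log, min_count=3):
    """Return the set of flows seen at least min_count times in the window."""
    counts = Counter(log)
    return {flow for flow, n in counts.items() if n >= min_count}


def detect_anomalies(baseline, log):
    """Flag every flow in the evaluation window that is absent from the baseline.

    Note this runs over a collected window after the fact; the decision is
    made only after the connection has already happened.
    """
    return [flow for flow in log if flow not in baseline]


def classify(anomalies, known_malicious):
    """Split flagged flows into true and false positives using ground truth."""
    tp = [f for f in anomalies if f in known_malicious]
    fp = [f for f in anomalies if f not in known_malicious]
    return tp, fp


def run():
    """Train, evaluate and score; returns a dict a caller can inspect."""
    baseline = learn_baseline(TRAINING_LOG)
    anomalies = detect_anomalies(baseline, EVALUATION_LOG)
    tp, fp = classify(anomalies, KNOWN_MALICIOUS)
    return {"anomalies": anomalies, "true_positives": tp, "false_positives": fp}


if __name__ == "__main__":
    for key, value in run().items():
        print(key, value)
```

In this constructed window the detector raises three alerts: one true positive (the connection to 203.0.113.7:4444) and two false positives caused by ordinary scale-out and re-sharding. Lowering the alert rate means widening the baseline, which is exactly the knob that also lets a newly injected socket blend in; the detector has no view of what the application is actually sending over the socket, only of whom it talked to.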