Technical Field of the Invention
The present invention relates generally to comprehensive security systems, and more particularly, to dynamic learning methods and adaptive normal behavior profile (NBP) architectures utilized by comprehensive security systems.
Description of the Related Art
Accessibility, ubiquity and convenience of the Internet rapidly changed the how people access information. The World Wide Web (“WWW”), usually referred to as “the web”, is the most popular means for retrieving information on the Internet. The web enables user access to practically an infinite number of resources, such as interlinked hypertext documents accessed by a hypertext transfer protocol (HTTP), or extensible markup language (XML) protocols from servers located around the world.
Enterprises and organizations expose their business information and functionality on the web through software applications, usually referred to as “enterprise applications”. The enterprise applications use the Internet technologies and infrastructures. A typical enterprise application is structured as a three-layer system, comprising a presentation layer, a business logic layer and a data access layer. The multiple layers of the enterprise application are interconnected by application protocols, such as HTTP and structured query language (SQL). Enterprise applications provide great opportunities for an organization. However, at the same time, these applications are vulnerable to attack from malicious, irresponsible or criminally minded individual. An application level security system is required to protect enterprise applications from web hackers.
In related art, application level security systems prevent attacks by restricting the network level access to the enterprises applications, based on the applications' attributes. Specifically, the security systems constantly monitor requests received at interfaces and application components, gather application requests from these interfaces, correlate the application requests and match them against predetermined application profiles. These profiles comprise a plurality of application attributes, such as uniform resource locators (URLs), cookies, users' information, Internet protocol (IP) addresses, query statements and others. These attributes determine the normal behavior of the protected application. Application requests that do not match the application profile are identified as potential attacks.
An application profile is created during a learning period through which the security system monitors and learns the normal behavior of users and applications over time. The security system can apply a protection mechanism, only once the profile of a protected application is completed, i.e., when sufficient data is gathered for all attributes comprised in the profile. In addition, some security systems require that the application profile be manually defined. These requirements limit the ability of those security systems to provide a fast protection, since substantial time is required (usually days) in order to complete the application profile. Furthermore, this technique limits security systems from being adaptive to changes in application's behavior.
Therefore, in the view of the limitations introduced in the related art, it would be advantageous to provide a solution that enables a fast protection of enterprise applications by an application level security system.