1. Field
The present disclosure is directed to technology for monitoring software in a computing environment.
2. Background
The growing presence of the Internet as well as other computer networks such as intranets and extranets has brought many new applications in e-commerce, education and other areas. Organizations increasingly rely on such applications to carry out their business or other objectives, and devote considerable resources to ensuring that they perform as expected. Naturally, security measures are taken to protect valuable resources, such as the contents of databases. Unfortunately, some parties may attempt to take advantage of security vulnerabilities. Therefore, network intrusion detection software has been developed to detect possible attempts to breach security.
Some network intrusion detection software primarily relies on an analysis of a cross-section of network traffic at a single logical point in end-user interactions. As one example, packets that enter a network may be “sniffed”. As another example, web server access logs can be analyzed. Security software can analyze these end-user interactions for patterns in the data that may indicate certain types of attacks.
To improve their effectiveness, some security software may increase the sophistication of the pattern recognition algorithms used to detect possible attempts to breach security. These sophisticated algorithms may benefit from rich sources of input data. However, too much data may overwhelm the algorithms to the point of diminishing their utility.
Also, one of the hardest problems is detecting insider security threats. Most often, the raw data needed to identify insider threats is much more difficult to capture, since insiders usually do not pass through the same level of application security as external users. Insider threats may also come from malicious custom software that takes advantage of embedded programmatic interfaces that are inherently unexposed to the outside world but that are still vulnerable to insiders with more intimate knowledge of information technology (IT) systems. A simple example might be a rogue programmer who uses a remote Enterprise JavaBeans (EJB) call to initiate a fraudulent transaction that would normally be initiated through HTTP interfaces, which may be logged and more proactively secured.
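The two preceding paragraphs describe, first, the conventional approach of analyzing web server access logs for patterns that may indicate attacks and, second, its blind spot: a transaction initiated through an internal programmatic interface such as a remote EJB call never appears in the HTTP access log at all. The following example is added here for illustration and is not part of the disclosure. It assumes Apache "combined" access log lines and a hypothetical application-level transaction record (with a hypothetical "transfer" operation) such as an in-process monitor might emit; all log lines and records are constructed. It first applies a simple access-log pattern check (a client whose requests are mostly 4xx errors, a common sign of probing), then correlates application-level transactions with the access log and flags any transaction that has no corresponding HTTP request, which is exactly the case the paragraph above describes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of web server access log lines (Apache "combined" format).
ACCESS_LOG = """\
10.0.0.5 - alice [10/Oct/2023:13:55:36 +0000] "POST /transfer HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - alice [10/Oct/2023:13:56:01 +0000] "GET /account HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:56:10 +0000] "GET /admin HTTP/1.1" 404 0 "-" "curl/8.0"
10.0.0.9 - - [10/Oct/2023:13:56:11 +0000] "GET /backup HTTP/1.1" 404 0 "-" "curl/8.0"
10.0.0.9 - - [10/Oct/2023:13:56:12 +0000] "GET /config HTTP/1.1" 404 0 "-" "curl/8.0"
10.0.0.9 - - [10/Oct/2023:13:56:13 +0000] "GET /login HTTP/1.1" 200 1024 "-" "curl/8.0"
"""

# Constructed sample of application-level transaction records (hypothetical
# format, assumed to be emitted by a monitor inside the application). The
# hypothetical "transfer" operation is reachable both through the HTTP
# interface (POST /transfer) and through a remote EJB call that never
# touches the web server, so it would leave no access-log entry.
TRANSACTIONS = [
    {"txn_id": "T1", "user": "alice", "time": "2023-10-10T13:55:36", "op": "transfer"},
    {"txn_id": "T2", "user": "bob", "time": "2023-10-10T13:57:20", "op": "transfer"},
]

# Regular expression for the fields of a combined-format access log line
# that this example uses (client IP, authenticated user, timestamp,
# method, path and status code).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


def parse_access_log(text):
    """Parse access log text into a list of dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Timestamps are assumed to be UTC; drop tzinfo so they compare with
        # the naive ISO timestamps in the transaction records.
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        entries.append({
            "ip": m.group("ip"),
            "user": m.group("user"),
            "ts": ts,
            "method": m.group("method"),
            "path": m.group("path"),
            "status": int(m.group("status")),
        })
    return entries


def flag_scanning_clients(entries, min_requests=3, error_ratio=0.5):
    """Return client IPs whose requests are mostly 4xx errors (probing pattern)."""
    total = defaultdict(int)
    errors = defaultdict(int)
    for e in entries:
        total[e["ip"]] += 1
        if 400 <= e["status"] < 500:
            errors[e["ip"]] += 1
    return sorted(
        ip for ip in total
        if total[ip] >= min_requests and errors[ip] / total[ip] >= error_ratio
    )


def find_unlogged_transactions(transactions, entries, window_seconds=5):
    """Return IDs of "transfer" transactions with no matching POST /transfer
    by the same user within the time window, i.e. transactions that reached the
    application through a path the HTTP access log never saw."""
    window = timedelta(seconds=window_seconds)
    unlogged = []
    for t in transactions:
        if t["op"] != "transfer":
            continue
        t_time = datetime.fromisoformat(t["time"])
        matched = any(
            e["user"] == t["user"]
            and e["method"] == "POST"
            and e["path"] == "/transfer"
            and abs(e["ts"] - t_time) <= window
            for e in entries
        )
        if not matched:
            unlogged.append(t["txn_id"])
    return unlogged


if __name__ == "__main__":
    entries = parse_access_log(ACCESS_LOG)
    print("probing clients:", flag_scanning_clients(entries))
    print("transactions without an HTTP correlate:",
          find_unlogged_transactions(TRANSACTIONS, entries))
```

On the constructed data the access-log check alone flags only the external probing client, while the correlation step surfaces transaction T2, which the access log never recorded; that second signal is only available because a data source inside the application, not just the web server log, was consulted.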
Thus, improvements are desired in detecting possible attempts to breach the security of a computer network. While substantial amounts of data may be available to be mined for use in network intrusion detection, using too much data and/or data at too granular a level may lessen the effectiveness of network intrusion detection algorithms. Further, techniques that are better at detecting insider security threats are desired.