Anomaly Detection
Behavior-based anomaly detection compares a profile of all allowed application behavior to actual traffic. Any deviation from the profile is flagged as a potential attack. It is commonly referred to as a positive security model because it seeks only to identify all "known good" behaviors and assumes that everything else is bad. Behavior anomaly detection has the potential to detect attacks of all kinds – including "unknown" attacks on custom code.
Behavior anomaly detection can also lead to a high rate of false positives. For example, after a behavior profile is created, an application developer may change the application (a new URL, new parameter, etc.) without notifying the security team. In this case, behavior-based anomaly detection wrongly identifies access to these new parameters as potential attacks. Given the extreme complexity and dynamics of enterprise Web applications, the use of behavior anomaly detection as the sole basis for blocking attacks in real time is difficult without continuous tuning. This is why SecureSphere combines anomaly detection with signature detection and correlates all irregularities over time to accurately detect attacks without manual configuration or tuning.
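The sketch below is an added example, not SecureSphere's implementation: it learns a profile of allowed URLs, parameters and value types from constructed sample traffic, then checks new requests against it. All names (`build_profile`, `check`, `value_class`) and the sample requests are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample traffic observed during the learning period.
LEARNING_TRAFFIC = [
    "GET /account?id=1042",
    "GET /account?id=7",
    "POST /login?user=alice",
    "GET /search?q=red+shoes&page=2",
]

def value_class(value):
    """Coarse value type; a fuller profile would also track length and charset."""
    if value.isdigit():
        return "numeric"
    if re.fullmatch(r"[A-Za-z0-9 _.-]*", value):
        return "text"
    return "other"

def parse(request):
    """Split 'METHOD /path?query' into an endpoint key and decoded parameters."""
    method, target = request.split(" ", 1)
    parts = urlsplit(target)
    return (method, parts.path), parse_qsl(parts.query, keep_blank_values=True)

def build_profile(requests):
    """Profile: endpoint -> parameter name -> set of value classes seen."""
    profile = defaultdict(lambda: defaultdict(set))
    for request in requests:
        endpoint, params = parse(request)
        profile[endpoint]  # register the endpoint even when it has no parameters
        for name, value in params:
            profile[endpoint][name].add(value_class(value))
    return profile

def check(profile, request):
    """Return every deviation from the profile; an empty list means 'known good'."""
    endpoint, params = parse(request)
    if endpoint not in profile:
        return [f"unknown URL {endpoint[0]} {endpoint[1]}"]
    anomalies = []
    for name, value in params:
        allowed = profile[endpoint].get(name)
        if allowed is None:
            anomalies.append(f"unknown parameter '{name}'")
        elif value_class(value) not in allowed:
            anomalies.append(f"unexpected {value_class(value)} value for '{name}'")
    return anomalies
```

A request such as `GET /account?id=55&format=json` is flagged for the unknown parameter `format` even if a developer shipped that parameter legitimately after the learning period, which is the false-positive case described above.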
