Correlated Attack Validation
Unparalleled Accuracy
Imperva SecureSphere incorporates a multi-layer security architecture that enables precise attack protection without the need for manual tuning. SecureSphere's security architecture incorporates both dynamic positive (white list) and dynamic negative (black list) security models. Robust enforcement algorithms draw on both security models to identify and block even the most sophisticated attacks.
Dynamic Positive and Negative Security Models
Imperva's Dynamic Profiling technology creates and maintains the profile that is the heart of SecureSphere's dynamic positive security model. The positive security model also includes network firewall white lists and HTTP and SQL protocol checks. Together, these models form a complete picture of normal behavior that extends from the valid network IP addresses to high-level application and database operations.
SecureSphere's dynamic negative security model includes network firewall black lists, Snort®-compatible signatures across all protocols, and advanced signatures from the Application Defense Center (ADC) – Imperva's own international security research organization. The SecureSphere Security Update Service provides regular updates to ensure the most up-to-date protection is continuously enforced.
Correlated Attack Validation (CAV)
Imperva's unique Correlated Attack Validation (CAV) technology addresses complex attacks that are ambiguous in nature. Correlated Attack Validation (CAV) examines multiple pieces of information at the network, protocol and application level over time to distinguish between attacks and valid user traffic. By basing decisions on multiple observations rather than a single event, CAV delivers a highly accurate and completely automated defense system—achieving overall accuracy that cannot be matched by several standalone data security products.
Correlated Attack Validation effectively blocks multi-stage Web and database application attacks. These attacks cannot be prevented through simple signature matches because they consist of several events or multiple components within a single request or query. For example, HTTP request smuggling combines a Web application attack with two or more Content-Length values in the HTTP request header. Vulnerable Web servers and proxy servers will receive the request and process the content indicated by the first Content-Length value. Malicious content in the remainder of the HTTP request can poison a Web proxy cache or include a cross-site scripting or session hijacking attack.
Sophisticated Signature Analysis Leads to Stronger Data Security
SecureSphere categorizes attack signatures based on attack severity and likelihood of a false positive. If an attack signature has a high probability of false positives, then SecureSphere may be configured to alert but not block an HTTP request that contains the signature. However, with an HTTP request smuggling attack, SecureSphere will detect that the HTTP request contains multiple Content-Length fields and correlate this information with the attack signature to accurately identify and block the attack.
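The correlation described above can be sketched in a few lines. This is an added example, not Imperva's code: the signature, the alert/block policy and the sample requests are constructed assumptions that only illustrate how two weak observations combine into one blocking decision.

```python
import re

# Hypothetical low-confidence signature: it matches too much legitimate
# traffic to block on by itself, so alone it only raises an alert.
LOW_CONFIDENCE_SIG = re.compile(rb"<script", re.IGNORECASE)

def content_lengths(raw: bytes) -> list[bytes]:
    """Return every Content-Length value in the header section, in order."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    values = []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"content-length":
            # A comma-separated list in one header also carries several values.
            values.extend(v.strip() for v in value.split(b","))
    return values

def observations(raw: bytes) -> set[str]:
    """Collect the independent observations made about one request."""
    seen = set()
    if len(content_lengths(raw)) > 1:
        seen.add("multiple-content-length")
    if LOW_CONFIDENCE_SIG.search(raw):
        seen.add("low-confidence-signature")
    return seen

def verdict(raw: bytes) -> str:
    """Assumed policy: block only when both observations agree."""
    seen = observations(raw)
    if {"multiple-content-length", "low-confidence-signature"} <= seen:
        return "block"
    return "alert" if seen else "allow"

# Constructed sample requests (app.example is a placeholder host).
HEAD = b"POST /comment HTTP/1.1\r\nHost: app.example\r\n"
CLEAN = HEAD + b"Content-Length: 9\r\n\r\ntext=helo"
SIG_ONLY = HEAD + b"Content-Length: 24\r\n\r\ntext=about <script> tags"
CORRELATED = (HEAD + b"Content-Length: 0\r\nContent-Length: 20\r\n\r\n"
              b"q=<script>x</script>")

if __name__ == "__main__":
    for label, req in (("clean", CLEAN), ("signature only", SIG_ONLY),
                       ("correlated", CORRELATED)):
        print(label, "->", verdict(req), sorted(observations(req)))
```

The signature-only request is alerted on but passed, while the same signature arriving with two Content-Length values is blocked.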
Combining these data security layers creates an unparalleled level of protection for critical databases and applications.
SecureSphere's Correlated Attack Validation tracks and correlates multiple events to accurately identify and block sophisticated attacks.
