Use case description
A governmental organization suspected that its web servers were under stealthy attack. The organization used several commercial security solutions that found many known attacks, but the assumption was that many unknown, targeted zero-day attacks were being used against its web servers (e-payment servers, DB servers, etc.) and that none of them were detected by the security solutions in use.
Our challenge was to mine the traffic to the web servers, identify malicious and stealthy attacks, and provide a defense mechanism to block them.

Our analysis
The network data that we analyzed included HTTP requests from Internet users to the governmental web servers. On each day of activity, thousands of requests were submitted to hundreds of governmental web servers. Each request was described by hundreds of numeric, nominal and textual parameters, for example the length of the request, its textual fields and its parameters.
We used our technologies for data mining, text mining and anomaly detection to learn the normal behavior of each web server and then to identify deviations that can be harmful. Each activity was evaluated in real time and visualized in a 3D graph. In the following image we can see how our methods detected highly sophisticated SQL injection attacks: the half-circle manifold represents the normal behavior, and the two anomalous points in the middle represent two SQL injection attacks that were performed against the governmental web server.
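The per-server baseline-and-deviation approach described above, as an added Python example (it is not the organization's or the vendor's code): it extracts a few numeric features from constructed request log lines, learns a per-host mean and spread for each feature, and flags a request whose worst z-score exceeds an assumed threshold. The host names, log line format, feature set, spread floor and threshold are all assumptions made for the illustration; the page does not say which features its system used.

```python
"""Per-server baseline of HTTP request features with z-score anomaly flagging (illustrative)."""
import statistics
from urllib.parse import parse_qsl, urlsplit

# Constructed sample traffic (not taken from the page). Each line: "<host> <method> <target>".
NORMAL_REQUESTS = [
    "payments.example.gov GET /pay?invoice=10234&amount=120",
    "payments.example.gov GET /pay?invoice=10235&amount=85",
    "payments.example.gov GET /pay?invoice=10236&amount=4090",
    "payments.example.gov GET /pay?invoice=10237&amount=17",
    "payments.example.gov GET /pay?invoice=10238&amount=250",
    "payments.example.gov GET /status?invoice=10234",
    "payments.example.gov GET /status?invoice=10239",
    "payments.example.gov GET /status?invoice=10240",
]

FEATURE_NAMES = ("target_len", "n_params", "mean_value_len", "special_frac")
THRESHOLD = 4.0  # assumed: a request whose largest |z| reaches this value is flagged


def extract_features(line):
    """Turn one log line into (host, feature dict) using only the request target."""
    host, _method, target = line.split(" ", 2)
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)  # decodes %xx and '+'
    values = [v for _, v in params]
    joined = "".join(values)
    special = sum(1 for ch in joined if not ch.isalnum())
    return host, {
        "target_len": float(len(target)),                       # raw length of path+query
        "n_params": float(len(params)),                         # number of query parameters
        "mean_value_len": (sum(map(len, values)) / len(values)) if values else 0.0,
        "special_frac": (special / len(joined)) if joined else 0.0,  # share of non-alnum chars
    }


def learn_baseline(lines):
    """Per host and per feature, learn (mean, spread) from traffic assumed to be normal."""
    per_host = {}
    for line in lines:
        host, feats = extract_features(line)
        columns = per_host.setdefault(host, {name: [] for name in FEATURE_NAMES})
        for name in FEATURE_NAMES:
            columns[name].append(feats[name])
    baseline = {}
    for host, columns in per_host.items():
        baseline[host] = {}
        for name, xs in columns.items():
            mean = statistics.fmean(xs)
            sd = statistics.pstdev(xs) if len(xs) > 1 else 0.0
            # Floor the spread: a feature that was constant in training would otherwise
            # divide by zero, and any tiny deviation would look infinitely anomalous.
            sd = max(sd, 0.01 * (abs(mean) + 1.0))
            baseline[host][name] = (mean, sd)
    return baseline


def score_request(baseline, line):
    """Return (largest |z| over the features, name of that feature); None for an unseen host."""
    host, feats = extract_features(line)
    if host not in baseline:
        return None, None  # no model for this server: report separately, do not guess
    zs = {name: abs(feats[name] - mean) / sd for name, (mean, sd) in baseline[host].items()}
    worst = max(zs, key=zs.get)
    return zs[worst], worst


def is_anomalous(baseline, line, threshold=THRESHOLD):
    score, _ = score_request(baseline, line)
    return score is not None and score >= threshold


if __name__ == "__main__":
    model = learn_baseline(NORMAL_REQUESTS)
    for candidate in (
        "payments.example.gov GET /pay?invoice=10241&amount=300",
        # constructed: a quoted boolean expression smuggled into the invoice parameter
        "payments.example.gov GET /pay?invoice=10234%27+OR+%271%27%3D%271&amount=1",
    ):
        score, feature = score_request(model, candidate)
        print(f"{'ALERT ' if is_anomalous(model, candidate) else 'ok    '}"
              f"z={score:6.2f} via {feature:15s} {candidate}")
```

The deviation is judged against the server's own history, so a long query string that is normal for one application is not an alert for another, which is the point of learning a baseline per web server. The spread floor matters in practice: the `special_frac` feature is constant (zero) in this baseline, and without a floor the first request containing any punctuation would divide by zero. Such a per-feature z-score is a deliberately simple stand-in for the manifold learning the page describes; it cannot capture the curved normal region shown in their 3D plot, where a multivariate method (for example a distance to a learned low-dimensional embedding) would be used.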

Conclusions and our solution
We developed and used several methods for pre-processing the data, and then used our data/text mining tools and anomaly detection methods to identify abnormal activity that can be associated with a stealthy attacker. The security systems that the ISP uses detected about 150 attacks against the tested web servers. In addition, our technology detected 80 unknown zero-day attacks.
We developed and adapted a solution for our client that enables detection of stealthy attacks and zero-day attacks against its web servers.

