Abstract: Systems and methods for accurate detection and identification of application-level threats in a computer network include one or more nodes instantiated at protected systems and a network-based security platform communicatively coupled to receive data collected by the one or more nodes. Each node is configured to inspect application-level requests in inbound network traffic to a respective protected system. The security platform includes a three-layer machine learning engine to iteratively reconstruct each protected system's application business logic, identify associated application endpoints, data boundaries, and customary user behaviors based on the data collected by the one or mode nodes, and to create customized profiles for the protected systems and make those profiles available to the nodes instantiated at the protected systems. The security platform detects anomalies in the data provided by the nodes through comparisons with the behavior profile.

Abstract: Systems and methods for targeted attack detection. A protection system intercepts traffic destined for a protected system and only traffic identified as non-malicious is allowed to pass thereto. Data collection agents (DCAs) instantiated at protected systems report information concerning protected system resources to the protection system, which creates from that information a set of threat attack detection metrics (TADMs) by which it evaluates payloads of the intercepted traffic. In particular, the intercepted traffic is assessed using conventional threat detection approaches to identify suspect payloads. The suspect payloads are additionally evaluated against the TADMs to determine if they contain any references to specific resources of the protected system. For those of the suspect payloads for which the TADM evaluation reveals positive results, the protection system provides an alert that a targeted attack has been recognized.