The AppFlow-based behavior analysis uses statistical and data mining techniques to determine the current operating region of the application and also projects its behavior in the near future. The operating point (OP) of an application can be defined as a point in an n-dimensional space with respect to well-defined attributes. An acceptable operating zone for an application can be defined by combining the normal operating values for each attribute. At runtime, the OP of an application moves from one zone to another and that point might move to a region where the application does not meet its security requirements. For example, the AppFlow (black dotted curve in Figure 4) moves outside the green sub-cube due to a software failure or cyberattack. By continuously monitoring the operating point of an application and using statistical and data mining techniques to project the trend of the operating point in the near future, we can proactively predict and detect the anomalous behaviors that might have been caused by malicious attacks. Furthermore, once it is determined that the application operating point is moving outside the normal region, it will consult a decision support system to determine the appropriate proactive management policy that brings the application behavior back into a normal operating region.

We have used AppFlow to predict the behavior of a multi-tier web-based ecommerce application that implements ecommerce transactions based on the TPC-W benchmark [1]. We have also used the AppFlow based anomaly behavior analysis to detect attacks against DNS, TCP, WiFi, and Modbus protocols [1, 3, 4, 5, 6, 7]. AVIRTEK has extended the AppFlow concept to develop novel data structures Cyber-Footprints  that can model the users, physical and logical resources.  Figure 5 shows an example of a User Cyber Footprint (UCF) data structure.