Web security continues to be an increasingly critical issue as usage of the Internet for the transport of data increases and new business applications, e-commerce, and extranets are deployed. With these new capabilities, however, comes increased risk. As most organizations have already deployed firewalls to protect the network, the focus of hacking attempts has switched to the only remaining entry point which needs to be left wide open: web applications over port 80 and 443. As a result, 80% of all corporate hacks specifically target web applications (Gartner).

Gilian Application IDS (G-IDS) is an innovative detection and protection system providing organizations with transparent, constant and automatic web application security. Complementary to traditional firewalls, scanners and intrusion detection systems, G-IDS allows organizations to extend their intrusion detection capabilities from the network level to the application level enabling one of the best-accepted security methodologies in Fortune 500 companies,  “Intrusion Detection”, to now detect and protect business critical applications from attack.

How Does G-IDS Work?
The G-IDS is a network-based appliance, which continuously monitors all inbound and outbound HTTP and HTTP/S traffic over ports 80 and 443. In order to detect application related security events, G-IDS automatically learns how normal users work with the application and how the application behaves in response to users, and alerts on what appears to be abnormal activity.

Initially, the G-IDS builds a Normal Behavior Policy that includes all items that reflect the footprint of the page itself, the structure of the application, its elements and how a normal user utilizes it. The Behavior Policy is then used as the baseline for real time comparison of all inbound and outbound traffic.

If an anomaly is identified, the event is logged for further event correlation and analysis, and response by the IDS/IPS system. If the G-IDS determines that the deviation from the Normal Behavior Policy is in fact legitimate traffic, the policy is modified with the incremental changes. This process guarantees that the longer G-IDS is in operation the tighter the Normal Behavior Policy becomes and the fewer alerts and events are generated over time.

However, if the G-IDS determines the abnormal behavior to be a real security event, application tampering, confidential information leakage etc., then a TCP reset on the connection can be initiated and an alert can automatically be sent to the security administrator. The G-IDS Event Management system enables easy manipulation, filtering and sorting of the events, and each event may initiate multiple response options including alerting, blocking, masking and recovery.

See Gilian's Security Advantages