Deep Content Analysis

The MENDEL Content-based Analysis module uses multiple methods of artificial intelligence, machine learning, and advanced analysis to detect malicious, suspicious, and anomalous transactions on the Application Layer (OSI layer 7 — HTTP and SMB) in enterprise networks. The module autonomously learns the common behavior of defined applications and their users, and reports the anomalies, attacks, and other advanced threats to the MENDEL user.

Deep Content Analysis Detects

  • - Web application attacks
  • - SQL Injection
  • - Data theft attempts
  • - Lateral movement using SMB and Active Directory
  • - Password cracking and privilege escalations
  • - Unknown and Advanced Persistent Threats

Web Application Anomaly Detection

The HTTP Anomaly Detection is an extension of Network Traffic Analysis (NTA) and Network Behavior Analysis (NBA) to Web Application Firewall Technology (WAF). Based on HTTP requests, it learns a tree model of the application URLs, including their parameters, even those which are not visible in the address bar (POST) or embedded in the path itself (parameter rewrites).

A total of 15 statistical models and artificial intelligence methods are used for the web application model, including, for example; Markov’s Hidden Models (HMMs) to calculate how likely each request is. Based on the weight of each of these methods, the module can determine the resulting hazard score for each individual user of the web application.

SQL Injection Identification

Web application vulnerabilities are among the highest severity cybersecurity vulnerabilities. SQL Injection (SQLI) attacks have been rated as the number-one attack within web application threats according to the Open Web Application Security Project (OWASP). The objective of these attacks is to gain access to the database. Exploiting vulnerabilities in web applications allows attackers to bypass the authentication scheme, get access to sensitive data, make changes in database schema, use the compromised server, or attack other computers inside the network.

Our approach applies classification techniques for identification of injection characteristics in the HTTP query string, in addition to rule-based Intrusion Detection Systems and Anomaly Detection. We use Support Vector Machines and Multilayer Perceptron Neural Networks with multiple string analysis and other techniques as word embeddings for query string vectorization even when heavily obfuscated.

See our research article in the Mendel Soft Computing Journal: Machine Learning Blunts the Needle of Advanced SQL Injections.

SMB and Active Directory Anomaly Detection

Artificial Intelligence models and advanced SMB metadata analysis is used to detect anomalies and known harmful activities like lateral movement in a protected network, password cracking, privilege escalation, and other types of SMB attacks. We applied the principles of Gaussian Mixed Model (GMM) NBA methods to Layer 7. The detectors for HTTP analysis are modified to use the complex structure of commands and file paths depending on specific (pseudo-) repositories. Together with other custom-tailored detection methods, this technique is able to identify Advanced Persistent Threats even by state-sponsored attackers.


Project Advanced behavioural models of application layer for effective analysis of traffic in business networks was funded with state support of the Technology Agency of the Czech Republic within the ZETA Programme.