When servers face risks from unknown process execution, traditional rules cannot cover all anomalous behaviors. Intelligent behavior analysis uses AI to automatically learn normal process behavior on servers and identify anomalies, achieving zero-trust security protection. This topic describes how to create analysis policies, manage allowlists, switch running modes, and handle security alerts.
Overview
Intelligent behavior analysis uses AI to learn normal process behavior on servers and build a process allowlist. When a server executes a process outside the allowlist, the system triggers an alert or blocks the process based on the current running mode, identifying and handling potential security threats.
Anomalous process detection: When malware or cryptomining trojans are implanted on a server, anomalous process behavior triggers a system alert or automatic blocking.
Compliance auditing: Records all process behavior on servers to meet security compliance auditing requirements.
Zero-trust protection: By default, only allowlisted processes are allowed to run, preventing unknown program execution at the source.
How it works
Running flow
Intelligent behavior analysis includes two phases:
Learning phase
After you create an analysis policy, the AI model records all process behavior on the server. During learning, the system does not block any processes. You can customize the learning duration in the policy settings.
Protection phase
After learning completes, the system builds a process allowlist based on the learned normal process behavior. When a server executes a process outside the allowlist, the system handles it based on the current running mode:
Alert mode (default): Generates alerts for anomalous processes without blocking them.
Block mode: Blocks anomalous processes immediately.
WarningEnforcement mode blocks anomalous processes directly. We recommend verifying the completeness of the allowlist before switching to enforcement mode to avoid blocking legitimate business processes.
Running status
A server has the following running statuses in intelligent behavior analysis:
Status | Description | Available actions |
Learning | The model is learning process behavior on the server. | View details, Relearn, Switch Mode |
Alerting | Learning is complete. Anomalous process behavior triggers alerts. | View details, Start Incremental Learning, Relearn, Switch Mode |
Enforcing | Learning is complete. Anomalous process behavior is blocked immediately. | View details, Start Incremental Learning, Relearn, Switch Mode |
Before you begin
Security Center agent installed on the target server.
Server OS and kernel versions meeting the AliHips requirements, with the AliHips process running normally.
Activate Agent Endpoint Detection and Response(Agent EDR)
To use the intelligent behavior analysis feature, you must first purchase and activate Agent Endpoint Detection and Response.
Subscription
Visit the or Agent EDR purchase page, and complete the following configurations:
Intelligent Host Detection and Response: Select the number of standard seats to purchase.
Subscription Duration: The service duration.
NoteWe recommend selecting auto-renewal to avoid service interruption due to expiration. After enabling, auto-renewal occurs monthly, and the system deducts payment at the current price before the instance expires. You can cancel auto-renewal at any time. See Renew expiring resources.
After completing the configuration, click Buy Now.
Pay-as-you-go
Go to the Security Center console - Overview page.
In the Pay-as-you-go section, turn on the Agent Endpoint Detection and Response switch.
Hybrid billing
The hybrid billing mode (Burstable Protection) is currently in limited beta. To activate it, please contact your business representative.
Purchase the Agent Endpoint Detection and Response subscription service.
Go to the Security Center console - Overview page.
In the Subscription section, turn on the Burstable Protection switch.
Bind quotas
You must bind an EDR seats to each server before you can use Intelligent Behavior Analysis for learning and protection.
Go to the Security Center console - Overview page.
Go to the authorization page. The entry point varies by billing model:
Subscription / Hybrid billing: In the Subscription section, click Manage next to Agent Endpoint Detection and Response.
Pay-as-you-go: In the pay-as-you-go Pay-as-you-go section, click Quota Management next to Agent Endpoint Detection and Response.
In the Quota Management dialog box, Select Server Location (Chinese Mainland or Outside Chinese Mainland) to locate the target server.
For the target server, turn on the switch in the Agentic EDR Seat column.
ImportantTo automatically bind EDR seats to new servers, in the Automatically Add New Servers to Security Center section, select Automatically Enable Agentic EDR for New Hosts.
Create an analysis policy
Before enabling intelligent behavior analysis, you must create a protection policy to define the learning duration, allowlist mode, and target servers.
Access the Security Center console - Mitigation Settings - Host Protection - Intelligent Behavior Analysis. In the upper-left corner of the page, select the region where the assets to be protected are located: Chinese Mainland or Outside Chinese Mainland.
On the intelligent behavior analysis page, click Intelligent Behavior Analysis Settings.
In the dialog box, click Create Policy.
Configure the following parameters:
Parameter
Description
Policy Name
A custom name to identify the policy, for easy recognition and management.
Learning Duration
The number of days for the model to learn after initial setup. During learning, the system records all process behavior.
NoteWe recommend at least 7 days to ensure the learning covers a complete business cycle.
If the server has strong business periodicity (for example, runs a scheduled task once a week), we recommend 14 days or more.
Automatic End
If no new behaviors are detected for N consecutive days, learning ends automatically and Alert mode is enabled.
Whitelist Mode
The allowlist matching method.
Process Path: Matches by process file path (default).
Process Hash: Matches by file MD5 hash value.
Server selection
The scope of servers the policy applies to. Supports selecting all assets or by asset group. You can search by server name, public IP, or private IP.
Click OK.
Verify that the selected servers show the Learning status.
After the policy is created, the selected servers enter the learning phase. We recommend creating the policy during normal business hours to ensure the model captures a complete set of normal process behavior.
Manage the allowlist
After learning finishes, the system generates a process allowlist. View, add, or remove allowlisted process paths as needed.
View the allowlist
On the Intelligent Behavior Analysis page, click Details in the Actions column for the target server.
View all allowlisted process paths for the server.
NoteUse the filter and search box to locate specific process paths.
Add to the allowlist
Method | Supported allowlist modes | Applicable scenario |
Batch add | Process Path, Process Hash | Add trusted items to multiple servers at once. |
Single add | Process Path only | Add a specific path to a single server. |
Batch add
On the Intelligent Behavior Analysis page, select one or more servers from the server list.
In the batch operations area, click Add Process Behavior.
Enter the Process Path or Process Hash, then click OK.
Verify that the process path appears in the allowlist.
Single add
On the Intelligent Behavior Analysis page, click Details in the Actions column for the target server.
On the Process Path page, click AddProcess Path.
In the dialog box, enter the Process Path, then click OK.
Verify that the process path appears in the allowlist.
Remove from the allowlist
On the Intelligent Behavior Analysis page, click Details in the Actions column for the target server.
In the process path list, click Delete in the Actions column for the target process.
Verify that the process path no longer appears in the allowlist.
After removal, the process is flagged as anomalous. The system generates an alert, and the process is blocked immediately in Block mode.
Switch protection mode
The default protection mode after learning is Alert. Switch between modes as needed.
Before switching from Alert to Block mode, verify that the allowlist covers all legitimate business processes to avoid accidental blocking.
In the server list, click Switch Mode in the Actions column for the target server.
Select Alert or Block mode.
Click OK.
Verify that the Running status column reflects the new mode.
View and handle alerts
When a process is not in the allowlist, the system generates a security alert. View and handle alerts using the Alerts feature.
In the navigation pane on the left, select . In the upper-left corner of the console, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.
NoteIf you have activated the Agentic SOC service, the navigation pane entry changes to .
On the CWPP tab, click the number below Host Abnormal Behavior Alert to open the alert list.
Alert statuses:
Alert mode: Alert status is Alerts, requiring manual review.
Block mode: The process is blocked automatically. Alert status is Blocked.
For each alert, choose one of the following handling methods:
Dimension
Ignore
Add to Business Model
Alert status after action
Changes to Ignored.
No change.
Alert on next occurrence
Yes. The system generates another alert the next time the same process runs.
No. The process is allowed without generating an alert the next time it runs.
Allowlist change
No change.
The process is added to the allowlist.
Applicable scenario
Temporary tasks or suspected behavior that requires ongoing monitoring.
Confirmed legitimate business processes where you want to reduce alert noise.
Relearn process behavior
When business needs change, relearn process behavior to update the allowlist. Two methods are available:
Comparison | Start Incremental Learning | Relearn |
Limitations | Available only for servers in Alerting or Enforcing status. Not available during Learning. | No restrictions. |
Data processing | Preserves the existing allowlist and learns only new process behaviors. | Clears all allowlist data and rebuilds from scratch. |
Protection status | Blocking and alerting are not in effect. | Blocking and alerting are not in effect. |
Applicable scenario | Minor business changes with a small number of new processes or services, routine maintenance. | Major business changes, such as new services or software upgrades, where the existing model no longer applies. |
On the Intelligent Behavior Analysis page, click Relearn or Start Incremental Learning in the Actions column for the target server.
After the operation, the Status changes to Learning.
ImportantDuring Learning status, neither blocking nor alerting is in effect.
Billing
Subscription:
Billing method: Billed based on the number of seat authorizations that you purchase. Binding one server consumes one seat authorization.
Billing rules:USD 6.876066 per seat per month.
Pay-as-you-go:
Billing method: Billed based on the number of seat authorizations and the actual usage duration. Binding one server consumes one seat authorization. Servers without bound policies automatically stop billing.
Billing cycle: Billed daily.
Price: USD 0.014325 per seat per hour.
Hybrid billing:
Billing method: Billed based on the number of seat authorizations that you purchase. Binding one server consumes one seat authorization.
Billing rules: After Burstable Protection is enabled, when the actual number of bound seats exceeds the subscription standard seats quota, the excess seats are billed as elastic protection seats.
ImportantAfter the subscription expires, Burstable Protection is automatically disabled, and billing for elastic protection seats also stops automatically.
Agentic EDR standard seats: USD 6.876066 per seat per month.
Agentic EDR elastic protection seats: USD 0.014325 per seat per hour.
Close and Unsubscribe Service
If you no longer need the EDR service, refer to the following instructions based on your billing model.
Close the entire service:
Subscription: Go to the or Refund Management page to submit a refund request for the EDR order. For details, see Refund policy.
Pay-as-you-go: On the Security Center console - Overview page, in the Pay-as-you-go section, turn off the Agent Endpoint Detection and Response switch.
Close elastic protection:
Method 1: On the Security Center console - Overview page, in the Subscription section, turn off the Burstable Protection switch.
Method 2: After unsubscribing the subscription service, the Burstable Protection is also automatically disabled.
Data cleanup
After you close the service, unsubscribe from Agent EDR instances, or if your account is overdue, intelligent behavior analysis stops immediately. Data is retained as follows:
Scenario | Data retention | |
Subscription instances | Unsubscription |
|
Expiration | ||
Pay-as-you-go instances | Closure | |
Overdue payment | ||
FAQ
Does a Security Center instance expiration affect Agent EDR?
No. Reasons:
Independent billing: Agent EDR is an independent billing module, billed separately from the Security Center instance.
Continued availability: As long as the Agent EDR instance is within its validity period, you can still use learning, server binding, and other features even if the Security Center instance has expired.
Why can't I see the Burstable Protection switch?
Burstable Protection is currently in the private preview phase. Contact your sales representative to enable it.
Why is the allowlist empty after learning completes?
An empty allowlist means no process activity was recorded during learning. Check the following, then click Relearn:
Is the server running and the Security Center agent online?
Is the AliHips process running? If not, check whether the OS and kernel versions meet the AliHips requirements.
Was there actual business traffic on the server during the learning phase?
How do I prevent legitimate business processes from being blocked in enforcement mode?
Before switching to Block mode, verify that the learning duration was sufficient and the allowlist covers all legitimate processes.
Run in Alert mode first to check for false alerts on legitimate processes.
If a process is blocked, add it to the allowlist, then click Relearn or use incremental learning.
Start Incremental Learning vs Relearn: What is the difference?
Incremental learning preserves the existing allowlist and learns only new behaviors. Suitable for minor business changes, and carries low risk.
Relearning clears all data and starts from scratch. Suitable for major business changes where the existing model no longer applies, and carries higher risk.