False positive detection reduction system for network-based attacks
Abstract
A system detects a security attack through a network-based application. The system receives a runtime request for invocation of a function and dynamically determines if the request for invocation of the function is associated with a cross-site scripting attack. In response to determining that the function is associated with a cross-site scripting attack, the system stores information associated with the request, which is used for determining if the request is a legitimate request or a cross-site scripting attack.
20 Claims
1. A method of detecting a security attack through a network-based application, comprising:
- receiving, by a processing device, a runtime request for invocation of a function;
- determining, by the processing device, whether the function is included in a stored list of functions that are associated with a network attack;
- intercepting, by the processing device, the runtime request prior to the invocation of the function and in response to determining that the function is included in the stored list of functions;
- storing, by the processing device, information associated with the runtime request in response to determining that the function is included in the list of functions;
- performing, by the processing device, a hash operation on the runtime request in response to determining that the function is included in the list of functions, wherein performing the hash operation comprises:
  - extracting, by the processing device, values from a memory stack associated with the runtime request; and
  - performing, by the processing device, the hash operation on the extracted values; and
- determining, by the processing device, whether the runtime request is a legitimate request prior to the invocation of the function and based on a resultant output value of the hash operation.
Dependent claims: 2, 3, 4, 5, 6
7. An apparatus, comprising:
- a processing device; and
- a memory device coupled to the processing device, the memory device having instructions stored thereon that, in response to execution by the processing device, cause the processing device to perform operations comprising:
  - receiving a runtime request for invocation of a function;
  - determining whether the function is a predetermined function associated with a cross-site scripting attack;
  - storing information associated with the runtime request in response to determining that the function is the predetermined function;
  - intercepting the runtime request prior to the invocation of the function and in response to determining that the function is the predetermined function; and
  - determining whether the runtime request is legitimate prior to the invocation of the function.
Dependent claims: 8, 9, 10, 11, 12, 13
14. A computer program stored on a non-transitory tangible medium for a database system, the computer program comprising a set of instructions operable to:
- receive, by the database system, a function call;
- dynamically determine, by the database system, whether the function call is directed to a function associated with a cross-site scripting attack;
- store, by the database system, identification information associated with the function call in response to determining the function call is directed to the function;
- intercept, by the database system, the function call prior to invocation of the function and in response to determination that the function call is directed to the function; and
- determine, by the database system, whether the function call is legitimate prior to invocation of the function.
Dependent claims: 15, 16, 17, 18, 19, 20
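The sequence recited in claim 1 (check the function against a stored list, intercept, store request information, hash values taken from the call stack, decide legitimacy before invocation), sketched as an added example that is not code from the patent. It assumes Node.js/V8 stack traces, uses FNV-1a as a stand-in for the unspecified hash operation, and assumes the legitimacy decision is a lookup in a set of trusted hashes; every identifier is hypothetical.

```javascript
// Added illustration, not code from the patent. All names are hypothetical.
// Stored list of functions associated with a network attack (XSS-style sinks).
const WATCHED = new Set(["writeHtml", "evalScript"]);
const auditLog = [];             // information stored for every intercepted request
const trustedHashes = new Set(); // assumption: hashes of call paths known to be legitimate

// FNV-1a (32-bit) stands in for the claim's unspecified "hash operation".
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Extract values from the call stack: names of the frames that led to the sink.
// Assumes V8-style traces ("at name (file:line:col)"), as produced by Node.js.
function callerFrames(depth) {
  const frames = new Error().stack.split("\n").slice(1).map((line) => {
    const m = /^\s*at (?:async )?(\S+) \(/.exec(line);
    return m ? m[1] : "<anonymous>";
  });
  return frames.slice(2, 2 + depth); // skip callerFrames and the wrapper itself
}

const hashRequest = (name, frames) => fnv1a([name, ...frames].join("|"));

// Wrap fn so that listed functions are intercepted before they are invoked.
function guard(name, fn, depth = 1) {
  if (!WATCHED.has(name)) return fn; // not on the list: no interception
  return function guarded(...args) {
    const frames = callerFrames(depth);
    const hash = hashRequest(name, frames);
    const legitimate = trustedHashes.has(hash);
    auditLog.push({ name, frames, hash, legitimate });
    if (!legitimate) return { blocked: true, hash };
    return { blocked: false, value: fn(...args) };
  };
}

// Constructed demo: one vetted rendering path and one caller that was never enrolled.
const sinkCalls = [];
const writeHtml = guard("writeHtml", (html) => { sinkCalls.push(html); return html.length; });
trustedHashes.add(hashRequest("writeHtml", ["renderGreeting"]));

function renderGreeting(user) { return writeHtml("<p>Hello, " + user + "</p>"); }
function injectedHandler(payload) { return writeHtml(payload); }
```

Because the hash covers only the sink name and caller frame names, an unenrolled call path is refused regardless of its argument; raising `depth` ties the decision to a longer call chain.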
Specification