False positive detection reduction system for network-based attacks

US 10,187,403 B2
Filed: 12/02/2015
Issued: 01/22/2019
Est. Priority Date: 12/02/2015
Status: Active Grant

First Claim

Patent Images

1. A method of detecting a security attack through a network-based application, comprising:

receiving, by a processing device, a runtime request for invocation of a function;

determining, by the processing device, whether the function is included in a stored list of functions that are associated with a network attack;

intercepting, by the processing device, the runtime request prior to the invocation of the function and in response to determining that the function is included in the stored list of functions;

storing, by the processing device, information associated with the runtime request in response to determining that the function is included in the list of functions;

performing, by the processing device, a hash operation on the runtime request in response to determining that the function is included in the list of functions, wherein performing the hash operation comprises;

extracting, by the processing device, values from a memory stack associated with the runtime request; and

performing, by the processing device, the hash operation on the extracted values; and

determining, by the processing device, whether the runtime request is a legitimate request prior to the invocation of the function and based on a resultant output value of the hash operation.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system detects a security attack through a network-based application. The system receives a runtime request for invocation of a function and dynamically determines if the request for invocation of the function is associated with a cross-site scripting attack. In response to determine the function is associated with a cross-site scripting attack, the system stores information associated with the request, which is used for determining if the request is a legitimate request or a cross-site scripting attack.

Citations

20 Claims

1. A method of detecting a security attack through a network-based application, comprising:
- receiving, by a processing device, a runtime request for invocation of a function;
  
  determining, by the processing device, whether the function is included in a stored list of functions that are associated with a network attack;
  
  intercepting, by the processing device, the runtime request prior to the invocation of the function and in response to determining that the function is included in the stored list of functions;
  
  storing, by the processing device, information associated with the runtime request in response to determining that the function is included in the list of functions;
  
  performing, by the processing device, a hash operation on the runtime request in response to determining that the function is included in the list of functions, wherein performing the hash operation comprises;
  
  extracting, by the processing device, values from a memory stack associated with the runtime request; and
  
  performing, by the processing device, the hash operation on the extracted values; and
  
  determining, by the processing device, whether the runtime request is a legitimate request prior to the invocation of the function and based on a resultant output value of the hash operation.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the list of functions comprises functions that exhibit one or more of the characteristics of being document object model idempotent, being debuggable or resulting in visual changes in response to execution of the functions.
  - 3. The method of claim 1, further comprising:
    - extracting, by the processing device, a runtime signature from the runtime request in response to determining that the function is included in the list of functions; and
      
      determining, by the processing device, whether the runtime request is a legitimate request based on the extracted runtime signature.
  - 4. The method of claim 3, wherein determining whether the runtime request is a legitimate request comprises comparing, by the processing device, the extracted runtime signature to a stored list of trusted signatures.
  - 5. The method of claim 1, further comprising invoking the function in response to determining that the runtime request is the legitimate request based on the resultant output value of the hash operation.
  - 6. The method of claim 1, wherein performing the hash operation produces a signature associated with the runtime request, wherein the method further comprises:
    - comparing, by the processing device, the signature to a plurality of trusted signatures stored in a trusted signature repository; and
      
      determining whether the signature matches a trusted signature of the plurality of trusted signatures based on the comparison, wherein determining whether the runtime request is a legitimate request includes determining, by the processing device, that the runtime request is the legitimate request in response to determining that the signature matches the trusted signature.

7. An apparatus, comprising:
- a processing device; and
  
  a memory device coupled to the processing device, the memory device having instructions stored thereon that, in response to execution by the processing device, cause the processing device to perform operations comprising;
  
  receiving a runtime request for invocation of a function;
  
  determining whether the function is a predetermined function associated with a cross-site scripting attack;
  
  storing information associated with the runtime request in response to determining that the function is the predetermined function;
  
  intercepting the runtime request prior to the invocation of the function and in response to determining that the function is the predetermined function; and
  
  determining whether the runtime request is legitimate prior to the invocation of the function.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The apparatus of claim 7, wherein the apparatus further comprises a display device, and wherein execution of the predetermined function results in a visual change of a display on the display device.
  - 9. The apparatus of claim 7, wherein the operations further comprise:
    - extracting elements from a memory stack in response to determining the function is the predetermined function;
      
      performing a hash operation with the elements; and
      
      comparing a resultant value from the hash operation to trusted values for determining whether the runtime request is legitimate.
  - 10. The apparatus of claim 9, wherein the operations further comprise removing domain names from the elements, and wherein the hash operation is performed on the elements with the domain names removed.
  - 11. The apparatus of claim 7, wherein the operations further comprise:
    - generating a runtime signature based on the information associated with the runtime request; and
      
      comparing the runtime signature to one or more trusted signatures to determine whether the runtime request is legitimate.
  - 12. The apparatus of claim 7, wherein the operations further comprise determining whether the runtime request is legitimate based on a stack length associated with the function.
  - 13. The apparatus of claim 7, wherein the operations further comprise determining whether the runtime request is legitimate based on one or more functions performed precedent to receiving the runtime request.

14. A computer program stored on a non-transitory tangible medium for a database system, the computer program comprising a set of instructions operable to:
- receive, by the database system, a function call;
  
  dynamically determine, by the database system, whether the function call is directed to a function associated with a cross-site scripting attack;
  
  store, by the database system, identification information associated with the function call in response to determining the function call is directed to the function;
  
  intercept, by the database system, the function call prior to invocation of the function and in response to determination that the function call is directed to the function; and
  
  determine, by the database system, whether the function call is legitimate prior to invocation of the function.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The computer program of claim 14, wherein invocation of the function adds a value to an accessible log.
  - 16. The computer program of claim 14, wherein the function is idempotent.
  - 17. The computer program of claim 14, wherein the set of instructions are further operable to:
    - generate, by the database system, a signature based on the identification information; and
      
      compare, by the database system, the signature to one or more trusted signatures to determine whether the function call is legitimate.
  - 18. The computer program of claim 17, wherein the identification information comprises one or more values extracted from a memory stack associated with the function call.
  - 19. The computer program of claim 17, wherein generating the signature comprises performing, by the database system, a hash operation on the identification information.
  - 20. The computer program of claim 14 wherein the identification information comprises one or more cookies associated with the function, and wherein the set of instructions are further operable to:
    - generate, by the database system, a signature based on the one or more cookies; and
      
      compare, by the database system, the signature to one or more trusted signatures to determine whether the function call is legitimate.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Gopalakrishnan, Amalkrishnan Chemmany, Prado, Angel, Kim, Sun Hwan, Kulkarni, Omkar Ramesh, Chabbewal, Harsimranjit Singh
Primary Examiner(s)
Powers, William S

Application Number

US14/957,490
Publication Number

US 20170163663A1
Time in Patent Office

1,147 Days
Field of Search

726 23
US Class Current
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1483   service impersonation, e.g....

H04L 67/02   based on web technology, e....

False positive detection reduction system for network-based attacks

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

False positive detection reduction system for network-based attacks

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links