System and method to protect a webserver against application exploits and attacks

US 10,432,650 B2
Filed: 03/30/2017
Issued: 10/01/2019
Est. Priority Date: 03/31/2016
Status: Active Grant

First Claim

Patent Images

1. A method of protecting, from packet data communication exploits, a target computer server system having a request handling interface that responds to a data processing request of a packet data communication, the method comprising:

receiving over a data communication network a plurality of data processing requests;

identifying as being anomalous, by an automated anomaly analyzer, a first data processing request of the plurality of data processing requests, the first data processing request having been transmitted by a first packet data protocol sending device,wherein in response to the identifying as being anomalous, the automated anomaly analyzer;

(1) directs the first data processing request to a first diagnostic instrumented module configured to provide virtualization of the request handling interface in processing the first data processing request and to determine an anomaly severity of the first data processing request, and(2) performs a second data processing comprising;

(a) transmitting, to the first packet data protocol remote sending device, a packet data protocol redirect request for accessing the target computer server system,(b) transmitting, to the first packet data protocol sending device, a response to the first data processing request at a reduced content data byte per second rate compared with the rate of the response to the second data processing request, and(c) transmitting, to the first packet data protocol sending device, a response including invoking code requesting additional data from a network server resource other than the first packet data protocol sending device; and

identifying as being non-anomalous, by the automated anomaly analyzer, a second data processing request of the plurality of data processing requests,wherein in response to the identifying as being non-anomalous, the automated anomaly analyzer transmits the second data processing request to the target computer server system.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and a system of protecting a target computer server system from packet data communication exploits are described. Such a method may include: identifying as being anomalous a first data processing request, and in response: (1) directing the first data processing request to a first diagnostic instrumented module that provides virtualization of a target server or request handling interface and determines an anomaly severity of the first data processing request, and (2) transmitting to the sender of the first data processing request a packet data protocol redirect request for accessing the target computer server system or slow walks a response to the sender. A packet data communication exploit suspect may be determined based on processing of the first data processing request by the first diagnostic instrumented module. The first diagnostic instrumented module may be a virtual server or container virtualizing the server.

427 Citations

71 Claims

1. A method of protecting, from packet data communication exploits, a target computer server system having a request handling interface that responds to a data processing request of a packet data communication, the method comprising:
- receiving over a data communication network a plurality of data processing requests;
  
  identifying as being anomalous, by an automated anomaly analyzer, a first data processing request of the plurality of data processing requests, the first data processing request having been transmitted by a first packet data protocol sending device,wherein in response to the identifying as being anomalous, the automated anomaly analyzer;
  
  (1) directs the first data processing request to a first diagnostic instrumented module configured to provide virtualization of the request handling interface in processing the first data processing request and to determine an anomaly severity of the first data processing request, and(2) performs a second data processing comprising;
  
  (a) transmitting, to the first packet data protocol remote sending device, a packet data protocol redirect request for accessing the target computer server system,(b) transmitting, to the first packet data protocol sending device, a response to the first data processing request at a reduced content data byte per second rate compared with the rate of the response to the second data processing request, and(c) transmitting, to the first packet data protocol sending device, a response including invoking code requesting additional data from a network server resource other than the first packet data protocol sending device; and
  
  identifying as being non-anomalous, by the automated anomaly analyzer, a second data processing request of the plurality of data processing requests,wherein in response to the identifying as being non-anomalous, the automated anomaly analyzer transmits the second data processing request to the target computer server system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66)
- - 2. The method of claim 1, further comprising:
    - determining a packet data communication exploit suspect, based on processing by the first diagnostic instrumented module, of the first data processing request; and
      
      transmitting, in response to the determining, a detection signal indicating the first data processing request as being the packet data communication exploit suspect.
  - 3. The method of claim 1, further comprising:
    - determining a packet data communication exploit suspect, based on processing by the first diagnostic instrumented module, of the first data processing request; and
      
      modifying, in response to the determining, the first data processing request.
  - 4. The method of claim 1, wherein the first diagnostic instrumented module is a virtual server virtualizing the request handling interface.
  - 5. The method of claim 1, wherein the first diagnostic instrumented module is a container virtualizing the request handling interface.
  - 6. The method of claim 1, wherein the first data processing request comprises a request for data to be transmitted to the first packet data protocol remote sending device.
  - 7. The method of claim 1, wherein the transmitting of the packet data protocol redirect request is performed without the first data processing request being permitted to reach the target computer server system.
  - 8. The method of claim 1, further comprising:
    - transmitting, when the packet data protocol redirect request is transmitted, a data request to a third-party server for data to be provided to the first remote packet data protocol sending device.
  - 9. The method of claim 8, wherein the data request is for data to be included in an iframe.
  - 10. The method of claim 1, wherein the packet data protocol redirect request includes an exploit-flagged-URL.
  - 11. The method of claim 1, wherein the automated anomaly analyzer is a module running on a physical machine, and the first diagnostic instrumented module runs on the same physical machine.
  - 12. The method of claim 1, wherein the first diagnostic instrumented module is running on a diagnostic module comprising a plurality of diagnostic instrumented modules, each diagnostic instrumented module provide virtualization of the request handling interface, wherein the method further comprises:
    - receiving an indication of a processing load of the diagnostic module;
      
      assigning an anomaly severity representation to a third data processing request of the plurality of data processing requests according to an anomaly severity determined for the third data processing request; and
      
      determining whether to direct the third data processing request to the diagnostic module, according to the anomaly severity representation, wherein a determination of whether the third data processing request is sent to the diagnostic module or to the target computer server system is made in dependence on at least an anomaly severity and processing load of the diagnostic module.
  - 13. The method of claim 12, wherein when the processing load of the diagnostic module is determined to exceed a threshold and when the anomaly severity representation indicates a low anomaly severity, then the third data processing request is not directed to the diagnostic module and is sent to the target computer server system.
  - 14. The method of claim 12, wherein the diagnostic module is a server emulator, and each diagnostic instrumented module is a virtual server instance implementing virtualization of the request handling interface.
  - 15. The method of claim 12, wherein each diagnostic instrumented module is a container instance implementing virtualization of the request handling interface.
  - 16. The method of claim 12, wherein when the processing load of the diagnostic module is determined to be below the threshold and when the anomaly severity representation indicates the low anomaly severity, then the automated anomaly analyzer:
    - (1) directs the third data processing request to a second diagnostic instrumented module configured to provide virtualization of the request handling interface, and (2) transmits, to a packet data protocol remote sending device that had transmitted the third data processing request, the packet data protocol redirect request for accessing the target computer server system.
  - 17. The method of claim 1, further comprising:
    - identifying as being non-anomalous, by the automated anomaly analyzer, a third data processing request of the plurality of data processing requests, the third data processing request having been transmitted by a second packet data protocol sending device other than the packet data protocol sending device;
      
      directing, by the automated anomaly analyzer, the third data processing request to a third diagnostic instrumented module configured to provide virtualization of the request handling interface, the third diagnostic instrumented module configured to provide an operating system environment different from the diagnostic instrumented module; and
      
      transmitting, by the automated anomaly analyzer, to the packet data protocol remote sending device, the packet data protocol redirect request for accessing the target computer server system.
  - 18. The method of claim 1, further comprising:
    - setting a level of diagnostic instrumentation to be provided by the first diagnostic instrumented module according to an anomaly severity determined, by the automated anomaly analyzer, for the first data processing request.
  - 19. The method of claim 17, wherein the first diagnostic instrumented module is a container configured to virtualize the request handling interface, and the third diagnostic instrumented module is a container configured to virtualize the request handling interface running on a same physical device as the diagnostic instrumented module.
  - 20. The method of claim 19, wherein the first virtual server and the second virtual server are managed by a QEMU hypervisor and are run on the same physical machine.
  - 21. The method of claim 1, wherein the determined anomaly severity represents an Internet worm.
  - 22. The method of claim 1, wherein the determined anomaly severity represents a computer virus.
  - 23. The method of claim 1, wherein the determined anomaly severity represents an SQL injection attack.
  - 24. The method of claim 1, wherein the first data processing request comprises a malicious attack.
  - 25. The method of claim 1, wherein the first data processing request comprises a request for a webpage.
  - 53. The method of claim 1, wherein the automated anomaly analyzer is configured further to determine a first suspect in a resource exhaustion attack against the target computer server, the method further comprising:
    - monitoring a first plurality of data processing requests received over the data communication network from a first remote sender;
      
      identifying a first transition, dependent on a first sequence of data processing requests comprising a first data processing request of the first plurality of data processing requests and a second data processing request of the first plurality of data processing requests;
      
      determining a first anomaly profile for the remote sender based on a first anomaly representation assigned to the first transition and a second anomaly representation determined for the first remote sender;
      
      determining based on the first anomaly profile, that the first remote sender is the first suspect in the resource exhaustion attack; and
      
      based on the determining of the first suspect, taking action with the automated processor of at least one of;
      
      communicating a message dependent on the determining, and modifying at least one data processing request of the first plurality of data processing requests.
  - 54. The method of claim 53, further comprising identifying, as a second transition, a second sequence of data processing requests of the first plurality of data processing requests for the first remote sender, wherein the second anomaly representation is an anomaly representation assigned to the second transition.
  - 55. The method of claim 53, wherein the resource exhaustion attack is a distributed denial of service attack.
  - 56. The method of claim 53, wherein the first anomaly representation and the second anomaly representation are anomaly values retrieved from a transition anomaly matrix in dependence on the first and second transitions, respectively, and wherein the first anomaly profile for the first remote sender is determined by combining the first anomaly representation and the second anomaly representation.
  - 57. The method of claim 53, wherein the taking of the action is performed only after a resource use determination that at least one resource of target computer server is at least one of exhausted or substantially exhausted.
  - 58. The method of claim 53, further comprising:
    - monitoring a period of time between a time of the first transition and a time of the determination of the second anomaly representation, wherein the taking of the action is performed only when the period of time is shorter than a predetermined period of time.
  - 59. The method of claim 53, further comprising:
    - comparing the first anomaly profile with a first threshold, wherein the first remote sender is determined as the first suspect only when the first anomaly profile is greater than the first threshold.
  - 60. The method of claim 59, further comprising:
    - after the first suspect is determined, when at least one resource of the target computer server is at least one of exhausted or substantially exhausted, adjusting the first threshold; and
      
      determining a second suspect with a second anomaly profile by comparing the second anomaly profile with the adjusted threshold.
  - 61. The method of claim 53, further comprising assigning the second anomaly representation based on an overlapping range in packets received from the first remote sender.
  - 62. The method of claim 53, wherein the anomaly analyzer is positioned at a web server, the data communication network is the Internet, and each data processing request of the first plurality of data processing requests comprises a request for a webpage.
  - 63. The method of claim 53, wherein the taking the action comprises sending a signal to diminish a response to data processing requests of the first suspect.
  - 64. The method of claim 53, further comprising:
    - obtaining a plurality of sampling data processing requests received over the data communication network from a plurality of remote senders;
      
      identifying, as a first sampling transition, a first sequence of data processing requests comprising a first sampling data processing request of the plurality of sampling data processing requests and a second sampling data processing request of the plurality of data processing requests;
      
      identifying, as a second sampling transition, a second sequence of data processing requests comprising the second data processing request and a third data processing request of the plurality of sampling data processing requests; and
      
      assigning the first anomaly representation to the first sampling transition as a function of a frequency of the first sampling transition, and assigning the second anomaly representation to the second transition, as a function of a frequency of the second sampling transition.
  - 65. The method of claim 64, wherein the frequency of the first transition and the frequency of the second transition are calculated based on the frequency over a period of time of the first sampling transition and the second sampling transition with respect to a totality of the plurality of sampling data processing requests obtained.
  - 66. The method of claim 53, further comprising:
    - monitoring a first period of time between a time of the first transition and a time of the determination of the second anomaly representation; and
      
      degrading a first value assigned according to a length of the first period of time, the degrading performed according to the second anomaly representation such that an anomaly representation indicating a more anomalous representation results in a degradation of the first value smaller than degradation of the first value according to an anomaly representation indicating a less anomalous representation, wherein the taking of the action is performed only when the first value is greater than zero or a threshold time value.

26. A method of protecting from packet data communication exploits, a target computer server system having a request handling interface that responds to a data processing request of a packet data communication, the method comprising:
- receiving over a data communication network a plurality of data processing requests;
  
  identifying as being non-anomalous, by an automated anomaly analyzer, a second data processing request of the plurality of data processing requests,wherein in response to the identifying as being non-anomalous, the automated anomaly analyzer transmits the second data processing request to the target computer server system;
  
  identifying as being anomalous, by the automated anomaly analyzer, a first data processing request of the plurality of data processing requests, the first data processing request having been transmitted by a first packet data protocol sending device,wherein in response to the identifying as being anomalous, the automated anomaly analyzer;
  
  (1) directs the first data processing request to a diagnostic instrumented module configured to provide virtualization of the request handling interface in processing the first data processing request and to determine an anomaly severity of the first data processing request, and(2) performs a second data processing comprising;
  
  (a) transmitting, to the first packet data protocol remote sending device, a packet data protocol redirect request for accessing the target computer server system,(b) transmitting a response, to the first packet data protocol sending device, at a reduced content data byte per second rate compared with the rate of the response to the non-anomalous request, and(c) transmitting, to the first packet data protocol sending device, a response including invoking code requesting additional data from a network server resource other than the first packet data protocol sending device.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 27. The method of claim 26, wherein the transmitting at the reduced content data byte per second rate comprises generating packets with fewer bits of content data.
  - 28. The method of claim 26, further comprising:
    - determining a packet data communication exploit suspect, based on processing by the first diagnostic instrumented module, of the first data processing request; and
      
      transmitting, in response to the determining, a detection signal indicating the first data processing request as being the packet data communication exploit suspect, wherein the transmitting of the packet data protocol redirect request at the reduced content data byte per second rate is performed without the first data processing request being permitted to reach the request handling interface.
  - 29. The method of claim 26, wherein the first diagnostic instrumented module is a container virtualizing the request handling interface.
  - 30. The method of claim 26, wherein the first diagnostic instrumented module is running on a diagnostic module comprising a plurality of diagnostic instrumented modules, each diagnostic instrumented module providing virtualization of the request handling interface, wherein the method further comprises:
    - receiving an indication of a processing load of the diagnostic module;
      
      assigning an anomaly severity representation to a third data processing request of the plurality of data processing requests according to an anomaly severity determined for the third data processing request; and
      
      determining whether to direct the third data processing request to the diagnostic module, according to the anomaly severity representation, wherein a determination of whether the third data processing request is sent to the diagnostic module or to the target computer server system is in made in dependence on at least an anomaly severity and a processing load of the diagnostic module, such that when the processing load of the diagnostic module is determined to be below the threshold and when the anomaly severity representation indicates the low anomaly severity, then the automated anomaly analyzer;
      
      (1) directs the third data processing request to a second diagnostic instrumented module configured to provide virtualization of the request handling interface, and (2) transmits a response, to a packet data protocol remote sending device that had transmitted the third data processing request, at a reduced content data byte per second rate compared with a response to the non-anomalous request, and wherein when the processing load of the diagnostic module is determined to exceed a threshold and when the anomaly severity representation indicates a low anomaly severity, then the third data processing request is not directed to the diagnostic module and is sent to the target computer server system.
  - 31. The method of claim 26, wherein the diagnostic module is a virtual server emulator, and each diagnostic instrumented module is a virtual server instance implementing virtualization of the request handling interface.
  - 32. The method of claim 26, wherein each diagnostic instrumented module is a container instance implementing virtualization of the request handling interface.
  - 33. The method of claim 26, further comprising:
    - setting a level of diagnostic instrumentation to be provided by the diagnostic instrumented module according to an anomaly severity determined, by the automated anomaly analyzer, for the first data processing request.
  - 34. The method of claim 26, wherein the determined anomaly severity represents an Internet worm.
  - 35. The method of claim 26, wherein the determined maliciousness anomaly severity represents a computer virus.
  - 36. The method of claim 26, wherein the determined anomaly severity represents an SQL injection attack.
  - 37. The method of claim 26, wherein the first data processing request comprises a malicious attack.
  - 38. The method of claim 26, wherein the first data processing request comprises a request for a webpage.

39. A method of protecting from packet data communication exploits, a target computer server system having a request handling interface that responds to a data processing request of a packet data communication, the method comprising:
- receiving over a data communication network a plurality of data processing requests;
  
  identifying as being non-anomalous, by an automated anomaly analyzer, a second data processing request of the plurality of data processing requests, wherein in response to the identifying as being non-anomalous, the automated anomaly analyzer transmits the second data processing request to the target computer server system;
  
  identifying as being anomalous, by the automated anomaly analyzer, a first data processing request of the plurality of data processing requests, the first data processing request having been transmitted by a first packet data protocol sending device,wherein in response to the identifying as being anomalous, the automated anomaly analyzer;
  
  (1) directs the first data processing request to a diagnostic instrumented module configured to provide virtualization of the request handling interface in processing the first data processing request and to determine an anomaly severity of the first data processing request, and(2) the second data processing further performing;
  
  (a) transmitting, to the first packet data protocol remote sending device, a packet data protocol redirect request for accessing the target computer server system,(b) transmitting, to the first packet data protocol sending device, a response to the first data processing request at a reduced content data byte per second rate compared with the rate of the response to the second data processing request, and(c) transmitting, to the first packet data protocol sending device, a response including invoking code requesting additional data from a network server resource other than the first packet data protocol sending device,wherein a response to the non-anomalous request requesting a same data as the data requested by the first data processing request is free of the invoking code.
- View Dependent Claims (40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52)
- - 40. The method of claim 39, wherein the invoking code comprises reload request.
  - 41. The method of claim 39, wherein the invoking code comprises at least one of a Javascript reload request and a Javascript docwrite request.
  - 42. The method of claim 39, further comprising:
    - determining a packet data communication exploit suspect, based on processing by the first diagnostic instrumented module, of the first data processing request; and
      
      transmitting, in response to the determining, a detection signal indicating the first data processing request as being the packet data communication exploit suspect, wherein the transmitting of the packet data protocol redirect request at the reduced content data byte per second rate is performed without the first data processing request being permitted to reach the request handling interface.
  - 43. The method of claim 39, wherein the first diagnostic instrumented module is a container virtualizing the request handling interface.
  - 44. The method of claim 39, wherein the first diagnostic instrumented module is running on a diagnostic module comprising a plurality of diagnostic instrumented modules, each diagnostic instrumented module providing virtualization of the request handling interface, wherein the method further comprises:
    - receiving an indication of a processing load of the diagnostic module;
      
      assigning an anomaly severity representation to a third data processing request of the plurality of data processing requests according to an anomaly severity determined for the third data processing request; and
      
      determining whether to direct the third data processing request to the diagnostic module, according to the anomaly severity representation, wherein a determination of whether the third data processing request is sent to the diagnostic module or to the target computer server system is in made in dependence on at least an anomaly severity and a processing load of the diagnostic module, such that when the processing load of the diagnostic module is determined to be below the threshold and when the anomaly severity representation indicates the low anomaly severity, then the automated anomaly analyzer;
      
      (1) directs the third data processing request to a second diagnostic instrumented module configured to provide virtualization of the request handling interface, and (2) transmits, to the first packet data protocol sending device, a response including the invoking code requesting additional data from a network server resource other than the first packet data protocol sending device, and wherein when the processing load of the diagnostic module is determined to exceed a threshold and when the anomaly severity representation indicates a low anomaly severity, then the third data processing request is not directed to the diagnostic module and is sent to the target computer server system.
  - 45. The method of claim 39, wherein the diagnostic module is a virtual server emulator, and each diagnostic instrumented module is a virtual server instance implementing virtualization of the request handling interface.
  - 46. The method of claim 39, wherein each diagnostic instrumented module is a container instance implementing virtualization of the request handling interface.
  - 47. The method of claim 39, further comprising:
    - setting a level of diagnostic instrumentation to be provided by the diagnostic instrumented module according to an anomaly severity determined, by the automated anomaly analyzer, for the first data processing request.
  - 48. The method of claim 39, wherein the determined anomaly severity represents an Internet worm.
  - 49. The method of claim 39, wherein the determined maliciousness anomaly severity represents a computer virus.
  - 50. The method of claim 39, wherein the determined anomaly severity represents an SQL injection attack.
  - 51. The method of claim 39, wherein the first data processing request comprises a malicious attack.
  - 52. The method of claim 39, wherein the first data processing request comprises a request for a webpage.

67. A system configured to protect a target computer server system against packet data communication exploits, the target computer server system having a request handling interface that responds to a data processing request of a packet data communication received over a data communication network from a first packet data protocol sending device, the system comprising:
- a network interface configured to receive over the data communication network a plurality of data processing requests;
  
  an automated anomaly analyzer configured to identify as being anomalous a first data processing request of the plurality of data processing requests, the first data processing request having been transmitted by the first packet data protocol sending device; and
  
  the automated anomaly analyzer configured to identify as being non-anomalous, a second data processing request of the plurality of data processing requests and, in response to the identifying the second data processing request as being non-anomalous, the automated anomaly analyzer transmits the second data processing request to the target computer server system for preparing a response to the second data processing request,wherein in response to the identifying the first data processing request as being anomalous, the automated anomaly analyzer;
  
  (1) directs the first data processing request to a first diagnostic instrumenter configured to provide virtualization of the request handling interface in processing the first data processing request, and(2) performs a second processing comprising;
  
  (a) transmitting, to the first packet data protocol remote sending device, a packet data protocol redirect request for accessing the target computer server system,(b) transmitting, to the first packet data protocol sending device, a response to the first data processing request at a reduced content data byte per second rate compared with the rate of the response to the second data processing request, and(c) transmitting, to the first packet data protocol sending device, a response including invoking code requesting additional data from a network server resource other than the first packet data protocol sending device,wherein the response to the second data processing request requesting a same data as the data requested by the first data processing request is free of the invoking code.
- View Dependent Claims (68, 69, 70, 71)
- - 68. The system of claim 67, further comprising the first diagnostic instrumenter.
  - 69. The system of claim 68, wherein the first diagnostic instrumenter is configured to determine an anomaly severity of the first data processing request, and to determine that the first data processing request is a packet data communication exploit suspect, based on the anomaly severity.
  - 70. The system of claim 68, wherein the automated anomaly analyzer runs on a physical machine, and the first diagnostic instrumenter runs on the same physical machine.
  - 71. The system of claim 67, wherein the transmitting of the packet data protocol redirect request and the second processing are performed without the first data processing request being permitted to reach the target computer server system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Stuart Staniford
Original Assignee
Stuart Staniford
Inventors
Staniford, Stuart
Primary Examiner(s)
Tabor, Amare F

Application Number

US15/474,178
Publication Number

US 20170289186A1
Time in Patent Office

915 Days
Field of Search

726 24
US Class Current
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

System and method to protect a webserver against application exploits and attacks

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

427 Citations

71 Claims

Specification

Use Cases

Quick Links

Others

System and method to protect a webserver against application exploits and attacks

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

427 Citations

71 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others