Application-layer security method and system

[0037]FIG. 1 depicts conventional security methods and the protocol layers that they operate in.

[0038] FIGS. 2(a)-2(e) illustrate an application layer security system in a web application configuration according to a preferred embodiment of the invention.

[0039]FIGS. 3 and 4 illustrate an application layer security method according to an embodiment of the invention.

[0040]FIG. 5 illustrates an application layer security system according to an embodiment of the invention.

[0041]FIG. 6 illustrates a first pipe process according to an embodiment of the invention.

[0042]FIG. 7 illustrates a second pipe process according to an embodiment of the invention.

[0043]FIGS. 8 and 9 illustrate a third pipe process according to an embodiment of the invention.

[0044]FIG. 10 illustrates a fourth pipe process according to an embodiment of the invention.

[0045]FIG. 11 illustrates a fifth pipe process according to an embodiment of the invention.

[0046]FIG. 12 illustrates a sixth pipe process according to an embodiment of the invention.

[0047]FIGS. 13 and 14 illustrate an eighth pipe process according to an embodiment of the invention.

[0048] FIGS. 15(a)-15(c) illustrate an example implementation of the invention.

[0049] The preferred embodiments of the invention are now described with reference to the figures where like reference numbers indicate like elements. Also in the figures, the left most digit of each reference number corresponds to the figure in which the reference number is first used.

[0050] The preferred embodiments of the invention may be employed in Internet, Intranet, mobile communication, interactive TV networks, or any other application environment that uses application protocols, such as, but not limited to, hypertext transport protocol (“HTTP”), HTTPs, HTTPd, SOAP, WebDAV, and SMTP. However, the inventive concept can be practiced in any type of communication system where information is exchanged between a trusted application and a distrusted network. The invention is particularly suitable for protecting application service provider (“ASP”), business to commerce, and business to business network environments.

[0051] In the present invention, an application-layer security system, method, and computer readable medium are implemented to protect an application, a shared application, a distributed application, or multi-applications from being requested to execute out of their intended scope of operation, i.e., preventing such applications from damaging themselves, data files, buffers, other applications, performance, or confidentiality of information. Particularly, requests that are received from distrusted sources are subjected to one or more security techniques that check the contents of the requests to identify if the requests are illegal or harmful. The request'"'"'s contents comprise the message header, message body, query string, encoding type, and the uniform resource identifier (“URI”). Requests that are identified to be illegal or harmful are rejected entirely or modified into, or replaced with, a legal request. Thus, only legal or harmless requests will pass to an application for execution.

[0052] In an embodiment of the invention, a security system is positioned in front of an application in a trusted environment. The security system implements a protective layer, i.e., application layer, between the application and the incoming application operation requests that are received from an unknown or distrusted environment. The protective layer, herein also referred to as an operation reverse engineering layer, checks the requests for either form, content, or both, to insure that only legal and harmless requests will pass to the given application. The security tunnel system may comprise hardware, software, or both, to implement the operation reverse engineering layer.

[0053] The invention complements conventional security technologies. For example, in an embodiment of the system a firewall is placed in between the distrusted network and the security system allowing the firewall to implement its security methods on the operation requests before they are passed along to the security system of the present invention. In alternative embodiments, the invention can be combined with any lower layer security technologies, such as, SSL or PKI.

[0054]FIG. 2(a) illustrates a security system, according to a preferred embodiment of the invention which is configured for a web environment. Particularly, security system 210 is placed between a distrusted network and one or more applications located on one or more web servers 230 in a trusted environment. Security system 210 employs an operation reverse engineering layer between applications and incoming operation requests originating in the distrusted environment, e.g., a transmission control protocol/internet protocol (“TCP/IP”) network. For example, incoming operations may be received as external HTTP traffic received via one or more ports 240. System 210 provides tunneling to support distributed, shared, or virtual applications. Applications can be installed on a single, distributed, shared, or hosted servers and can represent html documents, cgi scripts, perl scripts, or anything executing on the server(s). Each application path represents a virtual directory or logical name on a web server representing a physical location of the application(s) on the server(s). For example, FIG. 2(b) depicts the virtual subdirectory /My App that comprises subdirectory /Images and /DOCS. Each one of these virtual directories represents an application path.

[0055] A tunnel is a protocol based, e.g., TCP/IP, connection between the distrusted and trusted zones. Network traffic traveling through a tunnel is separated into application paths using the requested message content. For example, in HTTP, an application path is a virtual directory defined on a web server that can be access via a specific tunnel. Each tunnel type implements and validates a different type of application protocol. For example, application protocols may be HTTP, HTTPs, SOAP, WebDAV, FTP, Telnet, and the like, or just a simple tunnel to forward incoming and outgoing streams.

[0056]FIG. 2(c) depicts an example tunnel. Particularly, the tunnel communicates information between a listen address and port, on the distrusted network, and a connect local address, in the trusted network. The listen address and port receives incoming protocol, e.g., TCP/IP, requests. The connect local address receives information received through the tunnel and forwards it to the back-end application listening at its connect address and port. FIG. 2(d) depicts an example tunnel implementation. In this example, tunnel #3 is associated with subdirectory IDOCS. Therefore, a request for the display of an application, such as GET /DOCS in HTTP protocol, is transmitted through tunnel #3 to the respective application.

[0057] System 210 further comprises pipes 250. In the present invention, a pipe is a security component provided to protect or monitor functionality of the trusted applications. For example, a first pipe might protect against known application vulnerabilities, a second prevents database manipulations, and a third prevents parameters poisoning. One of ordinary skill can recognize that further pipes may represent additional security components. One or more pipes 250 may be implemented in one, several, or all application paths or tunnels in the system.

[0058] As depicted in FIGS. 2(a) and 2(e), security web applications 220 are logical entities wrapping or grouping tunnels, application paths, and pipes that together represent a protected application. When protecting an application distributed on several web servers, i.e., each html page is on a different machine, a single Web application entity represents the distribution. Web applications 220 provide specific security protection and monitoring to all traffic over selected application paths. A default web application is a logical entity representing security protection on all traffic over all tunnels not defined in of web applications 220. One or more pipes 250 are executed on traffic running in a tunnel. Further, web applications 250 can customize pipe execution to specific application paths.

[0059] System 210 may comprise hardware, software, or both to implement the operation reverse engineering layer. In an embodiment of the invention, system 210 is a stand-alone server positioned in between a distrusted and trusted network. In an alternative embodiment, system 210 is “plug and play” hardware, or the like, that can be installed on an existing server. In another embodiment of the invention, system 210 comprises only software components.

[0060] Security system 210 employs a method to implement the operation reverse engineering layer. In a preferred embodiment of the invention, the security method comprises the step of checking the contents of received requests for information that would classify the request as illegal or that would cause an application to execute out of its intended scope. Illegal or harmful requests can be rejected or replaced with or modified into a legal request. A request'"'"'s contents comprises the message header, message body, query string, and the uniform resource identifier (“URI”) and particularly the environment variables, commands, or parameters that the application will execute or interpret. The contents do not refer to the format or communications protocol that the message is transported in. However, the method may further comprise the step of checking the format of the received request. Content checking comprises the step of applying one or more pipes, i.e., security components, wherein each provides a specific protection or monitoring functionality. For example, a first pipe protects against known application vulnerabilities, a second prevents database manipulations, and a third prevents parameters poisoning.

[0061] In another embodiment of the invention, security method 300, depicted in FIGS. 3 and 4, is employed to provide the operation reverse engineering layer. Particularly, FIG. 3 depicts the steps that are implemented prior to processing of the operation request by the application. FIG. 4 depicts the steps that occur after processing of the request and during the return of an application reply to the distrusted environment.

[0062] Referring to the left side of FIG. 3, destination identification and tunnel construction is first performed (steps 305-345) on the operation request. When a request for an application operation is sent from a distrusted network, the request is first received (step 305) at a queued socket server. This type of server is preferable because it prevents denial of services caused by buffer over-flow attacks, i.e., a large number of redundant or illegal requests that are received in a given time exceed the number that a server can handle causing a denial of service to legal requests or allowing the overflow requests to proceed unauthorized. In less preferable embodiments, other types of receiving means that are able to receive information from a network may be used. Upon reception of the request, a binary stream reader reads (step 210) the request from the server queue. An available internal entity, i.e., network session object that handles each message in its lifetime in the system, is allocated.

[0063] A protocol message constructor takes the received distrusted operation request which may be formatted to any type of protocol, and constructs, i.e., formats, (step 315) the distrusted request into a well-formatted internal message according to a desired protocol specification 320. Protocol specfication 320 can be any type of application protocol used by a trusted application. This is also referred to as tunnel construction, where the operation request is embedded into the data format of the protocol of the trusted network and application. Desired protocol specification 320 can be any protocol, e.g., HTTP, HTTPs, SOAP, HTTPd, FTP, WebDAV, employed by the requested application(s).

[0064] Tunnel construction is implemented by encapsulating or wrapping the operation request from the received protocol in the protocol of the trusted application. This step avoids protocol restrictions. Construction of the operation request into a well-formatted internal message may result with a failure to format the stream, thereby, leading to an immediate total stream rejection. Failure can result from the inability to create a legal protocol message due to, for example, missing or extra parameters.

[0065] Upon successful formatting of the request into an internal message, the message is indexed (step 325) and stored to allow later analysis. This step allows information to be gathered from the request and accumulated, in a temporary buffer or permanent storage device, for later comparison to the corresponding reply returned from an application'"'"'s execution of the request or to other operation requests and respective replies. If rejection does not occur, the message is translated (step 330) into a known encoding language that is understood by the pipe components. The known encoding language can be any type of encoding language.

[0066] In a preferred embodiment of the invention, the encoding language used is American Standard Code for Information Interchange (“ASCII”). ASCII is preferred when using a HTTP application protocol. In operation, each message is translated to ASCII characters which are known and expected by the system. Therefore, if a received request is encoded in Unicode, for example, or any other encoding standard, the message is translated into ASCII. The step of translating further provides an isolated and independent inspection of the operation request by determining if any symbols contained in the request are unexpected. In other words, any request that contains unexpected characters may be rejected in its entirety. The use of ASCII encoding, as the message base encoding type, is based on the HTTP standard in Request for Comments (“RFC”) document number 2068. In an embodiment of the invention, any update of a protocol standard will lead to an immediate update in the supported message base encoding type.

[0067] The encoding reliability of the message is critical to the next stage. As mentioned, any failure in the constructing or translating steps can lead to an immediate total message reject. The step of translating insures that the remaining security process is performed on an expected encoding standard, thereby minimizing the risk of security compromises due to unexpected characters. Further, translation isolates the original message from the translated, i.e., converted, message to insure that all pipes will execute properly on the converted internal message.

[0068] Successful constructing, indexing, and translating steps converts a distrusted operation request into a well formatted protocol message in, for example, ASCII encoding. These steps act as a preliminary screening of the format of the request before the requests are passed along for intensive scrutiny of the contents by applying one or more pipes. Alternatively stated, the above steps filter out request that are blatantly surprising or unexpected before checking the requests'"'"' contents for concealed or not readably identifiable illegalities and harmfulness.

[0069] Following translation, the destination of the simple internal message is resolved (step 335) and compared to all known application paths. If the determined message destination is known, i.e., a match was found with a known application path, a destination tag is incorporated into the internal message, and the message is routed (step 340) through the appropriate tunnel, hence applying the relevant pipes specified, for that application path. If the destination can not be resolved, or does not match any known application path, the message is routed (step 345) through a default tunnel to a pre-defined default destination.

[0070] Upon successful identification of the destination of the distrusted message, one or more pipes are applied serially (steps 350-355) to the message to intensively scrutinize the message contents, e.g., instructions, commands, URI, query string, environmental variables, and parameters contained within the request, thereby, further insuring that the request is legal and harmless. These steps are depicted on the right side of FIG. 3. Each pipe provides a different type of specific security protection or monitoring functionality. The number of pipes is dependent on the amount of security deemed necessary, based on the type and needs of each tunnel and/or application path. For example, one tunnel may have three pipes applied, while another tunnel may only have two applied.

[0071] For safety precautions all available pipes are applied to the default tunnel. The default tunnel may further transmit any message that was found to have a security problem. The default destination may be any web error page, security alert page, or similar functioning way to alert that an error has occurred or to redirect a malicious attack away from the trusted application.

[0072] Pipes are generally categorized into static, dynamic, and learning types. Static pipes scrutinize the contents associated with the requested operation. Particularly, the contents of a distrusted request are compared to statically stored requests that are related to known vulnerabilities. If a match is found, the request is rejected, modified, or replaced. Dynamic pipes, however, scrutinize both the request and the corresponding reply, and the possibly changing, i.e., dynamic, relationship between them. Learning pipes apply techniques which gather information from the requests and replies to “fine tune” their scope of security. Specific pipes are described in the following pages.

[0073] Upon application of pipes (steps 350-360), the legality and harmfulness of the operation request will be determined. If the operation request is deemed to be legal and harmless, and sent (step 365) to the trusted application for execution (step 370). Once the application processes the request, a respective reply is generated for return to the requesting client. For example, the reply may be a html document, image, database information, file, or any other information accessible through an information server.

[0074] Referring to FIG. 4, the steps of method 300 that occur after the execution of the operation request are shown. This reply is read (step 405) and then constructed (step 410) into an internal message based on the specified application protocol 420. In a preferred embodiment of the invention, application protocol 420 is identical to application protocol 320.

[0075] If any of the pipes applied to the operation request required inspection of the return reply, the following steps are executed. The reply message is indexed (step 425) back to the original request if comparison between the two is necessary for any of the pipes implemented. Upon indexing the message, the reply message is translated to (step 430) the encoding language used previously by the pipes (step 330).

[0076] Outgoing replies are validated (step 435) using the translated indexed request stored previously and the translated and indexed reply messages. Particularly, this step insures that the outgoing reply is trivial in nature. For example, the reply contains only information that is authorized for release from the server and that is associated with the incoming request. Further, information gained from the reply is used to update any necessary dynamic or learning pipes (steps 440-445). Upon updating, the translated reply is reconstructed (step 450) into a message according to protocol 455, if necessary, and is sent to the client requesting the operation. In a preferred embodiment, protocol 455 is identical to protocol 320.

[0077] If the operation request did not have any pipes applied that require inspection of the reply, steps 425-450 are skipped.

[0078]FIG. 5 illustrates a security tunnel system having a hardware configuration according to an embodiment of the invention. Particularly, security tunnel system 510 is positioned in between trusted computer application 520 and a distrusted network environment. Security system 510 employs an operation reverse engineering layer to prevent unauthorized use of application 520.

[0079] In an embodiment of the invention, security system 210 comprises reverse engineering processor 530 and pipes component 540. Reverse engineering processor performs initial tunnel construction, indexing, and translation as described above via internal entities that isolate the operation requests sent from the distrusted environment from the trusted application. The internal entities escort the distrusted requests to destination identification module 534 and method analysis module 538 for validation.

[0080] Destination identification module 534 applies every existing application node on the incoming request stream to identify the operation request'"'"'s desired destination in the application, as well as the value of the parameters, if any. Pipes module 538 applies one or more pipes and learning techniques, stored in pipers component 540, to secure against known and unknown vulnerabilities, buffer overflow vulnerabilities, poisoning attacks, database manipulations, or any other type of illegal or harmful request.

[0081] The following represents a detailed description of the specific pipes which may be applied alone, or in combination, to incoming operation requests.

[0082] 1. Marabu

[0083] In an embodiment of the invention, a first pipe, herein referred to as “Marabu,” is applied to one or more application paths. Marabu is a driven pipe aimed at finding patterns that show malicious intentions in an operation request. Marabu is preferably applied to application paths involving database operations. Particularly, Marabu inspects an incoming request'"'"'s contents for permitted syntax based on the type of database used and the existence of one or more embedded harmful SQL commands. Harmful commands are determined by the failure to find a match to a plurality of stored database commands deemed acceptable for the type of requested database, e.g., SQL type databases or Oracle type databases. If a match to a legal command is not found, the request will be rejected or reengineered, i.e., modified, into or replaced with an acceptable form that is legal and harmless. This pipe catches well-formed and partial SQL commands that are deemed to be harmful to the application environment.

[0084] In an embodiment of the invention, a database query parser engine is implemented to identify the form and function of each expression of the operation request. The parser engine parses out individual expressions, i.e., elements, for separate analysis. As it is impossible to define all malicious inputs, Marabu focuses on insuring that the syntax of each expression is straightforward and credulous. This type of syntax is enforced by applying a ‘state-automate’ and limited alphabet.

[0085] In an embodiment of the invention, Marabu employs a method to enforce proper syntax comprising the steps of: building a state-automate; inspecting each and every expression according to permitted syntax and a limited alphabet, and applying the state-automate. Particularly, a state-automate is a correlation of nodes representing present and other possible states of the application. Each node may have connections to other nodes based on conditions that would change the state of the application. For example, a first node representing a present state of the application is connected to another node representing a possible state reached from the present state when a certain condition occurs, e.g., a DELETE command is found. All connections are one-way connections, i.e., once a state changes to another state, that change is irreversible. The alphabet contains: letters, digits, and other encoded characters, for example: a, b, c, _, '"'"', etc.; blocks of letters, such as DELETE or ALTER; and groups of blocks, such as an SQL group comprising DELETE, ALTER and CREATE as members.

[0086] Each expression within an operation request is scanned one or more times. If the expression consists of a sequence of letters and digits, the expression is approved and pipe execution stops. If the expression does not consist of letters and digits, the remarks, i.e., the database specific character that represents a remark, such as MSSQL - /* */ or --, inside the expression is omitted and the expression is inspected by applying the automate. Particularly, every predefined alphabet letter associated with an expression or a function argument moves the current state of the automate to a connecting possible state. The states automate algorithm is designed to eliminate unnecessary checking and to increase the pipe'"'"'s processing speed by implementing best practice information of executed SQL commands.

[0087] If the automate reached a Boolean-state, check if the expression is always true using expression trees. For example, the expressions ‘15’=‘1’+‘5’ or ‘6>5 OR 5=5′’ are always true. To validate if an expression is always true the expression is recursively broken into a tree having nodes as operators, e.g., AND, OR, =, and the like; or variables such as a field. After the tree is built, different values are inserted. A post-order scan will eventually give a TRUE or FALSE value. Wisely sampling values to the variables will cover the range of all possible solutions, thereby answering if the expression is always true.

[0088] If the automate reached a SQL-state, validate the expression using SQL prototypes stored in a dictionary. The prototypes are implemented using a graph of different states connect by arcs. The two-way-arcs will allow recursive expressions, i.e., states with arcs pointing to themselves, and ‘stretching’ in order to try to fit the input.

[0089] If the automate reaches a Trap-state, the expression is denied and execution of the pipe is halted. If none of these states occur or inspection of the above states does not result in denial of the expression, the expression is approved and pipe execution stops.

[0090]FIG. 6 illustrates process 600 for implementing the Marabu pipe according to an embodiment of the invention. Configuration parameters for the supported database, e.g., SQL version, are loaded (step 610) into a reverse engineering processor. Refinements are loaded (step 620). The operation request is then loaded (step 630) and parsed into elements to identify (step 640) an operation request parameter or expression. Marabu is applied (step 650) to the parameter to determine (step 660) if the element is illegal or harmful. If illegal, the entire operation request is rejected (step 670). If not, it is determined (step 680) whether or not the parameter is the last parameter. If the parameter is not the last parameter, steps 640-680 are repeated. If the parameter is the last parameter, and no illegal or harmful elements are identified, the operation request is accepted (step 690) and allowed to proceed.

[0091] The following are two common types of database attacks that are wide spread across the internet that are typical of manipulation types that are caught by this pipe. The first represents a request to delete all records in a table. The second represents a request to login to a database without using a password.

[0092] For example, in the delete all records attack, an original link, such as

[0093] http://www.yoursite.com/phones/phonelist.cgi?phoneid=34

[0094] which executes a SQL command on a database server to select and report the contents of “http://www.yoursite.com/phones” where “phoneid” equals 34, may be changed into a modified link concatenating a DELETE command, such as

[0095] http://www.yoursite.com/phones/phonelist.cgi?phoneid=34;DELETE

[0096] The latter executes a SQL command on the database to delete the contents of “http://www.yoursite.com/phones” where “phoneid” equals 34. In applying this pipe, the DELETE command is recognized as an unauthorized command and hence, may either reject the request entirely or replace the request with a legal request such as the original link.

[0097] In a second type of illegal request, login is attempted without using a password. For example, an original link, such as

[0098] http://www.yoursite.com/logon.asp?login=yourname;pws=123

[0099] executes a SQL command on the database server to select a name from a user list where login=‘yourname’ and the password=‘123’. A modified link adds an ‘always true’ Boolean phrase, for example

[0100] http://www.yoursite.com/logon.asp?login=yourname’ or ‘1’=‘1’; pws=8

[0101] executed a SQL command on the database server to select a name from a user list where login--‘yourname’ or ‘1’=‘1’ and the password=‘123’. When applying this pipe, the ‘1’=‘1’ partial command is recognized as invalid and the request is not allowed to achieve its intended execution.

[0102] Full database protection is provided against users and client applications manipulating an application database. Particularly, the Marabu pipe acts as a shield against data manipulation that can damage information stored within the database. Further, it provides database system administrators with an additional level of protection when combined with other pipes and it insures that application bugs will not effect a back office database.

[0103] 2. Minime

[0104] In an embodiment of the invention, a second pipe, herein referred to as “Minime,” is applied to one or more application paths. Minime is a deterministic type pipe that inspects an incoming operation request for known vulnerability patterns. In an embodiment of the invention, all known application vulnerabilities, and the respective requests that take advantage thereof, are stored and compared to the incoming request. If the comparison results in a match, the incoming request is blocked and is not allowed to proceed to the application. Further, the pipe may shield applications against unknown vulnerabilities by eliminating the use of executables, methods, and scripts, e.g., format.exe which formats a storage space or cmd.exe which enables a command-line input prompt, that if accessed or executed, could negatively affect or allow illegal access to the application environment or servers.

[0105] In a preferred embodiment of the invention, the stored vulnerability information may be updated as future vulnerabilities are found. Particularly, the stored information may be updated with information downloaded from an information source, for example, a dedicated centralized server or multiple web servers from commercial or government sources. For example, a current data file includes over 350 patterns grouped by server types and locations.

[0106] In an embodiment of the invention, the Minime pipe employs an exact pattern matching method. Particularly, the method comprises the steps of: computing a hash value for every four (4) consecutive characters in an operation request and comparing each computed has value against a list of patterns known to be associated with illegal or harmful requests. For example, the first four characters of an operation request is inputted into a four (4) character window. Each of the four characters is converted to an 8 bit binary code, for example:

[0107] abcd=[01000001][01000010][01000011][01000100]

[0108] A first hash value is then calculated from the 32 bit string (4 characters×8 bits/character). A second hash value is calculated by shifting the window one (1) character, i.e., characters 2 through 5. A third hash value is calculated by shifting the window again by one character, i.e., using characters 3 through 6. Additional hash values are calculated in such a way until all the characters in the operation request have been exhausted. Thus, if there are n characters in an operation request, n-3 has values will be calculated.

[0109] Every pattern has the following structure:

[0110] {text, Left Hash Value, Right Hash Value, Right Offset, Gap Between Left and Right}

[0111] The Left and Right Hash values are calculated from the 4 character sub-string taken from the pattern. “Right Offset” is the position of the right sub-string. The “Gap Between Left and Right” is the offset between the two patterns.

[0112] A Table (Bit Map) in the length of the number of values to match is built. Every index in the table represents hash Modulu of the number. The structure of every index is as follows:

[0113] {Is Occupied, Number Of Patterns, Patterns List}

[0114] “Is Occupied” indicates if the certain index represent the hash value (modulu . . . ) of one of the patterns. “Number Of Patterns” is the number of patterns having this index to represent them (should be a very small number). “Pattern List” is an array containing the patterns.

[0115] While sliding on the text (and easily updating the hash value by shift and or), this pipes determines if the hash value is represented in the table (IsOccupied is on). If so, the list of patterns is analyzed and attached (PatternList, NumOfPatterns). Check an array containing last match index (−1 at the start). If the GAP between the two indexes is different then the gap between the two patterns, the last match index is updated. Otherwise, the pattern is suspected to appear in the text, i.e., the two patterns are in the exact gap between them as expected.

[0116] In a preferred embodiment of the invention, the above method is applied to an operation request constructed in HTTP protocol. The operation request is divided into 4 scanning zones based on: (1) the message URI; (2) Query string; (3) message headers; and (4) message body. Each pattern is directed to a specific zone or zones. Therefore performance is increased while false alarms are decreased. If a string is determined to be a suspect, full simple string matching is performed.

[0117]FIG. 7 illustrates process 700 for implementing the Minime pipe according to an embodiment of the invention. Known vulnerability patterns are loaded (step 710) into a reverse engineering processor. These patterns are processed (step 720) into hash indexes and tables. Four different scanning zones are built (step 730), each using its relevant patterns. The incoming message is loaded (step 740). Message zones are scanned (step 750) to determine (step 760) if a vulnerability pattern matches. If a pattern is found, the message is rejected (step 770). If a pattern is not found, accept (step 780) the message. For any subsequent operation request, steps 740-780 are reapplied.

[0118] The following are three common Microsoft Internet Information Server (Version 4) vulnerabilities that this pipe blocks: (1) view any file on your web server hard disk,

[0119] http://www.yoursite.com/msadc/Samples/SELECTOR/ showcode.asp?source=/msadc/Samples/../../../../ boot.ini

[0120] (2) use this page to execute any SQL command directly to your database,

[0121] http://www.yoursite.com/msadc/samples/adctest.asp

[0122] (3) using CodeBrws.asp, it is possible to view Outlook mail folders:

[0123] http://www.yoursite.com/iissamples/exair/howitworks/ codebrws.asp?source=/../../winnt/Profiles/Administrator/ Application%20Data/Microsoft/Outlook%20Express/Mail/inbox.mbx

[0124] The Minime pipe provides the following benefits: it protects applications from remote users attempting to hack a system using application vulnerabilities; it provides IT administrators with an immediate protection to their applications until a patch is available and installed on the production server; it provides a second layer of protection against unknown vulnerabilities; it allows IT administrators to add custom patterns and to remove existing patterns from the data file.

[0125] 3. Hide & Seek

[0126] In an embodiment of the invention, a third pipe, herein referred to as “Hide & Seek,” is applied to one or more application paths. Hide & Seek is a HTML/WML/XML driven pipe whose purpose is to insure that an application operates as designed and implemented by the application owner. Particularly, the pipe checks each outgoing HTML/WML/XML reply for its internal URLs and parameters values, then validates the next user request to match one of the stored URLs and parameters. This method insures that subsequent user requests to the application are only those that the application previously allowed.

[0127] This pipe implements a method that comprises the following steps: identify a single client to interact with the application; determine the parameter names and values that the client received from the application; and check if a client request to the application includes any parameter, if so, check its value. Only if the value sent by the client is equal to the value that the client received from the application, will the request be forwarded to the application.

[0128] In order to identify a client in a state-less protocol, i.e., a protocol that is only concerned with the source and destination but not the contents of the message, the pipe utilizes a session-based cookie. In order to identify the application reply, an on-line parser reads each reply coming from the application and searches for specific HTML/WML/XML elements in the reply document. For each HTML/WML/XML element, e.g., input, select, form, etc., the parser determines the element value. All parsed values are stored in a session object running in the server, wherein each session is related to a single client.

[0129] After identifying the client and attaching to the request the session object, an additional parser operates on the request. At this stage, a comparator is used to match the request with the reply based on the HTML/WML/XML specification. Based on the HTML/WML/XML element type, the reply parser can determine if the parameter name can be changed by the client on his next request. If so, it permits a client to send any value with this parameter. For example, if the application reply includes an <INPUT>html tag, the parser expects the client to enter a value. Thus, the client'"'"'s request is not checked for an exact match. To insure HTML elements like the <INPUT>element and others will not allow any value to be submitted to the application. The pipe uses a refinement file to declare the type of parameters that the pipe will check, e.g., integer, long, string. The pipe may further compose application session tracking information. Caching techniques also may be integrated.

[0130] In a particular embodiment of invention, the following algorithm performs HTML/WML/XML parsing on a reply document and generates a knowledge ‘basket’ of all HTML/WML/XML tags that are sent by the user on a next subsequent request. The algorithm also validates the next request to exactly match its knowledge ‘basket’ content.

[0131] A HTML/WML/XML parser that is used that will support the latest HTML/WML/XML version. The parser receives a reply HTML/WML/XML document (the document going from the web server to the client), parses it based on a specified HTML/WML/XML Request For Comments (“RFC”) document and will fills the knowledge ‘basket’ with all HTML/WML/XML tags that, based on the HTML/WML/XML RFC, can be sent back to the server on a user'"'"'s next request. Examples of supported HTML tags are, but not limited to, <FORM>, <INPUT>, <SELECT>, <TEXTAREA>, <A>, and <IMAGE>.

[0132] In order to identify a single user in a stateless protocol environment, the Hide & Seek pipe uses a cookie mechanism. Cookies must be enabled on a client'"'"'s web browser. If cookies are not enabled by the client, the Hide & Seek pipe can not store information in the knowledge ‘basket.’ For security purposes, a client without cookies enabled is considered as a ‘new’ or unauthorized user who is limited to minimal application activities.

[0133] The following is a simple example of a Hide & Seek implementation. A typical HTML document for login and password is: