Monitoring the flow of a data stream

US 20030140140A1
Filed: 01/16/2003
Published: 07/24/2003
Est. Priority Date: 01/18/2002
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring the flow of a data stream between a client and a server, wherein the data stream is carrying representation data on a connection-oriented carrier protocol, comprising the steps of:

analyzing a first data stream travelling from the server to the client in order to identify at least one response descriptor therein, storing the identified response descriptors in a set associated with said client;

analyzing a second data stream travelling from the client to the server in order to identify at least one request descriptor therein;

comparing said request descriptors with said set; and

, generating a monitoring result responsive to said step of comparing.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention relates to the monitoring of the flow of a data stream travelling between a client and a server system. The invention is intended particularly for such communications protocols carrying representation data above some connection-oriented protocol layer. The objective of the present invention is to bring about a flow monitoring mechanism enhancing system security. This is achieved by analyzing a data stream travelling from the server to the client in order to identify at least one response descriptor in the data stream. The identified response descriptors are stored in a set of available states for said client. Then the data stream travelling from the client to the server is analyzed in order to identify at least one request descriptor. The request descriptors identified are compared with the set of available states for said client, and in response to the comparing step, a monitoring result is generated.

115 Citations

View as Search Results

25 Claims

1. A method for monitoring the flow of a data stream between a client and a server, wherein the data stream is carrying representation data on a connection-oriented carrier protocol, comprising the steps of:
- analyzing a first data stream travelling from the server to the client in order to identify at least one response descriptor therein, storing the identified response descriptors in a set associated with said client;
  
  analyzing a second data stream travelling from the client to the server in order to identify at least one request descriptor therein;
  
  comparing said request descriptors with said set; and
  
  , generating a monitoring result responsive to said step of comparing.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 24, 25)
- - 2. A method according to claim 1, further comprising the step of performing a predetermined action at least partially based on the monitoring result.
  - 3. A method according to claim 2, wherein said action comprises matching the second data stream against known misuse patterns, if at least one request descriptor fails to match the stored response descriptors in the set.
  - 4. A method according to claim 2, wherein said action comprises allowing the second data stream passage if the request descriptors match the stored response descriptors in the set, and restricting the data stream if at least one request descriptor fails to match the stored response descriptors in the set.
  - 5. A method according to claim 2, wherein said action comprises generating an alarm event, which is selected at least partially on the basis of the monitoring result.
  - 6. A method according to claim 1, further comprising the steps of:
    - storing a host identifier from a carrier protocol part of the first data stream; and
      
      using said stored host identifier to select a set associated with said client.
  - 7. A method according to claim 1, further comprising the steps of:
    - storing a client identifier from the first data stream and using said stored client identifier to select a set associated with said client.
  - 8. A method according to claim 1, further comprising the steps of:
    - storing a host identifier from a carrier protocol part of the first data stream;
      
      storing a client identifier from the first data stream, comparing a client identifier from the second data stream to the stored client identifiers in order to select a set associated with said client; and
      
      , if the client identifier of the second data stream does not correspond to the stored client identifiers, comparing a host identifier from the second data stream to the stored host identifiers, in order to select a set associated with said client.
  - 9. A method according to claim 1, wherein the analyzing step of said first data stream comprises analyzing different possible states of macro definition, or form definition, or a combination thereof, included in said first data stream for identifying at least one response descriptor therein, or deriving at least one response descriptor therefrom.
  - 10. A method according to claim 9, wherein the analyzing step of different possible states comprises executing a macro in order to identify at least one response descriptor therein, or deriving at least one response descriptor therefrom.
  - 24. A method according to claim 1, wherein the connection-oriented carrier protocol is HyperText Transfer Protocol (HTTP), Wireless Application Protocol (WAP) or Simple Object Access Protocol (SOAP).
  - 25. A method according to claim 1, wherein the representation data is in HyperText Markup Language (HTML), Wireless Markup Language (WML), Extensible Markup Language (XML), or Web Services Description Language (WSDL) format.

11. A system for monitoring the flow of a data stream travelling from a client to a server, wherein the data stream is carrying representation data on a connection-oriented carrier protocol, the system comprising:
- a first analyzing block adapted to analyze a first data stream travelling from the server to the client in order to identify at least one response descriptor therein, a storing block coupled to said first analyzing block, and adapted to store response descriptors identified in a set associated with said client, a second analyzing block adapted to analyze a second data stream travelling from the client to the server in order to identify at least one request descriptor therein, a comparing block for comparing said request descriptors with said set and, a block coupled to said comparing block, adapted to generate a monitoring result.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. A system according to claim 11, further comprising an execution block for performing a predetermined action at least partially based on the monitoring result.
  - 13. A system according to claim 12, wherein said execution block comprises a module adapted to compare the second data stream with known misuse patterns, if at least one request descriptor fails to match the stored response descriptors in the set.
  - 14. A system according to claim 12, wherein said execution block is further adapted to allow the second data stream passage, if the request descriptors match the stored response descriptors in the set, and a module adapted to restrict the second data stream, if at least one request descriptor fails to match the stored response descriptors in the set.
  - 15. A system according to claim 12, wherein said execution block is further adapted to generate an alarm event, including a module to select the event at least partially based on the monitoring result.
  - 16. A system according to claim 11, wherein said storing block being further adapted to store a host identifier from the carrier protocol part of the first data stream between the client and the server, the system further comprises a block, adapted to use said stored host identifier to select the set associated with said client.
  - 17. A system according to claim 11, wherein said storing block being further adapted to store a client identifier from the first data stream between the client and the server, wherein the system further comprises a block adapted to use said stored client identifier to identify the set for said client.
  - 18. A system according to claim 11, wherein said storing block being further adapted to store a client identifier and a host identifier from the first data stream between the client and the server, wherein the system further comprises:
    - a first comparing block adapted to compare a client identifier of a second data stream to the client identifiers stored in the storing block in order to select a set associated with said client; and
      
      a second comparing block adapted to compare a host identifier of the second data stream to the host identifiers stored in the storing block in order to select a set associated with said client, if the client identifier of the second data stream does not correspond to the client identifiers stored.
  - 19. A system according to claim 11, characterized in that the first analyzing block is further adapted to analyze different possible states of a macro definition or a form definition, or a combination thereof, included in said first data stream for identifying at least one response descriptor therein, or deriving at least one response descriptor therefrom.
  - 20. A system according to claim 19, characterized in that the first analyzing block is further adapted to execute a macro file in order to identify at least one response descriptor therein, or derive at least one response descriptor therefrom.

21. A computer program product stored on a computer readable storage medium, the product being adapted, when executed on a computer, to perform monitoring of the flow of a data stream between a client and a server, wherein the data stream is carrying representation data on a connection-oriented carrier protocol, said monitoring comprising the steps of:
- analyzing a first data stream travelling from the server to the client in order to identify at least one response descriptor therein, responsive to the analyzing step, storing response descriptors identified into a set associated with said client, analyzing a second data stream travelling from the client to the server in order to identify at least one request descriptor therein, comparing said request descriptors with said set, and generating a monitoring result responsive to said step of comparing.

22. A method for monitoring the flow of a data stream between a client and a server, wherein the data stream is carrying representation data on a connection-oriented carrier protocol, comprising the steps of:
- dynamically identifying a set of expected requests on the basis of server responses within a first client-server connection, said set being associated with said client;
  
  comparing requests from the client within a second client-server connection with the set of expected requests, or a portion thereof; and
  
  generating a monitoring result responsive to said step of comparing.
- View Dependent Claims (23)
- - 23. A method according to claim 22, further comprising transferring a request from the client for additional testing, if the request does not conform to parameters associated with said expected request set;
    - and, transferring a request from the client to the server, if the request conforms to parameters associated with said expected request set.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Forcepoint LLC
Original Assignee
Stonesoft Corporation
Inventors
Lahtinen, Jesse

Granted Patent

US 7,302,480 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

H04L 41/28   Restricting access to netwo...

H04L 43/00   Arrangements for monitoring...

H04L 63/0254   Stateful filtering

H04L 63/0281   Proxies

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

H04L 63/168   above the transport layer

Monitoring the flow of a data stream

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

115 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Monitoring the flow of a data stream

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

115 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links