Application layer security method and system

US 20030204719A1
Filed: 05/28/2003
Published: 10/30/2003
Est. Priority Date: 03/16/2001
Status: Active Grant

First Claim

Patent Images

1. An application layer security method comprising the steps of:

receiving an operation request to be executed by an application, identifying an application attribute of said operation request, identifying an application path associated with said identified application attribute, and directing said operation request to said identified application path.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention provides an application layer security method and system to secure trusted computer applications from executing out of their intended and authorized scope caused by illegal or harmful operation requests received from a distrusted environment. In an embodiment of the invention, a protective layer is implemented in between a trusted application and distrusted application operation requests. In operation, the protective layer identifies an application path of each operation request. Depending on the application path identified, one or more security pipes scrutinize the application contents of the operation request to determine if the operation request is illegal or harmful to the application or a surrounding environment.

239 Citations

30 Claims

1. An application layer security method comprising the steps of:
- receiving an operation request to be executed by an application, identifying an application attribute of said operation request, identifying an application path associated with said identified application attribute, and directing said operation request to said identified application path.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein said step of identifying an application path comprises the step of comparing said identified application attribute to a predefined list of confirmed application attributes.
  - 3. The method of claim 2, wherein said identified application path is a trusted application path to said application.
  - 4. The method of claim 2, wherein said identified application path is a default application path.
  - 5. The method of claim 1, further comprising the step of applying one or more pipes to said operation request, wherein a number and each individual type of said one or more pipes are defined according to said identified application path.
  - 6. The method of claim 5, wherein one of said one or more pipes comprises the step of inspecting said operation request for improper database request syntax or the existence of one or more embedded database commands.
  - 7. The method of claim 5, wherein one of said one or more pipes comprises the step of inspecting said operation request for a known vulnerability pattern.
  - 8. The method of claim 5, wherein one of said one or more pipes comprises the step of blocking said operation request if said identified application path is designated as restricted by an owner of said application.
  - 9. The method of claim 5, wherein one of said one or more pipes comprises the step of blocking said operation request from being forwarded to a specified zone within a trusted network of said application.
  - 10. The method of claim 5, wherein one of said one or more pipes comprises the step of validating a parameter of said operation request according to predefined expression rules.
  - 11. The method of claim 5, wherein one of said one or more pipes comprises the step of protecting attribute values in said operation request, which are set by said application, from being modified.
  - 12. The method of claim 5, wherein one of said one or more pipes comprises the step of validating web service definitions and data structures of said operation request.
  - 13. The method of claim 5, wherein said step of directing said operation request to said identified application path is implemented by an application-level switch.

14. An application security system for protecting a trusted application comprising:
- an application attribute identifier, wherein said application attribute identifier identifies an application attribute of a message directed to or from said trusted application and identifies an application path associated with said identified application attribute;
  
  a message router, wherein said message router routes each message to said identified application path associated with said message; and
  
  a number of security pipes, wherein a portion of said number of security pipes are associated with said identified application path and are implemented on said message upon routing of said message to said application path.
- View Dependent Claims (15, 16, 17)
- - 15. The application security system of claim 14, wherein said application attribute identifier and said message router are employed within an application-level switch.
  - 16. The application security system of claim 14, further comprising a message identifier, wherein said message identifier comprises a list of confirmed messages and compares said message to said list of confirmed messages to identify if said message is a confirmed message.
  - 17. The application security system of claim 16, wherein said message router routes a confirmed message to an application path having zero security pipes implemented thereon.

18. An application security method comprising the steps of:
- classifying an application attribute of a message directed to or from a trusted application and implementing on said message a predetermined number of security pipes based on said classification of said application attribute.
- View Dependent Claims (19, 20)
- - 19. The application security method of claim 18, wherein said message is a request and further comprising the step of comparing said request to a list of confirmed requests and if said request matches one of said list of confirmed requests, said predetermined number is zero.
  - 20. The application security method of claim 19, further comprising the step of dynamically updating said list of confirmed requests with another confirmed request.

21. A method for protecting at least one application attribute in a message comprising the steps of:
- intercepting a message directed toward a recipient, wherein said message comprises at least one application attribute;
  
  encrypting said at least one application attribute to generate an encrypted application attribute;
  
  modifying said message by substituting said encrypted application attribute for said at least one application attribute; and
  
  forwarding said modified message to said recipient.
- View Dependent Claims (22, 23, 24, 25, 26)
- - 22. The method of claim 21, wherein said recipient is a client of an application.
  - 23. The method of claim 21, wherein said step of encrypting is performed using a first encryption key.
  - 24. The method of claim 23, further comprising the step of encrypting said first encryption key using a second encryption key.
  - 25. The method of claim 24, further comprising the step of appending said encrypted first encryption key to said modified message.
  - 26. The method of claim 21, further comprising the step of decrypting said encrypted application attribute using said first encryption key.

27. A method for protecting application at least one application attribute in a message comprising the steps of:
- intercepting a message directed toward a recipient, wherein said message comprises at least one encrypted application attribute;
  
  decrypting said at least one encrypted application attribute;
  
  modifying said message by substituting said decrypted application attribute for said at least one encrypted application attribute; and
  
  forwarding said modified message to said recipient.
- View Dependent Claims (28, 29, 30)
- - 28. The method of claim 27, wherein said recipient is an application.
  - 29. The method of claim 27, wherein said step of decrypting is performed using a first encryption key.
  - 30. The method of claim 29, wherein said first encryption key is obtained from said intercepted message in an encrypted form and further comprising the step of decrypting said encrypted first encryption key using a second encryption key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kavado, Inc. (Xcelera Inc.)
Original Assignee
Kavado, Inc. (Xcelera Inc.)
Inventors
Ben-Itzhak, Yuval

Granted Patent

US 7,882,555 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/152
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/52   during program execution, e...

H04L 63/0245   Filtering by information in...

H04L 63/0281   Proxies

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/168   above the transport layer

Application layer security method and system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

239 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Application layer security method and system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

239 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links