Systems and methods for preventing intrusion at a web host

US 20040093407A1
Filed: 11/08/2002
Published: 05/13/2004
Est. Priority Date: 11/08/2002
Status: Active Grant

First Claim

Patent Images

1. A method for processing commands, comprising:

intercepting commands directed for a web server;

comparing the intercepted commands to a pre-designated set of commands that are known to be valid commands for the web server; and

dropping ones of the intercepted commands when the comparison of the intercepted commands does not generate a match to the pre-designated set of commands.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A web host intrusion prevention system includes a filter engine [302] and comparison tables [303]. The comparison tables [303] are populated with the set of valid commands that are to be received at a server. The filter engine [302] looks up received commands in the comparison tables [303]. Received commands that are not in the comparison table are rejected.

Citations

30 Claims

1. A method for processing commands, comprising:
- intercepting commands directed for a web server;
  
  comparing the intercepted commands to a pre-designated set of commands that are known to be valid commands for the web server; and
  
  dropping ones of the intercepted commands when the comparison of the intercepted commands does not generate a match to the pre-designated set of commands.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising:
    - forwarding ones of the intercepted commands to the web server when the comparison generates a match to the pre-designated set of commands.
  - 3. The method of claim 1, wherein comparing the intercepted commands to the pre-designated set of commands includes looking up the intercepted commands in a plurality of tables.
  - 4. The method of claim 3, wherein the plurality of tables includes separate tables for storing commands relating to different hyper-text transfer protocol (HTTP) commands.
  - 5. The method of claim 4, wherein the HTTP commands include GET and POST commands.
  - 6. The method of claim 1, further comprising:
    - monitoring resources of the web server; and
      
      throttling back resource usage of the web server when the monitored resources are being used above a threshold level.

7. A computing device comprising:
- a communication interface component configured to receive network traffic destined for the computing device;
  
  comparison tables configured to store at least one set of commands;
  
  web serving software configured to receive the network traffic from the communication interface and respond to commands in the network traffic; and
  
  a filter engine configured to perform lookups in the comparison tables based on the commands present in the received network traffic, the filter engine instructing the communication interface to refrain from forwarding the network traffic to the web server software when one of the commands in received network traffic does not correspond to a command in the at least one set of commands.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The computing device of claim 7, wherein the comparison tables further include:
    - a plurality of tables, each of the plurality of tables dedicated to storing commands relating to a hyper-text transfer protocol (HTTP) command.
  - 9. The computing device of claim 8, wherein the HTTP commands include GET and POST commands.
  - 10. The computing device of claim 8, wherein at least one of the plurality of tables stores information relating to scripts called by the HTTP commands.
  - 11. The computing device of claim 7, further comprising:
    - a database coupled to the web serving software, the database containing information requested by the commands present in the network traffic.
  - 12. The computing device of claim 7, further comprising:
    - a resource manager configured to monitor resources of the computing device and throttle back resource usage of the computing device when the monitored resources are being used above a threshold level.
  - 13. The computing device of claim 12, wherein the monitored resources include at least one of processing capability, memory space, and network interface bandwidth.

14. A method for processing commands, comprising:
- examining files related to content information of a web server;
  
  generating tables that define valid commands for accessing the examined files;
  
  blocking received commands intended for the web server when the received commands are not present in the generated tables; and
  
  forwarding the received commands'"'"' to the web server when the received commands are present in the generated tables.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The method of claim 14, wherein examining files related to content information of the web server includes recursively examining files in directories below a root directory of the web server.
  - 16. The method of claim 14, wherein examining files related to content information of the web server includes updating examination of the files related to content for the web server when the files are modified.
  - 17. The method of claim 14, wherein the examined files include static files.
  - 18. The method of claim 14, wherein the examined files include scripts.
  - 19. The method of claim 14, wherein the tables include separate tables for storing commands relating to different hyper-text transfer protocol (HTTP) commands.
  - 20. The method of claim 19, wherein the HTTP commands include GET and POST commands.
  - 21. The method of claim 14, further comprising:
    - monitoring resources of the web server; and
      
      throttling back resource usage of the web server when the monitored resources are being used above a threshold level.

22. A system comprising:
- means for examining commands destined for a web server;
  
  means for comparing the commands to a pre-designated set of commands that are known to be valid commands for the web server; and
  
  means for dropping ones of the commands when the means for comparing the commands does not generate a match to the pre-designated set of commands.
- View Dependent Claims (23, 24, 25, 26)
- - 23. The system of claim 22, further comprising:
    - means for forwarding ones of the commands to the web server when the means for comparing generates a match to the pre-designated set of commands.
  - 24. The system of claim 22, further comprising:
    - means for generating tables that store the pre-designated set of commands.
  - 25. The system of claim 24, wherein the tables include separate tables for storing commands relating to different hyper-text transfer protocol (HTTP) commands.
  - 26. The system of claim 22, further comprising means for monitoring resources of the web server;
    - and means for throttling back resource usage of the web server when the monitored resources are being used above a threshold level.

27. A computer-readable medium containing instructions that when executed by a processor cause the processor to:
- intercept commands directed for a web server;
  
  compare the intercepted commands to a pre-designated set of commands that are known to be valid commands for the web server; and
  
  drop ones of the intercepted commands when the comparison of the intercepted commands does not generate a match to the pre-designated set of commands.
- View Dependent Claims (28, 29, 30)
- - 28. The computer-readable medium of claim 27, wherein the instructions further cause the processor to:
    - forward ones of the intercepted commands to the web server when the comparison generates a match to the pre-designated set of commands.
  - 29. The computer-readable medium of claim 27, wherein comparing the intercepted commands to the pre-designated set of commands includes looking up the intercepted commands in a plurality of tables.
  - 30. The computer-readable medium of claim 27, wherein the instructions further cause the processor to:
    - monitor resources of the web server; and
      
      throttle back resource usage of the web server when the monitored resources are being used above a threshold level.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Federal Network Systems LLC (Jacobs Solutions, Inc.)
Inventors
Sample, Char

Granted Patent

US 7,376,732 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1408   by monitoring network traff...

Systems and methods for preventing intrusion at a web host

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for preventing intrusion at a web host

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links