Methods, systems and computer program products for monitoring a server application

US 20050188221A1
Filed: 02/24/2004
Published: 08/25/2005
Est. Priority Date: 02/24/2004
Status: Abandoned Application

First Claim

Patent Images

1. A method for monitoring a server application in a computer network, the method comprising:

(a) monitoring communication data between a server application and a client;

(b) applying at least one detector to the communication data to identify at least one predetermined activity; and

(c) generating a threat score associated with the predetermined activity by comparing the identified predetermined activity with a security threshold criteria.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems and computer program products are disclosed for monitoring a server application in a computer network. The methods, systems, and computer program products can monitor communication data between a server application and a client. The methods, systems, and computer program products can also include applying one or more detectors to the communication data to identify a variety of predetermined activity. Further, the methods, systems, and computer program products can include generating a threat score associated with the predetermined activity by comparing the identified predetermined activity with a security threshold criteria.

183 Citations

143 Claims

1. A method for monitoring a server application in a computer network, the method comprising:
- (a) monitoring communication data between a server application and a client;
  
  (b) applying at least one detector to the communication data to identify at least one predetermined activity; and
  
  (c) generating a threat score associated with the predetermined activity by comparing the identified predetermined activity with a security threshold criteria.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 2. The method of claim 1, comprising selectively generating an alert based upon the threat score associated with the at least one detector.
  - 3. The method of claim 1, wherein steps (a)-(c) are performed transparent to the communication of data between the server application and the client.
  - 4. The method of claim 1, wherein the communication data is communicated over a network selected from the group consisting of a global communication network, a wide area network, a local area network, and a wireless network.
  - 5. The method of claim 1, wherein the communication data comprises an application protocol selected from the group consisting of hypertext transfer protocols, simple object access protocols, web distributed authoring and versioning protocols, simple mail transfer protocols, wireless application protocols, file transfer protocols, Internet message access protocols, post office protocols, web services protocols, simple mail transfer protocols, structured hypertext transfer protocols, and web-mail protocols.
  - 6. The method of claim 1, wherein the communication data can comprise HTTP requests from the client and HTTP responses from the server application.
  - 7. The method of claim 1, wherein the server application is implemented by a web server.
  - 8. The method of claim 1, wherein the client is implemented by a web-enabled device including a unique Internet protocol (IP) address.
  - 9. The method of claim 1, wherein the communication data comprises only transmission control protocol packets.
  - 10. The method of claim 1, comprising associating the at least one predetermined activity with a unique communication session between the server application and the client.
  - 11. The method of claim 10, wherein the unique communication session is a login session wherein the server application has been provided at least a user name and password from the client.
  - 12. The method of claim 1, wherein step (b) comprises associating the threat score with an object selected from the group consisting of the client, a computer, an IP address, a web user and/or session, an application, or a server client.
  - 13. The method of claim 1, wherein the at least one detector generates a threat score when the at least one predetermined activity deviates a predetermined amount from the security threshold criteria.
  - 14. The method of claim 13, wherein the security threshold criteria is an expected activity for the client.
  - 15. The method of claim 1, wherein the at least one detector identifies when the communication data from the client is associated with an predetermined user.
  - 16. The method of claim 1, wherein the predetermined activity is login activity.
  - 17. The method of claim 1, wherein the predetermined activity is form manipulation.
  - 18. The method of claim 1, wherein the predetermined activity is session cookie manipulation.
  - 19. The method of claim 1, wherein the predetermined activity is protocol activity.
  - 20. The method of claim 1, wherein the predetermined activity is URL encoding.
  - 21. The method of claim 1, wherein the at least one detector is a plurality of detectors.
  - 22. The method of claim 1, comprising adding the threat scores accumulated by the at least one detector to generate a total threat score.
  - 23. The method of claim 1, comprising displaying the alert to an operator.
  - 24. The method of claim 1, comprising displaying the threat score associated with the at least one detector.
  - 25. The method of claim 1, comprising providing a user interface for enabling an operator to configure the security threshold criteria.

26. A system for monitoring a server application in a computer network, the system comprising:
- (a) a network interface operable to monitor communication data between a server application and a client; and
  
  (b) a detector operable to identify at least one predetermined activity in the monitored communication data, and generate a threat score associated with the predetermined activity by comparing the identified predetermined activity with a security threshold criteria.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48)
- - 27. The system of claim 26, a user interface operable to selectively generate an alert based upon the threat score associated with the detector.
  - 28. The system of claim 26, wherein the communication data is communicated over a network selected from the group consisting of a global communication network, a wide area network, a local area network, and a wireless network.
  - 29. The system of claim 26, wherein the communication data comprises an application protocol selected from the group consisting of hypertext transfer protocols, simple object access protocols, web distributed authoring and versioning protocols, simple mail transfer protocols, wireless application protocols, file transfer protocols, Internet message access protocols, post office protocols, web services protocols, simple mail transfer protocols, structured hypertext transfer protocols, and web-mail protocols.
  - 30. The system of claim 26, wherein the communication data can comprise HTTP requests from the client and HTTP responses from the server application.
  - 31. The system of claim 26, wherein the server application is implemented by a web server.
  - 32. The system of claim 26, wherein the client is implemented by a web-enabled device including a unique Internet protocol (IP) address.
  - 33. The system of claim 26, wherein the communication data comprises only transmission control protocol packets.
  - 34. The system of claim 26, comprising a session detector operable to associate the at least one predetermined activity with a unique communication session between the server application and the client.
  - 35. The system of claim 34, wherein the unique communication session is a login session wherein the server application has been provided at least a user name and password from the client.
  - 36. The system of claim 26, wherein the detector can associate the threat score with an object selected from the group consisting of the client, computer, IP address, web user and/or session, application, or server client.
  - 37. The system of claim 26, wherein the detector is operable to generate a threat score when the at least one predetermined activity deviates a predetermined amount from the security threshold criteria.
  - 38. The system of claim 37, wherein the security threshold criteria is an expected activity for the client.
  - 39. The system of claim 26, wherein the detector is operable to identify when the communication data from the client is associated with an predetermined user.
  - 40. The system of claim 26, wherein the predetermined activity is login activity.
  - 41. The system of claim 26, wherein the predetermined activity is form manipulation.
  - 42. The system of claim 26, wherein the predetermined activity is session cookie manipulation.
  - 43. The system of claim 26, wherein the predetermined activity is protocol activity.
  - 44. The system of claim 26, wherein the predetermined activity is URL encoding.
  - 45. The system of claim 26, wherein the detector is a plurality of detectors.
  - 46. The system of claim 26, comprising a display for displaying the alert to an operator.
  - 47. The system of claim 26, comprising a display for displaying the threat score associated with the at least one detector.
  - 48. The system of claim 26, comprising a user interface for enabling an operator to configure the security threshold criteria.

49. A computer program product comprising computer-executable instructions embodied in a computer-readable medium for performing steps comprising:
- (a) monitoring communication data between a server application and a client;
  
  (b) applying at least one detector to the communication data to identify at least one predetermined activity; and
  
  (c) generating a threat score associated with the predetermined activity by comparing the identified predetermined activity with a security threshold criteria.
- View Dependent Claims (50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73)
- - 50. The computer program product of claim 49, comprising selectively generating an alert based upon the threat score associated with the at least one detector.
  - 51. The computer program product of claim 49, wherein steps (a)-(c) are performed transparent to the communication of data between the server application and the client.
  - 52. The computer program product of claim 49, wherein the communication data is communicated over a network selected from the group consisting of a global communication network, a wide area network, a local area network, and a wireless network.
  - 53. The computer program product of claim 49, wherein the communication data comprises an application protocol selected from the group consisting of hypertext transfer protocols, simple object access protocols, web distributed authoring and versioning protocols, simple mail transfer protocols, wireless application protocols, file transfer protocols, Internet message access protocols, post office protocols, web services protocols, simple mail transfer protocols, structured hypertext transfer protocols, and web-mail protocols.
  - 54. The computer program product of claim 49, wherein the communication data can comprise HTTP requests from the client and HTTP responses from the server application.
  - 55. The computer program product of claim 49, wherein the server application is implemented by a web server.
  - 56. The computer program product of claim 49, wherein the client is implemented by a web-enabled device including a unique Internet protocol (IP) address.
  - 57. The computer program product of claim 49, wherein the communication data comprises only transmission control protocol packets.
  - 58. The computer program product of claim 49, comprising associating the at least one predetermined activity with a unique communication session between the server application and the client.
  - 59. The computer program product of claim 58, wherein the unique communication session is a login session wherein the server application has been provided at least a user name and password from the client.
  - 60. The computer program product of claim 49, wherein step (b) comprises associating the threat score with an object selected from the group consisting of the client, computer, IP address, web user and/or session, application, or server client.
  - 61. The computer program product of claim 49, wherein the at least one detector generates a threat score when the at least one predetermined activity deviates a predetermined amount from the security threshold criteria.
  - 62. The computer program product of claim 61, wherein the security threshold criteria is an expected activity for the client.
  - 63. The computer program product of claim 49, wherein the at least one detector identifies when the communication data from the client is associated with an predetermined user.
  - 64. The computer program product of claim 49, wherein the predetermined activity is login activity.
  - 65. The computer program product of claim 49, wherein the predetermined activity is form manipulation.
  - 66. The computer program product of claim 49, wherein the predetermined activity is session cookie manipulation.
  - 67. The computer program product of claim 49, wherein the predetermined activity is protocol activity.
  - 68. The computer program product of claim 49, wherein the predetermined activity is URL encoding.
  - 69. The computer program product of claim 49, wherein the at least one detector is a plurality of detectors.
  - 70. The computer program product of claim 49, comprising adding the threat scores accumulated by the at least one detector to generate a total threat score.
  - 71. The computer program product of claim 49, comprising displaying the alert to an operator.
  - 72. The computer program product of claim 49, comprising displaying the threat score associated with the at least one detector.
  - 73. The computer program product of claim 49, comprising providing a user interface for enabling an operator to configure the security threshold criteria.

74. A method for monitoring a server application in a computer network, the method comprising:
- (a) monitoring communication data between a server application and a client;
  
  (b) applying a plurality of detectors to the communication data, wherein each detector detects different predetermined activity associated with the data communication between the server application and the client;
  
  (c) generating an individual threat score for each detector based upon detection of the predetermined activity by each detector; and
  
  (d) generating an overall threat score for the client by combining the individual threat scores.
- View Dependent Claims (75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98)
- - 75. The method of claim 74, comprising selectively generating an alert based upon the overall threat score.
  - 76. The method of claim 74, wherein steps (a)-(d) are performed transparent to the communication of data between the server application and the client.
  - 77. The method of claim 74, wherein the communication data is communicated over a network selected from the group consisting of a global communication network, a wide area network, a local area network, and a wireless network.
  - 78. The method of claim 74, wherein the communication data comprises an application protocol selected from the group consisting of hypertext transfer protocols, simple object access protocols, web distributed authoring and versioning protocols, simple mail transfer protocols, wireless application protocols, file transfer protocols, Internet message access protocols, post office protocols, web services protocols, simple mail transfer protocols, structured hypertext transfer protocols, and web-mail protocols.
  - 79. The method of claim 74, wherein the communication data can comprise HTTP requests from the client and HTTP responses from the server application.
  - 80. The method of claim 74, wherein the server application is implemented by a web server.
  - 81. The method of claim 74, wherein the client is implemented by a web-enabled device including a unique Internet protocol (IP) address.
  - 82. The method of claim 74, wherein the communication data comprises only transmission control protocol packets.
  - 83. The method of claim 74, comprising associating the predetermined activity with a unique communication session between the server application and the client.
  - 84. The method of claim 83, wherein the unique communication session is a login session wherein the server application has been provided at least a user name and password from the client.
  - 85. The method of claim 74, wherein step (d) comprises associating the overall threat score with the client.
  - 86. The method of claim 74, wherein at least one of the detectors generates a threat score when the at least one predetermined activity deviates a predetermined amount from the security threshold criteria.
  - 87. The method of claim 86, wherein the security threshold criteria is an expected activity for the client.
  - 88. The method of claim 74, wherein at least one of the detectors identifies when the data communication from the client is associated with an predetermined user.
  - 89. The method of claim 74, wherein one of the predetermined activity is login activity.
  - 90. The method of claim 74, wherein one of the predetermined activity is form manipulation.
  - 91. The method of claim 74, wherein one of the predetermined activity is session cookie manipulation.
  - 92. The method of claim 74, wherein one of the predetermined activity is protocol activity.
  - 93. The method of claim 74, wherein one of the predetermined activity is URL encoding.
  - 94. The method of claim 74, comprising adding the threat scores accumulated by the detectors to generate a total threat score.
  - 95. The method of claim 74, comprising selectively generating an alert based upon the overall threat score.
  - 96. The method of claim 95, comprising displaying the alert to an operator.
  - 97. The method of claim 74, comprising displaying the individual threat scores associated with the detectors.
  - 98. The method of claim 74, comprising providing a user interface for enabling an operator to configure the detectors.

99. A system for monitoring a server application in a computer network, the system comprising:
- (a) a network interface operable to monitor communication data between a server application and a client; and
  
  (b) a plurality of detectors operable to detect different predetermined activity associated with the monitored communication data, generate an individual threat score for each detector based upon detection of the predetermined activity by each detector, and generate an overall threat score for the client by combining the individual threat scores.
- View Dependent Claims (100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118)
- - 100. The system of claim 99, comprising a user interface for selectively generating an alert based upon the overall threat score.
  - 101. The system of claim 99, wherein the communication data is communicated over a network selected from the group consisting of a global communication network, a wide area network, a local area network, and a wireless network.
  - 102. The system of claim 99, wherein the communication data comprises an application protocol selected from the group consisting of hypertext transfer protocols, simple object access protocols, web distributed authoring and versioning protocols, simple mail transfer protocols, wireless application protocols, file transfer protocols, Internet message access protocols, post office protocols, web services protocols, simple mail transfer protocols, structured hypertext transfer protocols, and web-mail protocols.
  - 103. The system of claim 99, wherein the communication data can comprise HTTP requests from the client and HTTP responses from the server application.
  - 104. The system of claim 99, wherein the server application is implemented by a web server.
  - 105. The system of claim 99, wherein the client is implemented by a web-enabled device including a unique Internet protocol (IP) address.
  - 106. The system of claim 99, wherein the communication data comprises only transmission control protocol packets.
  - 107. The system of claim 99, comprising a session detector operable to associate the predetermined activity with a unique communication session between the server application and the client.
  - 108. The system of claim 107, wherein the unique communication session is a login session wherein the server application has been provided at least a user name and password from the client.
  - 109. The system of claim 99, wherein at least one of the detectors generates a threat score when the at least one predetermined activity deviates a predetermined amount from the security threshold criteria.
  - 110. The system of claim 109, wherein the security threshold criteria is an expected activity for the client.
  - 111. The system of claim 99, wherein at least one of the detectors identifies when the communication data from the client is associated with an predetermined user.
  - 112. The system of claim 99, wherein one of the predetermined activity is login activity.
  - 113. The system of claim 99, wherein one of the predetermined activity is form manipulation.
  - 114. The system of claim 99, wherein one of the predetermined activity is session cookie manipulation.
  - 115. The system of claim 99, wherein one of the predetermined activity is protocol activity.
  - 116. The system of claim 99, wherein one of the predetermined activity is URL encoding.
  - 117. The system of claim 99, comprising a display displaying the individual threat scores associated with the detectors.
  - 118. The system of claim 99, comprising a user interface for enabling an operator to configure the detectors.

119. A computer program product comprising computer-executable instructions embodied in a computer-readable medium for performing steps comprising:
- (a) monitoring communication data between a server application and a client;
  
  (b) applying a plurality of detectors to the communication data, wherein each detector detects different predetermined activity associated with the data communication between the server application and the client;
  
  (c) generating an individual threat score for each detector based upon detection of the predetermined activity by each detector; and
  
  (d) generating an overall threat score for the client by combining the individual threat scores.
- View Dependent Claims (120, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143)
- - 120. The computer program product of claim 119, comprising selectively generating an alert based upon the overall threat score.
  - 121. The computer program product of claim 119, wherein steps (a)-(d) are performed transparent to the communication of data between the server application and the client.
  - 122. The computer program product of claim 119, wherein the communication data is communicated over a network selected from the group consisting of a global communication network, a wide area network, a local area network, and a wireless network.
  - 123. The computer program product of claim 119, wherein the communication data comprises an application protocol selected from the group consisting of hypertext transfer protocols, simple object access protocols, web distributed authoring and versioning protocols, simple mail transfer protocols, wireless application protocols, file transfer protocols, Internet message access protocols, post office protocols, web services protocols, simple mail transfer protocols, structured hypertext transfer protocols, and web-mail protocols.
  - 124. The computer program product of claim 119, wherein the communication data can comprise HTTP requests from the client and HTTP responses from the server application.
  - 125. The computer program product of claim 119, wherein the server application is implemented by a web server.
  - 126. The computer program product of claim 119, wherein the client is implemented by a web-enabled device including a unique Internet protocol (IP) address.
  - 127. The computer program product of claim 119, wherein the communication data comprises only transmission control protocol packets.
  - 128. The computer program product of claim 119, comprising associating the predetermined activity with a unique communication session between the server application and the client.
  - 129. The computer program product of claim 119, wherein the unique communication session is a login session wherein the server application has been provided at least a user name and password from the client.
  - 130. The computer program product of claim 119, wherein step (d) comprises associating the overall threat score with the client.
  - 131. The computer program product of claim 119, wherein at least one of the detectors generates a threat score when the at least one predetermined activity deviates a predetermined amount from the security threshold criteria.
  - 132. The computer program product of claim 131, wherein the security threshold criteria is an expected activity for the client.
  - 133. The computer program product of claim 119, wherein at least one of the detectors identifies when the data communication from the client is associated with an predetermined user.
  - 134. The computer program product of claim 119, wherein one of the predetermined activity is login activity.
  - 135. The computer program product of claim 119, wherein one of the predetermined activity is form manipulation.
  - 136. The computer program product of claim 119, wherein one of the predetermined activity is session cookie manipulation.
  - 137. The computer program product of claim 119, wherein one of the predetermined activity is protocol activity.
  - 138. The computer program product of claim 119, wherein one of the predetermined activity is URL encoding.
  - 139. The computer program product of claim 119, comprising adding the threat scores accumulated by the detectors to generate a total threat score.
  - 140. The computer program product of claim 119, comprising selectively generating an alert based upon the overall threat score.
  - 141. The computer program product of claim 140, comprising displaying the alert to an operator.
  - 142. The computer program product of claim 119, comprising displaying the individual threat scores associated with the detectors.
  - 143. The computer program product of claim 119, comprising providing a user interface for enabling an operator to configure the detectors.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Covelight Systems, Inc. (Radware Limited)
Original Assignee
Covelight Systems, Inc. (Radware Limited)
Inventors
Hargett, Byron Lee, Somerville, Garth Douglas, Hester, Douglas Wayne, Logan, David Byron, Motsinger, David Lee, Wall, Virgil Montgomery Jr., Gramley, Kenneth Robert, Choy, Albert Ming

Application Number

US10/785,242
Publication Number

US 20050188221A1
Time in Patent Office

Days
Field of Search
US Class Current

726/5
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

Methods, systems and computer program products for monitoring a server application

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

183 Citations

143 Claims

Specification

Solutions

Use Cases

Quick Links

Methods, systems and computer program products for monitoring a server application

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

183 Citations

143 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links