TECHNIQUES FOR TRACKING ACTUAL USERS IN WEB APPLICATION SECURITY SYSTEMS

US 20070124806A1
Filed: 11/27/2006
Published: 05/31/2007
Est. Priority Date: 11/28/2005
Status: Active Grant

First Claim

Patent Images

1. A method for tracking and identifying an identity of a user accessing a web application, the method comprising:

generating an application normal behavior profile (NBP), wherein said NBP includes a plurality of authentication identifiers of the web application;

determining using the NBP whether an authentication request submitted by the user was successful;

saving a first actionable data on a successful authentication request; and

saving a second actionable data on an unsuccessful authentication request.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for tracking and identifying an identity of a user accessing a web application. An application normal behavior profile (NBP), wherein said NBP includes a plurality of authentication identifiers of the web application is generated. It is determined using the NBP whether an authentication request submitted by the user was successful. A first actionable data on a successful authentication request is saved. A second actionable data on an unsuccessful authentication request is saved.

Citations

39 Claims

1. A method for tracking and identifying an identity of a user accessing a web application, the method comprising:
- generating an application normal behavior profile (NBP), wherein said NBP includes a plurality of authentication identifiers of the web application;
  
  determining using the NBP whether an authentication request submitted by the user was successful;
  
  saving a first actionable data on a successful authentication request; and
  
  saving a second actionable data on an unsuccessful authentication request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, further comprising:
    - attaching a corresponding user identification to each subsequent authentication request submitted by the user.
  - 3. The method of claim 1, wherein the plurality of authentication identifiers comprise at least:
    - an authentication form, a login pattern of the successful authentication request, a login pattern of the unsuccessful authentication request.
  - 4. The method of claim 3, wherein the authentication form is a hypertext markup language (HTML) form.
  - 5. The method of claim 3, wherein the login pattern includes at least one login indication and a value of said at least one login indication.
  - 6. The method of claim 5, wherein the login indication comprises at least one of:
    - a response code, existence of redirect directives, a target URL of redirect directives, and existence of the authentication form.
  - 7. The method of claim 3, wherein generating the NBP to include the plurality of authentication identifiers further includes:
    - identifying at least one authentication form in a reply to the submitted authentication request and identifying at least one login pattern in the reply.
  - 8. The method of claim 7, wherein identifying the authentication forms further includes:
    - analyzing said at least one authentication form in the reply;
      
      searching for at least one identifier parameter in the at least one authentication form;
      
      counting a number of occurrences of additional authentication forms that has the at least one identifier parameter during a predefined time interval; and
      
      adding the at least one authentication form to the NBP if the number of occurrences exceeds a predefined threshold.
  - 9. The method of claim 8, wherein the identifier parameter comprises at least one of:
    - an input field of type password, an input field of type text.
  - 10. The method of claim 7, wherein identifying the at least one login pattern further includes:
    - marking each combination of login indications found in the reply;
      
      counting a number of observations of each combination during a predefined time interval;
      
      determining a combination of login indications as the login pattern of a successful authentication request if a corresponding number of observations exceeds a predefined threshold; and
      
      determining a combination of login indications as the login pattern of an unsuccessful authentication request if a corresponding number of observations is below a predefined threshold.
  - 11. The method of claim 5, wherein determining whether the authentication request was successful further includes:
    - extracting values of the login indications from a response associated with the authentication request;
      
      checking if the extracted values of the login indications exist in the NBP; and
      
      determining that the authentication request was successful if the extracted values exist in the NBP.
  - 12. The method of claim 1, wherein the actionable data on the successful authentication request comprises at least one of:
    - a user identification, a session identification, a user name, an internet protocol address, actions preformed by the user.
  - 13. The method of claim 12, wherein the actionable data on the successful authentication request is utilized to track users across many sessions and days.
  - 14. The method of claim 1, wherein the first actionable data on the unsuccessful authentication request comprises at least one of:
    - a session identification, a user identification, an internet protocol address associated with the user.
  - 15. The method of claim 14, wherein second actionable data on the unsuccessful authentication request is utilized for detecting brute force attacks.

16. A computer program product including a computer-readable medium comprising instructions, said instructions when executed on a computer enables the computer to implement a method to track and identify identity of a user accessing a web application, the method comprising:
- generating an application normal behavior profile (NBP), wherein said NBP includes a plurality of authentication identifiers of the web application;
  
  determining using the NBP whether an authentication request submitted by the user was successful;
  
  saving a first actionable data on a successful authentication request; and
  
  saving a second actionable data on an unsuccessful authentication request.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 17. The computer program product of claim 16, wherein the implemented method further comprises:
    - attaching a corresponding user identification to each subsequent authentication request submitted by the user.
  - 18. The computer program product of claim 16, wherein the plurality of authentication identifiers comprise at least:
    - an authentication form, a login pattern of the successful authentication request, a login pattern of the unsuccessful authentication request.
  - 19. The computer program product of claim 18, wherein the authentication form is a hypertext markup language (HTML) form.
  - 20. The computer program product of claim 18, wherein the login pattern includes at least one login indication and a value of said at least one login indication.
  - 21. The computer program product of claim 20, wherein the login indication comprises at least one of:
    - a response code, existence of redirect directives, a target URL of redirect directives, and existence of the authentication form.
  - 22. The computer program product of claim 18, wherein generating the NBP to include the plurality of authentication identifiers further includes:
    - identifying at least one authentication form in a reply to the submitted authentication request and identifying at least one login pattern in the reply.
  - 23. The computer program product claim 22, wherein identifying the authentication forms further includes:
    - analyzing said at least one authentication form in the reply;
      
      searching for at least one identifier parameter in the at least one authentication form;
      
      counting a number of occurrences of additional authentication forms that has the at least one identifier parameter during a predefined time interval; and
      
      adding the at least one authentication form to the NBP if the number of occurrences exceeds a predefined threshold.
  - 24. The computer program product of claim 23, wherein the identifier parameter comprises at least one of:
    - an input field of type password, an input field of type text.
  - 25. The computer program product of claim 22, wherein identifying the at least one login pattern further includes:
    - marking each combination of login indications found in the reply;
      
      counting a number of observations of each combination during a predefined time interval;
      
      determining a combination of login indications as the login pattern of a successful authentication request if a corresponding number of observations exceeds a predefined threshold; and
      
      determining a combination of login indications as the login pattern of an unsuccessful authentication request if a corresponding number of observations is below a predefined threshold.
  - 26. The computer program product of claim 20, wherein determining whether the authentication request was successful further includes:
    - extracting values of the login indications from a response associated with the authentication request;
      
      checking if the extracted values of the login indications exist in the NBP; and
      
      determining that the authentication request was successful if the extracted values exist in the NBP.
  - 27. The computer program product of claim 16, wherein the actionable data on the successful authentication request comprises at least one of:
    - a user identification, a session identification, a user name, an internet protocol address, actions preformed by the user.
  - 28. The computer program product of claim 27, wherein the actionable data on the successful authentication request is utilized to track users across many sessions and days.
  - 29. The computer program product of claim 16, wherein the first actionable data on the unsuccessful authentication request comprises at least one of:
    - a session identification, a user identification, an IP address associated with the user.
  - 30. The computer program product of claim 29, wherein the second actionable data on the unsuccessful authentication request is utilized for detecting brute force attacks.

31. A security system having user awareness capabilities for tracking and identifying the identity of users accessing a web application, the system comprises:
- a secure server coupled to a secure gateway and operable to generate an application normal behavior profile (NBP) that includes at least a plurality of authentication identifiers of the web application; and
  
  at least one secure gateway installed in a line of traffic between a client and a web server and operable to determine using the NBP whether an authentication request from the client was successful.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39)
- - 32. The security system of claim 31, wherein the authentication request is submitted by a user.
  - 33. The security system of claim 32, wherein secure gateway is further operable to save first actionable data on a successful authentication request and further operable to save second actionable data on an unsuccessful authentication request and labeling each authentication request with an identity of the actual user.
  - 34. The security system of claim 31, wherein the system is further operable to identify authentication forms in replies to submitted authentication requests and identify login patterns in replies to the submitted authentication requests.
  - 35. The security system of claim 32, wherein to determine whether the authentication request was successful, the system is operable to extract values of at least login indications from a response associated with the authentication request, and further operable to check if the extracted values of the login indications exist in the NBP;
    - and further operable to determine that the authentication request was successful if the extracted values exist in the NBP.
  - 36. The security system of claim 33, wherein the first actionable data on the successful authentication request comprises at least one of:
    - a user identification, a session identification, a user name, an internet protocol address, actions preformed by the user.
  - 37. The security system of claim 36, wherein the first actionable data actionable data on the successful authentication request is utilized to track users across many sessions and days.
  - 38. The security system of claim 33, wherein the second actionable data on the unsuccessful authentication request comprises at least one of:
    - a session identification, a user identification, an internet protocol address associated with the user.
  - 39. The security system of claim 38, wherein the second actionable data on the unsuccessful authentication request is utilized for detecting brute force attacks.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Imperva Incorporated (Thales SA)
Original Assignee
Imperva Incorporated (Thales SA)
Inventors
Shulman, Amichai, Shatz, Gur, Ryterski, Tal

Granted Patent

US 8,392,963 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/5
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

TECHNIQUES FOR TRACKING ACTUAL USERS IN WEB APPLICATION SECURITY SYSTEMS

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

TECHNIQUES FOR TRACKING ACTUAL USERS IN WEB APPLICATION SECURITY SYSTEMS

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links