SYSTEM AND METHOD OF SECURING NETWORKS AGAINST APPLICATIONS THREATS

US 20080047009A1
Filed: 07/20/2006
Published: 02/21/2008
Est. Priority Date: 07/20/2006
Status: Abandoned Application

First Claim

Patent Images

1. A method of securing a Web application, the method comprising:

receiving Web traffic;

verifying the traffic against a profile of acceptable behavior for a user of the application and identifying anomalous user traffic;

analyzing the anomalous traffic by at least one threat-detection engine; and

correlating and results from the at least one threat-detection engine to determine if there is a threat to the Web application.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for protection of Web based applications are described. A Web application security system is included within a computer network to monitor traffic received from a wide area network, such as the Internet, and determine if there is a threat to the Web application. The Web application security system monitors web traffic in a non-inline configuration and identifies any anomalous traffic against a profile that identifies acceptable behavior of a user of the application. Any anomalous traffic is analyzed and appropriate protective action is taken to secure the Web application against an attack.

188 Citations

30 Claims

1. A method of securing a Web application, the method comprising:
- receiving Web traffic;
  
  verifying the traffic against a profile of acceptable behavior for a user of the application and identifying anomalous user traffic;
  
  analyzing the anomalous traffic by at least one threat-detection engine; and
  
  correlating and results from the at least one threat-detection engine to determine if there is a threat to the Web application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method as defined in claim 1, wherein the at least one threat-detection engine comprises a signature analysis engine.
  - 3. The method as defined in claim 1, wherein the at least one threat-detection engine comprises a protocol violation engine.
  - 4. The method as defined in claim 1, wherein the at least one threat-detection engine comprises a session manipulation engine.
  - 5. The method as defined in claim 1, wherein the at least one threat-detection engine comprises a usage analysis engine.
  - 6. The method as defined in claim 1, wherein the at least one threat-detection engine comprises an exit control engine.
  - 7. The method as defined in claim 1, wherein the at least one threat-detection engine comprises a web services analysis engine.
  - 8. The method as defined in claim 1, wherein verifying the traffic comprises analyzing the traffic with a behavior analysis engine.
  - 9. The method as defined in claim 1, wherein the profile of acceptable behavior is automatically developed.
  - 10. The method as defined in claim 1, wherein the profile of acceptable behavior is automatically updated as users interact with the application.

11. A method of profiling acceptable behavior of a user of a Web application, the method comprising:
- monitoring traffic of the use as the user interacts with the Web application;
  
  identifying interaction between the user and the application thereby determining a profile of acceptable behavior of a user while interacting with the application; and
  
  continuing monitoring of traffic of users and modifying the profile if additional acceptable behavior is identified.
- View Dependent Claims (12, 13)
- - 12. The method as defined in claim 11, further comprising using the profile in a collaborative detection engine to identify anomalous user behavior.
  - 13. The method as defined in claim 11, wherein the profile of acceptable behavior is determined during an initialization period.

14. A Web application security system comprising:
- a correlation detection module adapted to analyze Web traffic against a profile of acceptable user behavior for interacting with the Web applications and to identify and analyze anomalous user behavior and to output results of the analysis;
  
  an adaption module adapted to monitor user behavior and modify the profile during the life of the application; and
  
  a correlation engine adapted to analyze the outputs of the collaborative detection module to determine if there is a threat.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 15. The security system as defined in claim 14, wherein the correlation detection module comprises a behavioral analysis engine.
  - 16. The security system as defined in claim 15, wherein the behavioral analysis engine determines anomalous user behavior.
  - 17. The security system as defined in claim 14, wherein the correlation detection module comprises threat-detection engines.
  - 18. The security system as defined in claim 17, wherein the threat-detection engines analyze anomalous user behavior to determine if the user behavior represents a specific type of threat.
  - 19. The security system as defined in claim 14, wherein the adaption module determines an initial profile of acceptable behavior during an initialization period.
  - 20. The security system as defined in claim 14, wherein the correlation engine evaluates results from multiple threat-detection engines to determine if there is a threat pattern present.
  - 21. The security system as defined in claim 14, further comprising a security policy module adapted to provide policies to the collaborative detection module to assist in identification in anomalous user behavior.
  - 22. The security system as defined in claim 14, further comprising a security policy module adapted to provide policies to the correlation engine to assist in determining if there is a threat pattern present.
  - 23. The security system as defined in claim 14, further comprising a security policy module adapted to provide a type of responsive action the security system is to take in response to a particular threat pattern.

24. A collaborative detection module comprising:
- a behavioral analysis engine adapted to evaluate users interaction with an application, to compare the interaction with a profile of acceptable behavior, and to identify anomalous user behavior; and
  
  at least one threat-detection engine adapted to be notified of anomalous user behavior by the behavioral analysis engine, wherein when notified the at least one threat-detection engine analyzes the user behavior to determine if it is a pattern of behavior indicative of a threat associated with the at least one threat-detection engine and to output a result of the analysis.
- View Dependent Claims (25, 26)
- - 25. The collaborative detection module as defined in claim 24, further comprising receiving the profile of acceptable behavior from an adaption module.
  - 26. The collaborative detection module as defined in claim 25, wherein the profile of acceptable behavior is modified as users continue to interact with the application.

27. A correlation engine comprising:
- a first input adapted to receive threat-detection results and to correlate the results to determine if there is a threat pattern;
  
  a second input adapted to receive security policies and to determine an appropriate response if there is a threat pattern; and
  
  an output adapted to provide correlation results to an event database.
- View Dependent Claims (28, 29)
- - 28. The correlation engine as defined in claim 27, wherein the threat-detection results are received from a plurality of threat-detection engines.
  - 29. The correlation engine as defined in claim 28, wherein the threat-detection results from at least two of the plurality of threat-detection engines are correlated to determine if there is a threat pattern.

30. An adaption module comprising:
- an input adapted to monitoring traffic of users as the user interacts with a Web application;
  
  a profiler adapted to identify interaction between the user and the application thereby determining a profile of acceptable behavior of a user while interacting with the application, wherein the profile is modified if additional acceptable behavior is identified; and
  
  an output adapted to communicate the profile to a security profile module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trustwave Holdings Incorporated (Singapore Telecommunications Limited)
Original Assignee
Trustwave Holdings Incorporated (Singapore Telecommunications Limited)
Inventors
Efron (Njtzan), Galit, Kolton, Doron, Wexler, Asaf, Zahavi, Yoram, Gavrieli, Netta, Delikat, Kate, Mizrahi, Rami, Overcash, Kevin

Application Number

US11/458,965
Publication Number

US 20080047009A1
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/0209   Architectural arrangements,...

H04L 63/1408   by monitoring network traff...

H04L 63/166   at the transport layer

SYSTEM AND METHOD OF SECURING NETWORKS AGAINST APPLICATIONS THREATS

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

188 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD OF SECURING NETWORKS AGAINST APPLICATIONS THREATS

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

188 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links