ENHANCED SERVER TO CLIENT SESSION INSPECTION

US 20080098477A1
Filed: 09/17/2007
Published: 04/24/2008
Est. Priority Date: 09/17/2007
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a client request for data from a server, the request including a specification of one or more forms of transforming response data sent by the server in response to the request;

modifying the request in a manner designed to prevent the server from transforming the response data in accordance with the specification;

sending the modified request to the server;

receiving response data from the server;

if the response data is not transformed in accordance with the specification, inspecting the response data for malicious content; and

if the response data is transformed in accordance with the specification, taking one or more predetermined actions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a technique for enhancing the inspection of data sent from a server is provided. By modifying a client request in an effort to prevent the transformation (e.g., encoding and/or compression) of data by the server, unencoded data may be received, which can be inspected without the overhead associated with first decoding the data. Further, in the event the data is encoded despite modifying the client request to prevent such encoding, the server may be untrustworthy and one or more appropriate actions may be taken.

Citations

20 Claims

1. A method comprising:
- receiving a client request for data from a server, the request including a specification of one or more forms of transforming response data sent by the server in response to the request;
  
  modifying the request in a manner designed to prevent the server from transforming the response data in accordance with the specification;
  
  sending the modified request to the server;
  
  receiving response data from the server;
  
  if the response data is not transformed in accordance with the specification, inspecting the response data for malicious content; and
  
  if the response data is transformed in accordance with the specification, taking one or more predetermined actions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the one or more forms of transforming response data comprise one or more forms of compression.
  - 3. The method of claim 1, further comprising, if the response data is not transformed in accordance with the specification and malicious content is found in the response data, removing the malicious content from the response data prior to forwarding the response data.
  - 4. The method of claim 1, further comprising, if the response data is not transformed in accordance with the specification and malicious content is found in the response data, preventing the response data from being forwarded.
  - 5. The method of claim 1, wherein:
    - the specification comprises one or more fields in a Hypertext Transfer Protocol (HTTP) header; and
      
      modifying the request in a manner designed to prevent the server from transforming the response data in accordance with the specification comprises at least one of modifying or deleting the fields.
  - 6. The method of claim 1, wherein taking one or more actions comprises preventing the response data from reaching the client.
  - 7. The method of claim 1, wherein taking one or more actions comprises decoding the response data to generate untransformed response data and inspecting the untransformed response data.
  - 8. The method of claim 7, further comprising:
    - detecting malicious content in the untransformed response data;
      
      modifying the response data to remove the malicious content; and
      
      forwarding the modified response data.

9. A method comprising:
- receiving a request, the request including a specification of one or more forms of transforming response data sent by a server in response to the request;
  
  modifying the request to remove at least one of the forms of transforming from the specification;
  
  sending the modified request to the server;
  
  inspecting response data from the server for malicious content if the response data is not transformed or is transformed using a form of transforming specified in the modified request; and
  
  taking one or more predetermined actions if the response data is transformed using a form of encoding that is not specified in the modified request.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The method of claim 9, wherein:
    - the specification comprises one or more fields in a Hypertext Transfer Protocol (HTTP) header; and
      
      modifying the request comprises at least one of modifying or deleting the fields in the HTTP header.
  - 11. The method of claim 9, wherein taking one or more predetermined actions comprises decoding the response data and inspecting the decoded response data.
  - 12. The method of claim 9, wherein taking one or more actions comprises sending a notification to a user.
  - 13. The method of claim 12, further comprising receiving an identification of the user via an interface.

14. An inspection device, comprising:
- an interface for receiving client requests and responses from a server; and
  
  logic configured to receive a request that includes a specification of one or more forms of transforming response data sent by a server in response to the request, modify the request to remove at least one of the forms of transforming from the specification, send the modified request to the server, inspect response data from the server for malicious content if the response data is not transformed or is transformed using a form of transforming specified in the modified request, and take one or more predetermined actions if the response data is transformed using a form of encoding that is not specified in the modified request.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The device of claim 14, wherein the one or more forms of transforming response data comprise one or more forms of compression.
  - 16. The device of claim 14, wherein the logic is configured to, if the response data is not transformed or is transformed using a form of transforming specified in the modified request and malicious content is found in the response data, remove the malicious content from the response data prior to forwarding the response data.
  - 17. The device of claim 14, wherein:
    - the specification comprises one or more fields in a Hypertext Transfer Protocol (HTTP) header; and
      
      modifying the request in a manner designed to prevent encoding of data sent to the client from the server comprises at least one of modifying or deleting the fields in the HTTP header.
  - 18. The device of claim 14, wherein the one or more predetermined actions comprise preventing the response data from being forwarded by the device.
  - 19. The device of claim 14, wherein the one or more actions comprise decoding the response data to generate untransformed response data and inspecting the transformed response data.
  - 20. The device of claim 14, wherein the logic is further configured to:
    - detect malicious content in the transformed response data;
      
      modify the response data to remove the malicious content; and
      
      forward the modified response data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
WILLIAMS, CRAIG ALLEN, Lathem, Gerald S.

Granted Patent

US 8,037,528 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/168 above the transport layer

ENHANCED SERVER TO CLIENT SESSION INSPECTION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

ENHANCED SERVER TO CLIENT SESSION INSPECTION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links