USING STATISTICAL ANALYSIS TO GENERATE EXCEPTION RULES THAT ALLOW LEGITIMATE MESSAGES TO PASS THROUGH APPLICATION PROXIES AND GATEWAYS
Abstract
A security gateway receives messages rejected by a message filter based on a set of rules. The security gateway also receives attributes of the rejected messages that triggered the rules. The security gateway maintains frequencies with which the messages with a particular attribute were rejected by the rules. The security gateway finds rejected messages or attributes having a high frequency of occurrence. Since messages or attributes having a high frequency of occurrences are more likely to represent legitimate requests rather than malicious attacks, the security gateway generates exception rules, which would allow messages that have similar attributes to pass through the gateway.
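The filter and learning engine described above, as an added Python example that is not code from the patent. The class and method names, the regex rule, the in-memory state, and the choice to treat the matched text as the "attribute" are all assumptions made for illustration.

```python
import re
from collections import defaultdict


class AdaptiveGateway:
    """Filter plus learning engine, following the steps of claim 1."""

    def __init__(self, rejection_rules, threshold):
        # rejection_rules: {rule_name: compiled regex} (hypothetical representation)
        self.rules = rejection_rules
        self.threshold = threshold
        self.sessions = defaultdict(set)  # (rule, attribute) -> rejected session ids
        self.exceptions = set()           # (rule, attribute) pairs allowed to pass

    def handle(self, session_id, message):
        """Return 'allow' or 'reject' for one message."""
        verdict = "allow"
        for name, pattern in self.rules.items():
            match = pattern.search(message)
            if not match:
                continue
            key = (name, match.group(0))  # attribute = text that triggered the rule
            if key in self.exceptions:
                continue                  # exception rule overrides the rejection rule
            verdict = "reject"
            self._learn(key, session_id)
        return verdict

    def _learn(self, key, session_id):
        # Count user sessions, not messages: the set ignores repeats from one session.
        self.sessions[key].add(session_id)
        if len(self.sessions[key]) > self.threshold:
            self.exceptions.add(key)

    def count(self, rule, attribute):
        return len(self.sessions[(rule, attribute)])


def demo():
    # Constructed rule and messages: reject a "name" value containing an apostrophe.
    gw = AdaptiveGateway({"no_quote": re.compile(r"name=[^&]*'[^&]*")}, threshold=1)
    trace = [("s1", "name=O'Brien"), ("s1", "name=O'Brien"), ("s2", "name=O'Brien"),
             ("s1", "name=O'Brien"), ("s3", "name=D'Arcy")]
    return [gw.handle(s, m) for s, m in trace]


if __name__ == "__main__":
    print(demo())
```

Because the count is kept per session, the second rejection from session `s1` does not move it toward the threshold; the exception is generated only once a second session is rejected for the same attribute, and it covers that attribute alone.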
20 Claims
1. A method for adaptively filtering messages routed across a network by generating exception rules to rejection rules based on attributes of messages previously received and rejected, the method comprising:
- rejecting, by a filter of a security gateway, a first message of a first user session, the first message having an attribute identified by a rejection rule;
- incrementing, by a learning engine of the security gateway responsive to the rejection of the first message, a count representing the number of user sessions having one or more messages rejected based on the attribute;
- rejecting, by the filter, a second message of a second user session, the second message having the attribute identified by the rejection rule;
- incrementing, by the learning engine, the count responsive to the rejection of the second message;
- generating, by the learning engine responsive to determining that the count exceeds a predetermined threshold, an exception rule to the rejection rule identifying the attribute;
- receiving, by the filter after generating the exception rule, a third message of the first user session having the attribute; and
- allowing, by the filter, the third message to pass responsive to the exception rule.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
11. A system for adaptively filtering messages routed across a network by generating exception rules to rejection rules based on attributes of messages previously received and rejected, comprising:
- means for rejecting, by a filter of a security gateway, a first message of a first user session, the first message having an attribute identified by a rejection rule;
- means for incrementing, by a learning engine of the security gateway responsive to the rejection of the first message, a count representing the number of user sessions having one or more messages rejected based on the attribute;
- means for rejecting, by the filter, a second message of a second user session, the second message having the attribute identified by the rejection rule;
- means for incrementing, by the learning engine, the count responsive to the rejection of the second message;
- means for generating, by the learning engine responsive to determining that the count exceeds a predetermined threshold, an exception rule to the rejection rule identifying the attribute;
- means for receiving, by the filter after generating the exception rule, a third message of the first user session having the attribute; and
- means for allowing, by the filter, the third message to pass responsive to the exception rule.

Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20
Specification