Method and Apparatus for Excessive Access Rate Detection

US 20100192201A1
Filed: 01/29/2010
Published: 07/29/2010
Est. Priority Date: 01/29/2009
Status: Abandoned Application

First Claim

Patent Images

1. A method for securing a web server, the method comprising:

receiving a request to access content on a web server at an application security system;

identifying a source of the request using the application security system;

incrementing a request total associated with the source representing a number of requests received from the source during a predetermined time interval;

determining whether the request total exceeds an access threshold associated with the content; and

performing a responsive action if the request total exceeds the access threshold.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for protection of Web based applications are described. Anomalous traffic can be identified by comparing the traffic to a profile of acceptable user traffic when interacting with the application. Excessive access rates are one type of anomalous traffic that is detected by monitoring a source and determining whether the number of requests that the source generates within a specific time frame is above a threshold. The anomalous traffic, or security events, identified at the individual computer networks are communicated to a central security manager. The central security manager correlates the security events at the individual computer networks to determine if there is an enterprise wide security threat. The central security manager can then communicate instructions to the individual computer networks so as to provide an enterprise wide solution to the threat. Various responsive actions may be taken in response to detection of an excessive access rate.

Citations

21 Claims

1. A method for securing a web server, the method comprising:
- receiving a request to access content on a web server at an application security system;
  
  identifying a source of the request using the application security system;
  
  incrementing a request total associated with the source representing a number of requests received from the source during a predetermined time interval;
  
  determining whether the request total exceeds an access threshold associated with the content; and
  
  performing a responsive action if the request total exceeds the access threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 wherein the responsive action includes blocking the request from the source to prevent the request from reaching the web server.
  - 3. The method of claim 2 wherein the responsive action further comprises blocking subsequent requests from the source from reaching the web server.
  - 4. The method of claim 1, further comprising:
    - identifying a user associated with the request; and
      
      logging the user out from the web server if the request total exceeds the access threshold.
  - 5. The method of claim 4, further comprising:
    - blocking subsequent requests received from the user.
  - 6. The method of claim 1 wherein incrementing a request total associated with the source representing the number of requests received from the source during a predetermined time interval further comprises:
    - monitoring requests received from the source over a predetermined time frame, the predetermined time frame including a plurality of incremental time windows;
      
      identifying a current incremental time window;
      
      incrementing a request total associated with the current incremental time window;
      
      calculating a current request total by summing a request total associated with a set of incremental time windows included in a rolling time window; and
      
      wherein determining whether the request total exceeds an access threshold associated with the content further comprises comparing the current request total to access threshold.
  - 7. The method of claim 1, further comprising:
    - identifying a security policy associated with the content, the security policy identifying the responsive action to be taken if the request total exceeds the access threshold.

8. An application security system comprising:
- a processor;
  
  a computer-readable storage medium communicatively coupled with the processor and storing computer-executable instructions comprisingan application protection module configured to perform the following stepsreceiving a request to access content on a web server;
  
  identifying a source of the request;
  
  incrementing a request total associated with the source representing a number of requests received from the source during a predetermined time interval;
  
  determining whether the request total exceeds an access threshold associated with the content; and
  
  performing a responsive action if the request total exceeds the access threshold.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The application security system of claim 8 wherein the responsive action includes blocking the request from the source.
  - 10. The application security system of claim 9 wherein the responsive action further comprises blocking subsequent requests from the source.
  - 11. The application security system of claim 8, wherein the application protection module is further configured to perform the following steps:
    - identifying a user associated with the request; and
      
      logging the user out from the web server if the request total exceeds the access threshold.
  - 12. The application security system of claim 11, wherein the application protection module is further configured to perform the following steps:
    - blocking subsequent requests received from the user.
  - 13. The application security system of claim 8 wherein incrementing a request total associated with the source representing the number of requests received from the source during a predetermined time interval further comprises:
    - monitoring requests received from the source over a predetermined time frame, the predetermined time frame including a plurality of incremental time windows;
      
      identifying a current incremental time window;
      
      incrementing a request total associated with the current incremental time window; and
      
      calculating a current request total by summing a request total associated with a set of incremental time windows included in a rolling time window;
      
      wherein determining whether the request total exceeds an access threshold associated with the content further comprises comparing the current request total to access threshold.
  - 14. The application security system of claim 8, wherein the application protection module is further configured to perform the following steps:
    - identifying a security policy associated with the content, the security policy identifying the responsive action to be taken if the request total exceeds the access threshold.

15. A computer-readable medium comprising processor-executable instructions that, when executed, direct a computer system to perform actions comprising:
- receiving a request to access content on a web server;
  
  identifying a source of the request;
  
  incrementing a request total associated with the source representing a number of requests received from the source during a predetermined time interval;
  
  determining whether the request total exceeds an access threshold associated with the content; and
  
  performing a responsive action if the request total exceeds the access threshold.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer-readable medium of claim 15 wherein the responsive action includes blocking the request from the source to prevent the request from reaching the web server.
  - 17. The computer-readable medium of claim 16 wherein the responsive action further comprises blocking subsequent requests from the source from reaching the web server.
  - 18. The computer-readable medium of claim 15, further comprising instructions that, when executed, direct the computer system to perform actions comprising:
    - identifying a user associated with the request; and
      
      logging the user out from the web server if the request total exceeds the access threshold.
  - 19. The computer-readable medium of claim 18, further comprising instructions that, when executed, direct the computer system to perform actions comprising:
    - blocking subsequent requests received from the user.
  - 20. The computer-readable medium of claim 15 wherein incrementing a request total associated with the source representing the number of requests received from the source during a predetermined time interval further comprises:
    - monitoring requests received from the source over a predetermined time frame, the predetermined time frame including a plurality of incremental time windows;
      
      identifying a current incremental time window;
      
      incrementing a request total associated with the current incremental time window;
      
      calculating a current request total by summing a request total associated with a set of incremental time windows included in a rolling time window; and
      
      wherein determining whether the request total exceeds an access threshold associated with the content further comprises comparing the current request total to access threshold.
  - 21. The computer-readable medium of claim 15, further comprising instructions that, when executed, direct the computer system to perform actions comprising:
    - identifying a security policy associated with the content, the security policy identifying the responsive action to be taken if the request total exceeds the access threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trustwave Holdings Incorporated (Singapore Telecommunications Limited)
Original Assignee
Breach Security, Inc. (Singapore Telecommunications Limited)
Inventors
Mizrahi, Rami, Shezaf, Ofer, Shimoni, Asaf, Efron-Nitzan, Galit

Application Number

US12/697,049
Publication Number

US 20100192201A1
Time in Patent Office

Days
Field of Search
US Class Current

726/3
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

H04L 2463/141   Denial of service attacks a...

H04L 63/0263   Rule management

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

Method and Apparatus for Excessive Access Rate Detection

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Method and Apparatus for Excessive Access Rate Detection

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links