Method and Apparatus for Phishing and Leeching Vulnerability Detection

US 20100235918A1
Filed: 03/12/2010
Published: 09/16/2010
Est. Priority Date: 03/13/2009
Status: Active Grant

First Claim

Patent Images

1. A method for securing a web server from phishing and leeching activity, the method comprising:

receiving a request to access content at an application security system;

identifying a source of the request and a local host to which the request is directed using the application security system;

determining whether the source of the request is an external source; and

performing a responsive action if the source of the request is received from an external source.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for protection of Web based applications are described. Anomalous traffic can be identified by comparing the traffic to a profile of acceptable user traffic when interacting with the application. Phishing and leeching are one type of anomalous traffic that is detected. The anomalous traffic, or security events, identified at the individual computer networks are communicated to a central security manager. Various responsive actions may be taken in response to detection of phishing or leeching.

223 Citations

18 Claims

1. A method for securing a web server from phishing and leeching activity, the method comprising:
- receiving a request to access content at an application security system;
  
  identifying a source of the request and a local host to which the request is directed using the application security system;
  
  determining whether the source of the request is an external source; and
  
  performing a responsive action if the source of the request is received from an external source.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1 wherein the responsive action includes blocking the request to prevent the request from reaching the local host.
  - 3. The method of claim 1 wherein the request is an HTTP request, and wherein identifying a source of the request and a local host to which the request is directed using the application security system further comprises:
    - tokenizing the contents of the referrer field from a HTTP request header of the HTTP request to produce a set of referrer tokens;
      
      tokenizing the host field from the HTTP request header to produce a set of host tokens;
      
      comparing the referrer tokens and the host tokens using a set of matching criteria;
      
      determining whether the referrer tokens and the host tokens match based on the set of matching criteria, wherein the request is external source if the referrer tokens and the host tokens do not match.
  - 4. The method of claim 1 wherein the request is an HTTP request, and wherein identifying a source of the request and a local host to which the request is directed using the application security system further comprises:
    - tokenizing the contents of the referrer field from a HTTP request header of the HTTP request to produce a set of referrer tokens;
      
      tokenizing the host field from the HTTP request header to produce a set of host tokens;
      
      comparing the referrer tokens and the host tokens using a set of site aliases;
      
      determining whether the referrer tokens and the host tokens match based on the set of site aliases, wherein the request is external source if the referrer tokens and the host tokens do not match.

5. A method for securing a web server by detecting phishing vulnerability, the method comprising:
- receiving an HTTP request at an application security system;
  
  identifying link parameters in the HTTP request;
  
  determining whether the HTTP request includes a redirect to one of the link parameters;
  
  determining whether the redirect is to a local host if the HTTP request includes a redirect; and
  
  performing a responsive action if redirect is to external source.
- View Dependent Claims (6, 7, 8, 9)
- - 6. The method of claim 5, further comprising:
    - decoding URLs included in the link parameters if the URLs are encoded.
  - 7. The method of claim 5 wherein determining whether the HTTP request includes a redirect to one of the link parameters further comprises:
    - comparing a URL in a link parameter to a list of redirect related functions to determine whether the URL includes a redirect related function.
  - 8. The method of claim 5 wherein determining whether the redirect is to a local host if the HTTP request includes a redirect further comprises:
    - tokenizing the link parameters to produce a set of link parameter tokens;
      
      comparing the link parameter tokens to local host information using token matching criteria;
      
      wherein if the tokenized link parameters match the local host information based on the token matching criteria, the redirect is to a local host.
  - 9. The method of claim 5 wherein determining whether the redirect is to a local host if the HTTP request includes a redirect further comprises:
    - tokenizing the link parameters to produce a set of link parameter tokens;
      
      comparing the link parameter tokens to site aliases;
      
      wherein if the tokenized link parameters match at least one of the site aliases, the redirect is to a local host.

10. A computer-readable medium comprising processor-executable instructions that, when executed, direct a computer system to perform actions for securing a web server from phishing and leeching activity, the actions comprising:
- receiving a request to access content at an application security system;
  
  identifying a source of the request and a local host to which the request is directed using the application security system;
  
  determining whether the source of the request is an external source; and
  
  performing a responsive action if the source of the request is received from an external source.
- View Dependent Claims (11, 12, 13)
- - 11. The computer-readable medium of claim 10 wherein the responsive action includes blocking the request to prevent the request from reaching the local host.
  - 12. The computer-readable medium of claim 10 wherein the request is an HTTP request, and wherein identifying a source of the request and a local host to which the request is directed using the application security system further comprises:
    - tokenizing the contents of the referrer field from a HTTP request header of the HTTP request to produce a set of referrer tokens;
      
      tokenizing the host field from the HTTP request header to produce a set of host tokens;
      
      comparing the referrer tokens and the host tokens using a set of matching criteria;
      
      determining whether the referrer tokens and the host tokens match based on the set of matching criteria, wherein the request is external source if the referrer tokens and the host tokens do not match.
  - 13. The computer-readable medium of claim 10 wherein the request is an HTTP request, and wherein identifying a source of the request and a local host to which the request is directed using the application security system further comprises:
    - tokenizing the contents of the referrer field from a HTTP request header of the HTTP request to produce a set of referrer tokens;
      
      tokenizing the host field from the HTTP request header to produce a set of host tokens;
      
      comparing the referrer tokens and the host tokens using a set of site aliases;
      
      determining whether the referrer tokens and the host tokens match based on the set of site aliases, wherein the request is external source if the referrer tokens and the host tokens do not match.

14. A computer-readable medium comprising processor-executable instructions that, when executed, direct a computer system to perform actions for securing a web server by detecting phishing vulnerability, the actions comprising:
- receiving an HTTP request at an application security system;
  
  identifying link parameters in the HTTP request;
  
  determining whether the HTTP request includes a redirect to one of the link parameters;
  
  determining whether the redirect is to a local host if the HTTP request includes a redirect; and
  
  performing a responsive action if redirect is to external source.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The computer-readable medium of claim 14, further comprising instructions that, when executed, direct the computer system to perform actions comprising:
    - decoding URLs included in the link parameters if the URLs are encoded.
  - 16. The computer-readable medium of claim 14 wherein determining whether the HTTP request includes a redirect to one of the link parameters further comprises:
    - comparing a URL in a link parameter to a list of redirect related functions to determine whether the URL includes a redirect related function.
  - 17. The computer-readable medium of claim 14 wherein determining whether the redirect is to a local host if the HTTP request includes a redirect further comprises:
    - tokenizing the link parameters to produce a set of link parameter tokens;
      
      comparing the link parameter tokens to local host information using token matching criteria;
      
      wherein if the tokenized link parameters match the local host information based on the token matching criteria, the redirect is to a local host.
  - 18. The computer-readable medium of claim 14 wherein determining whether the redirect is to a local host if the HTTP request includes a redirect further comprises:
    - tokenizing the link parameters to produce a set of link parameter tokens;
      
      comparing the link parameter tokens to site aliases;
      
      wherein if the tokenized link parameters match at least one of the site aliases, the redirect is to a local host.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trustwave Holdings Incorporated (Singapore Telecommunications Limited)
Original Assignee
Trustwave Holdings Incorporated (Singapore Telecommunications Limited)
Inventors
Katz, Or, Mizrahi, Rami, Efron-Nitzan, Galit

Granted Patent

US 8,429,751 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/168 above the transport layer

Method and Apparatus for Phishing and Leeching Vulnerability Detection

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

223 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method and Apparatus for Phishing and Leeching Vulnerability Detection

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

223 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links