RULE GENERALIZATION FOR WEB APPLICATION ENTRY POINT MODELING
First Claim
1. A method comprising:
(a) maintaining, by a device intermediary to a client and a server, statistical data about messages of one or more user sessions that are rejected based on a rejection rule that rejects messages for having an identified attribute;
(b) determining, by the device, from the statistical data the frequency count at which messages having the identified attribute are rejected;
(c) comparing, by the device, the frequency count to a threshold;
(d) generating, by the device, responsive to the comparison, an exception rule to the rejection rule, the exception rule allowing messages having the identified attribute to pass;
(e) receiving, by the device, via a user session of the one or more user sessions a message having the identified attribute; and
(f) allowing, by the device, the message of the user session to pass between the client and the server based on the exception rule that allows messages having the identified attribute to pass.
8 Assignments
0 Petitions
Abstract
A security gateway receives messages, such as URL requests, rejected by a message filter based on a set of rules. The security gateway maintains frequencies with which the messages were rejected by the rules. The security gateway finds rejected messages having a high frequency of occurrence. Since messages having a high frequency of occurrences are more likely to represent legitimate requests rather than malicious attacks, the security gateway generates exception rules, which would allow similar messages to pass through the gateway.
103 Citations
20 Claims
1. A method comprising steps (a) through (f) as set out under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A method comprising:
(a) maintaining, by a device intermediary to a client and a server, a count of a number of times via one or more user sessions that messages having a predetermined attribute are rejected based on a rejection rule that rejects messages having the predetermined attribute;
(b) determining, by the device, that the count of the number of times via the one or more user sessions that messages are rejected based on the rejection rule exceeds a threshold;
(c) generating, by the device, an exception rule to the rejection rule responsive to the determination, the exception rule allowing messages having the predetermined attribute to pass;
(d) receiving, by the device, via a user session a message having the predetermined attribute; and
(e) allowing, by the device, the message of the user session to pass between the client and the server based on the exception rule that allows messages having the predetermined attribute to pass.
12. The method of claim 12, wherein step (a) further comprises maintaining, by the device, statistical data about messages via the one or more user sessions that are rejected based on the rejection rule.
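The following is an added illustration of the mechanism described in the abstract and in claims 1 and 11; it is not code from the patent or from any product implementing it. It models a rejection rule as a URL substring match (an assumed attribute model; the patent does not fix how an "identified attribute" is represented), keeps a per-rule rejection count and the set of distinct sessions that triggered it, and once the count reaches a threshold generates an exception rule so that later messages with the same attribute pass. The message stream is constructed for the demo.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Message:
    """A request seen by the gateway; session_id identifies the user session."""
    session_id: str
    url: str


@dataclass(frozen=True)
class RejectionRule:
    """Rejects any message whose URL contains `attribute` (assumed attribute model)."""
    name: str
    attribute: str

    def matches(self, msg: Message) -> bool:
        return self.attribute in msg.url


@dataclass
class Gateway:
    """Intermediary device: filters messages, tracks rejections, generalizes rules."""
    rules: list
    threshold: int
    # (rule name, attribute) -> number of rejections: the statistical data of step (a)
    rejections: Counter = field(default_factory=Counter)
    # (rule name, attribute) -> distinct sessions that were rejected under that rule
    sessions: dict = field(default_factory=dict)
    # generated exception rules, keyed by the attribute they whitelist
    exceptions: set = field(default_factory=set)

    def _maybe_generate_exception(self, rule: RejectionRule) -> bool:
        """Steps (b)-(d): compare the count to the threshold and emit an exception."""
        key = (rule.name, rule.attribute)
        if key not in self.exceptions and self.rejections[key] >= self.threshold:
            self.exceptions.add(key)
            return True
        return False

    def filter(self, msg: Message) -> str:
        """Return the verdict for one message and update the statistics."""
        for rule in self.rules:
            if not rule.matches(msg):
                continue
            key = (rule.name, rule.attribute)
            if key in self.exceptions:
                # Steps (e)-(f): the exception rule lets the message pass.
                return "allowed-by-exception"
            self.rejections[key] += 1
            self.sessions.setdefault(key, set()).add(msg.session_id)
            self._maybe_generate_exception(rule)
            return "rejected"
        return "allowed"

    def distinct_sessions(self, rule: RejectionRule) -> int:
        """How many different sessions hit the rule; useful as a second threshold."""
        return len(self.sessions.get((rule.name, rule.attribute), set()))


def run_demo(threshold: int = 3) -> dict:
    """Feed a constructed request stream through the gateway and report the results."""
    rule = RejectionRule(name="no-debug-param", attribute="debug=")
    gw = Gateway(rules=[rule], threshold=threshold)
    # Constructed sample traffic: several sessions legitimately use ?debug=0.
    stream = [
        Message("s1", "/login"),
        Message("s1", "/report?debug=0"),
        Message("s2", "/report?debug=0"),
        Message("s3", "/report?debug=0"),   # third rejection reaches the threshold
        Message("s4", "/report?debug=0"),   # now passes under the exception rule
    ]
    verdicts = [gw.filter(m) for m in stream]
    return {
        "verdicts": verdicts,
        "exceptions": sorted(gw.exceptions),
        "distinct_sessions": gw.distinct_sessions(rule),
    }


if __name__ == "__main__":
    print(run_demo())
```

Because the exception is generated purely from the rejection count, a deployment would normally also require the rejections to come from several distinct sessions (the `distinct_sessions` figure above) or from a training window of known-good traffic, so that a burst of repeated bad requests from one source does not by itself relax the rule; the patent's claim 11 counts rejections "via one or more user sessions", which leaves that choice open.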
Specification