RULE GENERALIZATION FOR WEB APPLICATION ENTRY POINT MODELING

US 20100269170A1
Filed: 06/30/2010
Published: 10/21/2010
Est. Priority Date: 02/18/2004
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

(a) maintaining, by a device intermediary to a client and a server, statistical data about messages of one or more user sessions that are rejected based on a rejection rule that rejects messages for having an identified attribute;

(b) determining, by the device, from the statistical data the frequency count at which messages having the identified attribute are rejected;

(c) comparing, by the device, the frequency count to a threshold;

(d) generating, by the device, responsive to the comparison, an exception rule to the rejection rule, the exception rule allowing messages having the identified attribute to pass;

(e) receiving, by the device, via a user session of the one or more user sessions a message having the identified attribute; and

(f) allowing, by the device, the message of the user session to pass between the client and the server based on the exception rule that allows messages having the identified attribute to pass.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security gateway receives messages, such as URL requests, rejected by a message filter based on a set of rules. The security gateway maintains frequencies with which the messages were rejected by the rules. The security gateway finds rejected messages having a high frequency of occurrence. Since messages having a high frequency of occurrences are more likely to represent legitimate requests rather than malicious attacks, the security gateway generates exception rules, which would allow similar messages to pass through the gateway.

103 Citations

View as Search Results

20 Claims

1. A method comprising:
- (a) maintaining, by a device intermediary to a client and a server, statistical data about messages of one or more user sessions that are rejected based on a rejection rule that rejects messages for having an identified attribute;
  
  (b) determining, by the device, from the statistical data the frequency count at which messages having the identified attribute are rejected;
  
  (c) comparing, by the device, the frequency count to a threshold;
  
  (d) generating, by the device, responsive to the comparison, an exception rule to the rejection rule, the exception rule allowing messages having the identified attribute to pass;
  
  (e) receiving, by the device, via a user session of the one or more user sessions a message having the identified attribute; and
  
  (f) allowing, by the device, the message of the user session to pass between the client and the server based on the exception rule that allows messages having the identified attribute to pass.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein step (a) further comprises operating, by the device, in a learning mode.
  - 3. The method of claim 1, wherein step (a) further comprises rejecting, by the device, messages having the identified attribute of a data type of a value in the message.
  - 4. The method of claim 1, wherein step (a) further comprises rejecting, by the device, messages having the identified attribute of a length of a value in the message.
  - 5. The method of claim 1, wherein step (b) further comprising weighting, by the device, the frequency count based on a source of the message.
  - 6. The method of claim 1, wherein step (b) further comprises maintaining by the device frequency counts for each attribute for which messages are rejected by a corresponding rejection rule.
  - 7. The method of claim 1, wherein step (c) further comprises comparing, by the device, the frequency count to the threshold calculated using a sensitivity parameter that identifies a number of messages that should be passed by the device.
  - 8. The method of claim 7, further comprising calculating the threshold as a product of the sensitivity parameter by a total number of messages of a predetermined time interval.
  - 9. The method of claim 1, wherein step (d) further comprises generating, by the device, a second exception rule to the rejection rule based on a second identified attribute of the rejection rule for rejecting messages for having an identified attribute
  - 10. The method of claim 1, wherein step (f) further comprises operating, by the device, in blocking mode.

11. A method comprising:
- (a) maintaining, by a device intermediary to a client and a server, a count of a number of times via one or more user sessions that messages having a predetermined attribute are rejected based on a rejection rule that rejects messages having the predetermined attribute;
  
  (b) determining, by the device, that the count of the number of times via the one or more user sessions that messages are rejected based on the rejection rule exceeds a threshold;
  
  (c) generating, by the device, an exception rule to the rejection rule responsive to the determination, the exception rule allowing messages having the predetermined attribute to pass;
  
  (d) receiving, by the device, via a user session a message having the predetermined attribute; and
  
  (e) allowing, by the device, the message of the user session to pass between the client and the server based on the exception rule that allows messages having the predetermined attribute to pass.

12. The method of claim 12, wherein step (a) further comprises maintaining, by the device, statistical data about messages via the one or more user sessions that are rejected based on the rejection rule.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The method of claim 12, wherein step (a) further comprises rejecting, by the device, messages having the predetermined attribute of a data type of a value in the message.
  - 14. The method of claim 12, wherein step (a) further comprises rejecting, by the device, messages having the predetermined attribute of a length of a value in the message.
  - 15. The method of claim 12, wherein step (b) further comprises weighting, by the device, the count of the number of times based on a source of the message.
  - 16. The method of claim 12, wherein step (b) further comprises maintaining by the device counts for each attribute for which messages are rejected by a corresponding rejection rule.
  - 17. The method of claim 12, wherein step (b) further comprises calculating, by the device, the threshold using a sensitivity parameter that identifies a number of messages that should be passed by the device.
  - 18. The method of claim 17, further comprising calculating the threshold as a product of the sensitivity parameter by a total number of messages of a predetermined time interval.
  - 19. The method of claim 12, wherein step (c) further comprises generating, by the device, a second exception rule to the rejection rule based on a second identified attribute of the rejection rule for rejecting messages for having an identified attribute
  - 20. The method of claim 12, wherein step (e) further comprises operating, by the device, in a blocking mode.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Teros, Inc. (Cloud Software Group)
Inventors
Chauhan, Abhishek, Mirani, Rajiv, Kohli, Prince, Nanduri, Priya

Granted Patent

US 8,695,083 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/12
CPC Class Codes

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/1425   Traffic logging, e.g. anoma...

RULE GENERALIZATION FOR WEB APPLICATION ENTRY POINT MODELING

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

103 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

RULE GENERALIZATION FOR WEB APPLICATION ENTRY POINT MODELING

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

103 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links