AUTOMATIC GENERATION OF ATTRIBUTE VALUES FOR RULES OF A WEB APPLICATION LAYER ATTACK DETECTOR
Abstract
According to one embodiment, a web application layer attack detector (AD) is coupled between an HTTP client and a web application server. Responsive to receipt of a set of packets from the HTTP client carrying a web application layer message that violates a condition of a security rule, the AD transmits an alert package to an automatic attribute value generation and rule feedback module (AVGRFM). The AVGRFM uses the alert package, and optionally other alert packages from the same AD or other ADs, to automatically generate a new set of attribute values for each of a set of attribute identifiers for use, by the AD or other ADs, in a different security rule than the violated security rule. The new set of attribute values may be used in an attack specific rule to detect a previously unknown web application layer attack.
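One way the AVGRFM's generation step could work, as an added example that is not taken from the patent: it parses the request message in each alert package and emits the attribute values that recur across packages, for a rule other than the ones that fired. The alert-package field names, the three attribute identifiers, the recurrence threshold and the rule names are assumptions, and the sample packages are constructed.

```python
from collections import Counter, defaultdict

# Constructed alert packages; field names are assumptions, not the patent's format.
ALERTS = [
    {"rule_id": "sig-1001", "src_ip": "198.51.100.7", "request":
     "GET /search?q=a HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: scanbot/0.1\r\n\r\n"},
    {"rule_id": "sig-1001", "src_ip": "198.51.100.7", "request":
     "POST /login HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: scanbot/0.1\r\n\r\nu=a"},
    {"rule_id": "sig-2040", "src_ip": "203.0.113.9", "request":
     "GET /search?q=b HTTP/1.1\r\nHost: shop.example\r\n\r\n"},  # no User-Agent
]

def parse_request(raw):
    """Return (path, lower-cased header dict) from a raw HTTP request message."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[1].split("?", 1)[0], headers

def attributes_of(alert):
    """Map assumed attribute identifiers to the values in one alert package."""
    path, headers = parse_request(alert["request"])
    return {"source_ip": alert["src_ip"], "url_path": path,
            "user_agent": headers.get("user-agent", "")}

def generate_attribute_values(alerts, min_alerts=2):
    """Values seen in >= min_alerts packages, per attribute id (requests only)."""
    counts = defaultdict(Counter)
    for alert in alerts:
        for attr_id, value in attributes_of(alert).items():
            if value:  # skip attributes absent from this request
                counts[attr_id][value] += 1
    result = {}
    for attr_id, counter in counts.items():
        values = sorted(v for v, n in counter.items() if n >= min_alerts)
        if values:
            result[attr_id] = values
    return result

def feedback(alerts, target_rule="attack-specific-1"):
    """Build the update for a rule other than the ones that raised the alerts."""
    if target_rule in {a["rule_id"] for a in alerts}:
        raise ValueError("target must differ from the triggering rules")
    return {"rule_id": target_rule, "attributes": generate_attribute_values(alerts)}
```

Recurrence alone does not separate attack traffic from shared infrastructure: a NAT or proxy address, or a common browser User-Agent, can also repeat across alerts, so generated values should be checked against known-good traffic before they are pushed to a blocking rule.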
20 Claims
1. A method in a computing device communicatively coupled to a web application layer attack detector (AD), wherein the AD is communicatively coupled between a Hypertext Transfer Protocol (HTTP) client and a web application server to protect the web application server against web application layer attacks, and wherein the AD applies rules that each comprise a condition including a set of one or more attributes, wherein each of the set of attributes includes an attribute identifier and a set of one or more attribute values, the method comprising:
- receiving, from the AD, an alert package comprising a web application layer request message sent by the HTTP client to the web application server, wherein the alert package was sent responsive to a set of one or more packets that collectively carried the web application layer request message and that resulted in the condition of one of the rules being met, wherein the set of packets are sent using a protocol stack including an application layer that carries web application layer request messages, a transport layer under the application layer to provide end-to-end communication services, and a network layer under the transport layer to route data supplied by the transport layer;
- automatically generating, using the received alert package and without relying on a web application layer response message that may be sent by the web application server to the HTTP client, a new set of one or more attribute values for each of a set of one or more attribute identifiers; and
- transmitting, for delivery to the AD, the new set of attribute values for each of the set of attribute identifiers for a different rule than the one of the rules that caused the sending of the alert package to be used in the AD's protection of the web application server against web application layer attacks from the HTTP client or any other HTTP client.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
11. A computing device to be communicatively coupled to a web application layer attack detector (AD), wherein the AD is to be communicatively coupled between Hypertext Transfer Protocol (HTTP) clients and one or more web application servers to protect the one or more web application servers against web application layer attacks, wherein the AD is to apply rules that each comprise a condition including a set of one or more attributes, wherein each of the set of attributes is to include an attribute identifier and a set of one or more attribute values, the computing device comprising:
- a set of one or more network interfaces;
- an automatic attribute value generation and rule feedback module coupled to the set of network interfaces and comprising,
  - an alert package reception module configured to receive, from the AD, alert packages that comprise web application layer request messages sent by the HTTP clients to the one or more web application servers, wherein the alert packages are to be sent responsive to sets of one or more packets that collectively carry the web application layer request messages and that result in the conditions of the rules being met, wherein the sets of packets are to be sent using a protocol stack including an application layer that carries web application layer request messages, a transport layer under the application layer to provide end-to-end communication services, and a network layer under the transport layer to route data supplied by the transport layer,
  - an attribute value generation module configured to automatically generate, using the alert packages and without relying on a web application layer response messages that may be sent by the one or more web application servers to the HTTP clients, new sets of one or more attribute values for sets of one or more attribute identifiers, and
  - a transmission module configured to transmit, for delivery to the AD, the new sets of attribute values for the sets of attribute identifiers for different rules than those rules that caused the sending of the alert packages, wherein the different rules are to be used in the AD's protection of the one or more web application servers against web application layer attacks from the HTTP clients or any other HTTP clients.

Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20
Specification