AUTOMATIC GENERATION OF ATTRIBUTE VALUES FOR RULES OF A WEB APPLICATION LAYER ATTACK DETECTOR

US 20140317738A1
Filed: 07/22/2013
Published: 10/23/2014
Est. Priority Date: 04/22/2013
Status: Active Grant

First Claim

Patent Images

1. A method in a computing device communicatively coupled to a web application layer attack detector (AD), wherein the AD is communicatively coupled between a Hypertext Transfer Protocol (HTTP) client and a web application server to protect the web application server against web application layer attacks, and wherein the AD applies rules that each comprise a condition including a set of one or more attributes, wherein each of the set of attributes includes an attribute identifier and a set of one or more attribute values, the method comprising:

receiving, from the AD, an alert package comprising a web application layer request message sent by the HTTP client to the web application server, wherein the alert package was sent responsive to a set of one or more packets that collectively carried the web application layer request message and that resulted in the condition of one of the rules being met, wherein the set of packets are sent using a protocol stack including an application layer that carries web application layer request messages, a transport layer under the application layer to provide end-to-end communication services, and a network layer under the transport layer to route data supplied by the transport layer;

automatically generating, using the received alert package and without relying on a web application layer response message that may be sent by the web application server to the HTTP client, a new set of one or more attribute values for each of a set of one or more attribute identifiers; and

transmitting, for delivery to the AD, the new set of attribute values for each of the set of attribute identifiers for a different rule than the one of the rules that caused the sending of the alert package to be used in the AD'"'"'s protection of the web application server against web application layer attacks from the HTTP client or any other HTTP client.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a web application layer attack detector (AD) is coupled between an HTTP client and a web application server. Responsive to receipt of a set of packets from the HTTP client carrying a web application layer message that violates a condition of a security rule, the AD transmits an alert package to an automatic attribute value generation and rule feedback module (AVGRFM). The AVGRFM uses the alert package, and optionally other alert packages from the same AD or other ADs, to automatically generate a new set of attribute values for each of a set of attribute identifiers for use, by the AD or other ADs, in a different security rule than the violated security rule. The new set of attribute values may be used in an attack specific rule to detect a previously unknown web application layer attack.

67 Citations

View as Search Results

20 Claims

1. A method in a computing device communicatively coupled to a web application layer attack detector (AD), wherein the AD is communicatively coupled between a Hypertext Transfer Protocol (HTTP) client and a web application server to protect the web application server against web application layer attacks, and wherein the AD applies rules that each comprise a condition including a set of one or more attributes, wherein each of the set of attributes includes an attribute identifier and a set of one or more attribute values, the method comprising:
- receiving, from the AD, an alert package comprising a web application layer request message sent by the HTTP client to the web application server, wherein the alert package was sent responsive to a set of one or more packets that collectively carried the web application layer request message and that resulted in the condition of one of the rules being met, wherein the set of packets are sent using a protocol stack including an application layer that carries web application layer request messages, a transport layer under the application layer to provide end-to-end communication services, and a network layer under the transport layer to route data supplied by the transport layer;
  
  automatically generating, using the received alert package and without relying on a web application layer response message that may be sent by the web application server to the HTTP client, a new set of one or more attribute values for each of a set of one or more attribute identifiers; and
  
  transmitting, for delivery to the AD, the new set of attribute values for each of the set of attribute identifiers for a different rule than the one of the rules that caused the sending of the alert package to be used in the AD'"'"'s protection of the web application server against web application layer attacks from the HTTP client or any other HTTP client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein:
    - one of the set of attribute identifiers for the different rule is a source Internet Protocol (IP) address; and
      
      one of the new set of attribute values for the one attribute identifier is the IP address of the HTTP client.
  - 3. The method of claim 2, wherein:
    - at least one of the set of attribute identifiers for the one of the rules pertains to the web application layer request message instead of an IP address; and
      
      at least one of the set of attribute values for the at least one of the set of attribute identifiers is from the web application layer request message instead of the IP address of the HTTP client.
  - 4. The method of claim 1, further comprising:
    - receiving a second alert package comprising a second web application layer request message, wherein the second alert package was sent responsive to a second set of one or more packets that collectively carried the second web application layer request message and that resulted in the condition of the different rule being met;
      
      automatically generating, using the second alert package, a second new set of one or more attribute values for each of a second set of one or more attribute identifiers; and
      
      transmitting the second new set of attribute values for each of the second set of attribute identifiers for another rule.
  - 5. The method of claim 4, wherein:
    - the second alert package is received from the AD; and
      
      the second new set of attribute values is transmitted for delivery to the AD.
  - 6. The method of claim 4, wherein:
    - the second alert package is received from a different AD owned by a different business enterprise than a business enterprise that owns the AD.
  - 7. The method of claim 4, wherein:
    - the one of the rules is an attack specific type of rule in that all of its set of attribute values pertain to application layer request messages and not IP addresses of HTTP clients such that its condition being met indicated a suspected web application layer attack;
      
      the different rule is an attacker specific type of rule in that at least one of the new set of attribute values is an IP address of the HTTP client that was automatically learned as a result of its inclusion as a source IP address in the alert package that was received because of the condition of the attack specific type of rule being met; and
      
      the another rule is another attack specific type of rule in that all of the second set of attribute values pertain to application layer request messages and not IP addresses of HTTP clients such that the second set of attribute values for the another rule was automatically learned as a result of the different rule being met.
  - 8. The method of claim 1, wherein the alert package further comprises at least one of:
    - an Internet Protocol (IP) address from the set of packets;
      
      a port identifier from the set of packets; and
      
      an identifier of the one of the rules.
  - 9. The method of claim 1, wherein the different rule already existed at the AD when the set of packets resulted in the condition of the one of the rules being met.
  - 10. The method of claim 1, wherein said automatically generating comprises:
    - determining, using the received alert package, a set of one or more observed values for each of the set of attribute identifiers; and
      
      filtering, from the set of observed values, any observed values that cannot be considered indicative of a web application layer attack to create the new set of attribute values.

11. A computing device to be communicatively coupled to a web application layer attack detector (AD), wherein the AD is to be communicatively coupled between Hypertext Transfer Protocol (HTTP) clients and one or more web application servers to protect the one or more web application servers against web application layer attacks, wherein the AD is to apply rules that each comprise a condition including a set of one or more attributes, wherein each of the set of attributes is to include an attribute identifier and a set of one or more attribute values, the computing device comprising:
- a set of one or more network interfaces;
  
  an automatic attribute value generation and rule feedback module coupled to the set of network interfaces and comprising,an alert package reception module configured to receive, from the AD, alert packages that comprise web application layer request messages sent by the HTTP clients to the one or more web application servers, wherein the alert packages are to be sent responsive to sets of one or more packets that collectively carry the web application layer request messages and that result in the conditions of the rules being met, wherein the sets of packets are to be sent using a protocol stack including an application layer that carries web application layer request messages, a transport layer under the application layer to provide end-to-end communication services, and a network layer under the transport layer to route data supplied by the transport layer,an attribute value generation module configured to automatically generate, using the alert packages and without relying on a web application layer response messages that may be sent by the one or more web application servers to the HTTP clients, new sets of one or more attribute values for sets of one or more attribute identifiers, anda transmission module configured to transmit, for delivery to the AD, the new sets of attribute values for the sets of attribute identifiers for different rules than those rules that caused the sending of the alert packages, wherein the different rules are to be used in the AD'"'"'s protection of the one or more web application servers against web application layer attacks from the HTTP clients or any other HTTP clients.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The computing device of claim 11, wherein:
    - one of the set of attribute identifiers for the different rules is a source Internet Protocol (IP) address; and
      
      one of the new set of attribute values for the one attribute identifier is the IP address of one of the HTTP clients.
  - 13. The computing device of claim 12, wherein:
    - at least one of the set of attribute identifiers for the one of the rules is to pertain to the web application layer request message instead of any IP address; and
      
      at least one of the set of attribute values for the at least one of the set of attribute identifiers is to be from the web application layer request message instead of the IP address of the one of the HTTP clients.
  - 14. The computing device of claim 11, wherein:
    - the alert package reception module is further configured to receive an alert package comprising a web application layer request message, wherein the alert package was sent responsive to a set of one or more packets that collectively carried the web application layer request message and that resulted in the condition of one of the different rules being met;
      
      the attribute value generation module is further configured to automatically generate, using the alert package, a new set of one or more attribute values for each of a set of one or more attribute identifiers; and
      
      the transmission module is further configured to transmit the new set of attribute values for each of the set of attribute identifiers for another rule.
  - 15. The computing device of claim 14, wherein:
    - the alert package reception module is to receive the alert package from the AD; and
      
      the transmission module is to transmit the new set of attribute values for delivery to the AD.
  - 16. The computing device of claim 14, wherein:
    - the alert package reception module is to receive the alert package from a different AD owned by a different business enterprise than a business enterprise that owns the AD.
  - 17. The computing device of claim 14, wherein:
    - the one of the different rules is to be an attacker specific type of rule in that at least one of its set of attribute values is an IP address of one of the HTTP clients; and
      
      the another rule is to be an attack specific type of rule in that all of the set of attribute values pertain to application layer request messages and not IP addresses such that the set of attribute values for the another rule was automatically learned as a result of the one of the different rules being met.
  - 18. The computing device of claim 11, wherein one of the alert packages is to further comprise at least one of:
    - an Internet Protocol (IP) address from the set of packets that caused the one alert package to be sent;
      
      a port identifier from the set of packets that caused the one alert package to be sent; and
      
      an identifier of the rule having the condition that was met that caused the one alert package to be sent.
  - 19. The computing device of claim 11, wherein at least one of the different rules is to already exist at the AD when the set of packets that resulted in the condition of the one of the rules being met arrived at the AD.
  - 20. The computing device of claim 11, wherein the attribute value generation module is to automatically generate the new sets of attribute values by being configured to:
    - determine, using the received alert packages, sets of one or more observed values for each attribute identifier in respective sets of attribute identifiers; and
      
      filter, from the sets of observed values, any observed values that cannot be considered indicative of a web application layer attack to create the new sets of attribute values.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Imperva Incorporated (Thales SA)
Original Assignee
Imperva Incorporated (Thales SA)
Inventors
Be'ery, Tal Arieh, Shulman, Amichai, Hershkovitz, Shelly, Niv, Nitzan

Granted Patent

US 9,027,136 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/16   Implementing security featu...

H04L 63/168   above the transport layer

H04L 63/20   for managing network securi...

H04L 63/30   for supporting lawful inter...

H04L 67/02   based on web technology, e....

AUTOMATIC GENERATION OF ATTRIBUTE VALUES FOR RULES OF A WEB APPLICATION LAYER ATTACK DETECTOR

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

67 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

AUTOMATIC GENERATION OF ATTRIBUTE VALUES FOR RULES OF A WEB APPLICATION LAYER ATTACK DETECTOR

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

67 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links