FALSE POSITIVE DETECTION REDUCTION SYSTEM FOR NETWORK-BASED ATTACKS

US 20170163663A1
Filed: 12/02/2015
Published: 06/08/2017
Est. Priority Date: 12/02/2015
Status: Active Grant

First Claim

Patent Images

1. A method of detecting a security attack through a network-based application, comprising:

receiving, by a processing device, a runtime request for invocation of a function;

determining, by the processing device, whether the function is included in a stored list of suspicious functions that are associated with a network attack; and

storing, by the processing device, information associated with the runtime request in in response to determining that the function is included in the list of suspicious functions.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system detects a security attack through a network-based application. The system receives a runtime request for invocation of a function and dynamically determines if the request for invocation of the function is associated with a cross-site scripting attack. In response to determine the function is associated with a cross-site scripting attack, the system stores information associated with the request, which is used for determining if the request is a legitimate request or a cross-site scripting attack.

Citations

20 Claims

1. A method of detecting a security attack through a network-based application, comprising:
- receiving, by a processing device, a runtime request for invocation of a function;
  
  determining, by the processing device, whether the function is included in a stored list of suspicious functions that are associated with a network attack; and
  
  storing, by the processing device, information associated with the runtime request in in response to determining that the function is included in the list of suspicious functions.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the list of suspicious functions comprises functions that exhibit one or more of the characteristics of being document object model idempotent, being debuggable or resulting in visual changes in response to execution of the functions.
  - 3. The method of claim 1, further comprising:
    - extracting, by the processing device, a runtime signature from the runtime request in response to determining that the function is included in the list of suspicious functions; and
      
      determining, by the processing device, whether the runtime request is a legitimate request based on the extracted runtime signature.
  - 4. The method of claim 3, wherein determining whether the runtime request is a legitimate request comprises comparing, by the processing device, the extracted runtime signature to a stored list of trusted signatures.
  - 5. The method of claim 1, further comprising:
    - performing, by the processing device, a hash operation on the runtime request in response to determining that the function is included in the list of suspicious functions; and
      
      determining, by the processing device, whether the runtime request is a legitimate request based on a resultant output value of the hash operation.
  - 6. The method of claim 5, wherein performing the hash operation comprises:
    - extracting, by the processing device, values from a memory stack associated with the runtime request; and
      
      performing, by the processing device, the hash operation on the extracted values.

7. An apparatus, comprising:
- a processing device; and
  
  a memory device coupled to the processing device, the memory device having instructions stored thereon that, in response to execution by the processing device, cause the processing device to perform operations comprising;
  
  receiving a runtime request for invocation of a function;
  
  determining whether the function is a predetermined function associated with a cross-site scripting attack; and
  
  storing information associated with the runtime request in response to determining that the function is the predetermined function.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The apparatus of claim 7, wherein the apparatus further comprises a display device, and wherein execution of the predetermined function results in a visual change of a display on the display device.
  - 9. The apparatus of claim 7, wherein the operations further comprise:
    - extracting elements from a memory stack in response to determining the function is the predetermined function;
      
      performing a hash operation with the elements; and
      
      comparing a resultant value from the hash operation to trusted values for determining whether the request is legitimate.
  - 10. The apparatus of claim 9, wherein the operations further comprise removing domain names from the elements, and wherein the hash operation is performed on the elements with the domain names removed.
  - 11. The apparatus of claim 7, wherein the operations further comprise:
    - generating a runtime signature based on the information associated with the runtime request; and
      
      comparing the runtime signature to one or more trusted signatures to determine whether the runtime request is legitimate.
  - 12. The apparatus of claim 7, wherein the operations further comprise determining whether the runtime request is legitimate based on a stack length associated with the function.
  - 13. The apparatus of claim 7, wherein the operations further comprise determining whether the runtime request is legitimate based on one or more functions performed precedent to receiving the runtime request.

14. A computer program stored on a tangible medium for a database system, the computer program comprising a set of instructions operable to:
- receive, by the database system, a function call;
  
  dynamically determine, by the database system, whether the function call is directed to a suspicious function associated with a cross-site scripting attack; and
  
  store, by the database system, identification information associated with the function call in response to determining the function call is directed to the suspicious function.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The computer program of claim 14, wherein invocation of the suspicious function adds a value to an accessible log.
  - 16. The computer program of claim 14, wherein the suspicious function is idempotent.
  - 17. The computer program of claim 14, wherein the set of instructions are further operable to:
    - generate, by the database system, a signature based on the identification information; and
      
      compare, by the database system, the signature to one or more trusted signatures to determine whether the function call is legitimate.
  - 18. The computer program of claim 17, wherein the identification information comprises one or more values extracted from a memory stack associated with the function call.
  - 19. The computer program of claim 17, wherein generating the signature comprises performing, by the database system, a hash operation on the identification information.
  - 20. The computer program of claim 14 wherein the identification information comprises one or more cookies associated with the function, and wherein the set of instructions are further operable to:
    - generate, by the database system, a signature based on the one or more cookies; and
      
      compare, by the database system, the signature to one or more trusted signatures to determine whether the function call is legitimate.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Gopalakrishnan, Amalkrishnan Chemmany, Prado, Angel, Kim, Sun Hwan, Kulkarni, Omkar Ramesh, Chabbewal, Harsimranjit Singh

Granted Patent

US 10,187,403 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1483   service impersonation, e.g....

H04L 67/02   based on web technology, e....

FALSE POSITIVE DETECTION REDUCTION SYSTEM FOR NETWORK-BASED ATTACKS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

FALSE POSITIVE DETECTION REDUCTION SYSTEM FOR NETWORK-BASED ATTACKS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links