IDENTIFYING A SECURITY THREAT TO A WEB-BASED RESOURCE

US 20180219890A1
Filed: 02/01/2017
Published: 08/02/2018
Est. Priority Date: 02/01/2017
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

monitoring access logs associated with user requests for a web-based resource;

identifying, based on the access logs, one or more parameters that index records of the web-based resource;

generating at least one baseline distribution of values of the one or more parameters;

calculating, based on the at least one baseline distribution, a baseline entropy of the one or more parameters;

generating at least one distribution of values of the one or more parameters associated with user requests made by a particular user;

calculating, based on the distribution, an entropy of the one or more parameters associated with the user requests made by the particular user;

comparing the entropy to the baseline entropy; and

if a difference between the baseline entropy and the entropy exceeds a threshold, determining that the user requests made by the particular user poses a security threat to the web-based resource.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Access logs associated with user requests for a web-based resource are monitored. Parameter(s) that index records of the web-based resource are identified. A baseline distribution(s) of values of the parameter(s) are generated and, based on the baseline distribution(s), a baseline entropy of the parameter(s) is calculated. A distribution(s) of values of the parameters associated with user requests made by a particular user is generated and, based on the distribution(s), an entropy of the parameter(s) associated with the user requests is calculated. The entropy is compared to the baseline entropy. If a difference between the baseline entropy and the entropy exceeds a threshold, it is determined that the particular user poses a security threat to the web-based resource.

Citations

20 Claims

1. A computer-implemented method comprising:
- monitoring access logs associated with user requests for a web-based resource;
  
  identifying, based on the access logs, one or more parameters that index records of the web-based resource;
  
  generating at least one baseline distribution of values of the one or more parameters;
  
  calculating, based on the at least one baseline distribution, a baseline entropy of the one or more parameters;
  
  generating at least one distribution of values of the one or more parameters associated with user requests made by a particular user;
  
  calculating, based on the distribution, an entropy of the one or more parameters associated with the user requests made by the particular user;
  
  comparing the entropy to the baseline entropy; and
  
  if a difference between the baseline entropy and the entropy exceeds a threshold, determining that the user requests made by the particular user poses a security threat to the web-based resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein identifying one or more parameters includes:
    - identifying one or more candidate parameters, wherein the one or more candidate parameters are associated with the user requests to the web-based resource;
      
      generating at least one distribution of values of the one or more candidate parameters;
      
      calculating, based on the at least one distribution of values of the one or more candidate parameters, respective entropies of the one or more candidate parameters; and
      
      determining, based on the respective entropies of the one or more candidate parameters, which of the one or more candidate parameters index the web-based resource.
  - 3. The method of claim 2, wherein determining which of the one or more candidate parameters index the web-based resource includes determining which of the respective entropies of the one or more candidate parameters are intermediate entropies of the respective entropies.
  - 4. The method of claim 1, wherein the at least one baseline distribution of values of the one or more parameters is associated with the user requests made by the particular user.
  - 5. The method of claim 1, wherein the at least one baseline distribution of values of the one or more parameters is associated with user requests made by a plurality of users.
  - 6. The method of claim 1, wherein:
    - generating the at least one baseline distribution of values includes generating a user-specific baseline distribution of values of the one or more parameters associated with user requests made by the particular user, and a global baseline distribution of values of the one or more parameters associated with user requests made by a plurality of users; and
      
      calculating a baseline entropy comprises calculating a user-specific baseline entropy based on the user-specific baseline distribution of values and a global baseline entropy based on the global baseline distribution of values.
  - 7. The method of claim 6, wherein comparing includes comparing the entropy to either or both of the user-specific baseline entropy and global baseline entropy.
  - 8. The method of claim 1, wherein the access requests are a hypertext transfer protocol requests made to a uniform resource locator.
  - 9. The method of claim 1, wherein the at least one baseline distribution is at least one baseline histogram, and the at least one distribution is at least one histogram.
  - 10. The method of claim 1, wherein monitoring, identifying, generating at least one baseline distribution of values, and calculating a baseline entropy, are performed for each of a plurality of web-based resources based on user requests made by each of a plurality of users.
  - 11. The method of claim 10, wherein generating at least one distribution, calculating the entropy, comparing and determining are performed for each of a plurality of users.
  - 12. The method of claim 1, further comprising providing an alert that the particular user poses a security threat to the web-based resource.

13. An apparatus comprising:
- a memory; and
  
  a communication interface configured to enable communications in a network;
  
  one or more processors coupled to the memory and to the communication interface, and configured to;
  
  monitor access logs associated with user requests for a web-based resource;
  
  identify, based on the access logs, one or more parameters that index records of the web-based resource;
  
  generate at least one baseline distribution of values of the one or more parameters;
  
  calculate, based on the at least one baseline distribution, a baseline entropy of the one or more parameters;
  
  generate at least one distribution of values of the one or more parameters associated with user requests made by the particular user;
  
  calculate, based on the distribution, an entropy of the one or more parameters associated with the user requests made by the particular user;
  
  compare the entropy to the baseline entropy; and
  
  if a difference between the baseline entropy and the entropy exceeds a threshold, determine that the user requests made by the particular user poses a security threat to the web-based resource.
- View Dependent Claims (14, 15, 16)
- - 14. The apparatus of claim 13, wherein one or more processors are configured to identify, based on the access logs, one or more parameters that index records of the web-based resource, by:
    - identifying one or more candidate parameters, wherein the one or more candidate parameters are associated with the user requests to the web-based resource;
      
      generating at least one distribution of values of the one or more candidate parameters;
      
      calculating, based on the at least one distribution of values of the one or more candidate parameters, respective entropies of the one or more candidate parameters; and
      
      determining, based on the respective entropies of the one or more candidate parameters, which of the one or more candidate parameters index the web-based resource.
  - 15. The apparatus of claim 14, wherein one or more processors are configured to determine which of the one or more candidate parameters index the web-based resource by determining which of the respective entropies of the one or more candidate parameters are intermediate entropies of the respective entropies.
  - 16. The apparatus of claim 13, wherein the one or more processors are configured:
    - generate a user-specific baseline distribution of values of the one or more parameters associated with user requests made by the particular user, and a global baseline distribution of values of the one or more parameters associated with user requests made by a plurality of users; and
      
      calculate a user-specific baseline entropy based on the user-specific baseline distribution of values and a global baseline entropy based on the global baseline distribution of values.

17. One or more non-transitory computer readable storage media encoded with instructions that, when executed by a processor, cause the processor to:
- monitor access logs associated with user requests for a web-based resource;
  
  identify, based on the access logs, one or more parameters that index records of the web-based resource;
  
  generate at least one baseline distribution of values of the one or more parameters;
  
  calculate, based on the at least one baseline distribution, a baseline entropy of the one or more parameters;
  
  generate at least one distribution of values of the one or more parameters associated with user requests made by the particular user;
  
  calculate, based on the distribution, an entropy of the one or more parameters associated with the user requests made by the particular user;
  
  compare the entropy to the baseline entropy; and
  
  if a difference between the baseline entropy and the entropy exceeds a threshold, determine that the user requests made by the particular user poses a security threat to the web-based resource.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory computer readable storage media of claim 17, wherein the instructions that cause the processor to identify, based on the access logs, one or more parameters that index records of the web-based resource, include instructions that cause the processor to:
    - identify one or more candidate parameters, wherein the one or more candidate parameters are associated with the user requests to the web-based resource;
      
      generate at least one distribution of values of the one or more candidate parameters;
      
      calculate, based on the at least one distribution of values of the one or more candidate parameters, respective entropies of the one or more candidate parameters; and
      
      determine, based on the respective entropies of the one or more candidate parameters, which of the one or more candidate parameters index the web-based resource.
  - 19. The non-transitory computer readable storage media of claim 18, wherein the instructions that cause the processor to determine which of the one or more candidate parameters index the web-based resource include instructions that cause the processor to determine which of the respective entropies of the one or more candidate parameters are intermediate entropies of the respective entropies.
  - 20. The non-transitory computer readable storage media of claim 17, wherein:
    - the instructions that cause the processor to generate the at least one baseline distribution of values include instructions that cause the processor to generate a user-specific baseline distribution of values of the one or more parameters associated with user requests made by the particular user, and a global baseline distribution of values of the one or more parameters associated with user requests made by a plurality of users; and
      
      the instructions that cause the processor to calculate a baseline entropy include instructions that cause the processor to calculate a user-specific baseline entropy based on the user-specific baseline distribution of values and a global baseline entropy based on the global baseline distribution of values.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Rehak, Martin

Granted Patent

US 10,574,679 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06N 5/04   Inference or reasoning models

H04L 63/14   for detecting or protecting...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 67/02   based on web technology, e....

IDENTIFYING A SECURITY THREAT TO A WEB-BASED RESOURCE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

IDENTIFYING A SECURITY THREAT TO A WEB-BASED RESOURCE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links