PROTECTING AGAINST AND LEARNING ATTACK VECTORS ON WEB ARTIFACTS

US 20200137084A1
Filed: 10/25/2018
Published: 04/30/2020
Est. Priority Date: 10/25/2018
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a processor; and

memory configured to store one or more sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of protecting against attacks to web files hosted on a web server by;

performing a plurality of monitoring tasks by a service processor, the service processor being hosted by a baseboard management controller (BMC) and independent of a central processing unit (CPU) of the web server, the plurality of monitoring tasks comprising;

receiving a plurality of packets forming access requests made to the web files;

determining that a packet is suspicious when a source Internet Protocol (IP) address associated with the packet is not on a whitelist or a blacklist;

updating a learning block with information about each suspicious packet, the information comprising a signature associated with the suspicious packet, a source IP address associated with the suspicious packet, and a time indicating when the suspicious packet arrived;

updating a counter indicating a number of times a packet with the signature of the suspicious packet was received;

forwarding the suspicious packet to the web server when the counter is below a threshold;

not forwarding the suspicious packet to the web server when the counter is above the threshold; and

upon not forwarding the suspicious packet, analyzing the suspicious packet in conjunction with other packets previously determined to be suspicious, the analyzing comprising;

rearranging an order in which the suspicious packet and the other suspicious packets arrived to form a new arrival sequence of the suspicious packets;

matching the new arrival sequence of the suspicious packets to attack patterns stored in an attack pattern database; and

upon the new arrival sequence of the suspicious packets matching an attack pattern, adding source IP addresses associated with the suspicious packets matching the attack pattern to the blacklist.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A server includes a service processor hosted by a baseboard management controller (BMC) and independent of a CPU of the server. The server hosts web files. The service processor performs a set of monitoring tasks including receiving packets forming access requests made to the web files. A learning block is updated with information about suspicious packets. A counter is updated indicating a number of times a packet with a signature of a suspicious packet was received. When the counter reaches a threshold, a suspicious packet is analyzed in conjunction with other previously received suspicious packets. The analysis includes rearranging an arrival order of the suspicious packets into a new arrival sequence. The new arrival sequence of suspicious packets is matched to attack patterns in an attack pattern database. When the new arrival sequence matches an attack pattern, source IP addresses associated with the suspicious packets are added to a blacklist.

Citations

18 Claims

1. A system comprising:
- a processor; and
  
  memory configured to store one or more sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of protecting against attacks to web files hosted on a web server by;
  
  performing a plurality of monitoring tasks by a service processor, the service processor being hosted by a baseboard management controller (BMC) and independent of a central processing unit (CPU) of the web server, the plurality of monitoring tasks comprising;
  
  receiving a plurality of packets forming access requests made to the web files;
  
  determining that a packet is suspicious when a source Internet Protocol (IP) address associated with the packet is not on a whitelist or a blacklist;
  
  updating a learning block with information about each suspicious packet, the information comprising a signature associated with the suspicious packet, a source IP address associated with the suspicious packet, and a time indicating when the suspicious packet arrived;
  
  updating a counter indicating a number of times a packet with the signature of the suspicious packet was received;
  
  forwarding the suspicious packet to the web server when the counter is below a threshold;
  
  not forwarding the suspicious packet to the web server when the counter is above the threshold; and
  
  upon not forwarding the suspicious packet, analyzing the suspicious packet in conjunction with other packets previously determined to be suspicious, the analyzing comprising;
  
  rearranging an order in which the suspicious packet and the other suspicious packets arrived to form a new arrival sequence of the suspicious packets;
  
  matching the new arrival sequence of the suspicious packets to attack patterns stored in an attack pattern database; and
  
  upon the new arrival sequence of the suspicious packets matching an attack pattern, adding source IP addresses associated with the suspicious packets matching the attack pattern to the blacklist.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1 wherein the plurality of monitoring tasks comprise periodically checking the web files for changes indicating the web files have been compromised.
  - 3. The system of claim 1 wherein the plurality of monitoring tasks comprise:
    - requesting, by the service processor at a first time, that the web files be copied to a shared storage accessible by the service processor and host CPU to create a first copy;
      
      requesting, by the service processor at a second time, after the first time, that the web files be copied to the shared storage to create a second copy;
      
      comparing the second copy against the first copy to detect any changes indicated the web files were compromised; and
      
      generating an alert notification upon detecting the changes.
  - 4. The system of claim 1 wherein the plurality of monitoring tasks comprise:
    - requesting, by the service processor, that logs associated with the web files be copied to a shared storage accessible by the service processor and host CPU, the logs comprising entries storing access requests made to the web files;
      
      comparing the access requests against a database of attack patterns; and
      
      generating an alert notification upon detecting that an access request matches an attack pattern.
  - 5. The system of claim 1 wherein the service processor is powered independent of the host CPU.
  - 6. The system of claim 1 wherein the service processor and host CPU reside in a same single box.

7. A method for protecting against attacks to web files hosted on a web server comprising:
- performing a plurality of monitoring tasks by a service processor, the service processor being hosted by a baseboard management controller (BMC) and independent of a central processing unit (CPU) of the web server, the plurality of monitoring tasks comprising;
  
  receiving a plurality of packets forming access requests made to the web files;
  
  determining that a packet is suspicious when a source Internet Protocol (IP) address associated with the packet is not on a whitelist or a blacklist;
  
  updating a learning block with information about each suspicious packet, the information comprising a signature associated with the suspicious packet, a source IP address associated with the suspicious packet, and a time indicating when the suspicious packet arrived;
  
  updating a counter indicating a number of times a packet with the signature of the suspicious packet was received;
  
  forwarding the suspicious packet to the web server when the counter is below a threshold;
  
  not forwarding the suspicious packet to the web server when the counter is above the threshold; and
  
  upon not forwarding the suspicious packet, analyzing the suspicious packet in conjunction with other packets previously determined to be suspicious, the analyzing comprising;
  
  rearranging an order in which the suspicious packet and the other suspicious packets arrived to form a new arrival sequence of the suspicious packets;
  
  matching the new arrival sequence of the suspicious packets to attack patterns stored in an attack pattern database; and
  
  upon the new arrival sequence of the suspicious packets matching an attack pattern, adding source IP addresses associated with the suspicious packets matching the attack pattern to the blacklist.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7 wherein the plurality of monitoring tasks comprise periodically checking the web files for changes indicating the web files have been compromised.
  - 9. The method of claim 7 wherein the plurality of monitoring tasks comprise:
    - requesting, by the service processor at a first time, that the web files be copied to a shared storage accessible by the service processor and host CPU to create a first copy;
      
      requesting, by the service processor at a second time, after the first time, that the web files be copied to the shared storage to create a second copy;
      
      comparing the second copy against the first copy to detect any changes indicated the web files were compromised; and
      
      generating an alert notification upon detecting the changes.
  - 10. The method of claim 7 wherein the plurality of monitoring tasks comprise:
    - requesting, by the service processor, that logs associated with the web files be copied to a shared storage accessible by the service processor and host CPU, the logs comprising entries storing access requests made to the web files;
      
      comparing the access requests against a database of attack patterns; and
      
      generating an alert notification upon detecting that an access request matches an attack pattern.
  - 11. The method of claim 7 wherein the service processor is powered independent of the host CPU.
  - 12. The method of claim 7 wherein the service processor and host CPU reside in a same single box.

13. A computer program product, comprising a non-transitory computer-readable medium having a computer-readable program code embodied therein, the computer-readable program code adapted to be executed by one or more processors to implement a method comprising:
- performing a plurality of monitoring tasks by a service processor, the service processor being hosted by a baseboard management controller (BMC) and independent of a central processing unit (CPU) of the web server, the plurality of monitoring tasks comprising;
  
  receiving a plurality of packets forming access requests made to the web files;
  
  determining that a packet is suspicious when a source Internet Protocol (IP) address associated with the packet is not on a whitelist or a blacklist;
  
  updating a learning block with information about each suspicious packet, the information comprising a signature associated with the suspicious packet, a source IP address associated with the suspicious packet, and a time indicating when the suspicious packet arrived;
  
  updating a counter indicating a number of times a packet with the signature of the suspicious packet was received;
  
  forwarding the suspicious packet to the web server when the counter is below a threshold;
  
  not forwarding the suspicious packet to the web server when the counter is above the threshold; and
  
  upon not forwarding the suspicious packet, analyzing the suspicious packet in conjunction with other packets previously determined to be suspicious, the analyzing comprising;
  
  rearranging an order in which the suspicious packet and the other suspicious packets arrived to form a new arrival sequence of the suspicious packets;
  
  matching the new arrival sequence of the suspicious packets to attack patterns stored in an attack pattern database; and
  
  upon the new arrival sequence of the suspicious packets matching an attack pattern, adding source IP addresses associated with the suspicious packets matching the attack pattern to the blacklist.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computer program product of claim 13 wherein the plurality of monitoring tasks comprise periodically checking the web files for changes indicating the web files have been compromised.
  - 15. The computer program product of claim 13 wherein the plurality of monitoring tasks comprise:
    - requesting, by the service processor at a first time, that the web files be copied to a shared storage accessible by the service processor and host CPU to create a first copy;
      
      requesting, by the service processor at a second time, after the first time, that the web files be copied to the shared storage to create a second copy;
      
      comparing the second copy against the first copy to detect any changes indicated the web files were compromised; and
      
      generating an alert notification upon detecting the changes.
  - 16. The computer program product of claim 13 wherein the plurality of monitoring tasks comprise:
    - requesting, by the service processor, that logs associated with the web files be copied to a shared storage accessible by the service processor and host CPU, the logs comprising entries storing access requests made to the web files;
      
      comparing the access requests against a database of attack patterns; and
      
      generating an alert notification upon detecting that an access request matches an attack pattern.
  - 17. The computer program product of claim 13 wherein the service processor is powered independent of the host CPU.
  - 18. The computer program product of claim 13 wherein the service processor and host CPU reside in a same single box.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Inventors
Roy, Mainak, Gupta, Chitrak

Granted Patent

US 10,944,770 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/2455   Query execution

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 2221/034   Test or assess a computer o...

G06N 20/00   Machine learning

G06N 7/01   Probabilistic graphical mod...

H04L 63/0236   Filtering by address, proto...

H04L 63/101   Access control lists [ACL]

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

PROTECTING AGAINST AND LEARNING ATTACK VECTORS ON WEB ARTIFACTS

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

PROTECTING AGAINST AND LEARNING ATTACK VECTORS ON WEB ARTIFACTS

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links