Computer code intrusion detection system based on acceptable retrievals
First Claim
1. A computer-implemented method for protecting computer code from malicious retrievers, the method comprising the steps of:
- observing a plurality of retrieval commands that access the computer code;
- observing responses to the plurality of retrieval commands generated by the computer code;
- deriving from the plurality of retrieval commands and the responses a set of retrieval information, the set of retrieval information comprising input vectors characterizing the plurality of retrieval commands;
- converting the set of retrieval information into at least one rule for determining whether retrieval commands are acceptable;
- generating retrieval information characteristic of data sent to a retriever by the computer code in response to a retrieval command issued by the retriever, the retrieval information comprising an input vector characterizing the retrieval command;
- determining whether the retrieval command is acceptable using at least some of the retrieval information as an input to the at least one rule; and
- responsive to the retrieval command being not acceptable, performing at least one of the following;
  - restricting the retrieval command from accessing the computer code,
  - allowing the retrieval command limited access to the computer code,
  - augmenting the command, and
  - investigating a sender of the command.
Abstract
Methods, apparati, and computer-readable media for protecting computer code (1) from malicious retrievers (3). A method embodiment of the present invention comprises the steps of generating (22) retrieval information characteristic of data sent to a retriever (3) by the computer code (1) in response to a retrieval command (5) issued by the retriever (3); accessing at least one rule (6) using at least some of said retrieval information as an input to said at least one rule (6); and, when said at least one rule (6) informs that the retrieval is not acceptable, flagging (28) the retrieval command (5) as suspicious.
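An added illustration of the train-then-check flow described in claim 1 and the abstract (not code from the patent). It assumes the protected code answers SQL-like commands, that the input vector is the command with its literals masked, and that the rule is a learned ceiling on rows returned; the function names, sample data and choice of responses are constructed for this example.

```python
import re

def input_vector(command: str) -> tuple:
    """Characterize a command by its shape: literals are masked so that
    commands differing only in constants share one vector (assumed encoding)."""
    masked = re.sub(r"'[^']*'|\b\d+\b", "?", command.strip().lower())
    return tuple(re.sub(r"\s+", " ", masked).split(" "))

def train(observations, slack=1.5):
    """Training phase: observe (command, rows_returned) pairs and convert them
    into one rule per input vector: a ceiling on rows the code may send back."""
    max_rows = {}
    for command, rows in observations:
        vec = input_vector(command)
        max_rows[vec] = max(max_rows.get(vec, 0), rows)
    return {vec: {"max_rows": int(n * slack)} for vec, n in max_rows.items()}

def evaluate(rules, command, rows_returned):
    """Detection phase: pick the rule whose vector matches, feed it the
    retrieval information, and choose a response from the claim's list."""
    rule = rules.get(input_vector(command))
    if rule is None:
        # Assumption: a command shape never seen in training has no rule,
        # so it is treated as not acceptable and its sender is investigated.
        return "investigate"
    if rows_returned > rule["max_rows"]:
        # Known shape, but far more data than this shape ever returned:
        # allow only limited access (e.g. truncate to the learned ceiling).
        return "limit"
    return "accept"

# Constructed training observations: (retrieval command, rows in the response).
TRAINING = [
    ("SELECT name, email FROM customers WHERE id = 17", 1),
    ("SELECT name, email FROM customers WHERE id = 42", 1),
    ("SELECT name FROM customers WHERE region = 'EU'", 40),
    ("SELECT name FROM customers WHERE region = 'US'", 55),
]

if __name__ == "__main__":
    rules = train(TRAINING)
    for cmd, rows in [
        ("SELECT name FROM customers WHERE region = 'APAC'", 60),
        ("select name, email from customers where id = 99", 5000),
        ("SELECT * FROM customers", 5000),
    ]:
        print(f"{evaluate(rules, cmd, rows):12} rows={rows:<5} {cmd}")
```

Keying the rule on the masked command shape mirrors claim 32, where a rule is applied only when the command's input vector matches the vector associated with that rule.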
32 Claims
31. A computer-readable medium containing computer program instructions for protecting computer code from malicious retrievers, the computer program instructions performing the steps of:
- observing a plurality of retrieval commands that access the computer code;
- observing responses to the plurality of retrieval commands generated by the computer code;
- deriving from the plurality of retrieval commands and the responses a set of retrieval information, the set of retrieval information comprising input vectors characterizing the plurality of retrieval commands;
- converting the set of retrieval information into at least one rule for determining whether retrieval commands are acceptable;
- generating retrieval information characteristic of data sent to a retriever by the computer code in response to a retrieval command issued by the retriever, the retrieval information comprising an input vector characterizing the retrieval command;
- determining whether the retrieval command is acceptable using at least some of the retrieval information as an input to the at least one rule; and
- responsive to the retrieval command being not acceptable, performing at least one of the following;
  - restricting the retrieval command from accessing the computer code,
  - allowing the retrieval command limited access to the computer code,
  - augmenting the command, and
  - investigating a sender of the command.
32. Apparatus for protecting computer code from malicious retrievers, the apparatus comprising:
- a computer processor;
- a training module configured to be executed by the computer processor for observing a plurality of retrieval commands that access the computer code, observing responses to the plurality of retrieval commands generated by the computer code, and deriving from the plurality of retrieval commands and the responses a set of retrieval information, the set of retrieval information comprising input vectors characterizing the plurality of retrieval commands;
- a computation module configured for converting the set of retrieval information into at least one rule for determining whether retrieval commands are acceptable, the at least one rule associated with an input vector, generating retrieval information characteristic of data sent to a retriever by the computer code in response to a retrieval command issued by the retriever, the retrieval information comprising an input vector characterizing the retrieval command, and responsive to the input vector of the retrieval information matching the input vector associated with the at least one rule, determining whether the retrieval command is acceptable using at least some of the retrieval information as an input to the at least one rule; and
- a post flagging module communicatively connected with the training module and the computation module, the post flagging module configured for responsive to the retrieval command being not acceptable by performing at least one of the following;
  - restricting the retrieval command from accessing the computer code,
  - allowing the retrieval command limited access to the computer code,
  - augmenting the command, and
  - investigating a sender of the command.
Specification