Systems and methods for enhancing electronic communication security
First Claim
1. An application layer security system, the system comprising:
a) at least one application server system communication interface communicatively coupling the security system to one or more application server systems;
b) a system data store capable of storing an electronic communication and accumulated data associated with received electronic communications; and
c) a system processor in communication with the system data store and the at least one application server system communication interface, wherein the system processor comprises one or more processing elements and wherein the system processor;
i) receives an electronic communication from a remote system and directed to or from a selected application server system;
ii) applies a plurality of anomaly types of tests to each of the received electronic communication, wherein the plurality of tests combine to evaluate the received electronic communication for a plurality of security risk categories, each of the plurality of tests being operable to measure different behavioral attributes present in at least one of the plurality of security risk categories, the behavioral attributes comprising characteristics of the electronic communication which when taken alone are not determinative of a classification associated with the communication, however, when taken in combination with other behavioral attributes can be used to identify a communication classification;
iii) stores in the system data store (1) a risk profile associated with the received electronic communication based upon the applied plurality of tests, the risk profile including an array comprising the results of each of the plurality of anomaly types of tests applied to each of the electronic communication; and
(2) a queue data store with an index queue associated with each of the plurality of test types;
iv) determines whether an anomaly exists with respect to the received electronic communication based upon the stored risk profile and accumulated data associated with received electronic communications from the system data store, the determination being based on comparing the behavioral attributes associated with the currently received electronic communication with identified behavioral attributes associated previously received and classified communications, the previously received and classified communications comprising both known non-anomalous communications and known anomalous communications; and
v) outputs an anomaly indicator signal if an anomaly is determined to exist based upon the comparison of the behavioral attributes of the communication with identified attributes of previously received and classified communications.
Abstract
The present invention is directed to systems and methods for enhancing electronic communication security. An electronic communication related to an application is received and stored. One or more risk assessments are made with respect to the received communication thereby generating a risk profile associated with the communication. The risk profile is analyzed with respect to data associated with previously received communications to determine if the received communication is anomalous. If the received communication is determined to be anomalous, an anomaly indicator signal is output.
64 Claims
Claim 1 is set out in full above. Dependent claims: 2-41
42. A method for enhancing application layer communication security, the method comprising the steps of:
a) receiving an electronic communication directed to or from a selected application server system, wherein the received electronic communication is an application layer communication;
b) applying a plurality of anomaly types of tests to each of the received electronic communication, wherein the plurality of tests evaluate the received electronic communication for a plurality of security risk categories, each of the plurality of tests being operable to measure different behavioral attributes present in at least one of the plurality of security risk categories, the behavioral attributes comprising characteristics which when taken alone are not determinative of a classification associated with the communication, however, when taken in combination with other behavioral attributes can be used to identify a communication classification, thereby generating at least one risk profile associated with the electronic communication, and storing in a system data store (1) a risk profile associated with the received electronic communication based upon the applied plurality of tests, the risk profile including an array comprising the results of each of the plurality of anomaly types of tests applied to each of the electronic communication and (2) a queue data store with an index queue associated with each of the plurality of test types;
c) determining whether an anomaly exists with respect to the received electronic communication based upon a comparison of the behavioral attributes associated with the currently received electronic communication and identified attributes associated with previously received and classified communications, the previously received and classified communications comprising both known non-anomalous communications and known anomalous communications; and
d) outputting an anomaly indicator signal if an anomaly is determined to exist based upon the comparison of the behavioral attributes of the communication with identified attributes of previously received and classified communications.
Dependent claims: 43-55
56. Computer readable storage media storing instructions that upon execution by a system processor cause the system processor to provide application layer security, the media having stored instruction that cause the system processor to perform the steps comprising of:
a) receiving an electronic communication directed to or from a selected application server system, wherein the received electronic communication is an application layer communication;
b) applying a plurality of anomaly types of tests to each of the received electronic communication, wherein the plurality of tests evaluate the received electronic communication for a plurality of security risk categories, each of the plurality of tests being operable to measure different behavioral attributes present in at least one of the plurality of security risk categories, the behavioral attributes comprising characteristics which when taken alone are not determinative of a classification associated with the communication, however, when taken in combination with other behavioral attributes can be used to identify a communication classification, thereby generating at least one risk profile associated with the electronic communication, and storing in a system data store (1) the risk profile associated with the received electronic communication based upon the applied plurality of tests, the risk profile including an array comprising the results of each of the plurality of anomaly types of tests applied to each of the electronic communication and (2) a queue data store with an index queue associated with each of the plurality of test types;
c) determining whether an anomaly exists with respect to the received electronic communication based upon a comparison of the behavioral attributes associated with the currently received electronic communication and identified attributes associated with previously received and classified communications, the previously received and classified communications comprising both known non-anomalous communications and known anomalous communications; and
d) outputting an anomaly indicator signal if an anomaly is determined to exist based upon the comparison of the behavioral attributes of the communication with identified attributes of previously received and classified communications.
Dependent claims: 57-62
63. An application layer security system, the system comprising:
a) receiving means for receiving an application layer electronic communication;
b) storing means for storing an electronic communication and accumulated data associated with received electronic communications;
c) assessment means for applying a plurality of anomaly types of tests to each of the received electronic communication, wherein the plurality of tests evaluate the received electronic communication for a plurality of security risk categories each of the plurality of tests being operable to measure different behavioral attributes present in a particular security risk category from among the plurality of security risk categories, the behavioral attributes comprising characteristics which when taken alone are not determinative of a classification associated with the communication, however, when taken in combination with other behavioral attributes can be used to identify a communication classification, and for storing a risk profile in the storing means, wherein the risk profile was generated from applying the plurality of tests to the received electronic communication, and thereby storing in a system data store (1) the risk profile associated with the received electronic communication based upon the applied plurality of tests, the risk profile including an array comprising the results of each of the plurality of anomaly types of tests applied to each of the electronic communication and (2) a queue data store with an index queue associated with each of the plurality of test types;
d) anomaly determining means for determining whether an anomaly exists with respect to the received communication based upon a comparison of the behavioral attributes associated with the currently received electronic communication and identified attributes associated with previously received and classified communications, the previously received and classified communications comprising both known non-anomalous communications and known anomalous communications; and
e) output means for outputting an anomaly indicator signal if an anomaly was determined to exist by the anomaly determining means based upon the comparison of the behavioral attributes of the communication with identified attributes of previously received and classified communications.
64. An application layer security system, the system comprising:
a) at least one application server system communication interface communicatively coupling the security system to one or more application server systems;
b) a system data store capable of storing an electronic communication and accumulated data associated with received electronic communications; and
c) a system processor in communication with the system data store and the at least one application server system communication interface, wherein the system processor comprises one or more processing elements and wherein the system processor;
i) receives an electronic communication directed to or from a selected application server system;
ii) applies a plurality of anomaly types of tests to each of the received electronic communication, wherein the plurality of tests combine to evaluate the received electronic communication for a plurality of security risk categories, each of the plurality of tests being operable to measure different behavioral attributes present in at least one of the plurality of security risk categories, the behavioral attributes comprising characteristics of the electronic communication which when taken alone are not determinative of a classification associated with the communication, however, when taken in combination with other behavioral attributes can be used to identify a communication classification;
iii) stores in the system data store (1) a risk profile associated with the received electronic communication based upon the applied plurality of tests, the risk profile including an array comprising the results of each of the plurality of anomaly types of tests applied to each of the electronic communication; and
(2) a queue data store having a plurality of index queue associated with the plurality of test types;
iv) determines whether an anomaly exists with respect to the received electronic communication based upon the stored risk profile and accumulated data associated with received electronic communications from the system data store; and
v) outputs an anomaly indicator signal if an anomaly is determined to exist;
wherein the system data store comprises;
i) a message data store capable of storing an electronic communication, and
ii) the queue data store capable of storing the plurality of index queues; and
wherein the system processor applies the plurality of tests in a sequential fashion by;
1) storing the received electronic communication in the message data store;
2) assigning a selected index to the stored electronic communication;
3) executing a plurality of testing engines, wherein each of the testing engines has a test type and has an index queue in the queue data store associated with it, wherein at any given time at least two of the executing testing engines have differing test types, and wherein each of the testing engines;
(a) monitors its associated index queue for a placed index;
(b) retrieves the electronic communication associated with the placed index from the message data store; and
(c) tests the retrieved electronic communication against a set of one or more criteria; and
4) placing the selected index into the index queue associated with a first testing engine, wherein the first testing engine has a first test type; and
5) placing the selected index into the index queue associated with a second testing engine, after the first testing engine performs its test upon the stored electronic communication associated with the selected index, wherein the second testing engine has a second test type that differs from the first test type.
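The sequential index-queue arrangement recited in claim 64 can be sketched as follows. This is an added illustration, not code from the patent: the three test types, their scoring, the constructed sample data and the nearest-profile comparison are all assumptions, and the engines run in a single thread instead of monitoring their queues concurrently.

```python
from collections import deque

# Hypothetical test types; each scores one behavioural attribute in 0..1.
def size_test(msg): return min(len(msg["body"]) / 1000, 1.0)
def recipient_test(msg): return min(len(msg["to"]) / 20, 1.0)
def link_test(msg): return min(msg["body"].count("http") / 5, 1.0)
ENGINES = [("size", size_test), ("recipients", recipient_test), ("links", link_test)]

# Constructed accumulated data: (risk profile, known anomalous?). Neither a high
# recipient score nor a high link score is anomalous alone; the pair is.
CLASSIFIED = [([0.02, 0.05, 0.0], False), ([0.10, 0.90, 0.0], False),
              ([0.10, 0.05, 0.8], False), ([0.10, 0.90, 0.8], True)]

class SecuritySystem:
    def __init__(self, classified):
        self.message_store = {}                               # index -> communication
        self.queues = {name: deque() for name, _ in ENGINES}  # one index queue per test type
        self.profiles = {}                                    # index -> array of test results
        self.classified = classified

    def receive(self, msg):
        idx = len(self.message_store)
        self.message_store[idx] = msg                         # steps 1-2: store, assign index
        self.profiles[idx] = []
        self.queues[ENGINES[0][0]].append(idx)                # step 4: first engine's queue
        return idx

    def run_engines(self):
        for pos, (name, test) in enumerate(ENGINES):          # step 3: each engine in turn
            while self.queues[name]:
                idx = self.queues[name].popleft()             # (a) placed index
                self.profiles[idx].append(test(self.message_store[idx]))  # (b)-(c)
                if pos + 1 < len(ENGINES):                    # step 5: pass to next test type
                    self.queues[ENGINES[pos + 1][0]].append(idx)

    def is_anomalous(self, idx):
        # Assumption: nearest previously classified profile (squared distance) decides.
        p = self.profiles[idx]
        dist = lambda q: sum((a - b) ** 2 for a, b in zip(p, q))
        return min(self.classified, key=lambda c: dist(c[0]))[1]

def demo():
    system = SecuritySystem(CLASSIFIED)
    everyone = [f"user{i}@corp.example" for i in range(18)]   # constructed input
    links = " ".join(f"http://site{i}.example/x" for i in range(4))
    notice = system.receive({"to": everyone, "body": "Office closed Friday."})
    blast = system.receive({"to": everyone, "body": links})
    system.run_engines()
    return system.is_anomalous(notice), system.is_anomalous(blast)
```

Both sample messages go to the same 18 recipients; only the one that also carries several links lands nearest a known anomalous profile, which is the "not determinative alone" property the claims describe.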
Specification