Stateful attack protection
First Claim
Patent Images
1. A computer-implemented method for protecting a computer network, comprising:
- monitoring communication traffic transmitted between clients outside the protected network and an application server inside the protected network over connections on the network that are associated with a stateful application protocol implemented by the application server;
implementing a state machine that tracks the connections between the clients and the application server, and makes transitions between state machine states based on application commands and replies generated by the clients and application server, in accordance with rules of the stateful application protocol, so as to detect respective application states of the connections;
analyzing a distribution of the application states so as to detect an attack on the application server; and
filtering traffic entering the network in order to block traffic participating in the attack, wherein analyzing the distribution comprises interpreting as indicative of the attack a number of connections in one of the application states that is beyond a certain number of standard deviations from an average number of connections in the other application states.
2 Assignments
0 Petitions
Accused Products
Abstract
A method for detecting an attack in a computer network includes monitoring communication traffic transmitted over connections on the network that are associated with a stateful application protocol so as to detect respective states of the connections, and analyzing a distribution of the states so as to detect the attack.
245 Citations
51 Claims
-
1. A computer-implemented method for protecting a computer network, comprising:
-
monitoring communication traffic transmitted between clients outside the protected network and an application server inside the protected network over connections on the network that are associated with a stateful application protocol implemented by the application server; implementing a state machine that tracks the connections between the clients and the application server, and makes transitions between state machine states based on application commands and replies generated by the clients and application server, in accordance with rules of the stateful application protocol, so as to detect respective application states of the connections; analyzing a distribution of the application states so as to detect an attack on the application server; and filtering traffic entering the network in order to block traffic participating in the attack, wherein analyzing the distribution comprises interpreting as indicative of the attack a number of connections in one of the application states that is beyond a certain number of standard deviations from an average number of connections in the other application states. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
-
-
18. Apparatus for protecting an application server inside a computer network in communication with clients outside the network, the apparatus comprising:
-
an interface; and a network security processor, which is adapted to monitor, via the interface. communication traffic transmitted between the clients and the application server over connections on the network that are associated with a stateful application protocol implemented by the application server;
to implement a state machine that tracks the connections between the clients and the application server, and makes transitions between state machine states based on application commands and replies generated by the clients and application server, in accordance with rules of the stateful application protocol, so as to detect respective application states of the connection;
to analyze a distribution of the application states so as to detect an attack on the application server; and
to filter traffic entering the network in order to block traffic participating in the attack, wherein the network security processor is adapted to interpret as indicative of the attack a number of connections in one of the application states that is beyond a certain number of standard deviations from an average number of connections in the other application states. - View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
-
-
35. A computer software product for protecting a computer network, the product comprising a tangible computer-readable medium in which program instructions are stored, which instructions, when read by a computer, cause the computer to monitor communication traffic transmitted between clients outside the protected network and an application server inside the protected network over connections on the network that are associated with a stateful application protocol implemented by the application server;
- to implement a state machine that tracks the connections between the clients and the application server, and makes transitions between state machine states based on application commands and replies generated by the clients and application server, in accordance with rules of the stateful application protocol, so as to detect respective application states of the connections;
to analyze a distribution of the application states so as to detect an attack on the application server; and
to filter traffic entering the network in order to block traffic participating in the attack, wherein the instructions cause the computer to interpret as indicative of the attack a number of connections in one of the application states that is beyond a certain number of standard deviations from an average number of connections in the other application states. - View Dependent Claims (36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51)
- to implement a state machine that tracks the connections between the clients and the application server, and makes transitions between state machine states based on application commands and replies generated by the clients and application server, in accordance with rules of the stateful application protocol, so as to detect respective application states of the connections;
Specification