Inferencing data types of message components
Abstract
A security gateway receives messages and extracts components thereof, typically in the form of field name-value pairs. The security gateway determines a data type of the values for individual field names to infer the most restrictive data type of the values for that field. The security gateway may then generate rules that block messages whose values do not match the most restrictive data type. Since the most restrictive data type defines a data type of values for the field as narrowly as possible, the generated rules will make it more difficult for an intruder to guess a valid data type of a value. Since messages that have values that do not match the most restrictive data type are likely to represent malicious attacks, the more narrowly the data type of values is defined, the greater the number of illegitimate messages that will be blocked.
19 Claims
1. A method of a device for filtering messages routed across a network, the messages including field name-value pairs, the method comprising:
- extracting, by a filter configured on a device, field name-value pairs from messages received via a network;
- determining, by a learning engine configured on the device, a most restrictive data type of values from a plurality of data types of values for a field name of the extracted field name-value pairs;
- determining, by the learning engine, a match factor for a data type, the match factor indicating a fraction of values for the same field name that match the data type;
- selecting, by the learning engine, a data type having a match factor exceeding a threshold and having no child data types with a match factor exceeding the threshold; and
- storing, by the device, the most restrictive data type in association with the field name.
Dependent claims: 2, 3, 4.
5. A method of a device for filtering Uniform Resource Locator (URL) messages routed across a network, wherein the messages include URL components, the method comprising:
- extracting, by a filter configured on a device, URL components from messages received via a network;
- determining, by a learning engine configured on the device, for URL components at a same level, with a same root URL component, a most restrictive data type from a plurality of data types of extracted URL components at the same level;
- determining, by the learning engine, a match factor for a data type, the match factor indicating a fraction of URL components at the same level, with the same root URL component, that match the data type; and
- selecting, by the learning engine, a data type having a match factor exceeding a threshold and having no child data types with a match factor exceeding the threshold; and
- storing, by the learning engine, the most restrictive data type in association with the URL components at the same level.
Dependent claims: 6, 7, 8.
9. A method of a device for inferencing a data type of scalar objects from messages routed across a network, the method comprising:
- identifying, by a message filter configured on a device, scalar objects from messages received via a network, each of the scalar objects having a data type from a plurality of data types;
- determining, by a learning engine configured on the device, a match factor for each data type of the scalar objects, the match factor indicating a fraction of the scalar objects that match the data type; and
- selecting, by the learning engine, a most restrictive data type from the plurality of data types of the scalar objects, the most restrictive data type having a match factor exceeding a threshold and having no child data types with a match factor exceeding the threshold.
Dependent claims: 10.
11. A system for inferencing a data type of scalar objects from messages routed across a network, the system comprising:
- a learning engine configured in a device for determining a match factor for each data type of the scalar objects, the match factor indicating a fraction of scalar objects identified from messages received via a network that match the data type; and
- wherein the learning engine of the device selects a most restrictive data type from a plurality of data types of the scalar objects, the most restrictive data type having a match factor exceeding a threshold and having no child data types with a match factor exceeding the threshold.
12. A system for filtering messages routed across a network, the messages including field name-value pairs, the system comprising:
- a learning engine configured on a device, for extracting field name-value pairs from messages received via a network, determining a most restrictive data type of values from a plurality of data types of values for a field name from the extracted field name-value pairs, and storing the most restrictive data type in association with the field name, determining a match factor for a data type, the match factor indicating a fraction of values for the same field name that match the data type, and selecting a data type having a match factor exceeding a threshold and having no child data types with a match factor exceeding the threshold; and
- a message filter configured on the device, for generating a rule which would allow messages having values of a field name that match the most restrictive data type.
Dependent claims: 13, 14, 15.
16. A system for filtering Uniform Resource Locator (URL) messages routed across a network, wherein the messages include URL components, the system comprising:
- a learning engine configured on a device, for extracting URL components from messages received from a network, determining, for URL components at a same level, with a same root URL component, a most restrictive data type from a plurality of data types of URL components at the same level, and storing the most restrictive data type in association with the URL components at the same level, determining a match factor for a data type, the match factor indicating a fraction of URL components at the same level, with the same root URL component, that match the data type, and selecting a data type having a match factor exceeding a threshold and having no child data types with a match factor exceeding the threshold; and
- a message filter configured on the device, for generating a rule which would allow messages having the URL components that match the most restrictive data type.
Dependent claims: 17, 18, 19.
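The selection rule recited in claims 1 and 12, worked through as an added Python example (not code from the patent or from any product). The type tree, the regex patterns, the 0.9 threshold, the root-to-leaf descent and the query-string training messages are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Assumed type tree (not from the page): name -> (parent, pattern).
# Every child pattern matches a subset of what its parent matches.
TYPES = {
    "any":       (None,        r"[\s\S]*"),
    "printable": ("any",       r"[\x20-\x7e]*"),
    "alnum":     ("printable", r"[A-Za-z0-9]+"),
    "alpha":     ("alnum",     r"[A-Za-z]+"),
    "integer":   ("alnum",     r"[0-9]+"),
}

def matches(type_name, value):
    return re.fullmatch(TYPES[type_name][1], value) is not None

def match_factor(type_name, values):
    """Fraction of observed values that match the data type."""
    return sum(matches(type_name, v) for v in values) / len(values)

def most_restrictive(values, threshold):
    """Descend from the root while some child still exceeds the threshold."""
    current = "any"
    while True:
        children = [t for t, (parent, _) in TYPES.items() if parent == current]
        passing = [c for c in children if match_factor(c, values) > threshold]
        if not passing:
            return current  # exceeds threshold, no child does
        current = max(passing, key=lambda c: match_factor(c, values))

def learn(messages, threshold=0.9):
    """Map each field name to its inferred most restrictive data type."""
    seen = defaultdict(list)
    for msg in messages:
        for name, value in parse_qsl(msg):
            seen[name].append(value)
    return {name: most_restrictive(vals, threshold) for name, vals in seen.items()}

def allowed(message, profile):
    """Allow rule: every learned field must match its stored data type."""
    return all(matches(profile[n], v) for n, v in parse_qsl(message) if n in profile)

# Constructed training traffic: 19 clean requests plus one malformed outlier.
TRAINING = [f"id={i}&name=user" for i in range(19)] + ["id=1%27+OR+1%3D1&name=bob"]
PROFILE = learn(TRAINING)  # {'id': 'integer', 'name': 'alpha'}
```

The single outlier gives `integer` a match factor of 0.95 for `id`, so a 0.9 threshold still learns `integer`, while a 0.99 threshold falls back to the broader `printable` type and the resulting rule blocks less.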
Specification