Method and apparatus for high-speed detection and blocking of zero day worm attacks
Abstract
A method for detection and blocking of zero day worm attacks is disclosed. A zero day worm attack is the initial appearance of a new or revised Web worm. The method compares a hypertext transfer protocol (HTTP) request sent from an attacking computer (or server) to a predefined behavior profile of a protected Web application in order to detect a worm attack. A zero day worm attack based on the first data packet of an HTTP request can be detected.
46 Citations
45 Claims
1. A method for detection of zero day worm attacks on a protected web application, wherein the method comprises:
- parsing a hypertext transfer protocol (HTTP) request received by the protected web application to extract at least one HTTP request parameter;
- comparing the at least one extracted HTTP request parameter against a normal behavior profile (NBP) of the protected web application comprises;
- checking if the URL in the HTTP request of the protected web application is not listed in the reliable paths list;
- checking if the URL in the HTTP request of the protected web application references a directory in the vulnerable directories list;
- checking if a host header field in the HTTP request of the protected web application is invalid;
- checking if the HTTP request of the protected web application does not include a session identifier;
- checking if the HTTP request of the protected web application belongs to a previously established session;
- wherein a deviation from the NBP of protected web application is identified if all checks result with an affirmative answer; a deviation from NBP identifies a zero day worm attack;
- and generating an alert indicating a zero day worm attack if a deviation from the NBP is identified, wherein the zero day attack is an initial appearance of a web worm.
View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)

11. A computer program product comprising computer-readable media with instructions that enable a computer to implement a method for detection of zero day worm attacks on a protected web application, wherein the method comprises:
- parsing a hypertext transfer protocol (HTTP) request received by the protected web application to extract at least one HTTP request parameter;
- comparing the at least one extracted HTTP request parameter against a normal behavior profile (NBP) of the protected web application comprises;
- checking if the URL in the HTTP request of the protected web application is not listed in the reliable paths list;
- checking if the URL in the HTTP request of the protected web application references a directory in the vulnerable directories list;
- checking if a host header field in the HTTP request of the protected web application is invalid;
- checking if the HTTP request of the protected web application does not include a session identifier;
- checking if the HTTP request of the protected web application belongs to a previously established session;
- wherein a deviation from the NBP of protected web application is identified if all checks result with an affirmative answer; a deviation from NBP identifies a zero day worm attack;
- and generating an alert indicating a zero day worm attack if a deviation from the NBP is identified.
View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)

21. A method for high-speed detection of zero day worm attacks on a protected web application, wherein the method comprises:
- parsing a first data packet belonging to a hypertext transfer protocol (HTTP) request to the protected web application to extract at least one HTTP request parameter;
- comparing the at least one extracted HTTP request parameter against a normal behavior profile (NBP) of the protected web application comprises;
- checking if the URL in the HTTP request of the protected web application is not listed in the reliable paths list;
- checking if the URL in the HTTP request of the protected web application references a directory in the vulnerable directories list;
- checking if a host header field in the HTTP request of the protected web application is invalid;
- checking if the HTTP request of the protected web application does not include a session identifier;
- checking if the HTTP request of the protected web application belongs to a previously established session;
- wherein a deviation from the NBP of protected web application is identified if all checks result with an affirmative answer; a deviation from NBP identifies a zero day worm attack;
- and generating an alert indicating a zero day worm attack if a deviation from the NBP was identified, wherein the zero day attack is an initial appearance of a web worm.
View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29)

30. A computer program product comprising computer-readable media with instructions that enable a computer to implement a method for detection of zero day worm attacks on a protected web application, wherein the method comprises:
- parsing a first data packet belonging to a hypertext transfer protocol (HTTP) request to the protected web application to extract at least one HTTP request parameter;
- comparing the at least one extracted HTTP request parameter against a normal behavior profile (NBP) of the protected web application comprises;
- checking if the URL in the HTTP request of the protected web application is not listed in the reliable paths list;
- checking if the URL in the HTTP request of the protected web application references a directory in the vulnerable directories list;
- checking if a host header field in the HTTP request of the protected web application is invalid;
- checking if the HTTP request of the protected web application does not include a session identifier;
- checking if the HTTP request of the protected web application belongs to a previously established session;
- wherein a deviation from the NBP of protected web application is identified if all checks result with an affirmative answer; a deviation from NBP identifies a zero day worm attack;
- and generating an alert indicating a zero day worm attack if a deviation from the NBP was identified.
View Dependent Claims (31, 32, 33, 34, 35, 36, 37)

38. A security system for detection and blocking of zero day worm attacks on a protected web application, comprising:
- at least one network sensor for collecting and normalizing events respective of the protected web application;
- a secure server for building normal behavior profiles of protected web applications and analyzing hypertext transfer protocol (HTTP) requests sent to the protected web application comprises;
- checking if the URL in the HTTP request of the protected web application is not listed in the reliable paths list;
- checking if the URL in the HTTP request of the protected web application references a directory in the vulnerable directories list;
- checking if a host header field in the HTTP request of the protected web application is invalid;
- checking if the HTTP request of the protected web application does not include a session identifier;
- checking if the HTTP request of the protected web application belongs to a previously established session;
- wherein a deviation from the NBP of protected web application is identified if all checks result with an affirmative answer; a deviation from NBP identifies a zero day worm attack;
- and connectivity means enabling the plurality of network sensors to monitor traffic directed to the protected web applications.
View Dependent Claims (39, 40, 41, 42, 43, 44, 45)
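The five checks of the independent claims, written out as an added Python example that is not code from the patent or from any product. The normal behavior profile contents, the sample requests and the JSESSIONID cookie name are constructed assumptions, and the fifth check is implemented as "does not belong to a previously established session", an assumed reading that is the one consistent with the fourth check. The sample requests show why the conjunction of all checks matters: a first-time visitor with no session is not flagged because the requested path is in the reliable paths list.

```python
# Added example: the five NBP checks of claim 1 applied to the first packet of an HTTP request.
# Profile contents, sample requests and the JSESSIONID cookie name are constructed assumptions.
from dataclasses import dataclass

@dataclass
class NormalBehaviorProfile:
    hosts: frozenset            # Host header values the application legitimately serves
    reliable_paths: frozenset   # URL paths observed in normal (learned) traffic
    vulnerable_dirs: frozenset  # directories that worms typically probe
    known_sessions: frozenset   # session identifiers established earlier
    session_cookie: str = "JSESSIONID"

def parse_request(raw: str):
    """Return (path, headers) from the request line and header block of a raw HTTP request."""
    lines = raw.partition("\r\n\r\n")[0].split("\r\n")
    target = lines[0].split(" ", 2)[1]              # request-target, e.g. "/cart?x=1"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return target.split("?", 1)[0], headers

def session_id(headers: dict, cookie_name: str):
    """Extract the session identifier from the Cookie header, or None when absent."""
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == cookie_name and value:
            return value
    return None

def nbp_checks(raw: str, nbp: NormalBehaviorProfile) -> dict:
    """Evaluate the five claim checks; each True value is an 'affirmative answer'."""
    path, headers = parse_request(raw)
    sid = session_id(headers, nbp.session_cookie)
    return {
        "url_not_in_reliable_paths": path not in nbp.reliable_paths,
        "url_in_vulnerable_directory": any(path == d or path.startswith(d.rstrip("/") + "/") for d in nbp.vulnerable_dirs),
        "host_header_invalid": headers.get("host", "") not in nbp.hosts,
        "no_session_identifier": sid is None,
        # Assumption: the fifth check is read as "does NOT belong to a previously established session".
        "not_in_established_session": sid not in nbp.known_sessions,
    }

def is_zero_day_worm(raw: str, nbp: NormalBehaviorProfile) -> bool:
    """A deviation from the NBP (all five checks affirmative) is reported as a zero day worm attack."""
    return all(nbp_checks(raw, nbp).values())

NBP = NormalBehaviorProfile(hosts=frozenset({"shop.example.com"}), reliable_paths=frozenset({"/", "/index.html", "/cart"}),
                            vulnerable_dirs=frozenset({"/cgi-bin"}), known_sessions=frozenset({"abc123"}))
WORM_PROBE = "GET /cgi-bin/probe.cgi?x=1 HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n"      # unknown path, raw-IP host, no session
NEW_VISITOR = "GET /index.html HTTP/1.1\r\nHost: shop.example.com\r\n\r\n"       # no session yet, but a reliable path
```

Because only the request line and headers are needed, every check can be decided from the first data packet, which is what claims 21 and 30 rely on.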
Specification