Method and apparatus for high-speed detection and blocking of zero day worm attacks

US 7,752,662 B2
Filed: 09/30/2004
Issued: 07/06/2010
Est. Priority Date: 02/20/2004
Status: Active Grant

First Claim

Patent Images

1. A method for detection of zero day worm attacks on a protected web application, wherein the method comprises:

parsing a hypertext transfer protocol (HTTP) request received by the protected web application to extract at least one HTTP request parameter;

comparing the at least one extracted HTTP request parameter against a normal behavior profile (NBP) of the protected web application comprises;

checking if the URL in the HTTP request of the protected web application is not listed in the reliable paths list;

checking if the URL in the HTTP request of the protected web application references a directory in the vulnerable directories list;

checking if a host header field in the HTTP request of the protected web application is invalid;

checking if the HTTP request of the protected web application does not include a session identifier;

checking if the HTTP request of the protected web application belongs to a previously established session;

wherein a deviation from the NBP of protected web application is identified if, all checks result with an affirmative answer;

a deviation from NBP identifies a zero day worm attack;

and generating an alert indicating a zero day worm attack if a deviation from the NBP is identified, wherein the zero day attack is an initial appearance of a web worm.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for detection and blocking of zero day worm attacks is disclosed. A zero day worm attack is the initial appearance of a new or revised Web worm. The method compares a hypertext transfer protocol (HTTP) request sent from an attacking computer (or server) to a predefined behavior profile of a protected Web application in order to detect a worm attack. A zero day worm attack based on the first data packet of an HTTP request can be detected.

46 Citations

View as Search Results

45 Claims

1. A method for detection of zero day worm attacks on a protected web application, wherein the method comprises:
- parsing a hypertext transfer protocol (HTTP) request received by the protected web application to extract at least one HTTP request parameter;
  
  comparing the at least one extracted HTTP request parameter against a normal behavior profile (NBP) of the protected web application comprises;
  
  checking if the URL in the HTTP request of the protected web application is not listed in the reliable paths list;
  
  checking if the URL in the HTTP request of the protected web application references a directory in the vulnerable directories list;
  
  checking if a host header field in the HTTP request of the protected web application is invalid;
  
  checking if the HTTP request of the protected web application does not include a session identifier;
  
  checking if the HTTP request of the protected web application belongs to a previously established session;
  
  wherein a deviation from the NBP of protected web application is identified if, all checks result with an affirmative answer;
  
  a deviation from NBP identifies a zero day worm attack;
  
  and generating an alert indicating a zero day worm attack if a deviation from the NBP is identified, wherein the zero day attack is an initial appearance of a web worm.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the vulnerable directories list comprises at least one directory name of a default directory of the web server of the protected web application.
  - 3. The method of claim 1, wherein a user pre-configures the vulnerable directories list of the protected web application.
  - 4. The method of claim 1, wherein the reliable paths list of the protected web application comprises at least one uniform resource locator (URL) that refers to at least one of the vulnerable directories of the protected web application.
  - 5. The method of claim 1, wherein the accepted hosts list comprises at least one host name permitted to access to the protected web application.
  - 6. The method of claim 1, wherein checking if the host header field is invalid further comprises:
    - checking if the host name in the HTTP request of the protected web application is not defined in the accepted hosts list of the protected web application, if the host header field includes an IP address and if the host header field is not included in the HTTP request of the protected web application.
  - 7. The method of claim 1, wherein the HTTP request parameter is at least one of a URL, a host name and a session identifier.
  - 8. The method of claim 1, wherein the parsing the HTTP request further comprises decoding the at least one extracted HTTP request parameter.
  - 9. The method of claim 1, wherein the alert is output via a display message, a print message, an electronic mail message and a short message service message.
  - 10. The method of claim 1, wherein the method further comprises blocking the zero day worm attack on the protected web application by dropping packets of the HTTP request.

11. A computer program product comprising computer-readable media with instructions that enable a computer to implement a method for detection of zero day worm attacks on a protected web application, wherein the method comprises:
- parsing a hypertext transfer protocol (HTTP) request received by the protected web application to extract at least one HTTP request parameter;
  
  comparing the at least one extracted HTTP request parameter against a normal behavior profile (NBP) of the protected web application comprises;
  
  checking if the URL in the HTTP request of the protected web application is not listed in the reliable paths list;
  
  checking if the URL in the HTTP request of the protected web application references a directory in the vulnerable directories list;
  
  checking if a host header field in the HTTP request of the protected web application is invalid;
  
  checking if the HTTP request of the protected web application does not include a session identifier;
  
  checking if the HTTP request of the protected web application belongs to a previously established session;
  
  wherein a deviation from the NBP of protected web application is identified if, all checks result with an affirmative answer;
  
  a deviation from NBP identifies a zero day worm attack;
  
  andgenerating an alert indicating a zero day worm attack if a deviation from the NBP is identified.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The computer program product of claim 11, wherein the vulnerable directories list of the protected web application comprises at least one directory name of a frequently accessed directory in the protected web application.
  - 13. The computer program product of claim 11, wherein a user pre-configures the vulnerable directories list of the protected web application.
  - 14. The computer program product of claim 11, wherein the reliable paths list of the protected web application comprises at least one uniform resource locator (URL) that refers to at least one of the vulnerable directories of the protected web application.
  - 15. The computer program product of claim 11, wherein the accepted hosts list comprises at least one host name permitted to access to the protected web application.
  - 16. The computer program product of claim 11, wherein checking if the host header field is invalid further comprises checking if the host name in the HTTP request of the protected web application is not defined in the accepted hosts list of the protected web application, if the host header field includes an IP address and if the host header field is not included in the HTTP request of the protected web application.
  - 17. The computer program product of claim 11, wherein the at least one extracted HTTP request parameter is at least one of a URL, a host name and a session identifier.
  - 18. The computer program product of claim 11, wherein parsing the HTTP request comprises decoding the at least one extracted HTTP request parameter.
  - 19. The computer program product of claim 11, wherein the alert is output via a display message, a print message, an electronic mail message and a short message service message.
  - 20. The computer program product of claim 11, wherein the method further comprises blocking the zero day worm attack on the protected web application by dropping packets of the application protocol request.

21. A method for high-speed detection of zero day worm attacks on a protected web application, wherein the method comprises:
- parsing a first data packet belonging to a hypertext transfer protocol (HTTP) request to the protected web application to extract at least one HTTP request parameter;
  
  comparing the at least one extracted HTTP request parameter against a normal behavior profile (NBP) of the protected web application comprises;
  
  checking if the URL in the HTTP request of the protected web application is not listed in the reliable paths list;
  
  checking if the URL in the HTTP request of the protected web application references a directory in the vulnerable directories list;
  
  checking if a host header field in the HTTP request of the protected web application is invalid;
  
  checking if the HTTP request of the protected web application does not include a session identifier;
  
  checking if the HTTP request of the protected web application belongs to a previously established session;
  
  wherein a deviation from the NBP of protected web application is identified if, all checks result with an affirmative answer;
  
  a deviation from NBP identifies a zero day worm attack;
  
  andgenerating an alert indicating a zero day worm attack if a deviation from the NBP was identified, wherein the zero day attack is an initial appearance of a web worm.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29)
- - 22. The method of claim 21, wherein the vulnerable directories list of the protected web application comprises at least one directory name of a default directory of the web server.
  - 23. The method of claim 21, wherein a user pre-configures the vulnerable directories list of the protected web application.
  - 24. The method of claim 21, wherein the reliable paths list of the protected web application comprises at least one uniform resource locator (URL) that refers to at least one of the vulnerable directories of the protected web application.
  - 25. The method of claim 21, wherein the accepted hosts list of the protected web application comprises at least one host name permitted to access to the protected web application.
  - 26. The method of claim 21, wherein the at least one extracted HTTP request parameter is at least one of a URL, a host name and a session identifier.
  - 27. The method of claim 21, wherein parsing the at least one extracted HTTP request comprises decoding the at least one extracted HTTP request parameter.
  - 28. The method of claim 21, wherein the alert is output via a display message, a print message, an electronic mail message and a short message service message.
  - 29. The method of claim 21, wherein the method further comprises blocking the zero day worm attack by dropping packets of the HTTP request.

30. A computer program product comprising computer-readable media with instructions that enable a computer to implement a method for detection of zero day worm attacks on a protected web application, wherein the method comprises:
- parsing a first data packet belonging to a hypertext transfer protocol (HTTP) request to the protected web application to extract at least one HTTP request parameter;
  
  comparing the at least one extracted HTTP request parameter against a normal behavior profile (NBP) of the protected web application comprises;
  
  checking if the URL in the HTTP request of the protected web application is not listed in the reliable paths list;
  
  checking if the URL in the HTTP request of the protected web application references a directory in the vulnerable directories list;
  
  checking if a host header field in the HTTP request of the protected web application is invalid;
  
  checking if the HTTP request of the protected web application does not include a session identifier;
  
  checking if the HTTP request of the protected web application belongs to a previously established session;
  
  wherein a deviation from the NBP of protected web application is identified if, all checks result with an affirmative answer;
  
  a deviation from NBP identifies a zero day worm attack;
  
  andgenerating an alert indicating a zero day worm attack if a deviation from the NBP was identified.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37)
- - 31. The computer program product of claim 30, wherein the vulnerable directories list of the protected web application comprises at least one directory name of a frequently accessed directory in the protected web application.
  - 32. The computer program product of claim 30, wherein a user pre-configures the vulnerable directories list of the protected web application.
  - 33. The computer program product of claim 30, wherein the reliable paths list of the protected web application comprises at least one uniform resource locator (URL) that refers to at least one of the vulnerable directories of the protected web application.
  - 34. The computer program product of claim 30, wherein the accepted hosts list of the protected web application comprises at least one host name permitted to access to the protected web application.
  - 35. The computer program product of claim 30, wherein parsing the HTTP request comprises decoding the at least one extracted HTTP request parameter.
  - 36. The computer program product of claim 30, wherein the alert is output via a display message, a print message, an electronic mail message and a short message service message.
  - 37. The computer program product of claim 30, wherein the method further comprises blocking the zero day worm attack by dropping packets of the HTTP request.

38. A security system for detection and blocking of zero day worm attacks on a protected web application, comprising:
- at least one network sensors for collecting and normalizing events respective of the protected web application;
  
  a secure server for building normal behavior profiles of protected web applications and analyzing hypertext transfer protocol (HTTP) requests sent to the protected web application comprises;
  
  checking if the URL in the HTTP request of the protected web application is not listed in the reliable paths list;
  
  checking if the URL in the HTTP request of the protected web application references a directory in the vulnerable directories list;
  
  checking if a host header field in the HTTP request of the protected web application is invalid;
  
  checking if the HTTP request of the protected web application does not include a session identifier;
  
  checking if the HTTP request of the protected web application belongs to a previously established session;
  
  wherein a deviation from the NBP of protected web application is identified if, all checks result with an affirmative answer;
  
  a deviation from NBP identifies a zero day worm attack;
  
  andconnectivity means enabling the plurality of network sensors to monitor traffic directed to the protected web applications.
- View Dependent Claims (39, 40, 41, 42, 43, 44, 45)
- - 39. The security system of claim 38, wherein the network sensor is at least an HTTP sensor.
  - 40. The security system of claim 38, wherein analyzing an HTTP request further comprises analyzing each of the data packets comprising the HTTP request of the protected web application.
  - 41. The security system of claim 40, wherein analyzing the HTTP request further comprises:
    - parsing the HTTP request to extract at least one HTTP request parameter;
      
      comparing the at least one extracted HTTP request parameter against the NBP of the web application; and
      
      generating an alert indicating a zero day worm attack if a deviation from the NBP was identified.
  - 42. The security system of claim 41, wherein parsing HTTP request further comprises generating the alert if the HTTP parameters cannot be extracted from the data packet.
  - 43. The security system of claim 41, wherein the at least one extracted HTTP request parameter is at least one of a URL, a host name and a session identifier.
  - 44. The security system of claim 41, wherein a detected zero day worm attack is blocked by dropping packets of the HTTP request.
  - 45. The security system of claim 38, wherein checking if the host header field is invalid further comprises checking if the host name in the HTTP request of the protected web application is not defined in the accepted hosts list of the protected web application, if the host header field includes an IP address and if the host header field is not included in the HTTP request of the protected web application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Imperva Incorporated (Thales SA)
Original Assignee
Imperva Incorporated (Thales SA)
Inventors
Boodaei, Michael, Kremer, Shlomo, Shulman, Amichai
Primary Examiner(s)
TRAN, ELLEN C

Application Number

US10/953,557
Publication Number

US 20050188215A1
Time in Patent Office

2,105 Days
Field of Search

726/22, 726/23, 726/24, 726/25
US Class Current

726/22
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 67/02   based on web technology, e....

H04L 69/22   Parsing or analysis of headers

Method and apparatus for high-speed detection and blocking of zero day worm attacks

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

46 Citations

45 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for high-speed detection and blocking of zero day worm attacks

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

46 Citations

45 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links