Rule generalization for web application entry point modeling
First Claim
1. A method for adaptively generating exception rules to rejection rules for filtering messages, comprising:
(a) receiving, by an intermediary device between a client and a server, a first message of a first user session, the first message having a first URL comprising a plurality of hierarchically related URL components, the plurality of hierarchically related URL components comprising a first URL component and a second URL component, the second URL component being a descendant of the first URL component;
(b) rejecting, by the intermediary device, the first message based on a rejection rule that rejects messages having the first URL component;
(c) maintaining, by the intermediary device, a first number of user sessions each having one or more messages rejected based on the first URL component;
(d) maintaining, by the intermediary device, a second number of user sessions each having one or more messages rejected based on the second URL component;
(e) determining, by the intermediary device, that the first number of user sessions exceeds a threshold and that the second number of user sessions does not exceed the threshold;
(f) generating, by the intermediary device, an exception rule to the rejection rule responsive to the determination, the exception rule allowing messages having the first URL component to pass;
(g) receiving, by the intermediary device, a second message of the first user session having the first URL component; and
(h) allowing, by the intermediary device, the second message of the first user session to pass between the client and the server based on the exception rule that allows messages having the first URL component to pass.
8 Assignments
0 Petitions
Abstract
A security gateway receives messages, such as URL requests, that a message filter has rejected based on a set of rules. The security gateway maintains the frequencies with which the messages were rejected by the rules and finds rejected messages with a high frequency of occurrence. Since messages that occur with high frequency are more likely to represent legitimate requests than malicious attacks, the security gateway generates exception rules that allow similar messages to pass through the gateway.
239 Citations
21 Claims
1. (Independent claim; text as given under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
-
11. A system for adaptively generating exception rules to rejection rules for filtering messages received by an intermediary device, comprising:
a filter receiving a first message of a first user session, the first message having a first URL, the first URL comprising a plurality of hierarchically related URL components, the plurality of hierarchically related URL components comprising a first URL component and a second URL component, the second URL component being a descendant of a first URL component, wherein the first message is rejected based on a rejection rule that rejects messages having the first URL component; and
an engine maintaining, in memory, a first number of user sessions each having one or more messages rejected based on the first URL component, and a second number of user sessions each having one or more messages rejected based on the second URL component;
determining that the first number of user sessions exceeds a threshold and that the second number of user sessions does not exceed the threshold; and
generating an exception rule to the rejection rule for the first node associated with the first URL component responsive to the determination, the exception rule allowing messages having the first URL component to pass;
wherein the filter receives a second message of the first user session having the first URL component; and
allows the second message of the first user session to pass between the client and the server based on the exception rule that allows messages having the first URL component to pass.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20.
21. A method for adaptively generating exception rules to rejection rules for filtering messages, comprising:
(a) receiving, by an intermediary device between a client and a server, a first message of a first user session, the first message having a first URL comprising a plurality of hierarchically related URL components, the plurality of hierarchically related URL components comprising a first URL component and a second URL component, the second URL component being a descendant of the first URL component;
(b) rejecting, by the intermediary device, the first message based on a rejection rule that rejects messages having the first URL component;
(c) maintaining, by the intermediary device, a first number of user sessions each having one or more messages rejected based on the first URL component;
(d) maintaining, by the intermediary device, a second number of user sessions each having one or more messages rejected based on the second URL component;
(e) determining, by the intermediary device, that the first number of user sessions exceeds a threshold and the second number of user sessions does not exceed the threshold;
(f) generating, by the intermediary device, an exception rule to the rejection rule responsive to the determination, the exception rule allowing messages having the first URL component to pass;
(g) receiving, by the intermediary device, a second message of the first user session having the first URL component;
(h) identifying, by the intermediary device, that the second message having the first URL component is rejected by the rejection rule;
(i) determining, by the intermediary device, that the rejection rule has an exception rule that may allow a message that has been rejected by the rejection rule to pass; and
(j) allowing, by the intermediary device, the second message of the first user session to pass between the client and the server based on the exception rule that allows messages having the first URL component to pass.
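The per-node session counting and exception generation described in the claims above, as an added Python example that is not the patent's own implementation; the positive entry-point model used as the rejection rule, the threshold value, and the choice of the deepest node that exceeds the threshold while its child does not are assumptions made for illustration:

```python
from collections import defaultdict


def url_components(url):
    """Hierarchical URL components of a path: /a/b/c -> [/a, /a/b, /a/b/c]."""
    parts = [p for p in url.split("?", 1)[0].split("/") if p]
    return ["/" + "/".join(parts[: i + 1]) for i in range(len(parts))]


class Gateway:
    def __init__(self, known_entry_points, threshold):
        self.known = set(known_entry_points)       # assumed positive entry-point model
        self.threshold = threshold                 # sessions needed before generalizing
        self.rejected_sessions = defaultdict(set)  # component -> sessions rejected under it
        self.exceptions = set()                    # components whose messages may pass

    def rejection_rule(self, url):
        # assumed rejection rule: any URL outside the modelled entry points is rejected
        return url.split("?", 1)[0] not in self.known

    def handle(self, session, url):
        """Decide one message ('allow' or 'reject'), updating per-node session counts."""
        comps = url_components(url)
        if not self.rejection_rule(url):
            return "allow"
        if any(c in self.exceptions for c in comps):
            return "allow"                         # steps (h)-(j): exception applies
        for c in comps:                            # steps (c)/(d): one count per node
            self.rejected_sessions[c].add(session)
        self._generalize(comps)
        return "reject"

    def _generalize(self, comps):
        # steps (e)/(f): exception at the deepest node whose distinct-session count
        # exceeds the threshold while the next component on this path does not
        for parent, child in zip(comps, comps[1:] + [None]):
            if len(self.rejected_sessions[parent]) <= self.threshold:
                return
            child_count = len(self.rejected_sessions[child]) if child else 0
            if child_count <= self.threshold:
                self.exceptions.add(parent)
                return


def run_demo(threshold=3):
    """Constructed traffic: four sessions hit distinct report URLs the model lacks."""
    gw = Gateway(known_entry_points={"/app/login"}, threshold=threshold)
    first = [gw.handle(f"s{i}", f"/app/reports/{i}") for i in range(1, 5)]
    later = gw.handle("s1", "/app/reports/99")    # step (g): same session, same node
    other = gw.handle("s5", "/other/path")         # unrelated subtree stays rejected
    return first, later, other, sorted(gw.exceptions)
```

Because the exception lands at whichever ancestor has a high session count and a quiet child, a gateway built this way should bound how far up the hierarchy an exception may be placed.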
Specification