Application layer security method and system

US 7,882,555 B2
Filed: 05/28/2003
Issued: 02/01/2011
Est. Priority Date: 03/16/2001
Status: Expired due to Fees

First Claim

Patent Images

1. An application layer security method comprising the steps of:

receiving, at an application-level switch at least partially implemented in hardware, an operation request to be executed by an application,identifying an application attribute of said operation request,identifying an application path associated with said identified application attribute,directing, at the application-level switch, said operation request to said identified application path, andapplying one or more pipes to a portion of said operation request, wherein said one or more pipes are security components, and a number and each individual type of said one or more pipes are defined according to said identified application path.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention provides an application layer security method and system to secure trusted computer applications from executing out of their intended and authorized scope caused by illegal or harmful operation requests received from a distrusted environment. In an embodiment of the invention, a protective layer is implemented in between a trusted application and distrusted application operation requests. In operation, the protective layer identifies an application path of each operation request. Depending on the application path identified, one or more security pipes scrutinize the application contents of the operation request to determine if the operation request is illegal or harmful to the application or a surrounding environment.

111 Citations

View as Search Results

22 Claims

1. An application layer security method comprising the steps of:
- receiving, at an application-level switch at least partially implemented in hardware, an operation request to be executed by an application,identifying an application attribute of said operation request,identifying an application path associated with said identified application attribute,directing, at the application-level switch, said operation request to said identified application path, andapplying one or more pipes to a portion of said operation request, wherein said one or more pipes are security components, and a number and each individual type of said one or more pipes are defined according to said identified application path.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 19, 20, 21, 22)
- - 2. The method of claim 1, wherein said step of identifying an application path comprises the step of comparing said identified application attribute to a predefined list of confirmed application attributes.
  - 3. The method of claim 2, wherein said identified application path is a trusted application path to said application.
  - 4. The method of claim 2, wherein said identified application path is a default application path.
  - 5. The method of claim 1, wherein one of said one or more pipes comprises the step of inspecting said portion of said operation request for improper database request syntax or the existence of one or more embedded database commands.
  - 6. The method of claim 1, wherein one of said one or more pipes comprises the step of inspecting said portion of said operation request for a known vulnerability pattern.
  - 7. The method of claim 1, wherein one of said one or more pipes comprises the step of blocking said operation request if said identified application path is designated as restricted by an owner of said application.
  - 8. The method of claim 1, wherein one of said one or more pipes comprises the step of blocking said operation request from being forwarded to a specified zone within a trusted network of said application.
  - 9. The method of claim 1, wherein one of said one or more pipes comprises the step of validating a parameter of said operation request according to predefined expression rules.
  - 10. The method of claim 1, wherein one of said one or more pipes comprises the step of protecting attribute values in said operation request, which are set by said application, from being modified.
  - 11. The method of claim 1, wherein one of said one or more pipes comprises the step of validating web service definitions and data structures of said operation request.
  - 12. The method of claim 1, wherein said step of directing said operation request to said identified application path is implemented by an application-level switch.
  - 19. The method of claim 1, wherein said identified application path is selected among a plurality of application paths, each of said plurality of application paths being associated with one or more pipes to be applied to a portion of said operation request in accordance with a routing scheme.
  - 20. The method of claim 19, further comprising the step of updating said routing scheme.
  - 21. The method of claim 20, wherein said step of updating said routing scheme comprises the step of dynamically altering said routing scheme.
  - 22. The method of claim 19, wherein one of said plurality of application paths is associated with a particular pipe not associated with another one of said plurality of application paths.

13. An application security system for protecting a trusted application comprising:
- an application-level switch at least partially implemented in hardware and comprising;
  
  an application attribute identifier, wherein said application attribute identifier identifies an application attribute of a message directed to or from said trusted application and identifies an application path associated with said identified application attribute; and
  
  a message router, wherein said message router routes each message to said identified application path associated with said message; and
  
  a number of security pipes, wherein said number of security pipes are security components to protect or monitor functionality of said trusted application, and wherein a portion of said number of security pipes are associated with said identified application path and are implemented on said message upon routing of said message to said application path.
- View Dependent Claims (14, 15)
- - 14. The application security system of claim 13, further comprising a message identifier, wherein said message identifier comprises a list of confirmed messages and compares said message to said list of confirmed messages to identify if said message is a confirmed message.
  - 15. The application security system of claim 14, wherein said message router routes a confirmed message to an application path having zero security pipes implemented thereon.

16. An application security method comprising the steps of:
- classifying, at an application-level switch at least partially implemented in hardware, an application attribute of a first message directed to or from a trusted application,identifying, at the application-level switch, a first application path associated with said classified application attribute of said first message,implementing on said first message a predetermined number of security pipes based on said identified first application path, wherein said predetermined number of security pipes are security components to protect or monitor functionality of a trusted application,classifying, at the application-level switch, an application attribute of a second message directed to or from a trusted application,identifying, at the application-level switch, a second application path associated with said classified application attribute of said second message,implementing on said second message a different predetermined number of security pipes based on said identified second application path.
- View Dependent Claims (17, 18)
- - 17. The application security method of claim 16, wherein said first message is a request and further comprising the step of comparing said first request to a list of confirmed requests and if said first request matches one of said list of confirmed requests, said predetermined number is zero.
  - 18. The application security method of claim 17, further comprising the step of dynamically updating said list of confirmed requests with another confirmed request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kavado, Inc. (Xcelera Inc.)
Original Assignee
Kavado, Inc. (Xcelera Inc.)
Inventors
Ben-Itzhak, Yuval
Primary Examiner(s)
Abrishamkar; Kaveh

Application Number

US10/446,054
Publication Number

US 20030204719A1
Time in Patent Office

2,806 Days
Field of Search

713/200
US Class Current

726/13
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/52   during program execution, e...

H04L 63/0245   Filtering by information in...

H04L 63/0281   Proxies

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/168   above the transport layer

Application layer security method and system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

111 Citations

22 Claims

Specification

Use Cases

Quick Links

Others

Application layer security method and system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

111 Citations

22 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others