Using statistical analysis to generate exception rules that allow legitimate messages to pass through application proxies and gateways
First Claim
1. A computer-implemented method for adaptively filtering messages routed across a network by generating exception rules to rejection rules based on attributes of messages previously received and rejected, the method comprising:
- receiving, by a security gateway, a first message from a user, the first message comprising a cookie session identifier field and a value of the cookie session identifier;
- rejecting, by a message filter of the security gateway, the first message based on a rejection rule, the rejection rule rejecting messages having a cookie session identifier attribute, the cookie session identifier attribute indicating that the value of the cookie session identifier is different from a previously stored cookie session identifier value;
- incrementing, by the learning engine, a count of the number of messages from the user received via one or more user sessions within a predetermined amount of time and rejected based on the cookie session identifier attribute;
- based on the count for the attribute, determining, by the learning engine, a frequency with which messages with the cookie session identifier attribute were rejected based on the rejection rule;
- generating, by the learning engine, an exception rule to the rejection rule in response to determining that the frequency exceeds a threshold within the predetermined amount of time;
- receiving, by the security gateway, a second message having the cookie session identifier attribute; and
- allowing, by an adaptive filter of the security gateway, the second message, responsive to the exception rule.
Abstract
A security gateway receives messages rejected by a message filter based on a set of rules. The security gateway also receives the attributes of the rejected messages that triggered the rules. The security gateway maintains the frequencies with which messages having a particular attribute were rejected by the rules, and finds rejected messages or attributes with a high frequency of occurrence. Since messages or attributes with a high frequency of occurrence are more likely to represent legitimate requests than malicious attacks, the security gateway generates exception rules that allow messages having similar attributes to pass through the gateway.
239 Citations
47 Claims
1. (Independent claim; its text is given in full under First Claim above.) Dependent claims: 2 through 12.
13. A system for adaptively filtering messages routed across a network by generating exception rules to rejection rules based on attributes of messages previously received and rejected, the system comprising:
- a receiver which receives a first message from a user, the first message comprising a cookie session identifier field and a value of the cookie session identifier;
- a filter which rejects the first message based on a rejection rule, the rejection rule rejecting messages having a cookie session identifier attribute, the cookie session identifier attribute indicating that the value of the cookie session identifier is different from a previously stored cookie session identifier value;
- a learning engine, for incrementing, for the attribute, a count of the number of messages from the user received via one or more user sessions within a predetermined amount of time and rejected based on the cookie session identifier attribute, for determining, based on the count, a frequency with which messages with the cookie session identifier attribute were rejected based on the rejection rule, and for generating an exception rule to the rejection rule in response to determining that the frequency exceeds a threshold within the predetermined amount of time; and
- wherein the filter applies the exception rule to subsequent messages to determine whether to allow the subsequent messages.
Dependent claims: 14 through 24.
25. A computer program product comprising:
- a computer-readable medium having computer program code embodied therein for adaptively filtering messages routed across a network by generating exception rules to rejection rules based on attributes of messages previously received and rejected, the computer program code adapted to:
- receive a first message from a user, the first message comprising a cookie session identifier field and a value of the cookie session identifier;
- reject the first message based on a rejection rule, the rejection rule rejecting messages having a cookie session identifier attribute, the cookie session identifier attribute indicating that the value of the cookie session identifier is different from a previously stored cookie session identifier value;
- increment a count of the number of messages from the user received via one or more user sessions within a predetermined amount of time and rejected based on the cookie session identifier attribute;
- based on the count, determine a frequency with which messages with the cookie session identifier attribute were rejected based on the rejection rule;
- generate an exception rule to the rejection rule in response to determining that the frequency exceeds a threshold within the predetermined amount of time;
- receive a second message having the cookie session identifier attribute; and
- allow the second message based on the exception rule.
Dependent claims: 26 through 35.
36. A computer-implemented method for adaptively filtering messages routed across a network by generating exception rules to rejection rules based on attributes of messages previously received and rejected, the method comprising:
- receiving, by the security gateway, a first message from a user, the first message comprising a webpage that includes a password field and a user login field;
- rejecting, by the message filter, the first message based on a rejection rule for a field attribute, the field attribute indicating that one of the password field or the user login field exceeds a predetermined number of characters;
- incrementing, by the learning engine, a count of messages from the user received via one or more of a plurality of user sessions within a predetermined amount of time and rejected based on the field attribute;
- determining, by the learning engine based on the count, a frequency with which messages having the field attribute were rejected based on the rejection rule;
- generating, by the learning engine, an exception rule to the rejection rule in response to the determined frequency exceeding a threshold within the predetermined amount of time;
- receiving, by the security gateway, a second message having the field attribute; and
- allowing, by the adaptive filter, the second message responsive to the exception rule.
Dependent claims: 37 through 39.
40. A system for adaptively filtering messages routed across a network by generating exception rules to rejection rules based on attributes of messages previously received and rejected, the system comprising:
- a receiver which receives a first message from a user, the first message comprising a webpage that includes a password field and a user login field;
- a filter which rejects the first message based on a rejection rule for a field attribute, the field attribute indicating that one of the password field or the user login field exceeds a predetermined number of characters;
- a learning engine, for incrementing a count of messages from the user received via one or more of a plurality of user sessions within a predetermined amount of time and rejected based on the field attribute, for determining, based on the count, a frequency with which messages having the field attribute were rejected based on the rejection rule, and for generating an exception rule to the rejection rule in response to the determined frequency exceeding a threshold within the predetermined amount of time; and
- wherein the filter applies the exception rule to subsequent messages to determine whether to allow the subsequent messages.
Dependent claims: 41 through 43.
44. A computer program product comprising:
- a computer-readable medium having computer program code embodied therein for adaptively filtering messages routed across a network by generating exception rules to rejection rules based on attributes of messages previously received and rejected, the computer program code adapted to:
- receive a first message from a user, the first message comprising a webpage that includes a password field and a user login field;
- reject the first message based on a rejection rule for a field attribute, the field attribute indicating that one of the password field or the user login field exceeds a predetermined number of characters;
- increment, for the attribute, a count of messages from the user received via one or more of a plurality of user sessions within a predetermined amount of time and rejected based on the field attribute;
- based on the count, determine a frequency with which messages having the field attribute were rejected based on the rejection rule;
- generate an exception rule to the rejection rule in response to the determined frequency exceeding a threshold within the predetermined amount of time;
- receive a second message having the field attribute; and
- allow the second message based on the exception rule.
Dependent claims: 45 through 47.
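The claims above describe one control loop applied to two rejection rules (a cookie session identifier that differs from the stored one, and a login or password field that exceeds a length limit): the message filter rejects, the learning engine counts rejections per user and attribute within a time window, and once that frequency reaches a threshold it emits an exception rule that the adaptive filter applies to later messages. The following is an added example, written for this page and not the patent's or any assignee's code, that implements that loop in Python for both rule families. The class and function names, the threshold and window values, the 64-character field limit and the sample traffic are all constructed for illustration; the patent specifies none of them.

```python
"""Adaptive exception-rule gateway modelled on the claims above.

Added example, not the patent's code. Names, thresholds and the sample
traffic are constructed for illustration.
"""
from collections import defaultdict, deque

COOKIE_ATTR = "cookie_session_id_mismatch"   # rejection attribute of claims 1/13/25
FIELD_ATTR = "login_field_too_long"          # rejection attribute of claims 36/40/44


class AdaptiveGateway:
    """Security gateway = message filter + learning engine + adaptive filter."""

    def __init__(self, threshold=3, window=60.0, max_field_len=64):
        self.threshold = threshold          # rejections per window that trigger an exception
        self.window = window                # the "predetermined amount of time", in seconds
        self.max_field_len = max_field_len  # constructed limit for the field-length rule
        self.stored_session = {}            # user -> previously stored cookie session id
        self.rejected_at = defaultdict(deque)  # (user, attribute) -> rejection timestamps
        self.exception_rules = set()        # (user, attribute) pairs an exception now allows
        self.audit = []                     # every generated exception rule, for review

    # --- message filter: the rejection rules ----------------------------
    def rejecting_attribute(self, msg):
        """Return the attribute that trips a rejection rule, or None."""
        stored = self.stored_session.get(msg["user"])
        if stored is not None and msg.get("session_id") != stored:
            return COOKIE_ATTR
        for name in ("login", "password"):
            if len(msg.get(name, "")) > self.max_field_len:
                return FIELD_ATTR
        return None

    # --- learning engine -------------------------------------------------
    def learn(self, user, attr, now):
        """Count the rejection and, when the frequency inside the window reaches
        the threshold, generate an exception rule. Returns True if one was made."""
        stamps = self.rejected_at[(user, attr)]
        stamps.append(now)
        while stamps and now - stamps[0] > self.window:   # drop rejections outside the window
            stamps.popleft()
        if len(stamps) >= self.threshold and (user, attr) not in self.exception_rules:
            self.exception_rules.add((user, attr))
            self.audit.append((now, user, attr, len(stamps)))
            return True
        return False

    # --- adaptive filter -------------------------------------------------
    def handle(self, msg, now):
        """Decide one message: 'allow', 'reject' or 'allow-by-exception'."""
        user = msg["user"]
        attr = self.rejecting_attribute(msg)
        if attr is None:
            # the first accepted message fixes the session id later messages are compared to
            self.stored_session.setdefault(user, msg.get("session_id"))
            return "allow"
        if (user, attr) in self.exception_rules:
            return "allow-by-exception"
        self.learn(user, attr, now)   # the triggering message itself is still rejected
        return "reject"


def simulate(threshold=3, window=60.0):
    """Run constructed traffic through the gateway; return (decisions, exception rules)."""
    gw = AdaptiveGateway(threshold=threshold, window=window)
    traffic = [
        # alice establishes session s1, then keeps arriving with s2
        (0,   {"user": "alice", "session_id": "s1"}),
        (10,  {"user": "alice", "session_id": "s2"}),
        (20,  {"user": "alice", "session_id": "s2"}),
        (30,  {"user": "alice", "session_id": "s2"}),   # third rejection -> exception rule
        (40,  {"user": "alice", "session_id": "s2"}),   # allowed by the exception rule
        # bob's oversized login field is rejected until the frequency crosses the threshold
        (100, {"user": "bob", "session_id": "b1", "login": "x" * 100}),
        (110, {"user": "bob", "session_id": "b1", "login": "x" * 100}),
        (120, {"user": "bob", "session_id": "b1", "login": "x" * 100}),
        (130, {"user": "bob", "session_id": "b1", "login": "x" * 100}),
        # carol's mismatches are spread wider than the window: no exception is generated
        (200, {"user": "carol", "session_id": "c1"}),
        (210, {"user": "carol", "session_id": "c2"}),
        (300, {"user": "carol", "session_id": "c2"}),
        (400, {"user": "carol", "session_id": "c2"}),
    ]
    decisions = [gw.handle(msg, t) for t, msg in traffic]
    return decisions, sorted(gw.exception_rules)


if __name__ == "__main__":
    decisions, rules = simulate()
    for d in decisions:
        print(d)
    print("exception rules:", rules)
```

Two design points follow the claims directly: the count is kept per user and per attribute, so one user's rejections never relax the rule for another, and the message that pushes the frequency over the threshold is itself still rejected; only the subsequent message is allowed. The carol case shows why the window matters: three rejections spread over 200 seconds never reach the threshold within a 60-second window, so no exception is generated. The audit list records each generated exception rule with its timestamp and count so an operator can review what the learning engine has relaxed.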