Using statistical analysis to generate exception rules that allow legitimate messages to pass through application proxies and gateways

US 7,890,996 B1
Filed: 02/18/2004
Issued: 02/15/2011
Est. Priority Date: 02/18/2004
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for adaptively filtering messages routed across a network by generating exception rules to rejection rules based on attributes of messages previously received and rejected, the method comprising:

receiving, by a security gateway, a first message from a user, the first message comprising a cookie session identifier field and a value of the cookie session identifier;

rejecting, by a message filter of the security gateway, the first message based on a rejection rule, the rejection rule rejecting messages having a cookie session identifier attribute, the cookie session identifier attribute indicating that the value of the cookie session identifier is different from a previously stored cookie session identifier value;

incrementing, by the learning engine, a count of the number of messages from the user received via one or more user sessions within a predetermined amount of time and rejected based on the cookie session identifier attribute;

based on the count for the attribute, determining, by the learning engine, a frequency with which messages with the cookie session identifier attribute were rejected based on the rejection rule;

generating, by the learning engine, an exception rule to the rejection rule in response to determining that the frequency exceeds a threshold within the predetermined amount of time;

receiving, by the security gateway, a second message having the cookie session identifier attribute; and

allowing, by an adaptive filter of the security gateway, the second message, responsive to the exception rule.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security gateway receives messages rejected by a message filter based on a set of rules. The security gateway also receives attributes of the rejected messages that triggered the rules. The security gateway maintains frequencies with which the messages with a particular attribute were rejected by the rules. The security gateway finds rejected messages or attributes having a high frequency of occurrence. Since messages or attributes having a high frequency of occurrences are more likely to represent legitimate requests rather than malicious attacks, the security gateway generates exception rules, which would allow messages that have similar attributes to pass through the gateway.

239 Citations

47 Claims

1. A computer-implemented method for adaptively filtering messages routed across a network by generating exception rules to rejection rules based on attributes of messages previously received and rejected, the method comprising:
- receiving, by a security gateway, a first message from a user, the first message comprising a cookie session identifier field and a value of the cookie session identifier;
  
  rejecting, by a message filter of the security gateway, the first message based on a rejection rule, the rejection rule rejecting messages having a cookie session identifier attribute, the cookie session identifier attribute indicating that the value of the cookie session identifier is different from a previously stored cookie session identifier value;
  
  incrementing, by the learning engine, a count of the number of messages from the user received via one or more user sessions within a predetermined amount of time and rejected based on the cookie session identifier attribute;
  
  based on the count for the attribute, determining, by the learning engine, a frequency with which messages with the cookie session identifier attribute were rejected based on the rejection rule;
  
  generating, by the learning engine, an exception rule to the rejection rule in response to determining that the frequency exceeds a threshold within the predetermined amount of time;
  
  receiving, by the security gateway, a second message having the cookie session identifier attribute; and
  
  allowing, by an adaptive filter of the security gateway, the second message, responsive to the exception rule.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the rejection rule indicates that a value of a cookie session identifier of a received message cannot be changed.
  - 3. The method of claim 1, wherein the frequency is a weighted count of occurrences of the cookie session identifier attribute.
  - 4. The method of claim 1, wherein the frequency is a direct count of occurrences of the cookie session identifier attribute.
  - 5. The method of claim 1, further comprising comparing, by the message filter, that the value of the cookie session identifier and the previously stored cookie session identifier value.
  - 6. The method of claim 1, wherein a user session represents communications between a client operated by the user and a server.
  - 7. The method of claim 1, further comprising storing, by the message filter, the value of the cookie session identifier.
  - 8. The method of claim 1, further comprising:
    - rejecting a third message based on a second rejection rule, the second rejection rule rejecting messages having a number of cookies different from a previously indicated number of cookies.incrementing, by the learning engine, a second count of the number of messages from the user received via the one or more user sessions within the predetermined amount of time and rejected based on the cookie number attribute;
      
      based on the second count, determining, by the learning engine, a second frequency with which messages with the cookie number attribute were rejected based on the second rejection rule;
      
      generating, by the learning engine, an exception rule to the rejection rule in response to determining that the second frequency exceeds a threshold within the predetermined amount of time;
      
      receiving, by the security gateway, a third message having the cookie number attribute; and
      
      allowing, by the adaptive filter, the fourth message, responsive to the second exception rule.
  - 9. The method of claim 8, wherein the third message is a message responsive to an earlier message.
  - 10. The method of claim 8, wherein the third message is a message responsive to an earlier message, the earlier message providing the previously indicated number of cookies.
  - 11. The method of claim 8, wherein the third message is a message sent from a client operated by the user to the server via the security gateway responsive to an earlier message sent from the server to the client.
  - 12. The method of claim 1, wherein the threshold is a product of a total number of messages over a time interval and a percentage of the messages that should be allowed to pass.

13. A system for adaptively filtering messages routed across a network by generating exception rules to rejection rules based on attributes of messages previously received and rejected, the system comprising:
- a receiver which receives a first message from a user, the first message comprising a cookie session identifier field and a value of the cookie session identifier;
  
  a filter which rejects the first message based on a rejection rule, the rejection rule rejecting messages having a cookie session identifier attribute, the cookie session identifier attribute indicating that the value of the cookie session identifier is different from a previously stored cookie session identifier value;
  
  a learning engine, for incrementing, for the attribute, a count of the number of messages from the user received via one or more user sessions within a predetermined amount of time and rejected based on the cookie session identifier attribute, for determining, based on the count, a frequency for which messages with the cookie session identifier attribute were rejected based on the rejection rule, and for generating an exception rule to the rejection rule in response to determining that the frequency exceeds a threshold within the predetermined amount of time; and
  
  whereinthe filter applies the exception rule to subsequent messages to determine whether to allow the subsequent messages.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The system of claim 13, wherein the rejection rule indicates that a value of a cookie session identifier of a received message cannot be changed.
  - 15. The system of claim 13, wherein the frequency is a weighted count of occurrences of the cookie session identifier attribute.
  - 16. The system of claim 13, wherein the frequency is a direct count of occurrences of the cookie session identifier attribute.
  - 17. The system of claim 13, wherein the message filter compares the value of the cookie session identifier and the previously stored cookie session identifier value.
  - 18. The system of claim 13, wherein a user session represents communications between a client operated by a user and a server.
  - 19. The system of claim 13, wherein the message filter stores the value of the cookie session identifier.
  - 20. The system of claim 17, whereinthe message filter rejects a third message based on a second rejection rule, the second rejection rule rejecting messages having a number of cookies different from a previously indicated number of cookies;
    - the learning engine increments a second count of the number of messages from the user received via the one or more user sessions within the predetermined amount of time and rejected based on the cookie number attribute, determining a second frequency with which messages with the cookie number attribute were rejected based on the second rejection rule based on the second count, and generating an exception rule to the rejection rule in response to determining that the second frequency exceeds a threshold within the predetermined amount of time;
      
      the security gateway receiving a third message having the cookie number attribute; and
      
      the adaptive filter allowing the fourth message, responsive to the second exception rule.
  - 21. The system of claim 20, wherein the third message is a message responsive to an earlier message.
  - 22. The system of claim 20, wherein the third message is a message responsive to an earlier message, the earlier message providing the previously indicated number of cookies.
  - 23. The system of claim 20, wherein the third message is a message sent from a client operated by the user to the server via the security gateway responsive to an earlier message sent from the server to the client.
  - 24. The system of claim 13, wherein the threshold is a product of a total number of messages over a time interval and a percentage of the messages that should be allowed to pass.

25. A computer program product comprising:
- a computer-readable medium having computer program code embodied therein for adaptively filtering messages routed across a network by generating exception rules to rejection rules based on attributes of messages previously received and rejected, the computer program code adapted to;
  
  receive a first message from a user, the first message comprising a cookie session identifier field and a value of the cookie session identifier;
  
  reject the first message based on a rejection rule, the rejection rule rejecting messages having a cookie session identifier attribute, the cookie session identifier attribute indicating that the value of the cookie session identifier is different from a previously stored cookie session identifier value;
  
  increment a count of the number of messages from the user received via one or more user sessions within a predetermined amount of time and rejected based on the cookie session identifier attribute;
  
  based on the count, determining a frequency with which messages with the cookie session identifier attribute were rejected based on the rejection rule; and
  
  generate an exception rule to the rejection rule in response to determining that the frequency exceeds a threshold within the predetermined amount of time;
  
  receiving a second message having the cookie session identifier attribute; and
  
  allowing the second message based on the exception rule.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 26. The computer program product of claim 25, wherein the rejection rule indicates that a value of a cookie session identifier of a received message cannot be changed.
  - 27. The computer program product of claim 25, wherein the frequency is a weighted count of the occurrences of the cookie session identifier attribute.
  - 28. The computer program product of claim 25, wherein the frequency is a direct count of the occurrences of the cookie session identifier attribute.
  - 29. The computer program product of claim 25, wherein the computer program code is further adapted to compare the value of the cookie session identifier and the previously stored cookie session identifier value.
  - 30. The computer program product of claim 25, wherein a user session represents communications between a client operated by a user and a server.
  - 31. The computer program product of claim 29, wherein the computer program code is further adapted to store the value of the cookie session.
  - 32. The computer program product of claim 25, wherein the computer program code is further adapted to:
    - reject a third message based on a second rejection rule, the second rejection rule rejecting messages having a number of cookies different from a previously indicated number of cookies;
      
      increment a second count of the number of messages from the user received via the one or more user sessions within the predetermined amount of time and rejected based on the cookie number attribute;
      
      based on the second count, determine a second frequency with which messages with the cookie number attribute were rejected based on the second rejection rule;
      
      generate an exception rule to the rejection rule in response to determining that the second frequency exceeds a threshold within the predetermined amount of timereceive a third message having the cookie number attribute; and
      
      allow the fourth message, responsive to the second exception rule.
  - 33. The computer program product of claim 32, wherein the third message is a message responsive to an earlier message.
  - 34. The computer program product of claim 32, wherein the third message is a message responsive to an earlier message, the earlier message providing the previously indicated number of cookies.
  - 35. The computer program product of claim 25, wherein the computer program code is further adapted to determine the threshold as a product of a total number of messages over a time interval and a percentage of the messages that should be allowed to pass.

36. A computer-implemented method for adaptively filtering messages routed across a network by generating exception rules to rejection rules based on attributes of messages previously received and rejected, the method comprising:
- receiving, by the security gateway, a first message from a user, the first message comprising a webpage that includes a password field and a user login field;
  
  rejecting, by the message filter, the first message based on a rejection rule for a field attribute, the field attribute indicating that one of the password field or the user login field exceeds a predetermined number of characters;
  
  incrementing, by the learning engine, a count of messages from the user received via one or more of a plurality of user sessions within a predetermined amount of time and rejected based on the field attribute;
  
  determining, by the learning engine based on the count, a frequency with which messages having the field attribute were rejected based on the rejection rule;
  
  generating, by the learning engine, an exception rule to the rejection rule in response to the determined frequency exceeding a threshold within the predetermined amount of time;
  
  receiving, by the security gateway, a second message having the field attribute; and
  
  allowing, by the adaptive filter, the second message responsive to the exception rule.
- View Dependent Claims (37, 38, 39)
- - 37. The method of claim 36, wherein the frequency is a weighted count of occurrences of the field attribute.
  - 38. The method of claim 36, wherein the frequency is a direct count of occurrences of the field attribute.
  - 39. The method of claim 36, wherein the threshold is a product of a total number of messages over a time interval and a percentage of the messages that should be allowed to pass.

40. A system for adaptively filtering messages routed across a network by generating exception rules to rejection rules based on attributes of messages previously received and rejected, the system comprising:
- a receiver which receives a first message from a user, the first message comprising a webpage that includes a password field and a user login field;
  
  a filter which rejects the first message based on a rejection rule for a field attribute, the field attribute indicating that one of the password field or the user login field exceeds a predetermined number of characters;
  
  a learning engine, for incrementing, a count of messages from the user received via one or more of a plurality of user sessions within a predetermined amount of time and rejected based on the field attribute, for determining, based on the count, a frequency with which messages having the field attribute were rejected based on the rejection rule, and for generating an exception rule to the rejection rule in response to the determined frequency exceeding a threshold within the predetermined amount of time; and
  
  whereinthe filter applies the exception rule to subsequent messages to determine whether to allow the subsequent messages.
- View Dependent Claims (41, 42, 43)
- - 41. The system of claim 40, wherein the frequency is a weighted count of occurrences of the field attribute.
  - 42. The system of claim 40, wherein the frequency is a direct count of occurrences of the field attribute.
  - 43. The system of claim 40, wherein the threshold is a product of a total number of messages over a time interval and a percentage of the messages that should be allowed to pass.

44. A computer program product comprising:
- a computer-readable medium having computer program code embodied therein for adaptively filtering messages routed across a network by generating exception rules to rejection rules based on attributes of messages previously received and rejected, the computer program code adapted to;
  
  receive a first message from a user, the first message comprising a webpage that includes a password field and a user login field;
  
  reject the first message based on a rejection rule for a field attribute, the field attribute indicating that one of the password field or the user login field exceeds a predetermined number of characters;
  
  increment, for the attribute, a count of messages from the user received via one or more of a plurality of user sessions within a predetermined amount of time and rejected based on the field attribute;
  
  based on the count, determining a frequency with which messages having the field attribute were rejected based on the rejection rule; and
  
  generate an exception rule to the rejection rule in response to the determined frequency exceeding a threshold within the predetermined amount of time;
  
  receiving a second message having the field attribute; and
  
  allowing the second message based on the exception rule.
- View Dependent Claims (45, 46, 47)
- - 45. The computer program product of claim 44, wherein the frequency is a weighted count of the occurrences of the field attribute.
  - 46. The computer program product of claim 44, wherein the frequency is a direct count of the occurrences of the field attribute.
  - 47. The computer program product of claim 44, wherein the computer program code is further adapted to determine the threshold as a product of a total number of messages over a time interval and a percentage of the messages that should be allowed to pass.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Teros, Inc. (Cloud Software Group)
Inventors
Kohli, Prince, Chauhan, Abhishek, Mirani, Rajiv
Primary Examiner(s)
Lanier; Benjamin E

Application Number

US10/782,739
Time in Patent Office

2,554 Days
Field of Search

None
US Class Current

726/13
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

H04L 63/029 Firewall traversal, e.g. tu...

Using statistical analysis to generate exception rules that allow legitimate messages to pass through application proxies and gateways

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

239 Citations

47 Claims

Specification

Solutions

Use Cases

Quick Links

Using statistical analysis to generate exception rules that allow legitimate messages to pass through application proxies and gateways

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

239 Citations

47 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links