Correlation engine for detecting network attacks and detection method

US 8,024,804 B2
Filed: 03/08/2006
Issued: 09/20/2011
Est. Priority Date: 03/08/2006
Status: Active Grant

First Claim

Patent Images

1. A method for detecting application level attacks and for protecting web applications, comprising:

receiving a plurality of attack indications based on data transmitted on the network, wherein the attack indications are generated in response to violation of at least a plurality of profiles of a protected web application, the attack indications comprise an anomaly, and wherein the anomaly is a deviation from at least a normal behavior profile of a protected web application, the plurality of attack indications being of at least one of a maximal average latency (MAL) profile, a maximal latency (ML) profile, and a maximal access rate (MAR) profile of the protected application;

iteratively applying a set of correlation rules to correlate the plurality of attack indications by applying a first rule of the set of correlation rules to the attack indications to obtain a first result; and

if the first result does not indicate on a potential attack applying a next rule in the set of correlation rules until a result indicating on a potential attack is detected or all rules in the set of correlation rules are applied, wherein the set of correlation rules corresponds to the particular type of an application level attack, to determine if the MAL profile and ML profile are violated, the MAL profile and the MAR profile are violated, or the ML profile and the MAR profile are violated;

generating an alert if at least one rule of the set of correlation rules applied on the plurality of attack indications indicate that at least a violation occurred;

wherein the application level attack comprises at least one of a directory traversal attack, a cross site scripting attack, an automatic reconnaissance attack, a search engine hacking attack, and an application denial of service attack.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for detecting network attacks is provided. In one implementation, the method receives a plurality of attack indications based on data transmitted on the network and applies rules to the plurality of attack indications. Also, the method generates an alert if an application of at least a subset of the rules on the plurality of attack indications indicates a potential attack. In addition, a network device that performs the method and a computer program corresponding to the method are provided.

Citations

47 Claims

1. A method for detecting application level attacks and for protecting web applications, comprising:
- receiving a plurality of attack indications based on data transmitted on the network, wherein the attack indications are generated in response to violation of at least a plurality of profiles of a protected web application, the attack indications comprise an anomaly, and wherein the anomaly is a deviation from at least a normal behavior profile of a protected web application, the plurality of attack indications being of at least one of a maximal average latency (MAL) profile, a maximal latency (ML) profile, and a maximal access rate (MAR) profile of the protected application;
  
  iteratively applying a set of correlation rules to correlate the plurality of attack indications by applying a first rule of the set of correlation rules to the attack indications to obtain a first result; and
  
  if the first result does not indicate on a potential attack applying a next rule in the set of correlation rules until a result indicating on a potential attack is detected or all rules in the set of correlation rules are applied, wherein the set of correlation rules corresponds to the particular type of an application level attack, to determine if the MAL profile and ML profile are violated, the MAL profile and the MAR profile are violated, or the ML profile and the MAR profile are violated;
  
  generating an alert if at least one rule of the set of correlation rules applied on the plurality of attack indications indicate that at least a violation occurred;
  
  wherein the application level attack comprises at least one of a directory traversal attack, a cross site scripting attack, an automatic reconnaissance attack, a search engine hacking attack, and an application denial of service attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the set of correlation rules are independent rules.
  - 3. The method of claim 1, wherein the potential application level attack comprises an attack against a web server executing the web application.
  - 4. The method of claim 1, wherein the potential application level attack comprises an attack against a database server accessed by the web application.
  - 5. The method of claim 1, wherein the attack indications comprise at least one of an irregular event, an anomaly, and an alert.
  - 6. The method of claim 1, wherein the attack indications comprise a first irregular event.
  - 7. The method of claim 6, wherein the first irregular event comprises at least one of an irregular hypertext transfer protocol event and an irregular structured query language event.
  - 8. The method of claim 6, wherein the attack indications comprise anomalies from the first irregular event.
  - 9. The method of claim 6, wherein the attack indications comprise anomalies from a sequence of the first irregular event and at least a second irregular event, andwherein the first irregular event and the at least the second irregular event are the same type of events.
  - 10. The method of claim 6, wherein the attack indications comprise the first irregular event and at least a second irregular event, andwherein the first irregular event and the at least the second irregular event are different types of events.
  - 11. The method of claim 1, wherein the attack indications further comprise an anomaly, andwherein the anomaly comprises a deviation from a signature of an application layer protocol of the data.
  - 12. The method of claim 11, wherein the application layer protocol comprises at least one of a hypertext transfer protocol and a structured query language protocol.
  - 13. The method of claim 1, wherein the rules are applied in an order based on a type of the potential attack to be detected.
  - 14. The method of claim 13, wherein the rules are applied in an order based on a type of the potential application level attack to be detected.

15. A computer program product including a non-transitory computer-readable medium comprising instructions, the instructions being capable of instructing a computer to perform a routine for detecting application level attacks and for protecting web application, wherein the routine comprises:
- receiving a plurality of attack indications based on data transmitted on the network, wherein the attack indications are generated in response to violation of at least a plurality of profiles of a protected web application, the attack indications comprise an anomaly, and wherein the anomaly is a deviation from at least a normal behavior profile of a protected web application, the plurality of attack indications being at least one of a maximal average latency (MAL) profile, a maximal latency (ML) profile, and a maximal access rate (MAR) profile of the protected application;
  
  iteratively applying a set of correlation rules to correlate the plurality of attack indications by applying a first rule of the set of correlation rules to the attack indications to obtain a first result; and
  
  if the first result does not indicate on a potential attack applying a next rule in the set of rules until a result indicating on a potential attack is detected or all rules in the set of correlation rules are applied, wherein the set of correlation rules corresponds to the particular type of an application level attack, to determine if the MAL profile and ML profile are violated, the MAL profile and the MAR profile are violated, or the ML profile and the MAR profile are violated;
  
  generating an alert if at least one rule of the set of correlation rules applied on the plurality of attack indications indicates that at least a violation occurred;
  
  wherein the application level attack comprises at least one of a directory traversal attack, a cross site scripting attack, an automatic reconnaissance attack, a search engine hacking attack, and an application denial of service attack.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 16. The computer program product of claim 15, wherein the set of correlation rules are independent rules.
  - 17. The computer program product of claim 15, wherein the potential application level attack comprises an attack against a web server executing the web application.
  - 18. The computer program product of claim 15, wherein the application level potential attack comprises an attack against a database server accessed by the web application.
  - 19. The computer program product of claim 15, wherein the attack indications comprise at least one of an irregular event, an anomaly, and an alert.
  - 20. The computer program product of claim 15, wherein the attack indications comprise a first irregular event.
  - 21. The software program of claim 20, wherein the first irregular event comprises at least one of an irregular hypertext transfer protocol event and an irregular structured query language event.
  - 22. The software program of claim 20, wherein the attack indications comprise anomalies from the first irregular event.
  - 23. The software program of claim 20, wherein the attack indications comprise anomalies from a sequence of the first irregular event and at least a second irregular event, andwherein the first irregular event and the at least the second irregular event are the same type of events.
  - 24. The software program of claim 20, wherein the attack indications comprise the first irregular event and at least a second irregular event, andwherein the first irregular event and the at least the second irregular event are different types of events.
  - 25. The computer program product of claim 15, wherein the attack indications further comprise an anomaly, andwherein the anomaly comprises a deviation from a signature of an application layer protocol of the data.
  - 26. The software program of claim 25, wherein the application layer protocol comprises at least one of a hypertext transfer protocol and a structured query language protocol.
  - 27. The computer program product of claim 15, wherein the rules are applied in an order based on a type of the potential attack to be detected.
  - 28. The software program of claim 27, wherein the rules are applied in an order based on a type of the application level potential attack to be detected.

29. A network device in an application level security system for detecting application level attacks, comprising:
- a network sensor that receives data transmitted on the network and that generates a plurality of attack indications based on the data, wherein the attack indications are generated in response to violation of at least a plurality of profiles of a protected web application, the attack indications comprise an anomaly, and wherein the anomaly is a deviation from at least a normal behavior profile of a protected web application; and
  
  a first correlation engine that applies a first set of correlation rules corresponding to a first type of an application level attack to correlate the plurality of attack indications and that generates a first alert if an application of at least a subset of the first set of correlation rules on the plurality of attack indications indicates a first potential attack;
  
  the denial of service attack comprising;
  
  receiving attack indications generated in response to a violation of at least one of a maximal average latency (MAL) profile, a maximal latency (ML) profile, and a maximal access rate (MAR) profile of the protected application;
  
  iteratively applying a set of correlation rules on the attack indications to determine if the MAL profile and ML profile are violated, the MAL profile and the MAR profile are violated, or the ML profile and the MAR profile are violated; and
  
  generating the alert on a denial of service attack if one of the violations occurswherein the application level attack comprises at least one of a directory traversal attack, a cross site scripting attack, an automatic reconnaissance attack, a search engine hacking attack, and an application denial of service attack.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47)
- - 30. The device of claim 29, further comprising a second correlation engine that applies a second set of correlation rules corresponding to a second type of an application level attack to correlate the plurality of attack indications and that generates a second alert if an application of at least a subset of the second set of correlation rules on the plurality of attack indications indicates a second potential attack.
  - 31. The device of claim 30, wherein the first correlation engine (1) inputs the second alert from the second correlation engine, (2) applies the first set of correlation rules to the second alert and the plurality of attack indications, and (3) generates the first alert if at least the subset of the first set of correlation rules on the second alert and the plurality of attack indications indicates the first potential attack.
  - 32. The device of claim 29, wherein the first set of correlation rules comprises independent rules.
  - 33. The device of claim 29, wherein the first or the second potential attack comprises an attack against a web server executing the protected web application.
  - 34. The device of claim 29, wherein the first or second potential attack comprises an attack against a database server accessed by the protected web application.
  - 35. The device of claim 29, wherein the attack indications comprise at least one of an irregular event, an anomaly, and an alert.
  - 36. The device of claim 29, wherein the attack indications comprise at least one of an irregular event, an anomaly, and an alert.
  - 37. The device of claim 29, wherein the attack indications comprise a first irregular event.
  - 38. The device of claim 37, wherein the first irregular event comprises at least one of an irregular hypertext transfer protocol event and an irregular structured query language event.
  - 39. The device of claim 37, wherein the attack indications comprise anomalies from the first irregular event.
  - 40. The device of claim 37, wherein the attack indications comprise anomalies from a sequence of the first irregular event and at least a second irregular event, andwherein the first irregular event and the at least the second irregular event are the same type of events.
  - 41. The device of claim 37, wherein the attack indications comprise the first irregular event and at least a second irregular event, andwherein the first irregular event and the at least the second irregular event are different types of events.
  - 42. The device of claim 29, wherein the attack indications comprise an anomaly, andwherein the anomaly comprises a deviation from a normal behavior profile of the data.
  - 43. The device of claim 29, wherein the attack indications further comprise an anomaly, andwherein the anomaly comprises a deviation from a signature of an application layer protocol of the data.
  - 44. The device of claim 43, wherein the application layer protocol comprises at least one of a hypertext transfer protocol and a structured query language protocol.
  - 45. The device of claim 29, wherein the first correlation engine applies a first rules of the first set of rules to the plurality of attack indications to obtain a first result, andwherein the first correlation engine selectively applies a second rule of the first set of rules to the attack indications based on the first result.
  - 46. The device of claim 45, wherein the rules of the first set of rules are applied in an order based on a type of the first potential attack that the first correlation engine is configured to detect.
  - 47. The device of claim 29, wherein the rules of the first set of rules are applied in an order based on a type of the first potential attack that the first correlation engine is configured to detect.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Imperva Incorporated (Thales SA)
Original Assignee
Imperva Incorporated (Thales SA)
Inventors
Kremer, Shlomo, Shulman, Amichai, Boodaei, Mickey
Primary Examiner(s)
Flynn; Nathan
Assistant Examiner(s)
Vaughan; Michael R

Application Number

US11/369,733
Publication Number

US 20070214503A1
Time in Patent Office

2,022 Days
Field of Search

None
US Class Current

726/23
CPC Class Codes

G06F 11/2257   using expert systems

G06F 21/552   involving long-term monitor...

H04L 63/1408   by monitoring network traff...

Correlation engine for detecting network attacks and detection method

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

47 Claims

Specification

Solutions

Use Cases

Quick Links

Correlation engine for detecting network attacks and detection method

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

47 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links