Correlation engine for detecting network attacks and detection method
First Claim
1. A method for detecting application level attacks and for protecting web applications, comprising:
- receiving a plurality of attack indications based on data transmitted on the network, wherein the attack indications are generated in response to violation of at least a plurality of profiles of a protected web application, the attack indications comprise an anomaly, and wherein the anomaly is a deviation from at least a normal behavior profile of a protected web application, the plurality of attack indications being of at least one of a maximal average latency (MAL) profile, a maximal latency (ML) profile, and a maximal access rate (MAR) profile of the protected application;
- iteratively applying a set of correlation rules to correlate the plurality of attack indications by applying a first rule of the set of correlation rules to the attack indications to obtain a first result; and
- if the first result does not indicate on a potential attack applying a next rule in the set of correlation rules until a result indicating on a potential attack is detected or all rules in the set of correlation rules are applied, wherein the set of correlation rules corresponds to the particular type of an application level attack, to determine if the MAL profile and ML profile are violated, the MAL profile and the MAR profile are violated, or the ML profile and the MAR profile are violated;
- generating an alert if at least one rule of the set of correlation rules applied on the plurality of attack indications indicate that at least a violation occurred;
- wherein the application level attack comprises at least one of a directory traversal attack, a cross site scripting attack, an automatic reconnaissance attack, a search engine hacking attack, and an application denial of service attack.
Abstract
A method for detecting network attacks is provided. In one implementation, the method receives a plurality of attack indications based on data transmitted on the network and applies rules to the plurality of attack indications. Also, the method generates an alert if an application of at least a subset of the rules on the plurality of attack indications indicates a potential attack. In addition, a network device that performs the method and a computer program corresponding to the method are provided.
47 Claims
15. A computer program product including a non-transitory computer-readable medium comprising instructions, the instructions being capable of instructing a computer to perform a routine for detecting application level attacks and for protecting web applications, wherein the routine comprises:
- receiving a plurality of attack indications based on data transmitted on the network, wherein the attack indications are generated in response to violation of at least a plurality of profiles of a protected web application, the attack indications comprise an anomaly, and wherein the anomaly is a deviation from at least a normal behavior profile of a protected web application, the plurality of attack indications being at least one of a maximal average latency (MAL) profile, a maximal latency (ML) profile, and a maximal access rate (MAR) profile of the protected application;
- iteratively applying a set of correlation rules to correlate the plurality of attack indications by applying a first rule of the set of correlation rules to the attack indications to obtain a first result; and
- if the first result does not indicate on a potential attack applying a next rule in the set of correlation rules until a result indicating on a potential attack is detected or all rules in the set of correlation rules are applied, wherein the set of correlation rules corresponds to the particular type of an application level attack, to determine if the MAL profile and ML profile are violated, the MAL profile and the MAR profile are violated, or the ML profile and the MAR profile are violated;
- generating an alert if at least one rule of the set of correlation rules applied on the plurality of attack indications indicates that at least a violation occurred;
- wherein the application level attack comprises at least one of a directory traversal attack, a cross site scripting attack, an automatic reconnaissance attack, a search engine hacking attack, and an application denial of service attack.

Dependent claims: 16–28.
29. A network device in an application level security system for detecting application level attacks, comprising:
- a network sensor that receives data transmitted on the network and that generates a plurality of attack indications based on the data, wherein the attack indications are generated in response to violation of at least a plurality of profiles of a protected web application, the attack indications comprise an anomaly, and wherein the anomaly is a deviation from at least a normal behavior profile of a protected web application; and
- a first correlation engine that applies a first set of correlation rules corresponding to a first type of an application level attack to correlate the plurality of attack indications and that generates a first alert if an application of at least a subset of the first set of correlation rules on the plurality of attack indications indicates a first potential attack;
- the denial of service attack comprising: receiving attack indications generated in response to a violation of at least one of a maximal average latency (MAL) profile, a maximal latency (ML) profile, and a maximal access rate (MAR) profile of the protected application; iteratively applying a set of correlation rules on the attack indications to determine if the MAL profile and ML profile are violated, the MAL profile and the MAR profile are violated, or the ML profile and the MAR profile are violated; and generating the alert on a denial of service attack if one of the violations occurs;
- wherein the application level attack comprises at least one of a directory traversal attack, a cross site scripting attack, an automatic reconnaissance attack, a search engine hacking attack, and an application denial of service attack.

Dependent claims: 30–47.
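The sensor-plus-correlation-engine pipeline that claims 1, 15 and 29 describe for the application denial of service case, as an added illustration written for this page and not code from the patent; the baseline profile thresholds, the rule labels and the sample measurements are constructed, and the "first rule, then next rule until a hit" loop is the iterative application the claims recite.

```python
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed normal-behaviour profile of the protected web application
# (hypothetical values). An attack indication is any measurement above it.
NORMAL_PROFILE: Dict[str, float] = {
    "MAL": 250.0,   # maximal average latency, milliseconds
    "ML": 2000.0,   # maximal latency of a single request, milliseconds
    "MAR": 500.0,   # maximal access rate, requests per second
}

# Ordered correlation rules for the application DoS attack type: each rule
# names the pair of profiles that must both be violated, as in the claims.
DOS_RULES: List[Tuple[str, FrozenSet[str]]] = [
    ("MAL+ML violated", frozenset({"MAL", "ML"})),
    ("MAL+MAR violated", frozenset({"MAL", "MAR"})),
    ("ML+MAR violated", frozenset({"ML", "MAR"})),
]


def sensor(measurements: Dict[str, float],
           profile: Dict[str, float] = NORMAL_PROFILE) -> List[str]:
    """Network-sensor stage: one attack indication per violated profile."""
    return [name for name, value in measurements.items()
            if value > profile.get(name, float("inf"))]


def correlate(indications: List[str],
              rules: List[Tuple[str, FrozenSet[str]]] = DOS_RULES) -> Optional[str]:
    """Correlation-engine stage: apply the first rule, then the next, and stop
    at the first rule whose required profiles are all violated."""
    violated = set(indications)
    for label, required in rules:
        if required <= violated:
            return label
    return None            # all rules applied, no potential attack


def detect_dos(measurements: Dict[str, float]) -> Optional[str]:
    """Full pipeline: alert text on a correlated DoS, None otherwise."""
    hit = correlate(sensor(measurements))
    return None if hit is None else f"ALERT application DoS: {hit}"


if __name__ == "__main__":
    # A single violated profile (MAL only) is an anomaly but not an alert;
    # two correlated violations (ML and MAR) produce one.
    print(detect_dos({"MAL": 900.0, "ML": 1500.0, "MAR": 100.0}))
    print(detect_dos({"MAL": 100.0, "ML": 5000.0, "MAR": 900.0}))
```

The point of the correlation step is visible in the second function: a lone latency or rate anomaly never raises an alert on its own, which keeps transient load spikes from paging anyone.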