Method and apparatus for detection of information transmission abnormalities
First Claim
1. A computer-implemented method of adapting to changed conditions and analyzing network communication with a web application with respect to a profile of acceptable behavior including probability values of network communication attributes developed from a collection of historical network communication with the web application in order to detect and prevent attacks on the web application, the method where one or more processors are programmed to perform steps comprising:
- receiving a plurality of network communications in succession, the plurality of network communications each including a plurality of parameters, each of the plurality of network communications being independent of the next successive network communication;
- extracting a plurality of attributes from the plurality of parameters of each network communication;
- assigning a plurality of probability values indicative of each of the plurality of attributes of each network communication, the plurality of probability values based on a comparison of each attribute against the profile of acceptable behavior;
- augmenting the profile of acceptable behavior based on the comparison of the plurality of attributes against the profile of acceptable behavior for each successive network communication;
- receiving a current network communication, including a plurality of current network communication parameters;
- extracting a plurality of attributes from the plurality of current network communication parameters;
- assigning a plurality of probability values indicative of each of the plurality of current network communication attributes, the plurality of probability values based on a comparison of each current network communication attribute against the profile of acceptable behavior, the plurality of probability values for each of the plurality of current network communication attributes being statistically independent of the plurality of previous network communications attribute probability values;
- updating the profile of acceptable behavior based on the comparison of the plurality of current network attributes against the augmented profile of acceptable behavior;
- determining an overall probability value of the current network communication based on a calculation comprising the plurality of attribute probability values of the current network communication;
- validating the current network communication against the profile of acceptable behavior based upon the probability value of the current network communication and a threshold criteria; and
- triggering a responsive action based on the result of the validation.
Abstract
In one embodiment, a method for securing a network application is described. The method for securing a network application includes receiving network information within a network application and assigning a probability value to an independent aspect of the network information. The probability value is based on a verification of the independent aspect of the information against a profile of acceptable behavior. The method for securing a network application also includes aggregating the probability values of the independent aspects of the network information to determine the probability of the entire network traffic. In addition, the method for securing a network application includes determining whether the probability value of the entire network information is above or below a threshold probability value. The entire network information is screened out based on the probability value of the entire message with respect to the threshold probability value.
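The scoring loop the abstract describes can be sketched as follows. This is an added illustration, not code from the patent: the attribute choices (length bucket, character class), the Laplace smoothing, the product used to aggregate, the 0.05 threshold, and the decision to learn only from accepted requests are all assumptions.

```python
import math
from collections import Counter, defaultdict

def char_class(value):
    if value.isdigit():
        return "digits"
    if value.isalnum():
        return "alnum"
    return "other"  # punctuation, whitespace, empty value

def attributes(params):
    """Yield (attribute, observed value) pairs for every request parameter."""
    for name, value in params.items():
        yield f"{name}.length", min(len(value) // 8, 8)  # coarse length bucket
        yield f"{name}.charset", char_class(value)

class Profile:
    """Profile of acceptable behavior: per-attribute counts of observed values."""
    def __init__(self):
        self.counts = defaultdict(Counter)

    def probability(self, attr, observed):
        seen = self.counts[attr]
        # Laplace smoothing: a never-seen value gets a small non-zero probability.
        return (seen[observed] + 1) / (sum(seen.values()) + len(seen) + 1)

    def learn(self, params):
        for attr, observed in attributes(params):
            self.counts[attr][observed] += 1

    def score(self, params):
        # Assumption: attributes are treated as independent, so values multiply.
        return math.prod(self.probability(a, o) for a, o in attributes(params))

    def validate(self, params, threshold=0.05):
        p = self.score(params)
        if p >= threshold:
            self.learn(params)  # update the profile only with accepted traffic
            return "allow", p
        return "block", p       # responsive action; profile left untouched

def build_demo_profile():
    """Constructed history: 20 requests with a numeric id and a short page name."""
    profile = Profile()
    for i in range(20):
        profile.learn({"id": str(1000 + i), "page": "home"})
    return profile

if __name__ == "__main__":
    prof = build_demo_profile()
    print(prof.validate({"id": "1021", "page": "home"}))
    print(prof.validate({"id": "A" * 70 + "%%", "page": "home"}))
```

Learning only from accepted requests keeps a rejected request from shifting the profile toward itself; a deployment that also learns from blocked traffic would need a separate safeguard against gradual profile drift.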
35 Claims
Claim 1. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
15. A computer-implemented method of adapting to changed conditions and analyzing network traffic related to a web application in a network application system to detect and prevent attacks on the network application system, where one or more processors are programmed to perform steps comprising:
- developing a profile of acceptable behavior for network communication for transmission over a network, the profile of acceptable behavior including probability values of network communication parameters developed from a collection of historical network communication;
- receiving a current network communication, the current network communication including multiple current network communication parameters, each of the current network communication parameters independent of each other;
- assigning an updateable probability value indicative of each of the current network communication parameters, the updateable probability value based on a comparison of each of the current network communication parameters against the profile of acceptable behavior;
- determining the probability value of the current network communication by a calculation comprising the updateable probability value of each of the current network communication parameters;
- validating the current network communication against the profile of acceptable behavior based upon whether or not the probability value of the current network communication meets a threshold criteria;
- updating the probability values of historical network communication parameters in the profile of acceptable behavior; and
- triggering a responsive action based on the result of the validation.

Dependent claims: 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28
29. A system for adapting to changed conditions and analyzing network traffic in a network application system comprising:
- a non-transitory computer readable medium configured to store computer executable programmed modules;
- a processor communicatively coupled with the non-transitory computer readable medium configured to execute programmed modules stored therein;
- a dynamic profiling module stored in the non-transitory computer readable medium and configured to develop a profile of acceptable behavior for network communication for transmission over a network, the profile of acceptable behavior including probability values of network communication parameters developed from a collection of historical network communication; and
- a control module stored in the non-transitory computer readable medium and configured to receive a current network communication, the current network communication including multiple current network communication parameters, each of the current network communication parameters independent of each other, wherein the control module is configured to assign an updateable probability value indicative of each of the current network communication parameters, the updateable probability value based on a comparison of each of the current network communication parameters against the profile of acceptable behavior, to determine probability value of the current network communication by a calculation comprising the updateable probability value of each of the current network communication parameters, to validate the current network communication against the profile of acceptable behavior based upon the probability value of the current network communication and a threshold criteria, to update the probability values of historical network communication parameters in the profile of acceptable behavior, and to trigger a responsive action based on the result of the validation.

Dependent claims: 30, 31, 32, 33, 34, 35
Specification