Method and apparatus for detection of information transmission abnormalities

US 8,180,886 B2
Filed: 11/13/2008
Issued: 05/15/2012
Est. Priority Date: 11/15/2007
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of adapting to changed conditions and analyzing network communication with a web application with respect to a profile of acceptable behavior including probability values of network communication attributes developed from a collection of historical network communication with the web application in order to detect and prevent attacks on the web application, the method where one or more processors are programmed to perform steps comprising:

receiving a plurality of network communications in succession, the plurality of network communications each including a plurality of parameters, each of the plurality of network communications being independent of the next successive network communication;

extracting a plurality of attributes from the plurality of parameters of each network communication;

assigning a plurality of probability values indicative of each of the plurality of attributes of each network communication, the plurality of probability values based on a comparison of each attribute against the profile of acceptable behavior;

augmenting the profile of acceptable behavior based on the comparison of the plurality of attributes against the profile of acceptable behavior for each successive network communication;

receiving a current network communication, including a plurality of current network communication parameters;

extracting a plurality of attributes from the plurality of current network communication parameters;

assigning a plurality of probability values indicative of each of the plurality of current network communication attributes, the plurality of probability values based on a comparison of each current network communication attribute against the profile of acceptable behavior, the plurality of probability values for each of the plurality of current network communication attributes being statistically independent of the plurality of previous network communications attribute probability values;

updating the profile of acceptable behavior based on the comparison of the plurality of current network attributes against the augmented profile of acceptable behavior;

determining an overall probability value of the current network communication based on a calculation comprising the plurality of attribute probability values of the current network communication;

validating the current network communication against the profile of acceptable behavior based upon the probability value of the current network communication and a threshold criteria; and

triggering a responsive action based on the result of the validation.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a method for securing a network application is described. The method for securing a network application includes receiving network information within a network application and assigning a probability value to an independent aspect of the network information. The probability value is based on a verification of the independent aspect of the information against a profile of acceptable behavior. The method for securing a network application also includes aggregating the probability values of the independent aspects of the network information to determine the probability of the entire network traffic. In addition, the method for securing a network application includes determining whether the probability value of the entire network information is above or below a threshold probability value. The entire network information is screened out based on the probability value of the entire message with respect to the threshold probability value.

163 Citations

35 Claims

1. A computer-implemented method of adapting to changed conditions and analyzing network communication with a web application with respect to a profile of acceptable behavior including probability values of network communication attributes developed from a collection of historical network communication with the web application in order to detect and prevent attacks on the web application, the method where one or more processors are programmed to perform steps comprising:
- receiving a plurality of network communications in succession, the plurality of network communications each including a plurality of parameters, each of the plurality of network communications being independent of the next successive network communication;
  
  extracting a plurality of attributes from the plurality of parameters of each network communication;
  
  assigning a plurality of probability values indicative of each of the plurality of attributes of each network communication, the plurality of probability values based on a comparison of each attribute against the profile of acceptable behavior;
  
  augmenting the profile of acceptable behavior based on the comparison of the plurality of attributes against the profile of acceptable behavior for each successive network communication;
  
  receiving a current network communication, including a plurality of current network communication parameters;
  
  extracting a plurality of attributes from the plurality of current network communication parameters;
  
  assigning a plurality of probability values indicative of each of the plurality of current network communication attributes, the plurality of probability values based on a comparison of each current network communication attribute against the profile of acceptable behavior, the plurality of probability values for each of the plurality of current network communication attributes being statistically independent of the plurality of previous network communications attribute probability values;
  
  updating the profile of acceptable behavior based on the comparison of the plurality of current network attributes against the augmented profile of acceptable behavior;
  
  determining an overall probability value of the current network communication based on a calculation comprising the plurality of attribute probability values of the current network communication;
  
  validating the current network communication against the profile of acceptable behavior based upon the probability value of the current network communication and a threshold criteria; and
  
  triggering a responsive action based on the result of the validation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, further comprising:
    - storing the current network communication in a buffer of a threat detection module until enough data has been accumulated for the current network communication to be statistically valid.
  - 3. The method of claim 2, wherein the current network communication is determined to be statistically valid based on one of time since the collection of the current network communication started, the number of a current inbound communication and a current outbound communication of the current network communication and diversity of the current network communication.
  - 4. The method of claim 2, further comprising:
    - storing the plurality of network communication attributes in a buffer until enough data has been accumulated for the plurality of network communication attributes to be statistically valid.
  - 5. The method of claim 1, further comprising:
    - storing the plurality of network communication parameters in a buffer until enough data has been accumulated for the plurality of network communication parameters to be statistically valid.
  - 6. The method of claim 1, further comprising:
    - merging the current network communication to the profile of acceptable behavior when the current network communication meets the threshold criteria,wherein the merging the current network communication further comprises executing at least one merge algorithm to incorporate the current network communication into the profile of acceptable behavior.
  - 7. The method of claim 1, wherein the triggering comprises transmitting an alert when the current network communication fails to meet the threshold criteria.
  - 8. The method of claim 1, further comprising:
    - forwarding the current network communication to an administrator for further analysis when the current network communication fails to meet the threshold criteria.
  - 9. The method of claim 1, wherein the threshold criteria is based on a threshold probability value.
  - 10. The method of claim 1, wherein the threshold probability value comprises a range of probability values.
  - 11. The method of claim 1, wherein the probability value of the current network communication is 1 if it meets the threshold criteria and the probability value is unchanged if it fails to meet the threshold criteria.
  - 12. The method of claim 1, wherein the current network communication is rejected when the probability of the current network communication is below the threshold probability value.
  - 13. The method of claim 1, wherein the plurality of successive network communication attributes and the plurality of current network communication attributes are mutually exclusive.
  - 14. The method of claim 1, wherein the probability value of the current network communication is a multiplication of the probability values of the plurality of attributes of the current network communication.

15. A computer-implemented method of adapting to changed conditions and analyzing network traffic related to a web application in a network application system to detect and prevent attacks on the network application system, where one or more processors are programmed to perform steps comprising:
- developing a profile of acceptable behavior for network communication for transmission over a network, the profile of acceptable behavior including probability values of network communication parameters developed from a collection of historical network communication;
  
  receiving a current network communication, the current network communication including multiple current network communication parameters, each of the current network communication parameters independent of each other;
  
  assigning an updateable probability value indicative of each of the current network communication parameters, the updateable probability value based on a comparison of each of the current network communication parameters against the profile of acceptable behavior;
  
  determining the probability value of the current network communication by a calculation comprising the updateable probability value of each of the current network communication parameters;
  
  validating the current network communication against the profile of acceptable behavior based upon whether or not the probability value of the current network communication meets a threshold criteria;
  
  updating the probability values of historical network communication parameters in the profile of acceptable behavior; and
  
  triggering a responsive action based on the result of the validation.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 16. The method of claim 15, further comprising:
    - storing the multiple current network communication parameters of the current network communication in a buffer until enough information has been accumulated for each of the network communication parameters to be statistically valid.
  - 17. The method of claim 16, wherein the current network communication parameter is determined to be statistically valid based on one of time since the collection of the current network communication parameter started, number of network communication including current network communication parameter and the diversity of the current network communication.
  - 18. The method of claim 15, further comprising:
    - merging the current network communication to the profile of acceptable behavior when the current network communication meets the threshold criteria.
  - 19. The method of claim 15, further comprising:
    - triggering an alert when the current network communication fails to meet the threshold criteria.
  - 20. The method of claim 15, further comprising:
    - forwarding the current network communication to an administrator for further analysis when the current network communication fails to meet the threshold criteria.
  - 21. The method of claim 15, wherein the threshold probability criteria is based on a threshold probability value.
  - 22. The method of claim 21, further comprising:
    - generating different threshold probability values depending on the severity of the variation from the profile of acceptable behavior.
  - 23. The method of claim 21, wherein the probability value of the current network communication is 1 if it is above the threshold probability value and the probability value is unchanged if it is below the threshold probability value.
  - 24. The method of claim 21, wherein the threshold probability value comprises a range of probability values.
  - 25. The method of claim 21, wherein the current network communication is rejected when the current network communication is below the threshold probability value.
  - 26. The method of claim 15, wherein the multiple current network communication parameters of the current network communication are mutually exclusive.
  - 27. The method of claim 15, wherein the probability value of the current network communication is a multiplication of the probability value of each current network communication parameter of the current network communication.
  - 28. The method of claim 15, wherein the probability value of the network communication is the weighted average of probabilities of the multiple current network communication parameters.

29. A system for adapting to changed conditions and analyzing network traffic in a network application system comprising:
- a non-transitory computer readable medium configured to store computer executable programmed modules;
  
  a processor communicatively coupled with the non-transitory computer readable medium configured to execute programmed modules stored therein;
  
  a dynamic profiling module stored in the non-transitory computer readable medium and configured to develop a profile of acceptable behavior for network communication for transmission over a network, the profile of acceptable behavior including probability values of network communication parameters developed from a collection of historical network communication; and
  
  a control module stored in the non-transitory computer readable medium and configured to receive a current network communication, the current network communication including multiple current network communication parameters, each of the current network communication parameters independent of each other,wherein the control module is configuredto assign an updateable probability value indicative of each of the current network communication parameters, the updateable probability value based on a comparison of each of the current network communication parameters against the profile of acceptable behavior,to determine probability value of the current network communication by a calculation comprising the updateable probability value of each of the current network communication parameters,to validate the current network communication against the profile of acceptable behavior based upon the probability value of the current network communication and a threshold criteria,to update the probability values of historical network communication parameters in the profile of acceptable behavior, andto trigger a responsive action based on the result of the validation.
- View Dependent Claims (30, 31, 32, 33, 34, 35)
- - 30. The system of claim 29, further comprising:
    - a buffer configured to store the multiple current network communication parameters of the current network communication in a buffer until enough information has been accumulated for each of the network communication parameters to be statistically valid.
  - 31. The system of claim 30, wherein the current network communication parameter is determined to be statistically valid based on one of time since the collection of the current network communication parameter started, number of network communication including current network communication parameter and the diversity of the current network communication.
  - 32. The system of claim 29, further comprising:
    - an adaptation module configured to merge the current network communication to the profile of acceptable behavior when the current network communication meets the threshold criteria.
  - 33. The system of claim 29, wherein the control module is further configured to trigger an alert when the current network communication fails to meet the threshold criteria.
  - 34. The system of claim 29, wherein the control module is further configured to forward the current network communication to an administrator for further analysis when the current network communication fails to meet the threshold criteria.
  - 35. The system of claim 29, further comprising:
    - a correlation and analysis module configured to analyze the current network communication to determine the security risk of the current network communication when the current network communication fails to meet the threshold criteria.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trustwave Holdings Incorporated (Singapore Telecommunications Limited)
Original Assignee
Trustwave Holdings Incorporated (Singapore Telecommunications Limited)
Inventors
Overcash, Kevin, Kolton, Doron, Mizrahi, Rami
Primary Examiner(s)
Bayard, Djenane

Application Number

US12/270,635
Publication Number

US 20090138592A1
Time in Patent Office

1,279 Days
Field of Search

709/224, 709/225, 709/227
US Class Current

709/224
CPC Class Codes

H04L 41/142   using statistical or mathem...

H04L 43/16   Threshold monitoring

H04L 63/1425   Traffic logging, e.g. anoma...

Method and apparatus for detection of information transmission abnormalities

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

163 Citations

35 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for detection of information transmission abnormalities

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

163 Citations

35 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others