Techniques for tracking actual users in web application security systems
First Claim
Patent Images
1. A method for tracking and identifying an identity of a user using a client to access a web application on a protected server, the method comprising:
- monitoring, by a secure gateway on a device, client requests for the web application sent from a client to the protected sever, and replies to those client requests sent from the protected server to the client;
identifying candidate authentication forms in the replies to the client requests sent from the protected server to the client;
determining which of the candidate authentication forms in those replies are authentication forms;
generating a normal behavior profile (NBP) for the web application, wherein said NBP includes authentication form identifiers corresponding to those of the candidate authentication forms determined to be the authentication forms;
monitoring, by the secure gateway using the authentication form identifiers, login requests sent from the client to the protected server, and login responses sent from the protected server to the client in response to the login requests;
identifying, for each of the authentication form identifiers in the NBP, a combination of login indications and corresponding values in the login responses that indicates a successful login request;
generating an updated NBP by adding to the NBP, for each of the authentication form identifiers in the NBP, the combination of login indications and corresponding values identified to be indicating a successful login request;
determining by the secure gateway using the updated NBP whether a subsequent login request submitted by the user was successful;
saving a first actionable data if the subsequent login request is determined to be successful, wherein the first actionable data comprises user identifiers associated with the user for tracking the user across a plurality of sessions; and
saving a second actionable data if the subsequent login request is determined to be unsuccessful.
5 Assignments
0 Petitions
Accused Products
Abstract
A method for tracking and identifying an identity of a user accessing a web application. An application normal behavior profile (NBP), wherein said NBP includes a plurality of authentication identifiers of the web application is generated. It is determined using the NBP whether an authentication request submitted by the user was successful. A first actionable data on a successful authentication request is saved. A second actionable data on an unsuccessful authentication request is saved.
28 Citations
81 Claims
-
1. A method for tracking and identifying an identity of a user using a client to access a web application on a protected server, the method comprising:
-
monitoring, by a secure gateway on a device, client requests for the web application sent from a client to the protected sever, and replies to those client requests sent from the protected server to the client; identifying candidate authentication forms in the replies to the client requests sent from the protected server to the client; determining which of the candidate authentication forms in those replies are authentication forms; generating a normal behavior profile (NBP) for the web application, wherein said NBP includes authentication form identifiers corresponding to those of the candidate authentication forms determined to be the authentication forms; monitoring, by the secure gateway using the authentication form identifiers, login requests sent from the client to the protected server, and login responses sent from the protected server to the client in response to the login requests; identifying, for each of the authentication form identifiers in the NBP, a combination of login indications and corresponding values in the login responses that indicates a successful login request; generating an updated NBP by adding to the NBP, for each of the authentication form identifiers in the NBP, the combination of login indications and corresponding values identified to be indicating a successful login request; determining by the secure gateway using the updated NBP whether a subsequent login request submitted by the user was successful; saving a first actionable data if the subsequent login request is determined to be successful, wherein the first actionable data comprises user identifiers associated with the user for tracking the user across a plurality of sessions; and saving a second actionable data if the subsequent login request is determined to be unsuccessful. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
-
-
13. A computer program product including a non-transitory computer-readable storage medium comprising instructions, said instructions when executed on a computer enables the computer to implement a method to track and identify identity of a user using a client to access a web application on a protected server, the method comprising:
-
monitoring client requests for the web application sent from a client to the protected sever, and replies to those client requests sent from the protected server to the client; identifying candidate authentication forms in the replies to the client requests sent from the protected server to the client; determining which of the candidate authentication forms in those replies are authentication forms; generating a normal behavior profile (NBP) associated with the web application, wherein said NBP includes authentication form identifiers corresponding to those of the candidate authentication forms determined to be the authentication forms; monitoring, using the authentication form identifiers, login requests sent from the client to the protected server, and login responses with login indications sent from the protected server to the client in response to the login requests; identifying, for each of the authentication form identifiers in the NBP, a combination of login indications and corresponding values in the login responses that indicates a successful login request; generating an updated NBP by adding to the NBP, for each of the authentication form identifiers in the NBP, the combination of login indications and corresponding values identified to be indicating a successful login request; determining, using the updated NBP, whether a subsequent login request submitted by the user was successful; saving a first actionable data if the subsequent login request is determined to be successful; and saving a second actionable data if the subsequent login request is determined to be unsuccessful. - View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
-
-
26. A security system having user awareness capabilities for tracking and identifying the identity of users accessing a web application on a protected server, the system comprises:
-
a secure server coupled to a secure gateway and operable to generate an application normal behavior profile (NBP) that includes; authentication form identifiers of the web application, wherein the authentication form identifiers corresponds to those of candidate authentication forms, that are in replies sent from the protected server to a client in response to client requests for the web application, determined to be actual authentication forms; and for each of the authentication form identifiers, a combination of login indications and corresponding values indicating a successful login request, wherein the login indications are in login responses sent from the protected server to the client in response to the login requests associated with the authentication forms; and at least one secure gateway installed in a line of traffic between a client and a web server and operable to determine using the application NBP whether a login request from the client was successful. - View Dependent Claims (27, 28, 29, 30, 31, 32, 33)
-
-
34. A method for tracking and identifying an identity of a user using a client to access a web application on a protected server, the method comprising:
-
receiving an application normal behavior profile (NBP) of the web application at a secure gateway on a device, wherein the application NBP includes; authentication form identifiers corresponding to authentication forms that have been in replies sent from the protected server to a client in response to client requests for the web application; and for each of the authentication form identifiers, a successful login pattern that includes a combination of login indications and corresponding values indicating a successful login request, wherein the successful login pattern was sent in login responses from the protected server to the client in response to the login requests that include the authentication forms with user entered information and that have been successfully authenticated; determining by the secure gateway using the application NBP whether a subsequent login request submitted by the user was successful; and storing a first actionable data if the subsequent login request was successful, wherein the first actionable data comprises user identifiers associated with the user to track the user across a plurality of sessions. - View Dependent Claims (35, 36, 37, 38, 39, 40, 41, 42)
-
-
43. A computer program product including a non-transitory computer-readable storage medium comprising instructions, said instructions when executed on a computer enables the computer to implement a method to track and identify identity of a user using a client to access a web application on a protected server, the method comprising:
-
receiving an application normal behavior profile (NBP) of the web application at a secure gateway on a device, wherein the application NBP includes; authentication form identifiers corresponding to authentication forms that have been in replies sent from the protected server to a client in response to client requests for the web application; and for each of the authentication form identifiers, a successful login pattern that includes a combination of login indications and corresponding values indicating a successful login request, wherein the successful login pattern was sent in login responses from the protected server to the client in response to the login requests that include the authentication forms with user entered information and that have been successfully authenticated; determining by the secure gateway using the application NBP whether a subsequent login request submitted by the user was successful; and storing a first actionable data if the subsequent login request was successful, wherein the first actionable data comprises user identifiers associated with the user to track the user across a plurality of sessions. - View Dependent Claims (44, 45, 46, 47, 48, 49, 50, 51)
-
-
52. A method in a system coupled between a protected server and a client for tracking successful logins to the protected server by a user using the client, the method comprising:
-
automatically learning an authentication form by inspecting replies being sent from the protected server to the client, wherein the protected server sends the authentication form to the client as part of an authentication service to allow the user to log on to the protected server; automatically learning, using the learnt authentication form, a combination of login indications and values for those login indications that indicates a successful login, wherein the automatically learning the combination of login indications and the values includes; monitoring login responses being sent from the protected server to the client, wherein the login responses are those responses sent by the protected server to the client in reply to login requests that include the learnt authentication form with user entered information and that are sent from the client to the protected server; generating an application normal behavior profile (NBP) that includes, for the learnt authentication form, the combination of login indications and the values of those login indications determined to indicate the successful login; and determining by a secure gateway on a device of the system using the application NBP whether a subsequent login request was successful by using the application NBP and respective login response to that subsequent login request. - View Dependent Claims (53, 54, 55, 56, 57)
-
-
58. A computer program product including a non-transitory computer-readable storage medium comprising instructions, said instructions when executed on a computer enables the computer to implement a method for tracking successful logins to a protected server by a user using a client, the method comprising:
-
automatically learning an authentication form by inspecting replies being sent from the protected server to the client, wherein the protected server sends the authentication form to the client as part of an authentication service to allow the user to log on to the protected server; automatically learning, using the learnt authentication form, a combination of login indications and values for those login indications that indicates a successful login, wherein the automatically learning the combination of login indications and the values includes; monitoring login responses being sent from the protected server to the client, wherein the login responses are those responses sent by the protected server to the client in reply to login requests that include the learnt authentication form with user entered information and that are sent from the client to the protected server; generating an application normal behavior profile (NBP) that includes, for the learnt authentication form, the combination of login indications and the values of those login indications determined to indicate the successful login; and determining by a secure gateway on a device of the system using the application NBP whether a subsequent login request was successful by using the application NBP and respective login response to that subsequent login request. - View Dependent Claims (59, 60, 61, 62, 63)
-
-
64. A method in a system coupled between a protected server and clients for tracking successful logins to the protected server by users using the clients, the method comprising:
-
automatically learning authentication forms by monitoring replies being sent from the protected server to the clients for identifier parameters indicative of authentication forms, wherein the protected server sends such authentication forms to the clients as part of an authentication service to allow the users to log on to the protected server; automatically learning, for the learnt authentication forms, login patterns that when present in login responses being sent from the protected server to the client indicate successful logins, the automatically learning the login patterns includes, identifying login attempts, sent from the clients to the protected server, in the form of login requests that include the learnt authentication forms with user entered information; monitoring, by a secure gateway on a device of the system, the login responses sent from the protected server to the clients that are in reply to the identified login attempts; and determining which combinations of login indications and their values in the login responses are the login patterns of successful logins; generating, by a secure server, an application normal behavior profile (NBP) that represents, for the learnt authentication forms, the login patterns of successful logins; and determining by the secure gateway whether a subsequent login request was successful by using the application NBP and respective login response to that subsequent login request. - View Dependent Claims (65, 66, 67, 68, 69)
-
-
70. A computer program product including a non-transitory computer-readable storage medium comprising instructions, said instructions when executed in a system enables a method for tracking successful logins to a protected server by users using clients, the method comprising:
-
automatically learning authentication forms by monitoring replies being sent from the protected server to the clients for identifier parameters indicative of authentication forms, wherein the protected server sends such authentication forms to the clients as part of an authentication service to allow the users to log on to the protected server; automatically learning, for the learnt authentication forms, login patterns that when present in login responses being sent from the protected server to the client indicate successful logins, the automatically learning the login patterns includes, identifying login attempts, sent from the clients to the protected server, in the form of login requests that include the learnt authentication forms with user entered information; monitoring, by a security gateway on a device of the system, the login responses sent from the protected server to the clients that are in reply to the identified login attempts; and determining which combinations of login indications and their values in the login responses are the login patterns of successful logins; generating, by a secure server, an application normal behavior profile (NBP) that represents, for the learnt authentication forms, the login patterns of successful logins; and determining by the secure gateway whether a subsequent login request was successful by using the application NBP and respective login response to that subsequent login request. - View Dependent Claims (71, 72, 73, 74, 75)
-
-
76. A system, coupled between a protected server and clients, having user awareness capabilities for tracking, across a plurality of sessions, successful logins to the protected server by users using the clients, the system comprises:
-
a secure gateway installed in a line of traffic between the client and the protected server and to; inspect, as part of an automatic process for learning an authentication form used as part of an authentication service to allow the users to log on to the protected server, for occurrences of the authentication form in replies being sent from the protected server to the clients; monitor, as part of an automatic process for learning a login pattern indicative of a successful login, for observations of the login patterns in login responses being sent from the protected server to the clients, wherein the login responses are in those responses sent by the protected server to the clients in reply to login attempts being sent from the clients to the protected server that include the authentication form with user entered information; a secure server coupled to the secure gateway and to automatically generate an application NBP that represents the login pattern of the successful login for the authentication form; and the secure gateway is also to determine whether a subsequent login request was successful by using the application NBP and respective login response to that subsequent login request. - View Dependent Claims (77, 78, 79, 80, 81)
-
Specification