Web application exploit mitigation in an information technology environment

US 8,572,750 B2
Filed: 09/30/2011
Issued: 10/29/2013
Est. Priority Date: 09/30/2011
Status: Active Grant

First Claim

Patent Images

1. A method for facilitating security in an information technology environment, the method comprising:

inspecting, by a processor, behavior of a web application during execution thereof in the information technology environment, the inspecting determining whether a security vulnerability associated with execution of the web application in the information technology environment exists based on comparing baseline behavior of the web application to behavior of the web application observed in response to executing modified versions of requests issued to the web application to generate the baseline behavior; and

responsive to determining that the security vulnerability exists, generating at least one virtual patch, the at least one virtual patch comprising one or more logical pattern expressions representative of the security vulnerability determined based on the behavior of the web application during execution thereof, and the at least one virtual patch for patching one or more infrastructure components of the information technology environment to prevent exploitation of the security vulnerability in the information technology environment.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and computer program products are provided herein for facilitating security in an information technology environment. Web application security vulnerabilities are discovered and addressed by means of virtual patches deployed to components of the information technology environment. An intelligent feedback loop is created to fill the void in the security of the web application when implemented in the specific information technology environment, thereby providing end-to-end security application management through dynamic, pre-emptive, and proactive security awareness and protection in the information technology environment. As new web application security vulnerabilities are discovered, the vulnerability is diagnosed and resolved to preemptively prevent exploitation of the security vulnerability.

38 Citations

View as Search Results

25 Claims

1. A method for facilitating security in an information technology environment, the method comprising:
- inspecting, by a processor, behavior of a web application during execution thereof in the information technology environment, the inspecting determining whether a security vulnerability associated with execution of the web application in the information technology environment exists based on comparing baseline behavior of the web application to behavior of the web application observed in response to executing modified versions of requests issued to the web application to generate the baseline behavior; and
  
  responsive to determining that the security vulnerability exists, generating at least one virtual patch, the at least one virtual patch comprising one or more logical pattern expressions representative of the security vulnerability determined based on the behavior of the web application during execution thereof, and the at least one virtual patch for patching one or more infrastructure components of the information technology environment to prevent exploitation of the security vulnerability in the information technology environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising establishing the baseline behavior for the web application, the establishing the baseline behavior comprising issuing at least one baseline request of the requests to the web application for execution of the at least one baseline request, and, for each baseline request of the at least one baseline request, associating a respective baseline response of the web application, obtained responsive to execution of the baseline request, with the issued baseline request to form at least one baseline request/response pair.
  - 3. The method of claim 2, wherein inspecting the behavior of the web application comprises:
    - determining at least one variant request, the at least one variant request based on the at least one baseline request and comprising one or more modifications to at least one request element of the at least one baseline request;
      
      issuing the at least one variant request to the web application for execution thereof;
      
      for each variant request of the at least one variant request, associating a respective variant response of the web application, obtained responsive to execution of the variant request, with the variant request to form a variant request/response pair; and
      
      identifying at least one variant request/response pair that indicates existence of the security vulnerability, the identifying the at least one variant request/response pair comprising comparing the variant response of the variant request/response pair with the at least one baseline response and determining, based on the comparing, whether a difference between the at least one baseline response and the variant response indicates existence of the security vulnerability.
  - 4. The method of claim 3, further comprising, responsive to determining that a security vulnerability exists, determining a request type from which the security vulnerability originated, the request type being an external system request type or an internal system request type, and repeating the inspecting of the web application to determine whether the security vulnerability persists, wherein repeating the inspecting comprises tailoring variant requests for issuing to the web application according to the determined request type from which the security vulnerability originated, and wherein generating the at least one virtual patch is performed responsive to the repeating the inspecting indicating that security vulnerability persists.
  - 5. The method of claim 4, further comprising repeating the inspecting and the generating responsive to one or more other security vulnerabilities existing, to patch the one or more infrastructure components of the information technology environment to prevent exploitation of the one or more other security vulnerabilities in the information technology environment.
  - 6. The method of claim 3, wherein the one or more modifications to the at least one request element are stored as security scan metadata, and wherein generating the at least one virtual patch comprises:
    - collecting the identified at least one variant request/response pair and the scan metadata;
      
      determining one or more permutations of the at least one variant request/response pair, the computing identifying request elements of the at least one variant request that attempt to exploit the security vulnerability; and
      
      correlating the one or more permutations to obtain the logical pattern expressions for providing to the one or more infrastructure components of the information technology environment to facilitating patching thereof.
  - 7. The method of claim 6, wherein the one or more logical expressions encompasses permutations of a variant request/response pair indicative of the security vulnerability.
  - 8. The method of claim 6, wherein the method further comprises confirming that the at least one virtual patch was applied to prevent exploitation of the security vulnerability in the information technology environment, the confirming comprising:
    - reinitiating inspection of the behavior of the web application, wherein a variant request to exploit the security vulnerability is issued to the web application; and
      
      confirming that the variant request is blocked from exploiting the security vulnerability.
  - 9. The method of claim 1, further comprising logging the security vulnerability as a security event.
  - 10. The method of claim 1, wherein the generating the at least one virtual patch is performed responsive to determining that the one or more infrastructure components of the information technology environment are not already preventing exploitation of the security vulnerability in the information technology environment.
  - 11. The method of claim 1, wherein the one or more infrastructure components of the information technology environment comprise an intrusion protection system, wherein the at least one virtual patch comprises an identification for the intrusion protection system of an exploit scenario for exploiting the security vulnerability, and wherein the method further comprises providing the identification to the intrusion protection system for patching thereof, wherein patching thereof prevents exploitation of the security vulnerability in the information technology environment.
  - 12. The method of claim 1, wherein the method further comprises, responsive to determining that the security vulnerability exists:
    - checking a network history archive to determine whether the security vulnerability has already been subject to an unsuspected exploit thereof; and
      
      initiating a forensic investigation, responsive to determining that the security vulnerability was subject to an unsuspected exploit thereof.
  - 13. The method of claim 1, wherein the web application comprises a customized web application for the information technology environment, and wherein the security vulnerability comprises a security vulnerability specific to execution of the customized web application in the information technology environment.

14. A computer system for facilitating security in an information technology environment, the computer system comprising:
- a memory; and
  
  a processor, in communications with the memory, wherein the computer system is configured to perform;
  
  inspecting behavior of a web application during execution thereof in the information technology environment, the inspecting, determining whether a security vulnerability associated with execution of the web application in the information technology environment exists based on comparing baseline behavior of the web application to behavior of the web application observed in response to executing modified versions of requests to the web application to generate the baseline behavior; and
  
  responsive to determining that the security vulnerability exists, generating at least one virtual patch, the at least one Virtual patch comprising one or more logical pattern expressions representative of the security vulnerability determined based on the behavior of the web application during execution thereof, and the at least one virtual patch for patching one or more infrastructure components of the information technology environment to prevent exploitation of the security vulnerability in the information technology environment.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The computer system of claim 14, wherein the computer system is further configured to perform:
    - establishing the baseline behavior for the web application, the establishing the baseline behavior comprising issuing at least one baseline request of the requests to the web application for execution of the at least one baseline request, and, for each baseline request of the at least one baseline request, associating a respective baseline response of the web application, obtained responsive to execution of the baseline request, with the issued baseline request to form at least one baseline request/response pair.
  - 16. The computer system of claim 15, wherein inspecting the behavior of the web application comprises:
    - determining at least one variant request, the at least one variant request based on the at least one baseline request and comprising one or more modifications to at least one request element of the at least one baseline request;
      
      issuing the at least one variant request to the web application for execution thereof;
      
      for each variant request of the at least one variant request, associating a respective variant response of the web application, obtained responsive to execution of the variant request, with the variant request to form a variant request/response pair; and
      
      identifying at least one variant request/response pair that indicates existence of the security vulnerability, the identifying the at least one variant request/response pair comprising comparing the variant response of the variant request/response pair with the at least one baseline response and determining, based on the comparing, whether a difference between the at least one baseline response and the variant response indicates existence of the security vulnerability.
  - 17. The computer system of claim 16, wherein the computer system is further configured to perform:
    - responsive to determining that a security vulnerability exists, determining a request type from which the security vulnerability originated, the request type being an external system request type or an internal system request type, and repeating the inspecting of the web application to determine whether the security vulnerability persists, wherein repeating the inspecting comprises tailoring variant requests for issuing to the web application according to the determined request type from which the security vulnerability originated, and wherein generating the at least one virtual patch is performed responsive to the repeating the inspecting indicating that security vulnerability persists; and
      
      repeating the inspecting and the generating responsive to one or more other security vulnerabilities existing, to patch the one or more infrastructure components of the information technology environment to prevent exploitation of the one or more other security vulnerabilities in the information technology environment.
  - 18. The computer system of claim 16, wherein the one or more modifications to the at least one request element are stored as security scan metadata, and wherein generating the at least one virtual patch comprises:
    - collecting the identified at least one variant request/response pair and the scan metadata;
      
      determining one or more permutations of the at least one variant request/response pair, the computing identifying request elements of the at least one variant request that attempt to exploit the security vulnerability; and
      
      correlating the one or more permutations to obtain the logical pattern expressions for providing to the one or more infrastructure components of the information technology environment to facilitating patching thereof.
  - 19. The computer system of claim 14, wherein the one or more infrastructure components of the information technology environment comprise an intrusion protection system, wherein the at least one virtual patch comprises an identification for the intrusion protection system of an exploit scenario for exploiting the security vulnerability, and wherein the method further comprises providing the identification to the intrusion protection system for patching thereof, wherein patching thereof prevents exploitation of the security vulnerability in the information technology environment.
  - 20. The computer system of claim 14, wherein the web application comprises a customized web application for the information technology environment, and wherein the security vulnerability comprises a security vulnerability specific to execution of the customized web application in the information technology environment.

21. A computer program product for facilitating security in an information technology environment, the computer program product comprising:
- computer readable program code configured to inspect behavior of a web application during execution thereof in the information technology environment, the inspecting whether a security vulnerability associated with execution of the web application in the information technology environment exists based on comparing baseline behavior of the web application to behavior of the web application observed in response to executing modified versions of requests issues to the web application to generate the baseline behavior; and
  
  computer readable program code configured to, responsive to determining that the security vulnerability exists, generate at least one virtual patch, the at least one virtual patch comprising one or more logical pattern expressions representative of the security vulnerability determined based on the behavior of the web application during execution thereof, and the at least one virtual patch for patching one or more infrastructure components of the information technology environment to prevent exploitation of the security vulnerability in the information technology environment.
- View Dependent Claims (22, 23, 24)
- - 22. The computer program product of claim 21, further comprising computer readable program code to establish the baseline behavior for the web application, the establishing the baseline behavior comprising issuing at least one baseline request of the requests to the web application for execution of the at least one baseline request, and, for each baseline request of the at least one baseline request, associate a respective baseline response of the web application, obtained responsive to execution of the baseline request, with the issued baseline request to form at least one baseline request/response pair.
  - 23. The computer program product of claim 21, wherein the computer readable program code configured to inspect the behavior of the web application comprises:
    - computer readable program code configured to determine at least one variant request, the at least one variant request based on the at least one baseline request and comprising one or more modifications to at least one request element of the at least one baseline request;
      
      computer readable program code configured to issue the at least one variant request to the web application for execution thereof;
      
      computer readable program code configured to, for each variant request of the at least one variant request, associate a respective variant response of the web application, obtained responsive to execution of the variant request, with the variant request to form a variant request/response pair; and
      
      computer readable program code configured to identify at least one variant request/response pair that indicates existence of the security vulnerability, the identifying the at least one variant request/response pair comprising comparing the variant response of the variant request/response pair with the at least one baseline response and determining, based on the comparing, whether a difference between the at least one baseline response and the variant response indicates existence of the security vulnerability.
  - 24. The computer program product of claim 21, wherein the web application comprises a customized web application for the information technology environment, and wherein the security vulnerability comprises a security vulnerability specific to execution of the customized web application in the information technology environment.

25. A method for facilitating on demand security in an information technology environment of a customer, the method comprising:
- responsive to a customer request, inspecting behavior of a web application during execution thereof in the information technology environment of the customer, the inspecting determining whether a security vulnerability associated with execution of the web application in the information technology environment of the customer exists based on comparing baseline behavior of the web application to behavior of the web application observed in response to executing modified versions of requests issued to the web application to generate the baseline behavior; and
  
  responsive to determining that the security vulnerability exists, generating at least one virtual patch, the at least one virtual patch comprising one or more logical pattern expressions representative of the security vulnerability determined based on the behavior of the web application during execution thereof, and the at least one virtual patch to be provided to the customer for patching one or more infrastructure components of the information technology environment of the customer to prevent exploitation of the security vulnerability in the information technology environment of the customer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Finjan Blue, Inc. (SoftBank Group Corp.)
Original Assignee
International Business Machines Corporation
Inventors
Patel, Ashish, Aboualy, Tamer
Primary Examiner(s)
Smithers, Matthew

Application Number

US13/249,937
Publication Number

US 20130086688A1
Time in Patent Office

760 Days
Field of Search

726/25
US Class Current

726/25
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1433   Vulnerability analysis

H04L 63/168   above the transport layer

H04L 67/02   based on web technology, e....

Web application exploit mitigation in an information technology environment

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

38 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Web application exploit mitigation in an information technology environment

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links