Rule generalization for web application entry point modeling
First Claim
1. A method comprising:
(a) maintaining, by a device intermediary to a client and a server, statistical data about messages of a user session that are rejected based on a rejection rule that rejects messages for having an identified attribute;
(b) determining, by the device, from the statistical data the frequency count at which messages of the user session having the identified attribute are rejected;
(c) comparing, by the device, the frequency count of the rejected messages within the user session to a threshold;
(d) generating, by the device for the user session, responsive to the comparison, an exception rule to the rejection rule, the exception rule allowing messages having the identified attribute to pass;
(e) receiving, by the device, via the user session a message having the identified attribute; and
(f) allowing, by the device, the message of the user session to pass between the client and the server based on the exception rule that allows messages having the identified attribute to pass.
Abstract
A security gateway receives messages, such as URL requests, that a message filter has rejected based on a set of rules. The security gateway maintains the frequencies with which messages were rejected by each rule and finds rejected messages with a high frequency of occurrence. Since messages that recur with high frequency are more likely to represent legitimate requests than malicious attacks, the security gateway generates exception rules that allow similar messages to pass through the gateway.
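A compact Python model of the gateway described in the abstract and in steps (a) to (f) of claim 1, added here as an example and not taken from the patent; the attribute names, the threshold of 3, the session identifiers and the sample requests are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Gateway:
    # Rejection rules: attribute name -> set of values the filter rejects.
    rejection_rules: dict
    threshold: int = 3  # assumed value; the patent does not fix a number
    # (a) statistical data: rejections counted per (session, attribute, value)
    rejections: Counter = field(default_factory=Counter)
    # (d) exception rules, scoped per session: session_id -> {(attribute, value)}
    exceptions: dict = field(default_factory=dict)

    def _matched_rejection(self, message):
        """Return the (attribute, value) a rejection rule matches, or None."""
        for attr, bad_values in self.rejection_rules.items():
            if message.get(attr) in bad_values:
                return (attr, message[attr])
        return None

    def process(self, session_id, message):
        """Return 'pass' or 'reject' for one message of the given session."""
        key = self._matched_rejection(message)
        if key is None:
            return "pass"  # no rejection rule fires
        if key in self.exceptions.get(session_id, set()):
            return "pass"  # (e)/(f): a session-scoped exception rule applies
        # (a) record the rejection and (b) read back the frequency count
        self.rejections[(session_id,) + key] += 1
        count = self.rejections[(session_id,) + key]
        # (c) compare with the threshold; (d) generate an exception for this session
        if count >= self.threshold:
            self.exceptions.setdefault(session_id, set()).add(key)
        return "reject"


def demo():
    """Constructed scenario: one session repeats a rejected request four times."""
    gw = Gateway(rejection_rules={"path": {"/admin/export"}}, threshold=3)
    msg = {"method": "GET", "path": "/admin/export"}
    results = [gw.process("sess-A", msg) for _ in range(4)]
    # The exception is per session: the same message from another session is still rejected.
    other = gw.process("sess-B", msg)
    return results, other, sorted(gw.exceptions["sess-A"])
```

The third rejection in sess-A reaches the threshold and creates the exception, so the fourth identical message passes while sess-B, which has no such history, is still filtered.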
20 Claims
1. A method comprising: (independent claim; text as given under First Claim above. Dependent claims: 2-10.)

11. A method comprising:
(a) maintaining, by a device intermediary to a client and a server, a count of a number of times within a user session that messages having a predetermined attribute are rejected based on a rejection rule that rejects messages having the predetermined attribute;
(b) determining, by the device, that the count of the number of times within the user session that messages are rejected based on the rejection rule exceeds a threshold;
(c) generating, by the device for the user session, an exception rule to the rejection rule responsive to the determination, the exception rule allowing messages having the predetermined attribute to pass;
(d) receiving, by the device, via the user session a message having the predetermined attribute; and
(e) allowing, by the device, the message of the user session to pass between the client and the server based on the exception rule that allows messages having the predetermined attribute to pass.
(Dependent claims: 12-20.)