Security-aware admission control of requests in a distributed system

US 9,231,970 B2
Filed: 03/08/2013
Issued: 01/05/2016
Est. Priority Date: 03/08/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

identifying a request dropped by a first application component in a distributed system;

determining one or more actions to take with respect to the dropped request, said determining comprises;

identifying one or more policies of the first application component responsible for the dropped request; and

identifying one or more additional application components in the distributed system to be affected based on the identified one or more policies;

executing, at each of the one or more additional application components, a distinct one of said one or more actions to temporarily preclude admission of all requests of a given type associated with the dropped request at each of the one or more additional application components subsequent to a predetermined number of multiple instances of the request dropped by the first application;

enacting a change to the identified one or more policies of the first application component, wherein the change renders the request dropped by the first application component allowable by the first application component; and

transmitting a notification to the one or more additional application components to allow admission of one or more requests associated with the dropped request;

wherein at least one of the steps is carried out by a computer device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for security-aware admission control of requests in a distributed system. A method includes identifying a request dropped by a first application component in a distributed system, determining one or more actions to take with respect to the dropped request, said determining comprises identifying one or more policies of the first application component responsible for the dropped request and identifying one or more additional application components in the distributed system to be affected based on the identified one or more policies, and executing said one or more actions to control admission of one or more requests associated with the dropped request at the one or more additional application components.

13 Citations

15 Claims

1. A method comprising:
- identifying a request dropped by a first application component in a distributed system;
  
  determining one or more actions to take with respect to the dropped request, said determining comprises;
  
  identifying one or more policies of the first application component responsible for the dropped request; and
  
  identifying one or more additional application components in the distributed system to be affected based on the identified one or more policies;
  
  executing, at each of the one or more additional application components, a distinct one of said one or more actions to temporarily preclude admission of all requests of a given type associated with the dropped request at each of the one or more additional application components subsequent to a predetermined number of multiple instances of the request dropped by the first application;
  
  enacting a change to the identified one or more policies of the first application component, wherein the change renders the request dropped by the first application component allowable by the first application component; and
  
  transmitting a notification to the one or more additional application components to allow admission of one or more requests associated with the dropped request;
  
  wherein at least one of the steps is carried out by a computer device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein said executing said one or more actions comprises executing said one or more actions until the one or more policies responsible for the dropped request are determined to be consistent across the first application component and the one or more additional application components.
  - 3. The method of claim 1, wherein said one or more actions comprise recording the one or more requests associated with the dropped request.
  - 4. The method of claim 1, wherein said one or more actions comprise throttling the one or more requests associated with the dropped request.
  - 5. The method of claim 1, wherein said one or more actions comprise dropping the one or more requests associated with the dropped request.
  - 6. The method of claim 1, wherein said one or more actions comprise forwarding the one or more requests associated with the dropped request to a replica of the first application component.
  - 7. The method of claim 1, wherein said determining one or more actions to take comprises determining if credential information used by the first application component is the same credential information for the one or more additional application components.
  - 8. The method of claim 1, wherein said deter lining one or more actions to take comprises determining if credential information used by the dropped request to utilize a service of the first application component has expired and/or been revoked.
  - 9. The method of claim 1, wherein said determining one or more actions to take comprises determining if a session to which the dropped request refers is valid.
  - 10. The method of claim 1, wherein said determining one or more actions to take comprises determining if the one or more additional application components have received a pre-determined number of requests similar to the dropped request within a pre-determined time period.
  - 11. The method of claim 1, wherein said determining one or more actions to take comprises determining if the one or more policies of the one or more additional application components have been altered.
  - 12. The method of claim 1, comprising:
    - generating one or more alerts to one or more system administrators pertaining to the execution of the one or more actions.
  - 13. The method of claim 1, comprising:
    - storing one or more session attributes and one or more credentials of the dropped request.
  - 14. The method of claim 1, comprising:
    - storing a reason for which the dropped request was not authorized.
  - 15. The method of claim 14, wherein said reason comprises one or more of a lack of credentials, a value of one or more parameters that leads to an overflow of a buffer, an input that injects malicious code, and/or a parameter of the request that contributes to detection of a potential security violation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Finjan Blue, Inc. (SoftBank Group Corp.)
Original Assignee
International Business Machines Corporation
Inventors
Kundu, Ashish, Mohindra, Ajay, Sahu, Sambit
Primary Examiner(s)
Kim, Jung
Assistant Examiner(s)
Stoica, Adrian

Application Number

US13/790,040
Publication Number

US 20140259089A1
Time in Patent Office

1,033 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

H04L 63/10   for controlling access to d...

H04L 63/1441   Countermeasures against mal...

Security-aware admission control of requests in a distributed system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

13 Citations

15 Claims

Specification

Use Cases

Quick Links

Others

Security-aware admission control of requests in a distributed system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

15 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others