Methods, systems, and apparatus for mitigating network-based attacks

US 9,769,203 B2
Filed: 09/22/2014
Issued: 09/19/2017
Est. Priority Date: 09/22/2014
Status: Active Grant

First Claim

Patent Images

1. A method of mitigating a replay attack, the method comprising:

obtaining a first request associated with a transaction;

associating a request identifier of the first request with the transaction;

comparing a count of outstanding requests associated with a user to a throttling limit;

processing the first request if a request type and the request identifier of the first request corresponds to a current state of the transaction, the first request is an only request received having the request type and the request identifier of the first request, and the count of outstanding requests does not violate the throttling limit, the current state being one of a plurality of states for processing the transaction;

denying the first request if the request type of the first request does not correspond to the current state of the transaction, another received request has a same request type and a same request identifier of the first request, or the count of outstanding requests associated with the user violates the throttling limit;

obtaining an additional request associated with the transaction;

processing the additional request if a corresponding request identifier of the additional request matches the request identifier associated with the transaction; and

denying the additional request if the corresponding request identifier of the additional request does not match the request identifier associated with the transaction.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, computer program products, and articles of manufacture for mitigating a network-based attack are described. A first request associated with a transaction is obtained and a tracking identifier of the first request is associated with the transaction. A count of outstanding requests associated with a user is compared to a throttling limit. If the count of outstanding requests associated with the user is greater than the throttling limit, processing of the first request may be denied.

Citations

19 Claims

1. A method of mitigating a replay attack, the method comprising:
- obtaining a first request associated with a transaction;
  
  associating a request identifier of the first request with the transaction;
  
  comparing a count of outstanding requests associated with a user to a throttling limit;
  
  processing the first request if a request type and the request identifier of the first request corresponds to a current state of the transaction, the first request is an only request received having the request type and the request identifier of the first request, and the count of outstanding requests does not violate the throttling limit, the current state being one of a plurality of states for processing the transaction;
  
  denying the first request if the request type of the first request does not correspond to the current state of the transaction, another received request has a same request type and a same request identifier of the first request, or the count of outstanding requests associated with the user violates the throttling limit;
  
  obtaining an additional request associated with the transaction;
  
  processing the additional request if a corresponding request identifier of the additional request matches the request identifier associated with the transaction; and
  
  denying the additional request if the corresponding request identifier of the additional request does not match the request identifier associated with the transaction.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the request identifier is used as a tracking identifier.
  - 3. The method of claim 1, wherein the request identifier is based on a time of a creation of the first request.
  - 4. The method of claim 1, wherein a same request identifier is utilized for all valid requests of the transaction.
  - 5. The method of claim 1, further comprising:
    - obtaining a second additional request;
      
      processing the second additional request if a request type of the second additional request corresponds to the current state of the transaction; and
      
      denying the second additional request if the request type of the additional request does not correspond to the current state of the transaction.
  - 6. The method of claim 5, wherein the current state is one of a preview state, a create columnar table state, a data insert state, an alter table state, and an analytical view creation state.
  - 7. The method of claim 1, wherein the denying the first request comprises one or more of ignoring the first request, preventing submission of the first request, delaying processing of the first request, and requesting the user to delay submitting additional requests.

8. An apparatus for mitigating a replay attack, comprising:
- a processor; and
  
  memory to store instructions that;
  
  when executed by the processor;
  
  cause the processor to perform operations comprising;
  
  obtaining a first request associated with a transaction;
  
  associating a request identifier of the first request with the transaction;
  
  comparing a count of outstanding requests associated with a user to a throttling limit;
  
  processing the first request if a request type and the request identifier of the first request corresponds to a current state of the transaction, the first request is an only request received having the request type and the request identifier of the first request; and
  
  the count of outstanding requests does not violate the throttling limit, the current state being one of a plurality of states for processing the transaction;
  
  denying the first request if the request type of the first request does not correspond to the current state of the transaction, another received request has a same request type and a same request identifier of the first request, or the count of outstanding requests associated with the user violates the throttling limit;
  
  obtaining an additional request associated with the transaction;
  
  processing the additional request if a corresponding request identifier of the additional request matches the request identifier associated with the transaction; and
  
  denying the additional request if the corresponding request identifier of the additional request does not match the request identifier associated with the transaction.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The apparatus of claim 8, wherein the request identifier is used as a tracking identifier.
  - 10. The apparatus of claim 8, wherein the request identifier is based on a time of a creation of the first request.
  - 11. The apparatus of claim 8, wherein a same request identifier is utilized for all valid requests of the transaction.
  - 12. The apparatus of claim 8, wherein the current state is one of a preview state, a create columnar table state, a data insert state, an alter table state, and an analytical view creation state.
  - 13. The apparatus of claim 8, wherein mitigation module is further configured to perform operations comprising:
    - obtaining a second additional request;
      
      processing the second additional request if a request type of the second additional request corresponds to the current state of the transaction; and
      
      denying the second additional request if the request type of the additional request does not correspond to the current state of the transaction.
  - 14. The apparatus of claim 13, wherein the current state is one of a preview state, a create columnar table state, a data insert state, an alter table state, and an analytical view creation state.
  - 15. The apparatus of claim 8, wherein the denying the first request comprises one or more of ignoring the first request, preventing submission of the first request, delaying processing of the first request, and requesting the user to delay submitting additional requests.

16. A non-transitory machine-readable storage medium comprising instructions that, when executed by one or more processors of a machine, cause the machine to perform operations comprising:
- obtaining a first request associated with a transaction;
  
  associating a request identifier of the first request with the transaction;
  
  comparing a count of outstanding requests associated with a user to a throttling limit;
  
  processing the first request if a request type and the request identifier of the first request corresponds to a current state of the transaction, the first request is an only request received having the request type and the request identifier of the first request, and the count of outstanding requests does not violate the throttling limit, the current state being one of a plurality of states for processing the transaction;
  
  denying the first request if the request type of the first request does not correspond to the current state of the transaction, another received request has a same request type and a same request identifier of the first request, or the count of outstanding requests associated with the user violates the throttling limit;
  
  obtaining an additional request associated with the transaction;
  
  processing the additional request if a corresponding request identifier of the additional request matches the request identifier associated with the transaction; and
  
  denying the additional request if the corresponding request identifier of the additional request does not match the request identifier associated with the transaction.
- View Dependent Claims (17, 18, 19)
- - 17. The non-transitory machine-readable storage medium of claim 16, wherein a same request identifier is utilized for all valid requests of the transaction.
  - 18. The non-transitory machine-readable storage medium of claim 16, wherein the current state is one of a preview state, a create columnar table state, a data insert state, an alter table state, and an analytical view creation state.
  - 19. The non-transitory machine-readable storage medium of claim 16, further comprising instructions that, when executed by the one or more processors of the machine, cause the machine to perform operations comprising:
    - obtaining a second additional request;
      
      processing the second additional request if a request type of the second additional request corresponds to the current state of the transaction; and
      
      denying the second additional request if the request type of the additional request does not correspond to the current state of the transaction.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP SE
Inventors
Chandran, Lakshmy, Kunal, Parsewar, Tripathy, Manasa Ranjan, Vaitheeswaran, Ganesh, Harish, Vishnu Gowda, S, Praveen
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
Savenkov, Vadim

Application Number

US14/492,254
Publication Number

US 20160088014A1
Time in Patent Office

1,093 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/1408   by monitoring network traff...

H04L 63/1458   Denial of Service

H04L 63/1466   Active attacks involving in...

Methods, systems, and apparatus for mitigating network-based attacks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Methods, systems, and apparatus for mitigating network-based attacks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links