Automatic stability determination and deployment of discrete parts of a profile representing normal behavior to provide fast protection of web applications

US 9,781,133 B2
Filed: 04/16/2014
Issued: 10/03/2017
Est. Priority Date: 12/02/2003
Status: Active Grant

First Claim

Patent Images

1. A non-transitory, tangible computer-readable media which has stored in it instructions, which when executed by a computer that participates in protection of a web application that is installed on a protected device and to which clients send hypertext transfer protocol (HTTP) requests, cause the computer to perform the steps of:

responsive to a sensor collecting the HTTP requests sent by the clients to the web application installed on the protected device, automatically creating for the web application a profile with a plurality of discrete parts that will represent normal behavior so that deviations from the profile can be considered anomalous;

automatically determining that a first discrete part of the plurality of discrete parts of the profile has become a stable representation of normal behavior so that deviations from the first discrete part can be considered anomalous while a second discrete part of the plurality of discrete parts of the profile is not a stable representation; and

responsive to the automatically determining, automatically deploying by the computer the first discrete part of the profile to the sensor that now will compare with the first discrete part of the profile subsequent HTTP requests sent by the clients to the web application to detect deviations from the normal behavior represented by the first discrete part but not detect deviations from the normal behavior represented by the second discrete part while the second discrete part of the profile remains not a stable representation.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for automatic stability determination and deployment of discrete parts of a profile representing normal behavior to provide fast protection of web applications is disclosed. The system, in response to a sensor collecting from HTTP requests sent by the clients to the web application installed on the protected device, automatically creates for a web application a profile with discrete parts that will represent normal behavior so that deviations from the profile can be considered anomalous. The system automatically determines that a first of the discrete parts of the profile has become stable. The system then automatically deploys the first discrete part of the profile to the sensor that now will compare with the first discrete part of the profile subsequent HTTP requests sent by the clients to the web application to detect deviations from the normal behavior represented by the first discrete part.

23 Citations

23 Claims

1. A non-transitory, tangible computer-readable media which has stored in it instructions, which when executed by a computer that participates in protection of a web application that is installed on a protected device and to which clients send hypertext transfer protocol (HTTP) requests, cause the computer to perform the steps of:
- responsive to a sensor collecting the HTTP requests sent by the clients to the web application installed on the protected device, automatically creating for the web application a profile with a plurality of discrete parts that will represent normal behavior so that deviations from the profile can be considered anomalous;
  
  automatically determining that a first discrete part of the plurality of discrete parts of the profile has become a stable representation of normal behavior so that deviations from the first discrete part can be considered anomalous while a second discrete part of the plurality of discrete parts of the profile is not a stable representation; and
  
  responsive to the automatically determining, automatically deploying by the computer the first discrete part of the profile to the sensor that now will compare with the first discrete part of the profile subsequent HTTP requests sent by the clients to the web application to detect deviations from the normal behavior represented by the first discrete part but not detect deviations from the normal behavior represented by the second discrete part while the second discrete part of the profile remains not a stable representation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 2. The non-transitory, tangible computer-readable media of claim 1, wherein the instructions, when executed by the computer, also cause the computer to perform the step of:
    - responsive to the automatically determining and prior to the automatically deploying, automatically changing a current state of the first discrete part to enforceable.
  - 3. The non-transitory, tangible computer-readable media of claim 1, wherein the automatically creating, automatically determining, and automatically deploying are performed without any prior knowledge of semantics of the web application.
  - 4. The non-transitory, tangible computer-readable media of claim 1, wherein the profile is a hierarchic data structure.
  - 5. The non-transitory, tangible computer-readable media of claim 1, wherein the automatically creating further comprises:
    - performing a lexical analysis; and
      
      performing a syntax analysis.
  - 6. The non-transitory, tangible computer-readable media of claim 5, wherein the performing the lexical analysis comprises:
    - breaking each of the HTTP requests into tokens; and
      
      creating a representation of the HTTP requests using properties of the tokens.
  - 7. The non-transitory, tangible computer-readable media of claim 5, wherein the performing the syntax analysis comprises:
    - breaking each of the HTTP requests into functional units; and
      
      classifying the functional units as identification units and property units.
  - 8. The non-transitory, tangible computer-readable media of claim 7, wherein the identification units are used for identifying the HTTP requests.
  - 9. The non-transitory, tangible computer-readable media of claim 7, wherein the property units describe properties of the HTTP requests.
  - 10. The non-transitory, tangible computer-readable media of claim 7, wherein the automatically creating further comprises:
    - gathering the property units having at least one similar identification unit to form a profile property; and
      
      attaching the profile property to its corresponding profile item.
  - 11. The non-transitory, tangible computer-readable media of claim 1, wherein automatically determining comprises computing a Bayesian probability for a mistake.
  - 12. The non-transitory, tangible computer-readable media of claim 1, wherein the automatically determining comprises:
    - computing a percentage of learning progress for the discrete parts of the profile; and
      
      determining the respective discrete part is a stable representation when the percentage of learning progress exceeds a predefined threshold.
  - 13. The non-transitory, tangible computer-readable media of claim 1, wherein:
    - the profile comprises a plurality of profile items and a plurality of profile properties, wherein each of the plurality of profile items comprises at least one profile property; and
      
      the automatically determining comprises;
      
      computing a percentage of learning progress for each profile item and profile property out of the total number of the HTTP requests received over a predefined time; and
      
      determining the respective profile item or the profile property is a stable representation when the percentage of learning progress exceeds a predefined threshold.
  - 14. The non-transitory, tangible computer-readable media of claim 1, wherein the profile is an adaptive profile that is automatically updated while the computer is operating in a protect mode.
  - 15. The non-transitory, tangible computer-readable media of claim 1, wherein the sensor sniffs traffic.
  - 16. The non-transitory, tangible computer-readable media of claim 1, wherein the sensor operates in a line of traffic between the clients and the web application.
  - 17. The non-transitory, tangible computer-readable media of claim 1, wherein the discrete parts include a URL item and a parameter item, and wherein profile properties corresponding to the parameter item include a length restriction on a parameter'"'"'s value and a parameter type for a parameter of HTTP requests.
  - 18. The non-transitory, tangible computer-readable media of claim 17, wherein the URL item describes a single URL within the web application.
  - 19. The non-transitory, tangible computer-readable media of claim 18, wherein the parameter item describes a list of parameters of HTTP requests submitted to the web application.
  - 20. The non-transitory, tangible computer-readable media of claim 1, wherein the automatically creating comprises:
    - gathering property units having similar identification units to form a profile property, wherein the property units describe properties of the HTTP requests, and wherein the identification units are used for identifying the HTTP requests; and
      
      attaching the profile properties to corresponding profile items that are based on the identification units.
  - 21. The non-transitory, tangible computer-readable media of claim 20, wherein the automatically creating further comprises, prior to the gathering, the following:
    - performing syntax analysis to generate functional units; and
      
      classifying the functional units as identification units and property units.
  - 22. The non-transitory, tangible computer-readable media of claim 1, wherein said second discrete part is not deployed along with the first discrete part.
  - 23. The non-transitory, tangible computer-readable media of claim 1, wherein said second discrete part is deployed along with the first discrete part although the sensor will not detect deviations from the normal behavior represented by the second discrete part due to the second discrete part of the profile not being a stable representation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Imperva Incorporated (Thales SA)
Original Assignee
Imperva Incorporated (Thales SA)
Inventors
Shulman, Amichai, Boodaei, Michael, Kramer, Shlomo
Primary Examiner(s)
King, John B

Application Number

US14/254,564
Publication Number

US 20140230058A1
Time in Patent Office

1,266 Days
Field of Search

726 26
US Class Current
CPC Class Codes

G06F 16/217   Database tuning G06F16/2282...

G06F 21/577   Assessing vulnerabilities a...

H04L 41/142   using statistical or mathem...

H04L 41/16   using machine learning or a...

H04L 43/00   Arrangements for monitoring...

H04L 43/106   using time related informat...

H04L 63/102   Entity profiles

H04L 63/14   for detecting or protecting...

H04L 63/1433   Vulnerability analysis

Automatic stability determination and deployment of discrete parts of a profile representing normal behavior to provide fast protection of web applications

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

23 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Automatic stability determination and deployment of discrete parts of a profile representing normal behavior to provide fast protection of web applications

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links