System and method for real-time asynchronous multitenant gateway security

US 10,761,913 B2
Filed: 05/04/2018
Issued: 09/01/2020
Est. Priority Date: 05/08/2017
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

at least one processor; and

a memory operatively coupled to the at least one processor, the at least one processor configured to;

receive, by a management component from a global event stream, an event via a stream listener component, wherein the event includes event type information and event content information,determine, by the management component, that the event content information includes at least a portion of service transaction information and the at least portion of the service transaction information partially matches service transaction information that is registered with the management component by a reverse proxy component,determine, by the management component, that the event is a security event, based on the event type information, wherein the security event indicates that an internal service request generated by the reverse proxy component based at least on the external service request and transmitted to a service of an application has been identified as a security threat,determine, by the management component, whether at least a portion of an external content response has been transmitted to a client device via a validated connection having associated service transaction information that partially matches at least a portion of the service transaction information received in the security event and that the validated connection has not been disconnected, andinterrupt, by the management component, the reverse proxy component to invalidate the external content response based on protocol specific rules and to disconnect the validated connection, after determining that at least a portion of the external content response has been transmitted to the client device and that the validated connection has not been disconnected, wherein to disconnect the validated connection, the at least one processor is further configured to;

terminate, by the reverse proxy component, the validated connection;

publish, by the reverse proxy component, a disconnection event to the global event stream via a stream publisher component, wherein the published disconnection event indicates that the validated connection has been terminated;

de-register, by the reverse proxy component, the service transaction information associated with the validated connection from the management component; and

de-allocate, by the reverse proxy component, one or more allocated resources utilized in processing the external service request.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed herein are system, apparatus, article of manufacture, method, and/or computer program product embodiments for real-time asynchronous multitenant gateway security with respect to one or more client devices. An embodiment operates by receiving an event and determining that event content information includes at least a portion of service transaction information and the at least portion of the service transaction information is registered. The embodiment may further operate by determining that the event is a security event based on event type information. The embodiment may then determine whether at least a portion of an external content response has been transmitted to the client device and that a validated connection associated with the service transaction information has not yet been disconnected. Based on those determinations, the embodiment may then interrupt the reverse proxy component to invalidate the external content response and disconnect the validated connection.

61 Citations

View as Search Results

19 Claims

1. A system, comprising:
- at least one processor; and
  
  a memory operatively coupled to the at least one processor, the at least one processor configured to;
  
  receive, by a management component from a global event stream, an event via a stream listener component, wherein the event includes event type information and event content information,determine, by the management component, that the event content information includes at least a portion of service transaction information and the at least portion of the service transaction information partially matches service transaction information that is registered with the management component by a reverse proxy component,determine, by the management component, that the event is a security event, based on the event type information, wherein the security event indicates that an internal service request generated by the reverse proxy component based at least on the external service request and transmitted to a service of an application has been identified as a security threat,determine, by the management component, whether at least a portion of an external content response has been transmitted to a client device via a validated connection having associated service transaction information that partially matches at least a portion of the service transaction information received in the security event and that the validated connection has not been disconnected, andinterrupt, by the management component, the reverse proxy component to invalidate the external content response based on protocol specific rules and to disconnect the validated connection, after determining that at least a portion of the external content response has been transmitted to the client device and that the validated connection has not been disconnected, wherein to disconnect the validated connection, the at least one processor is further configured to;
  
  terminate, by the reverse proxy component, the validated connection;
  
  publish, by the reverse proxy component, a disconnection event to the global event stream via a stream publisher component, wherein the published disconnection event indicates that the validated connection has been terminated;
  
  de-register, by the reverse proxy component, the service transaction information associated with the validated connection from the management component; and
  
  de-allocate, by the reverse proxy component, one or more allocated resources utilized in processing the external service request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The system of claim 1, wherein:
    - the security event is generated by a vulnerability management component of an accelerated application development, deployment, orchestration, and management application (AADDOMA),the vulnerability management component is configured to intercept and analyze communications to and from the service of the application to detect unauthorized, malicious, and/or negatively impacting behavior or activity, andthe service of the application is configured to process at least one internal service request and/or at least one internal service response.
  - 3. The system of claim 2, wherein to intercept and analyze the communications, the vulnerability management component of the AADDOMA is further configured to publish the security event to the global event stream after determining that the internal service request includes an unauthorized action or includes an action that negatively impacts processing of at least one external/internal service request and/or at least one external/internal service response by the service of the application.
  - 4. The system of claim 1, wherein the at least one processor is further configured to operate one or more configured operations of the management component and one or more configured operations of the reverse proxy component in parallel.
  - 5. The system of claim 1, wherein to invalidate the external content response based on the protocol specific rules, the at least one processor is further configured to transmit unrecognizable information as a remaining portion of the external content response via the validated connection, andthe external service request further includes external source information that identifies an internet protocol (IP) address associated with the client device that transmitted the external service request and the credential information includes a user identifier associated with a user of the client device.
  - 6. The system of claim 1, wherein the at least one processor is further configured to:
    - determine, by the management component, whether any external service responses have been transmitted to the client device by the reverse proxy component, in response to the external service request having the associated service transaction information, andinterrupt, by the management component, the reverse proxy component to disconnect the validated connection having associated service transaction information that at least partially matches at least a portion of the service transaction information received in the security event, after determining that no external service response has been transmitted to the client device.
  - 7. The system of claim 1, wherein the at least one processor is further configured to:
    - determine, by the management component, whether all external service responses transmitted to the client device by the reverse proxy component in response to the external service request are external status responses; and
      
      interrupt, by the management component, the reverse proxy component to disconnect the validated connection having associated service transaction information that at least partially match at least a portion of the service transaction information received in the security event, after determining that all external service responses transmitted to the client device are external status responses.
  - 8. The system of claim 1, wherein the at least one processor is further configured to:
    - receive, by the reverse proxy component from the client device, at least a portion of the external service request for access to the service of the application, wherein the external service request includes external resource location information and credential information, andassign, by the reverse proxy component, the service transaction information to the external service request, wherein the service transaction information includes a service transaction identifier that uniquely identifies the external service request.
  - 9. The system of claim 8, wherein the at least one processor is further configured to:
    - determine, by the reverse proxy component, an internal resource location information based on the received external service request, wherein the internal resource location information identifies an endpoint to the service of the application configured to process the internal service request, andauthenticate, by at least one distributed security component, the credential information associated with the external service request to determine whether the external service request is authorized to access the service of the application, wherein the reverse proxy component and the at least one distributed security component are configured to determine the internal resource location information and authenticate the credential information, respectively, in parallel.
  - 10. The system of claim 9, wherein the at least one processor is further configured to:
    - authorize, by the at least one distributed security component, the external service request based at least on the credential information associated with the external service request and the determined internal resource location information, andestablish, by the reverse proxy component, the validated connection to the client device after a successful authentication and authorization of the external service request, wherein the validated connection is associated with the service transaction information assigned by the reverse proxy component.
  - 11. The system of claim 10, wherein the at least one processor is further configured to:
    - transmit, by the reverse proxy component to the endpoint identified by the internal resource location information, the internal service request, andregister, by the reverse proxy component with the management component, the service transaction information associated with the external service request to monitor at least one security event associated with processing of the external service request, wherein the reverse proxy component is configured to transmit the internal service request and register the service transaction information with the management component in parallel.
  - 12. The system of claim 11, wherein the at least one processor is further configured to:
    - receive, by the reverse proxy component from the service of the application, an internal status response, wherein the internal status response indicates a status associated with the service of the application processing the internal service request, andtransmit, by the reverse proxy component to the client device, an external status response generated based at least on the internal status response.
  - 13. The system of claim 1, wherein to transmit the at least portion of the external content response, the at least one processor is further configured to:
    - receive, by the reverse proxy component from the service of the application, a first portion of an internal content response, in response to the internal service request, andtransmit, by the reverse proxy component to the client device, a first portion of the external content response generated based at least on the first portion of the internal content response via the validated connection.
  - 14. The system of claim 13, wherein to transmit the at least portion of the external content response, the at least one processor is further configured to:
    - receive, by the reverse proxy component, a remaining portion of the internal content response from the service of the application in response to the external content request,transmit, by the reverse proxy component, a remaining portion of the external content response generated based on the remaining portion of the internal content response to the client device via the validated connection, anddisconnect, by the reverse proxy component, the validated connection to the client device after transmitting the remaining portion of the external content response.

15. A computer-implemented method, comprising:
- receiving, by a management component from a global event stream, an event via a stream listener component, wherein the event includes event type information and event content information,determining, by the management component, that the event content information includes at least a portion of service transaction information that is associated with an external service request received by a reverse proxy component and the at least portion of the service transaction information partially matches service transaction information that is registered with the management component by the reverse proxy component,determining, by the management component, that the event is a security event, based on the event type information, wherein the security event indicates that an internal service request generated by the reverse proxy component based at least on the external service request and transmitted to a service of an application has been identified as a security threat;
  
  determining, by the management component, whether at least a portion of an external content response has been transmitted via a validated connection having associated service transaction information that partially matches at least a portion of the service transaction information received in the security event, and that the validated connection has not been disconnected; and
  
  interrupting, by the management component, the reverse proxy component to invalidate the external content response based on protocol specific rules, and to disconnect the validated connection, after determining that the at least portion of the external content response has been transmitted to the client device, and that the validated connection has not been disconnected, wherein to disconnect the validated connection, the method further comprises;
  
  terminating, by the reverse proxy component, the validated connection;
  
  publishing, by the reverse proxy component, a disconnection event to the global event stream via a stream publisher component, wherein the published disconnection event indicates that the validated connection has been terminated;
  
  de-registering, by the reverse proxy component, the service transaction information associated with the validated connection from the management component; and
  
  de-allocating, by the reverse proxy component, one or more allocated resources utilized in processing the external service request.
- View Dependent Claims (16, 17)
- - 16. The computer-implemented method of claim 15, wherein:
    - the security event is generated by a vulnerability management component of an accelerated application development, deployment, orchestration, and management application (AADDOMA);
      
      the vulnerability management component intercepts and analyzes communications to and from the service of the application to detect unauthorized, malicious, and/or negatively impacting behavior or activity; and
      
      the service of the application processes at least one internal service request and/or at least one internal service response.
  - 17. The computer-implemented method of claim 16, wherein to intercept and analyze the communications, the vulnerability management component of the AADDOMA publishes the security event to the global event stream after determining that the internal service request includes an unauthorized action or includes an action that negatively impacts processing of at least one external/internal service request and/or at least one external/internal service response by the service of the application.

18. A non-transitory tangible computer-readable device having instructions stored thereon that, when executed by at least one computing device, causes the at least one computing device to perform operations comprising:
- receiving, by a management component from a global event stream, an event via a stream listener component, wherein the event includes event type information and event content information,determining, by the management component, that the event content information includes at least a portion of service transaction information that is associated with an external service request received by a reverse proxy component and the at least portion of the service transaction information partially matches service transaction information that is registered with the management component by the reverse proxy component,determining, by the management component, that the event is a security event, based on the event type information, wherein the security event indicates that an internal service request generated by the reverse proxy component based at least on the external service request and transmitted to a service of an application has been identified as a security threat;
  
  determining, by the management component, whether at least a portion of an external content response has been transmitted via a validated connection having associated service transaction information that partially match the at least portion of the service transaction information received in the security event, and that the validated connection has not been disconnected; and
  
  interrupting, by the management component, the reverse proxy component to invalidate the external content response based on protocol specific rules, and to disconnect the validated connection, after determining that the at least portion of the external content response has been transmitted to the client device, and that the validated connection has not been disconnected wherein to disconnect the validated connection, the operations further comprise;
  
  terminating, by the reverse proxy component, the validated connection;
  
  publishing, by the reverse proxy component, a disconnection event to the global event stream via a stream publisher component, wherein the published disconnection event indicates that the validated connection has been terminated;
  
  de-registering, by the reverse proxy component, the service transaction information associated with the validated connection from the management component; and
  
  de-allocating, by the reverse proxy component, one or more allocated resources utilized in processing the external service request.
- View Dependent Claims (19)
- - 19. The non-transitory tangible computer-readable device of claim 18, wherein:
    - the security event is generated by a vulnerability management component of an accelerated application development, deployment, orchestration, and management application (AADDOMA);
      
      the vulnerability management component intercepts and analyzes communications to and from the service of the application to detect unauthorized, malicious, and/or negatively impacting behavior or activity; and
      
      the service of the application processes at least one internal service request and/or at least one internal service response.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
DataPipe, Inc. (Apollo Global Management, Inc.)
Original Assignee
DataPipe, Inc. (Apollo Global Management, Inc.)
Inventors
McClory, Thomas Patrick, Damania, Jatil Chandrakant, Vidmar, Scott Matthew
Primary Examiner(s)
Ho, Dao Q

Application Number

US15/971,149
Publication Number

US 20180324204A1
Time in Patent Office

851 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/3684   for test design, e.g. gener...

G06F 11/3688   for test execution, e.g. sc...

G06F 2009/45583   Memory management, e.g. acc...

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 2209/501   Performance criteria

G06F 2209/541   Client-server

G06F 2209/548   Queue

G06F 8/30   Creation or generation of s...

G06F 8/41   Compilation

G06F 8/60   Software deployment

G06F 8/71   Version control security ar...

G06F 8/77   Software metrics

G06F 9/45558   Hypervisor-specific managem...

G06F 9/5027   the resource being a machin...

G06F 9/505   considering the load

G06F 9/546   Message passing systems or ...

G06Q 10/06398   Performance of employee wit...

H04L 41/5041   characterised by the time r...

H04L 41/5054   Automatic deployment of ser...

H04L 41/5083 : wherein the managed service...

H04L 63/0236 : Filtering by address, proto...

H04L 63/0281 : Proxies

H04L 63/1433 : Vulnerability analysis

H04L 67/10 : in which an application is ...

View All

System and method for real-time asynchronous multitenant gateway security

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

61 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for real-time asynchronous multitenant gateway security

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

61 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links