Using statistical analysis to generate exception rules that allow legitimate messages to pass through application proxies and gateways

US 8,261,340 B2
Filed: 01/27/2010
Issued: 09/04/2012
Est. Priority Date: 02/18/2004
Status: Active Grant

First Claim

Patent Images

1. A method for adaptively filtering messages routed across a network by generating exception rules to rejection rules based on attributes of messages previously received and rejected, the method comprising:

rejecting, by a filter of a security gateway, a first message of a first user session, the first message having an attribute identified by a rejection rule;

incrementing, by a learning engine of the security gateway responsive to the rejection of the first message, a count representing the number of user sessions having one or more messages rejected based on the attribute;

rejecting, by the filter, a second message of a second user session, the second message having the attribute identified by the rejection rule;

incrementing, by the learning engine, the count responsive to the rejection of the second message;

generating, by the learning engine responsive to determining that the count exceeds a predetermined threshold, an exception rule to the rejection rule identifying the attribute;

receiving, by the filter after generating the exception rule, a third message of the first user session having the attribute; and

allowing, by the filter, the third message to pass responsive to the exception rule.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security gateway receives messages rejected by a message filter based on a set of rules. The security gateway also receives attributes of the rejected messages that triggered the rules. The security gateway maintains frequencies with which the messages with a particular attribute were rejected by the rules. The security gateway finds rejected messages or attributes having a high frequency of occurrence. Since messages or attributes having a high frequency of occurrences are more likely to represent legitimate requests rather than malicious attacks, the security gateway generates exception rules, which would allow messages that have similar attributes to pass through the gateway.

226 Citations

20 Claims

1. A method for adaptively filtering messages routed across a network by generating exception rules to rejection rules based on attributes of messages previously received and rejected, the method comprising:
- rejecting, by a filter of a security gateway, a first message of a first user session, the first message having an attribute identified by a rejection rule;
  
  incrementing, by a learning engine of the security gateway responsive to the rejection of the first message, a count representing the number of user sessions having one or more messages rejected based on the attribute;
  
  rejecting, by the filter, a second message of a second user session, the second message having the attribute identified by the rejection rule;
  
  incrementing, by the learning engine, the count responsive to the rejection of the second message;
  
  generating, by the learning engine responsive to determining that the count exceeds a predetermined threshold, an exception rule to the rejection rule identifying the attribute;
  
  receiving, by the filter after generating the exception rule, a third message of the first user session having the attribute; and
  
  allowing, by the filter, the third message to pass responsive to the exception rule.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein each user session comprises a pre-determined time frame for communicating messages associated with a user.
  - 3. The method of claim 1, wherein each user session comprises a pre-determined time frame for communicating messages between a user and a server via the security gateway.
  - 4. The method of claim 1, wherein the filter comprises:
    - a first component for rejecting messages having the attribute identified by the rejection rule; and
      
      a second component for allowing messages responsive to an exception rule to the rejection rule.
  - 5. The method of claim 1, further comprising determining, by the learning engine, not to increment the count responsive to a rejection of a fourth message of the first user session, the fourth message rejected after rejecting the first message of the first user session.
  - 6. The method of claim 1, wherein the identified attribute is one of a message component, a value, a data type, and a length.
  - 7. The method of claim 6, wherein the identified attribute comprises one or more of a Uniform Resource Locator (URL) component, a cookie session identifier value, a password field and a user login field.
  - 8. The method of claim 1, further comprising incrementing the count by a weighted value based on a second attribute of the rejected message.
  - 9. The method of claim 1, wherein the threshold is a product of a total number of messages received by the security gateway over a time interval and a percentage of the messages that should be allowed to pass.
  - 10. The method of claim 1, further comprising allowing, by the filter, a message having the attribute to pass responsive to the exception rule, the message received after generating the exception rule.

11. A system for adaptively filtering messages routed across a network by generating exception rules to rejection rules based on attributes of messages previously received and rejected, comprising:
- a filter of a security gateway, rejecting a first message of a first user session, the first message having an attribute identified by a rejection rule;
  
  a learning engine executing on a processor of the security gateway, incrementing, responsive to the rejection of the first message, a count representing the number of user sessions having one or more messages rejected based on the attribute, whereinthe filter rejects a second message of a second user session, the second message having the attribute identified by the rejection rule, the learning engine increments the count responsive to the rejection of the second message, and generates, responsive to determining that the count exceeds a predetermined threshold, an exception rule to the rejection rule identifying the attribute, and the filter receives, after generating the exception rule, a third message of the first user session having the attribute, and allows the third message to pass responsive to the exception rule.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein each user session comprises a pre-determined time frame for communicating messages associated with a user.
  - 13. The system of claim 11, wherein each user session comprises a pre-determined time frame for communicating messages between a user and a server via the security gateway.
  - 14. The system of claim 11, wherein the filter comprises:
    - a first component for rejecting messages having the attribute identified by the rejection rule; and
      
      a second component for allowing messages responsive to an exception rule to the rejection rule.
  - 15. The system of claim 11, wherein the learning engine determines not to increment the count responsive to a rejection of a fourth message of the first user session, the fourth message rejected after rejecting the first message of the first user session.
  - 16. The system of claim 11, wherein the identified attribute comprises one of a message component, a value, a data type, and a length.
  - 17. The system of claim 16, wherein the identified attribute comprises one or more of a Uniform Resource Locator (URL) component, a cookie session identifier value, a password field and a user login field.
  - 18. The system of claim 11, wherein the learning engine increments the count by a weighted value based on a second attribute of the corresponding rejected message.
  - 19. The system of claim 11, wherein the threshold is a product of a total number of messages received by the security gateway over a time interval and a percentage of the messages that should be allowed to pass.
  - 20. The system of claim 11, wherein the filter allows a message having the attribute to pass responsive to the exception rule, the message received after generating the exception rule.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Chauhan, Abhishek, Mirani, Rajiv, Kohli, Prince
Primary Examiner(s)
LANIER, BENJAMIN E

Application Number

US12/694,902
Publication Number

US 20100132029A1
Time in Patent Office

951 Days
Field of Search

None
US Class Current

726/13
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

H04L 63/029 Firewall traversal, e.g. tu...

Using statistical analysis to generate exception rules that allow legitimate messages to pass through application proxies and gateways

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

226 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Using statistical analysis to generate exception rules that allow legitimate messages to pass through application proxies and gateways

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

226 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links