Distributed web application firewall

US 8,566,919 B2
Filed: 03/02/2007
Issued: 10/22/2013
Est. Priority Date: 03/03/2006
Status: Active Grant

First Claim

Patent Images

1. A method for protecting web applications, the method comprising:

at a first web application firewall (WAF);

receiving a first HTTP request from over a network, the first HTTP request being destined for a first web server that is associated with a first web application that is running on the first web server, the first web application being categorized in a first class;

analyzing the first HTTP request based on at least one rule applied by a handler;

generating a second rule based on the analyzing, wherein said generating involves;

in response to determining that a referrer URL included in the first HTTP request is not present in a whitelist or a blacklist, incrementing a count corresponding to the referrer URL, wherein the count keeps track of HTTP requests that were received within a given time window that included the referrer URL, andin response to determining that the count corresponding to the referrer URL is above a threshold, generating the second rule, wherein the second rule redirects HTTP requests that include the referrer URL to a gray list URL; and

transmitting the second rule, over the network, to a global server unit; and

at a second web application firewall (WAF);

receiving the second rule from over the network from the global server unit;

receiving a second HTTP request from over a network, the second HTTP request being destined for a second web server that is associated with a second application that is running on the second web server and categorized in the first class; and

analyzing the second HTTP request based on the second rule, the second rule being communicated from the global server unit to the second WAF responsive to the global server unit identifying the first web application and the second web application as being members of the first class and the second web application running on the second web server.

View all claims

18 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for protecting a Web application running on a first local Web Server bases from hacker attacks, said Web Server being connectable to at least one client, the method comprising the following steps: —providing a plurality of preset rules on said Server, which correspond to specific characteristics of HTTP requests; —receiving an HTTP request on said server from the client, said HTTP request comprising a plurality of characteristics; —analyzing said characteristics of said received HTTP request in accordance with said rules provided on said server; —rejecting said HTTP request, if said rules identify said HTTP request as harmful request; —accepting said HTTP request, if said rules identify said HTTP request as trustable request; —classifying said HTTP request as doubtful request, if said rules identify said request neither as harmful request nor as trustable request; —evaluating the characteristics of said doubtful local request; —generating a learned rule on basis of the edge base evaluation.

40 Citations

View as Search Results

19 Claims

1. A method for protecting web applications, the method comprising:
- at a first web application firewall (WAF);
  
  receiving a first HTTP request from over a network, the first HTTP request being destined for a first web server that is associated with a first web application that is running on the first web server, the first web application being categorized in a first class;
  
  analyzing the first HTTP request based on at least one rule applied by a handler;
  
  generating a second rule based on the analyzing, wherein said generating involves;
  
  in response to determining that a referrer URL included in the first HTTP request is not present in a whitelist or a blacklist, incrementing a count corresponding to the referrer URL, wherein the count keeps track of HTTP requests that were received within a given time window that included the referrer URL, andin response to determining that the count corresponding to the referrer URL is above a threshold, generating the second rule, wherein the second rule redirects HTTP requests that include the referrer URL to a gray list URL; and
  
  transmitting the second rule, over the network, to a global server unit; and
  
  at a second web application firewall (WAF);
  
  receiving the second rule from over the network from the global server unit;
  
  receiving a second HTTP request from over a network, the second HTTP request being destined for a second web server that is associated with a second application that is running on the second web server and categorized in the first class; and
  
  analyzing the second HTTP request based on the second rule, the second rule being communicated from the global server unit to the second WAF responsive to the global server unit identifying the first web application and the second web application as being members of the first class and the second web application running on the second web server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising utilizing a network connection between the first WAF and the second WAF to share results concerning an attack that is associated with the receiving the first HTTP request.
  - 3. The method of claim 2, wherein the results concerning the attack are stored in a learned knowledge database that is coupled to the first WAF and wherein the network connection between the first WAF and the second WAF is through the global server unit.
  - 4. The method of claim 3, wherein the results concerning the attack include a plurality of attack descriptions.
  - 5. The method of claim 1, further comprising building a database that is coupled to the global server unit, wherein the database contains a plurality of profiles of a first plurality of web applications that are protected by the first WAF and a second plurality of web applications that are protected by the second WAF.
  - 6. The method of claim 5, wherein the building the database includes utilizing a clustering algorithm to discover the first class, and wherein the clustering algorithm compares the first web application that is being protected by the first WAF with the second web application that is being protect by the second WAF to discover the first class.
  - 7. The method of claim 1, further comprising:
    - receiving a first HTTP response from over a network from the first web server, the first HTTP response being communicated by the first web server responsive to the first HTTP request; and
      
      analyzing the first HTTP response.
  - 8. The method of claim 7, further comprising:
    - generating a cookie; and
      
      modifying the first HTTP response to contain the cookie.
  - 9. The method of claim 8, wherein the cookie includes a strong session identifier.

10. A system to protect web applications, the system comprising:
- a first web application firewall (WAF) executing on a first processor to receive a first HTTP request from over a network, the first HTTP is destined for a first web server that is associated with a first web application that is to run on the first web server, the first web application is categorized in a first class, the first WAF to analyze the first HTTP request based on at least one rule applied by a handler, generate a second rule based on the analysis, and transmit the second rule, over the network, to a global server unit, wherein said generating involves;
  
  in response to determining that a referrer URL included in the first HTTP request is not present in a whitelist or a blacklist, incrementing a count corresponding to the referrer URL, wherein the count keeps track of HTTP requests that were received within a given time window that included the referrer URL, andin response to determining that the count corresponding to the referrer URL is above a threshold, generating the second rule, wherein the second rule redirects HTTP requests that include the referrer URL to a graylist URL; and
  
  a second web application firewall (WAF) executing on a second processor to receive the second rule from over the network from the global server unit, receive a second HTTP request from over a network, the second HTTP request is destined for a second web server that is associated with a second application that is to run on the second web server and categorize in the first class, the second WAF to analyze the second HTTP request based on the second rule, the second rule is communicated from the global server unit to the second WAF responsive to an identification by the global serve unit of the first web application and the second web application as members of the first class and the second web application running on the second web server.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein the first WAF and the second WAF utilize a network connection to share results concerning an attack that is associated with the first HTTP request.
  - 12. The system of claim 11, wherein the results concerning the attack are stored in a learned knowledge database that is coupled to the first WAF and wherein the network connection between the first WAF and the second WAF is through the global server unit.
  - 13. The system of claim 12, wherein the results concerning the attack includes a plurality of attack descriptions.
  - 14. The system of claim 13, wherein the database is built with a clustering algorithm to discover the first class, and wherein the clustering algorithm is to compare the first web application that is being protected by the first WAF with the second web application that is being protect by the second WAF to discover the first class.
  - 15. The system of claim 10, further comprising a database that is coupled to the global server unit, wherein the database contains a plurality of profiles of a first plurality of web applications that are protected by the first WAF and a second plurality of web applications that are protected by the second WAF.
  - 16. The system of claim 10, wherein the first WAF is to receive a first HTTP response from over a network from the first web server, the first HTTP response is communicated by the first web server responsive to the first HTTP request and wherein the first WAF is to analyze the first HTTP response.
  - 17. The system of claim 16, wherein the first WAF is to generate a cookie and modify the first HTTP response to contain the cookie.
  - 18. The system of claim 17, wherein the cookie includes a strong session identifier.

19. A computer program comprising computer program code stored on a non-transitory computer readable medium, the computer program code for performing a method protecting web applications, method comprising:
- at a first web application firewall (WAF);
  
  receiving a first HTTP request from over a network, the first HTTP request being destined for a first web server that is associated with a first web application that is running on the first web server, the first web application being categorized in a first class;
  
  analyzing the first HTTP request based on at least one rule applied by a handler;
  
  generating a second rule based on the analyzing, wherein said generating involves;
  
  in response to determining that a referrer URL included in the first HTTP request is not present in a whitelist or a blacklist, incrementing a count corresponding to the referrer URL, wherein the count keeps track of HTTP requests that were received within a given time window that included the referrer URL, andin response to determining that the count corresponding to the referrer URL is above a threshold, generating the second rule, wherein the second rule redirects HTTP requests that include the referrer URL to a graylist URL;
  
  transmitting the second rule, over the network, to a global server unit; and
  
  at a second web application firewall (WAF);
  
  receiving the second rule from over the network from the global server unit;
  
  receiving a second HTTP request from over a network, the second HTTP request being destined for a second web server that is associated with a second application that is running on the second web server and categorized in the first class; and
  
  analyzing the second HTTP request based on the second rule, the second rule being communicated from the global server unit to the second WAF responsive to the global server unit identifying the first web application and the second web application as being members of the first class and the second web application running on the second web server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pulse Secure, LLC (Ivanti Software, Inc.)
Original Assignee
Riverbed Technology Incorporated
Inventors
Meisel, Alexander
Primary Examiner(s)
Colin, Carl
Assistant Examiner(s)
ELMORE, JOHN E

Application Number

US12/280,760
Publication Number

US 20090328187A1
Time in Patent Office

2,426 Days
Field of Search

726 11- 14, 709223-225
US Class Current

726/13
CPC Class Codes

H04L 63/0218   Distributed architectures, ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0254   Stateful filtering

H04L 63/0263   Rule management

Distributed web application firewall

First Claim

18 Assignments

0 Petitions

Accused Products

Abstract

40 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed web application firewall

First Claim

18 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

40 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links