WO2004025460A2 - Screening for illegitimate requests to a computer application - Google Patents

Screening for illegitimate requests to a computer application Download PDF

Info

Publication number
WO2004025460A2
WO2004025460A2 PCT/CA2003/001333 CA0301333W WO2004025460A2 WO 2004025460 A2 WO2004025460 A2 WO 2004025460A2 CA 0301333 W CA0301333 W CA 0301333W WO 2004025460 A2 WO2004025460 A2 WO 2004025460A2
Authority
WO
WIPO (PCT)
Prior art keywords
request
condition
rule
uri
http
Prior art date
Application number
PCT/CA2003/001333
Other languages
French (fr)
Other versions
WO2004025460A3 (en
Inventor
Richard Reiner
Original Assignee
Richard Reiner
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Richard Reiner filed Critical Richard Reiner
Priority to AU2003269619A priority Critical patent/AU2003269619A1/en
Priority to US10/527,758 priority patent/US20050246545A1/en
Priority to CA002498649A priority patent/CA2498649A1/en
Priority to EP03750183A priority patent/EP1540917A2/en
Priority to JP2004534897A priority patent/JP2005538620A/en
Publication of WO2004025460A2 publication Critical patent/WO2004025460A2/en
Publication of WO2004025460A3 publication Critical patent/WO2004025460A3/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • H04L63/0236Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • H04L63/0254Stateful filtering
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1458Denial of Service

Definitions

  • This invention relates to screening for illegitimate requests to a computer application.
  • information is conventionally transmitted in the form of packets.
  • the information flow is typically in the form of a request made to a computer application and a reply by the application to the request. If the packets arrive from an untrusted source, such as the public Internet, there is a risk that they comprise or contain an illegitimate request to the computer application.
  • an illegitimate request may constitute an unauthorised attempt to access proprietary information, an unauthorised attempt to alter information, or an attempt to interfere with the normal operations of the application (a so- called "denial of service attack").
  • An application on a computer may be shielded from illegitimate requests by a computer firewall which filters packets destined for the application. More particularly, the firewall inspects packets and either passes them to the application or drops them depending upon whether they conform to a set of predefined access rules. For packets following the Internet Protocol (IP), a packet filtering firewall performs this screening based upon one or more of the Internet Protocol (IP) number; the Transport Control Protocol (TCP) port number; the User Datagram Protocol (UDP) port number; the Internet Control Messaging Protocol (ICMP) type code; and other related features of the packets.
  • IP Internet Protocol
  • TCP Transport Control Protocol
  • UDP User Datagram Protocol
  • ICMP Internet Control Messaging Protocol
  • a packet filtering firewall may be stateless or stateful. The stateless firewall filters each IP datagram independently. A stateful firewall tracks the datagrams that belong to a connection, which allows more effective filtering.
  • proxy firewalls acts as the destination for packets arriving through a public network and strips off the overhead from each packet that was used in directing the packet through the public network. With this approach, any attacks using the network overhead of packets are avoided.
  • proxy firewalls can be quite effective, existing proxy firewalls can still allow breaches; further, a proxy firewall slows packet traffic, often considerably.
  • Illegitimate requests to a computer application may be screened with a rule having at least one of an existential condition; a statistical condition; and a complex universal condition.
  • Illegitimate Hypertext Transfer Protocol (HTTP) requests to a computer application may be screened with a rule applied to an element of the HTTP request.
  • HTTP Hypertext Transfer Protocol
  • a method of screening for illegitimate requests to a computer application comprising: screening a request with a rule having at least one of an existential condition; a statistical condition; and a complex universal condition.
  • a computer readable medium and a screener for achieving the method are also provided.
  • a method of screening for illegitimate Hypertext Transfer Protocol (HTTP) requests to a computer application comprising: screening an HTTP request with a rule, said rule comprising a condition for at least one of the following parts of a request: Headers; Cookies; HTTP version indicators; Universal Resource Identifier (URI) parameters; URI-encoded fields; multi-part encoded fields; Simple Object Access Protocol (SOAP) elements; URI format.
  • URI Universal Resource Identifier
  • SOAP Simple Object Access Protocol
  • figures 1A, IB, 1C, and ID illustrate the contents of example HTTP requests
  • figure 2 is an example of a portion of a rule set in accordance with this invention in human readable form
  • figure 3 is a schematic view of a network employing embodiments of this invention.
  • Packets transmitted across the Internet comprise a top level link layer, a mid- level network layer, a lower level transport layer, and a low level application layer.
  • Each of the higher layers is, in essence, a packet.
  • the link layer is a packet with a header and data that comprises a network layer packet and the network layer packet has a header and data that comprises a transport layer packet.
  • the header of the link layer almost invariably indicates that the protocol followed by the packet is the Internet Protocol (IP) (older protocols being now substantially obsolete and/or not in use on the Internet).
  • IP Internet Protocol
  • the network layer is known as an IP datagram.
  • the header of the transport layer will indicate the transport protocol, the Transport Control Protocol (TCP) of the IP being by far the most common transport protocol as it is used for web browsing, e- mail, and web services.
  • TCP Transport Control Protocol
  • web services are machine-to-machine interactions whereby one application may make requests of another application).
  • the data of a transport layer packet comprises the application layer (which is typically distributed across a number of transport layer packets).
  • the port number at the transport layer, and/or the context, indicates the application layer protocol.
  • the transport protocol is TCP
  • the application layer protocol may be any of various application layer protocols, the most important are hyper-text transfer protocol (HTTP), secure HTTP (HTTPS), file transfer protocol (FTP), and simple mail transfer protocol (SMTP).
  • HTTP hyper-text transfer protocol
  • HTTPS secure HTTP
  • FTP file transfer protocol
  • SMTP simple mail transfer protocol
  • Known packet filtering firewalls may apply rules to the packet headers of one or more of the link layer, network layer, and transport layer in order to verify the protocols used.
  • Known proxy firewalls may verify the application protocol.
  • Each rule applied by known packet filtering firewalls and proxy firewalls has a form that may be termed "simple universal".
  • a rule specifies a type of element to which it applies.
  • the rule is a simple universal rule if it applies to all elements of the type specified by the rule. As an example, in the rule "All packets must be addressed to destination port number 80", the element to which the rule applies is a packet. And, since this rule applies to all packets, it is a simple universal rule.
  • HTTP HyperText Transfer Protocol
  • HTTPS HyperText Transfer Protocol
  • URI Universal Resource Identifier
  • the URI is a link to an entity on the web and is commonly a Universal Resource Locator (URL).
  • the URI also includes any URI parameters, which are also known as GET fields. There may be zero or more headers and zero or more cookies in the HTTP request.
  • the body is optional and, if present, may have a URI-encoded format, a form multi-part encoded format, a Simple Object Access Protocol (SOAP) format, or the body may have unstructured content.
  • a body having a URI encoded format or a form multi-part encoded format is written in hyper-text mark-up language (HTML) or extensible HTML (XHTML).
  • a body having a SOAP format is written in extensible mark-up language (XML).
  • an HTTP request 10 has a GET method 12, a URI 14, an HTTP version indicator 16, and headers 18 with embedded cookies 20, and a body 22.
  • This particular HTTP request has no body.
  • the URI is comprised of URL 24 and URI parameter 26.
  • FIG. IB illustrates a second example HTTP request 10' with a POST method 12', a URI 14' having no URI parameters, an HTTP version indicator 16, and headers 18' with an embedded cookie 20'.
  • HTTP request 10' also has a body 22'.
  • the body is comprised of fields 25', each having a name 24' and value 26' pair.
  • the example HTTP request 10" of figure 1C has a method 12", URI 14", HTTP version indicator 16", headers 18", and body 22". It will be noted that there are no cookies embedded in the headers.
  • Header 18a" indicates that the body 22" has a multi-part form encoded format. With a multi-part form format, the fields of the body are known as parts. Header 18a" specifies a part boundary 28" which delineates each part. A part boundary is followed by one or more headers 30" incorporating the name 24" of the data field, followed by the field value 26".
  • the example HTTP request 10'" of figure ID has a header 18a'" indicating the body 22'" has a SOAP format, such that the elements 25'" of the body comprise XML elements, their attributes, and data objects according to the specification of the SOAP message format.
  • an illegitimate request generator (which may be a human hacker or a machine) employing parts of the actual payload data (the application layer) of a packet in launching an attack on an application.
  • an attack could use parts of an HTTP request.
  • it is contemplated to apply screening rules to parts of each HTTP request in order to screen for illegitimate requests.
  • Each rule may have a trigger clause and one or more conditions.
  • the trigger clause indicates a sub-set of all possible requests to which the rule applies.
  • the conditions are strictures applied to requests that satisfy the trigger clause to determine whether such requests satisfy the rule.
  • the trigger clause is most usefully formulated as a specification of some subset of the URIs which might appear in requests.
  • a trigger clause may be "All URLs ending in the extension '.gif"; "All URLs beginning with the character '/scripts'”; or "All URLs comprising a sequence of one or more occurrences of a lowercase letter, followed by a single underscore character, followed by one lowercase letter”.
  • Conditions are strictures that are applied to any or all remaining elements of a request (i.e., to elements of the request other than that used to determine if the trigger clause is satisfied). Conditions are most usefully formulated as stating strictures upon a single type of element in a request (such as the headers of the request) which strictures may be combined with other such strictures (as, for example, by using Boolean, if-then, or fuzzy logic) to formulate conditions of any desired complexity.
  • a rule may be written with one or more conditions applicable to one or more of the following HTTP elements: any embedded Cookies, the fields of the body of the request, the URI format, the URI parameters, the HTTP version, and the Headers.
  • the rule may also have one or more conditions on the Methods.
  • Each of the following types of elements of a request may be present in multiple instances in the request: Headers; Cookies; URI parameters; URI-encoded fields (of the body of the request); Multi-part encoded fields (of the body of the request); and SOAP elements (of the body of the request).
  • a condition on any of these types of elements, which condition applies to all elements of such type, is a simple universal condition.
  • the condition "All of the cookies must have alphabetical values" is a simple universal condition.
  • Simple universal conditions applied to elements of the application layer are useful in screening for illegitimate requests. However, I have recognised that it is useful to screen requests with conditions that are not simple universal conditions. More particularly, I have found that existential conditions, statistical conditions, and complex universal conditions are useful in rules for screening requests. The following explains each of these types of conditions.
  • a condition that requires the existence of a specified number of an element of a given type, or a specified number of an element of a given type having a specified property is existential. If the condition simply requires the existence of an element of a given type, or an element of a given type having a specified property, then the condition is a simple existential condition. For example, the condition "There must be a cookie named 'SessionlD'" is a simple existential condition on a name property of a cookie element. If the condition has a more complicated stricture on the number required, then the condition is a complex existential condition. Thus, for example; the conditions "There must be five headers" and "There must be between three and five POST fields with numeric values" are complex existential conditions.
  • a condition is considered to be a statistical condition if it is based on a statistical measure of a property of elements of a certain type in a request. For example, the following are statistical conditions: "The mean length of the URI parameter values must be greater than three"; "For a POST method, the standard, deviation of the length of the fields in the body of the request must be between three and seven.” (In the first example, the type of element is the URI parameters and the property is their value. In the second example, "length” is the specified property, and "fields" is the type of element.)
  • a complex universal condition takes all elements of a given type into account but then applies a stricture to less than all of such elements. Examples of such a condition are as follows: "For a POST method, all but one of the fields must have a value which is numeric"; "50% of the headers must be under one hundred characters in length”; "For a POST method, between 30% and 70% of the fields must have non-blank values”. [0030] Screening with rules having conditions that are not simple universal conditions permit a more accurate reflection of the form of permissible interactions between a user and an application than is possible with rules having simple universal conditions alone. For example, with an existential condition, it is possible to require the presence of a "SessionlD" cookie.
  • a condition may compare the relative frequency of the use of characters in the fields of the request with that typical of human language. If the relative frequency of use of characters in the fields deviated from what is typical of human language by more than a threshold, the condition would not be satisfied.
  • a further condition for the POST method could consider the proportion of blank and non-blank fields. And if the request failed to meet either of these conditions, it could be screened out.
  • Figure 2 illustrates a portion of an example rule set, expressed in human readable form.
  • rules for requests are typically stored in a table and may be symbolically expressed in a manner allowing finer distinctions than can conveniently be expressed in human readable form.
  • a trigger 50 will have a number of conditions 52 associated with it. Each condition establishes strictures 54 on types 56 of elements, or on properties 58 of types 56 of elements, that may appear in requests meeting the trigger condition.
  • a request is in violation of the rules if it fails to satisfy the trigger condition of any rule. (In other words, it must be the case that there is at least one rule that applies to each request so that all requests are screened by a rule.)
  • a request is in violation of the rules if it satisfies the trigger clause of a rule and it fails to satisfy every condition of that rule.
  • a request may be considered to be in conformance with the rules if, in each instance where it satisfies the trigger clause of a rule, it satisfies all of the conditions of that rule.
  • a request may be considered to be in conformance with the rules if, for the first rule in the list for which it satisfies the trigger clause, it satisfies all of the conditions of that rule.
  • any one or more of the following actions may be taken: the request may be screened out (i.e., blocked and, therefore, not passed to the application to which it was directed), the violation may be logged, and/or the violation may result in a notification or alarm (to a system administrator).
  • FIG. 3 illustrates an example network employing embodiments of this invention.
  • network 100 comprises a public Internet 110 to which a web server 112 is connected through a screener 114.
  • a local area network (LAN) 116 is connected to the Internet 110 through a firewall 118.
  • a number of work stations 120 as well as web servers 122, 123 are connected to the LAN 116.
  • Web server 130 is connected to the Internet 110 through firewall 132.
  • a screener 134 is also connected to firewall 132 through an input/output 136.
  • Several applications may run on server 112, each of which may provide a web service or support a web site. Each of these applications will have a URI which differs in its hostname portion, or in a prefix segment of its path portion.
  • Screener 114 is a special purpose device, such as a dedicated chip or ASIC, adapted to receive requests addressed to any of the applications on web server 112 and to pass them through to the web server only if they accord with an internally stored rule set, which rule set is in accordance with this invention.
  • screener 134 is a special purpose device adapted to drop requests that are in violation of an internally stored rule set made in accordance with this invention. Screener 134 is adapted to return requests that are in conformance with its rule set.
  • Firewall 132 may be any known firewall modified to pass all incoming requests that it does not block to screener 134. The firewall 132 is also modified so that it will direct requests returned from screener 134 to web server 130. Thus, where a request addressed to an application on web server 130 reaches firewall 132, the firewall operates on the request in its usual fashion. If the firewall does not block the request, it passes it (possibly in modified form) to screener 134.
  • the screener applies its internal rule set to the application layer of the request and either drops the request or returns it to the firewall. If the request is returned to the firewall, it is passed on to web server 130. It will be apparent from this example configuration that screening in accordance with this invention may be employed with any pre-existing firewall technique in order to further enhance security.
  • Firewall 118 is an application running on a processor with memory.
  • the firewall application is modified by screening software loaded from a computer readable medium 126, which may be, for example, a disk, a read-only memory chip, or a file downloaded from a remote source.
  • the screening software adapts firewall 118 so that, in addition to operating in its usual fashion, it acts as a screener, screening incoming requests with a rule set in accordance with this invention.
  • a request may be logged in order to allow for forensic record keeping.
  • the log may be kept by the screener, an associated firewall, or by another server capable of recording logs.
  • the log may be associated with the application to which the request was directed. Further, where a screener protects more than one application, the logs for groups of applications (e.g., the applications of one enterprise) may be associated together.

Abstract

Illegitimate requests to a computer application may be screened with a rule having at least one of an existential condition; a statistical condition; and a complex universal condition. Illegitimate Hypertext Transfer Protocol (HTTP) requests to a computer application may be screened with a rule applied to an element of the request, such as the Headers.

Description

SCREENING FOR ILLEGITIMATE REQUESTS TO A COMPUTER APPLICATION
BACKGROUND OF THE INVENTION
[0001] This invention relates to screening for illegitimate requests to a computer application.
[0002] In computer networks, information is conventionally transmitted in the form of packets. The information flow is typically in the form of a request made to a computer application and a reply by the application to the request. If the packets arrive from an untrusted source, such as the public Internet, there is a risk that they comprise or contain an illegitimate request to the computer application. Such an illegitimate request may constitute an unauthorised attempt to access proprietary information, an unauthorised attempt to alter information, or an attempt to interfere with the normal operations of the application (a so- called "denial of service attack").
[0003] An application on a computer may be shielded from illegitimate requests by a computer firewall which filters packets destined for the application. More particularly, the firewall inspects packets and either passes them to the application or drops them depending upon whether they conform to a set of predefined access rules. For packets following the Internet Protocol (IP), a packet filtering firewall performs this screening based upon one or more of the Internet Protocol (IP) number; the Transport Control Protocol (TCP) port number; the User Datagram Protocol (UDP) port number; the Internet Control Messaging Protocol (ICMP) type code; and other related features of the packets. A packet filtering firewall may be stateless or stateful. The stateless firewall filters each IP datagram independently. A stateful firewall tracks the datagrams that belong to a connection, which allows more effective filtering.
[0004] Although packet filtering firewalls have been effective in screening out many illegitimate requests, successful "attacks" that breach such firewalls still occur. [0005] Another approach to shielding an application from illegitimate requests is to employ a proxy firewall. A proxy firewall acts as the destination for packets arriving through a public network and strips off the overhead from each packet that was used in directing the packet through the public network. With this approach, any attacks using the network overhead of packets are avoided. Although proxy firewalls can be quite effective, existing proxy firewalls can still allow breaches; further, a proxy firewall slows packet traffic, often considerably.
[0006] Therefore, there is a need for an approach to effectively screen for illegitimate requests, ideally without significant impact on packet traffic flow.
SUMMARY OF INVENTION
[0007] Illegitimate requests to a computer application may be screened with a rule having at least one of an existential condition; a statistical condition; and a complex universal condition. Illegitimate Hypertext Transfer Protocol (HTTP) requests to a computer application may be screened with a rule applied to an element of the HTTP request.
[0008] According to this invention, there is provided a method of screening for illegitimate requests to a computer application, comprising: screening a request with a rule having at least one of an existential condition; a statistical condition; and a complex universal condition. A computer readable medium and a screener for achieving the method are also provided.
[0009] According to another aspect of this invention, there is provided a method of screening for illegitimate Hypertext Transfer Protocol (HTTP) requests to a computer application, comprising: screening an HTTP request with a rule, said rule comprising a condition for at least one of the following parts of a request: Headers; Cookies; HTTP version indicators; Universal Resource Identifier (URI) parameters; URI-encoded fields; multi-part encoded fields; Simple Object Access Protocol (SOAP) elements; URI format. A computer readable medium and a screener for achieving the method are also provided. [0010] Other features and advantages will become apparent after a review of the following description in conjunction with the drawings.
BRIEF DESCRIPTION OF THE DRAWINGS
[0011] In the figures which describe example embodiments of the invention, figures 1A, IB, 1C, and ID illustrate the contents of example HTTP requests, figure 2 is an example of a portion of a rule set in accordance with this invention in human readable form, and figure 3 is a schematic view of a network employing embodiments of this invention.
DETAILED DESCRIPTION
[0012] Packets transmitted across the Internet comprise a top level link layer, a mid- level network layer, a lower level transport layer, and a low level application layer. Each of the higher layers is, in essence, a packet. Thus, the link layer is a packet with a header and data that comprises a network layer packet and the network layer packet has a header and data that comprises a transport layer packet. The header of the link layer almost invariably indicates that the protocol followed by the packet is the Internet Protocol (IP) (older protocols being now substantially obsolete and/or not in use on the Internet). Where the packet is an IP packet, the network layer is known as an IP datagram. The header of the transport layer will indicate the transport protocol, the Transport Control Protocol (TCP) of the IP being by far the most common transport protocol as it is used for web browsing, e- mail, and web services. (As will be appreciated by those skilled in the art, web services are machine-to-machine interactions whereby one application may make requests of another application).
[0013] The data of a transport layer packet comprises the application layer (which is typically distributed across a number of transport layer packets). The port number at the transport layer, and/or the context, indicates the application layer protocol. Where the transport protocol is TCP, while the application layer protocol may be any of various application layer protocols, the most important are hyper-text transfer protocol (HTTP), secure HTTP (HTTPS), file transfer protocol (FTP), and simple mail transfer protocol (SMTP).
[0014] Known packet filtering firewalls may apply rules to the packet headers of one or more of the link layer, network layer, and transport layer in order to verify the protocols used. Known proxy firewalls may verify the application protocol. Each rule applied by known packet filtering firewalls and proxy firewalls has a form that may be termed "simple universal". By way of explanation, a rule specifies a type of element to which it applies. The rule is a simple universal rule if it applies to all elements of the type specified by the rule. As an example, in the rule "All packets must be addressed to destination port number 80", the element to which the rule applies is a packet. And, since this rule applies to all packets, it is a simple universal rule.
[0015] Currently, HTTP (or HTTPS) is used for web browsing and web services. An HTTP request has the following general form:
<method> <URI> <HTTP version>
<HTTP headers with embedded cookies>
<body of request> where "URI" denotes Universal Resource Identifier. The URI is a link to an entity on the web and is commonly a Universal Resource Locator (URL). The URI also includes any URI parameters, which are also known as GET fields. There may be zero or more headers and zero or more cookies in the HTTP request. The body is optional and, if present, may have a URI-encoded format, a form multi-part encoded format, a Simple Object Access Protocol (SOAP) format, or the body may have unstructured content. A body having a URI encoded format or a form multi-part encoded format is written in hyper-text mark-up language (HTML) or extensible HTML (XHTML). A body having a SOAP format is written in extensible mark-up language (XML).
[0016] By way of example, turning to figure 1A, an HTTP request 10 has a GET method 12, a URI 14, an HTTP version indicator 16, and headers 18 with embedded cookies 20, and a body 22. This particular HTTP request has no body. The URI is comprised of URL 24 and URI parameter 26.
[0017] As will be apparent from figure 1A, a URI parameter 26 has the format "name" = "value" (the example HTTP request 10 having two URI parameters). As is typical, the URI parameters identify the user's current session. The headers 18 have the format "name":"value". Each cookie has an embedded name and value pair, with each pair being separated by a colon. Thus, cookies 20 have the format: "Cookie":"namel = "valuel"; "name2" = "value2"; "name3" = "value3" ...
[0018] Figure IB illustrates a second example HTTP request 10' with a POST method 12', a URI 14' having no URI parameters, an HTTP version indicator 16, and headers 18' with an embedded cookie 20'. HTTP request 10' also has a body 22'. The body is comprised of fields 25', each having a name 24' and value 26' pair. Header 18a' of the request 10' indicates that the body 22' has a URL-encoded format, consequently, the name- value pairs are of the form "name" = "value", with each pair being separated by an ampersand.
[0019] The example HTTP request 10" of figure 1C has a method 12", URI 14", HTTP version indicator 16", headers 18", and body 22". It will be noted that there are no cookies embedded in the headers. Header 18a" indicates that the body 22" has a multi-part form encoded format. With a multi-part form format, the fields of the body are known as parts. Header 18a" specifies a part boundary 28" which delineates each part. A part boundary is followed by one or more headers 30" incorporating the name 24" of the data field, followed by the field value 26".
[0020] The example HTTP request 10'" of figure ID has a header 18a'" indicating the body 22'" has a SOAP format, such that the elements 25'" of the body comprise XML elements, their attributes, and data objects according to the specification of the SOAP message format.
[0021] There is a possibility of an illegitimate request generator (which may be a human hacker or a machine) employing parts of the actual payload data (the application layer) of a packet in launching an attack on an application. Thus, an attack could use parts of an HTTP request. To frustrate such attacks, it is contemplated to apply screening rules to parts of each HTTP request in order to screen for illegitimate requests.
[0022] Each rule may have a trigger clause and one or more conditions. The trigger clause indicates a sub-set of all possible requests to which the rule applies. The conditions are strictures applied to requests that satisfy the trigger clause to determine whether such requests satisfy the rule.
[0023] The trigger clause is most usefully formulated as a specification of some subset of the URIs which might appear in requests. For example, a trigger clause may be "All URLs ending in the extension '.gif"; "All URLs beginning with the character '/scripts'"; or "All URLs comprising a sequence of one or more occurrences of a lowercase letter, followed by a single underscore character, followed by one lowercase letter".
[0024] Conditions are strictures that are applied to any or all remaining elements of a request (i.e., to elements of the request other than that used to determine if the trigger clause is satisfied). Conditions are most usefully formulated as stating strictures upon a single type of element in a request (such as the headers of the request) which strictures may be combined with other such strictures (as, for example, by using Boolean, if-then, or fuzzy logic) to formulate conditions of any desired complexity.
[0025] Thus, a rule may be written with one or more conditions applicable to one or more of the following HTTP elements: any embedded Cookies, the fields of the body of the request, the URI format, the URI parameters, the HTTP version, and the Headers. The rule may also have one or more conditions on the Methods.
[0026] Each of the following types of elements of a request may be present in multiple instances in the request: Headers; Cookies; URI parameters; URI-encoded fields (of the body of the request); Multi-part encoded fields (of the body of the request); and SOAP elements (of the body of the request). A condition on any of these types of elements, which condition applies to all elements of such type, is a simple universal condition. Thus, for example, the condition "All of the cookies must have alphabetical values" is a simple universal condition. Simple universal conditions applied to elements of the application layer are useful in screening for illegitimate requests. However, I have recognised that it is useful to screen requests with conditions that are not simple universal conditions. More particularly, I have found that existential conditions, statistical conditions, and complex universal conditions are useful in rules for screening requests. The following explains each of these types of conditions.
[0027] A condition that requires the existence of a specified number of an element of a given type, or a specified number of an element of a given type having a specified property (e.g., a specified "name" or "value"), is existential. If the condition simply requires the existence of an element of a given type, or an element of a given type having a specified property, then the condition is a simple existential condition. For example, the condition "There must be a cookie named 'SessionlD'" is a simple existential condition on a name property of a cookie element. If the condition has a more complicated stricture on the number required, then the condition is a complex existential condition. Thus, for example; the conditions "There must be five headers" and "There must be between three and five POST fields with numeric values" are complex existential conditions.
[0028] A condition is considered to be a statistical condition if it is based on a statistical measure of a property of elements of a certain type in a request. For example, the following are statistical conditions: "The mean length of the URI parameter values must be greater than three"; "For a POST method, the standard, deviation of the length of the fields in the body of the request must be between three and seven." (In the first example, the type of element is the URI parameters and the property is their value. In the second example, "length" is the specified property, and "fields" is the type of element.)
[0029] A complex universal condition takes all elements of a given type into account but then applies a stricture to less than all of such elements. Examples of such a condition are as follows: "For a POST method, all but one of the fields must have a value which is numeric"; "50% of the headers must be under one hundred characters in length"; "For a POST method, between 30% and 70% of the fields must have non-blank values". [0030] Screening with rules having conditions that are not simple universal conditions permit a more accurate reflection of the form of permissible interactions between a user and an application than is possible with rules having simple universal conditions alone. For example, with an existential condition, it is possible to require the presence of a "SessionlD" cookie. And with a complex universal condition, it is possible to stipulate that a form may not be submitted with the majority of its fields blank. Employing conditions that are not simple universal conditions can facilitate a determination of whether a request is composed by a human or by a machine. In situations where legitimate requests would be human generated, this can isolate illegitimate requests. For example, for a POST method to a web site (typically resulting from a user submitting a filled out form), a condition may compare the relative frequency of the use of characters in the fields of the request with that typical of human language. If the relative frequency of use of characters in the fields deviated from what is typical of human language by more than a threshold, the condition would not be satisfied. A further condition for the POST method could consider the proportion of blank and non-blank fields. And if the request failed to meet either of these conditions, it could be screened out.
[0031] Figure 2 illustrates a portion of an example rule set, expressed in human readable form. (In practice, rules for requests are typically stored in a table and may be symbolically expressed in a manner allowing finer distinctions than can conveniently be expressed in human readable form.) Turning to figure 2, a trigger 50 will have a number of conditions 52 associated with it. Each condition establishes strictures 54 on types 56 of elements, or on properties 58 of types 56 of elements, that may appear in requests meeting the trigger condition.
[0032] The rules are used to screen requests as follows:
• A request is in violation of the rules if it fails to satisfy the trigger condition of any rule. (In other words, it must be the case that there is at least one rule that applies to each request so that all requests are screened by a rule.)
• A request is in violation of the rules if it satisfies the trigger clause of a rule and it fails to satisfy every condition of that rule.
• A request may be considered to be in conformance with the rules if, in each instance where it satisfies the trigger clause of a rule, it satisfies all of the conditions of that rule. Alternatively, where the rules are ordered from more specific to more general, a request may be considered to be in conformance with the rules if, for the first rule in the list for which it satisfies the trigger clause, it satisfies all of the conditions of that rule.
[0033] Where a request is in violation of the rules, any one or more of the following actions may be taken: the request may be screened out (i.e., blocked and, therefore, not passed to the application to which it was directed), the violation may be logged, and/or the violation may result in a notification or alarm (to a system administrator).
[0034] Figure 3 illustrates an example network employing embodiments of this invention. Turning to figure 3, network 100 comprises a public Internet 110 to which a web server 112 is connected through a screener 114. A local area network (LAN) 116 is connected to the Internet 110 through a firewall 118. A number of work stations 120 as well as web servers 122, 123 are connected to the LAN 116. Web server 130 is connected to the Internet 110 through firewall 132. A screener 134 is also connected to firewall 132 through an input/output 136.
[0035] Several applications may run on server 112, each of which may provide a web service or support a web site. Each of these applications will have a URI which differs in its hostname portion, or in a prefix segment of its path portion. Screener 114 is a special purpose device, such as a dedicated chip or ASIC, adapted to receive requests addressed to any of the applications on web server 112 and to pass them through to the web server only if they accord with an internally stored rule set, which rule set is in accordance with this invention.
[0036] Similar to screener 114, screener 134 is a special purpose device adapted to drop requests that are in violation of an internally stored rule set made in accordance with this invention. Screener 134 is adapted to return requests that are in conformance with its rule set. Firewall 132 may be any known firewall modified to pass all incoming requests that it does not block to screener 134. The firewall 132 is also modified so that it will direct requests returned from screener 134 to web server 130. Thus, where a request addressed to an application on web server 130 reaches firewall 132, the firewall operates on the request in its usual fashion. If the firewall does not block the request, it passes it (possibly in modified form) to screener 134. The screener applies its internal rule set to the application layer of the request and either drops the request or returns it to the firewall. If the request is returned to the firewall, it is passed on to web server 130. It will be apparent from this example configuration that screening in accordance with this invention may be employed with any pre-existing firewall technique in order to further enhance security.
[0037] Firewall 118 is an application running on a processor with memory. The firewall application is modified by screening software loaded from a computer readable medium 126, which may be, for example, a disk, a read-only memory chip, or a file downloaded from a remote source. The screening software adapts firewall 118 so that, in addition to operating in its usual fashion, it acts as a screener, screening incoming requests with a rule set in accordance with this invention.
[0038] Where a request is in violation of a rule set, it may be logged in order to allow for forensic record keeping. The log may be kept by the screener, an associated firewall, or by another server capable of recording logs. The log may be associated with the application to which the request was directed. Further, where a screener protects more than one application, the logs for groups of applications (e.g., the applications of one enterprise) may be associated together.
[0039] Currently, web searching is keyword based. Attempts are being made to develop semantic web searching. To support this, web pages may be coded in XML rather than HTML or XHTML as XML allows a user to mark up (tag) any data element on the page. If web pages become XML-based, requests will be coded in XML rather than HTML. It will be recognised that this invention is applicable to XML-based requests and, indeed, to requests based on any other suitable language. Further, the invention has application to requests that follow HTTP or any other suitable protocol. ■
[0040] While the rules described involve a trigger and one or more conditions, a trigger is not necessary. In the absence of a trigger, a rule is applied to all requests.
[0041] Other features and advantages will be apparent to those skilled in the art and, therefore, the invention is defined in the claims.

Claims

WHAT IS CLAIMED IS:
1. A method of screening for illegitimate requests to a computer application, comprising: screening a request with a rule having at least one of an existential condition; a statistical condition; and a complex universal condition.
2. The method of claim 1 wherein screening with said rule is triggered by said request being of a certain type.
3. The method of claim 2 wherein said rule has a plurality of conditions and wherein said plurality of conditions are triggered by said request being of said certain type.
4. The method of claim 3 wherein said certain type is a certain type of universal resource identifier (URI).
5. The method of claim 1 wherein said existential condition requires that a specified number of elements of a given type exists in said request.
6. The method of claim 5 wherein said elements of a given type are one of Headers; Cookies; Universal Resource Identifier (URI) parameters; URI-encoded fields; multi-part encoded fields; Simple Object Access Protocol (SOAP) encoded elements.
7. The method of claim 1 wherein said existential condition requires that a specified number of elements of a given type with a given property exists in said request.
8. The method of claim 1 wherein said complex universal condition requires that a specified proportion of elements of a given type exist in said request.
9. The method of claim 1 wherein said statistical condition is based on a statistical measure of a property of elements of a certain type in a request.
10. The method of claim 9 wherein said property of elements of a certain type is one of a name or value of said elements of a certain type.
11. The method of claim 1 wherein said request is an hypertext transfer protocol (HTTP) request.
12. The method of claim 11 wherein said rule comprises conditions for one or more of the following parts of a request: Headers; Cookies; Methods; HTTP versions; Universal Resource Identifier (URI) parameters; URI-encoded fields; multi-part encoded fields; Simple Object Access Protocol (SOAP) elements.
13. The method of claim 3 wherein said body of said request follows Simple Object Access Protocol (SOAP).
14. A method of screening for illegitimate requests to a computer application, comprising: screening a request with a rule having an existential condition.
15. A method of screening for illegitimate Hypertext Transfer Protocol (HTTP) requests to a computer application, comprising: screening an HTTP request with a rule, said rule comprising a condition for at least one of the following parts of a request: Headers; Cookies; HTTP version indicators; Universal Resource Identifier (URI) parameters; URI-encoded fields; multi-part encoded fields; Simple Object Access Protocol (SOAP) elements; URI format.
16. The method of claim 15 wherein screening with said rule is triggered by a URI of said request being of a certain type.
17. The method of claim 15 further comprising, upon finding a request not meeting a condition, blocking said request.
18. The method of claim 15 further comprising, upon finding a request not meeting a condition, adding an entry to an event log.
19.' The method of claim 15 further comprising, upon finding a request not meeting a condition, alerting.
20. A method of screening for illegitimate Hypertext Transfer Protocol (HTTP) requests to a computer application, comprising: screening an HTTP request with a rule, said rule comprising a condition for fields or elements in a body of said request and a separate condition for Cookies of said request.
21. The method of claim 20 wherein said rule also comprises a condition for Universal Resource Identifier (URI) parameters of said request.
22. The method of claim 21 wherein said rule also comprises a condition for Methods of said request.
23. The method of claim 22 wherein said rule set also comprises a condition for an hypertext transfer protocol (HTTP) version indicator of said request.
24. The method of claim 23 wherein said rule also comprises a condition for a URI format of said request.
25. The method of claim 24 wherein said rule also comprises a condition for a Header of said request.
26. A computer readable medium containing computer executable instructions which when loaded into a processor cause said processor to: screen a request with a rule having one of an existential condition; a statistical condition; and a complex universal condition.
27. A computer readable medium containing computer executable instructions which when loaded into a processor cause said processor to: screen an HTTP request with a rule, said rule comprising a condition for at least one of the following parts of a request: Headers; Cookies; HTTP version indicators; Universal Resource Identifier (URI) parameters; URI-encoded fields; multi-part encoded fields; Simple Object Access Protocol (SOAP) elements; URI format.
28. A screener comprising: an input for receiving requests; and means for screening a received request with a rule having one of an existential condition; a statistical condition; and a complex universal condition.
29. A screener comprising: an input for receiving HTTP requests; and means for screening an HTTP request with a rule, said rule comprising a condition for at least one of the following parts of a request: Headers; Cookies; HTTP version indicators; Universal Resource Identifier (URI) parameters; URI-encoded fields; multi-part encoded fields; Simple Object Access Protocol (SOAP) elements; URI format.
30. A method of screening for illegitimate Hypertext Transfer Protocol (HTTP) requests to a computer application, comprising: screening an HTTP request with a rule, said rule comprising a condition for at least two of the following parts of a request: Headers; Cookies; Methods; HTTP versions; Universal Resource Identifier (URI) parameters; URI-encoded fields; multi-part encoded fields; Simple Object Access Protocol (SOAP) elements; URI format.
PCT/CA2003/001333 2002-09-13 2003-09-12 Screening for illegitimate requests to a computer application WO2004025460A2 (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
AU2003269619A AU2003269619A1 (en) 2002-09-13 2003-09-12 Screening for illegitimate requests to a computer application
US10/527,758 US20050246545A1 (en) 2002-09-13 2003-09-12 Screening for illegitimate requests to a computer application
CA002498649A CA2498649A1 (en) 2002-09-13 2003-09-12 Screening for illegitimate requests to a computer application
EP03750183A EP1540917A2 (en) 2002-09-13 2003-09-12 Screening for illegitimate requests to a computer application
JP2004534897A JP2005538620A (en) 2002-09-13 2003-09-12 Screening malicious requests to computer applications

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US41028802P 2002-09-13 2002-09-13
US60/410,288 2002-09-13

Publications (2)

Publication Number Publication Date
WO2004025460A2 true WO2004025460A2 (en) 2004-03-25
WO2004025460A3 WO2004025460A3 (en) 2004-09-23

Family

ID=31994104

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CA2003/001333 WO2004025460A2 (en) 2002-09-13 2003-09-12 Screening for illegitimate requests to a computer application

Country Status (6)

Country Link
US (1) US20050246545A1 (en)
EP (1) EP1540917A2 (en)
JP (1) JP2005538620A (en)
AU (1) AU2003269619A1 (en)
CA (1) CA2498649A1 (en)
WO (1) WO2004025460A2 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2009211725A (en) * 2009-06-18 2009-09-17 Toshiba Corp Abnormal data detecting system, abnormal data detecting method, abnormal data detecting program

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7318097B2 (en) * 2003-06-17 2008-01-08 International Business Machines Corporation Security checking program for communication between networks
US8812638B2 (en) * 2006-07-12 2014-08-19 Telefonaktiebolaget Lm Ericsson (Publ) Method, apparatus and computer program product for controlling devices
US8266687B2 (en) * 2009-03-27 2012-09-11 Sophos Plc Discovery of the use of anonymizing proxies by analysis of HTTP cookies
US8958306B2 (en) 2009-10-16 2015-02-17 Tekelec, Inc. Methods, systems, and computer readable media for providing diameter signaling router with integrated monitoring functionality
US8750126B2 (en) 2009-10-16 2014-06-10 Tekelec, Inc. Methods, systems, and computer readable media for multi-interface monitoring and correlation of diameter signaling information
EP2534794B1 (en) 2010-02-12 2019-03-27 Tekelec, Inc. Methods, systems, and computer readable media for providing peer routing at a diameter node
IN2012CN06919A (en) * 2010-02-12 2015-07-31 Tekelec Inc
JP5732550B2 (en) 2011-03-03 2015-06-10 テケレック・インコーポレイテッドTekelec, Inc. Method, system, and computer-readable medium for enhancing Diameter signaling messages
JP6033021B2 (en) * 2012-09-24 2016-11-30 三菱スペース・ソフトウエア株式会社 Unauthorized communication detection device, cyber attack detection system, computer program, and unauthorized communication detection method

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1999057866A1 (en) * 1998-05-04 1999-11-11 Auric Web Systems User specific automatic data redirection system

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5386412A (en) * 1993-05-11 1995-01-31 Park; Jung S. Telecommunication system protocol for asynchronous data communication between multiport switch control processor and information support personal computer terminal
US5913024A (en) * 1996-02-09 1999-06-15 Secure Computing Corporation Secure server utilizing separate protocol stacks
US5958053A (en) * 1997-01-30 1999-09-28 At&T Corp. Communications protocol with improved security
US5896499A (en) * 1997-02-21 1999-04-20 International Business Machines Corporation Embedded security processor
US7159237B2 (en) * 2000-03-16 2007-01-02 Counterpane Internet Security, Inc. Method and system for dynamic network intrusion monitoring, detection and response

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1999057866A1 (en) * 1998-05-04 1999-11-11 Auric Web Systems User specific automatic data redirection system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
CHAPMAN & ZWICKY: "building internet firewalls" November 1995 (1995-11), 0'REILLY , SEBASTOPOL,CA,US 238550 , XP002290823 page 142, paragraph 4 page 145, paragraph 5 - paragraph 6 page 147, paragraph 3 page 148, paragraph 3 *

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2009211725A (en) * 2009-06-18 2009-09-17 Toshiba Corp Abnormal data detecting system, abnormal data detecting method, abnormal data detecting program

Also Published As

Publication number Publication date
EP1540917A2 (en) 2005-06-15
JP2005538620A (en) 2005-12-15
CA2498649A1 (en) 2004-03-25
WO2004025460A3 (en) 2004-09-23
US20050246545A1 (en) 2005-11-03
AU2003269619A8 (en) 2004-04-30
AU2003269619A1 (en) 2004-04-30

Similar Documents

Publication Publication Date Title
US7302480B2 (en) Monitoring the flow of a data stream
US7774832B2 (en) Systems and methods for implementing protocol enforcement rules
US7706378B2 (en) Method and apparatus for processing network packets
EP1904988B1 (en) Immunizing html browsers and extensions from known vulnerabilities
US8261340B2 (en) Using statistical analysis to generate exception rules that allow legitimate messages to pass through application proxies and gateways
US9800608B2 (en) Processing data flows with a data flow processor
US8195833B2 (en) Systems and methods for managing messages in an enterprise network
KR101111433B1 (en) Active network defense system and method
US8161538B2 (en) Stateful application firewall
US20080196099A1 (en) Systems and methods for detecting and blocking malicious content in instant messages
US20150207806A1 (en) Automatic generation of attribute values for rules of a web application layer attack detector
CN112602301B (en) Method and system for efficient network protection
US20050229246A1 (en) Programmable context aware firewall with integrated intrusion detection system
US20110231564A1 (en) Processing data flows with a data flow processor
US20110213869A1 (en) Processing data flows with a data flow processor
US20110238855A1 (en) Processing data flows with a data flow processor
US20110214157A1 (en) Securing a network with data flow processing
US20040111623A1 (en) Systems and methods for detecting user presence
US20110219035A1 (en) Database security via data flow processing
EP1547335B1 (en) Rule creation for computer application screening
US8695083B2 (en) Rule generalization for web application entry point modeling
WO2004019186A2 (en) Determining threat level associated with network activity
US20050246545A1 (en) Screening for illegitimate requests to a computer application
Stanciu Technologies, methodologies and challenges in network intrusion detection and prevention systems.
Tanakas et al. A novel system for detecting and preventing SQL injection and cross-site-script

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
WWE Wipo information: entry into national phase

Ref document number: 2498649

Country of ref document: CA

Ref document number: 10527758

Country of ref document: US

WWE Wipo information: entry into national phase

Ref document number: 2004534897

Country of ref document: JP

WWE Wipo information: entry into national phase

Ref document number: 2003750183

Country of ref document: EP

WWP Wipo information: published in national office

Ref document number: 2003750183

Country of ref document: EP