Network threat detection and management system based on user behavior information
US-10412106-B2 · Sep 10, 2019 · US
US11405412B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11405412-B2 |
| Application number | US-201916730752-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 30, 2019 |
| Priority date | Dec 30, 2019 |
| Publication date | Aug 2, 2022 |
| Grant date | Aug 2, 2022 |
Official abstract text for this publication.
A method is described for a proxy to mitigate attacks from web application clients based on context of web application layer requests. The method includes receiving a plurality of web application layer requests from a web application layer client; aggregating a first set of requests from the plurality of web application layer requests, wherein the first set of requests are part of a first session; determining a profile based on the first set of requests, wherein the profile describes a baseline of expected behavior for a user of the web application layer client; and determining a first threat value associated with the first set of requests based on the first set of requests and the profile, wherein the first threat value describes the likelihood that the first set of requests are part of an attack on one or more web application servers.
Opening claim text (preview).
What is claimed is:
1. A method by one or more network devices implementing a web application layer proxy for detecting and mitigating attacks from web application clients based on context of web application layer requests, wherein the web application layer proxy is communicatively coupled between one or more web application clients and one or more web application servers, the method comprising: receiving, by the web application layer proxy, a plurality of web application layer requests from a web application layer client of the one or more web application clients; aggregating, by the web application layer proxy, a first set of web application layer requests from the plurality of web application layer requests, wherein the first set of web application layer requests are part of a first session; determining, by the web application layer proxy, a profile based on the first set of web application layer requests, wherein the profile describes a baseline of expected behavior for a user of the web application layer client; determining, by the web application layer proxy based on the profile, a first context tag and a second context tag for a first flow described in the first set of web application layer requests, wherein the first flow in the first set of web application layer requests is defined by one or more web application layer requests, wherein the first context tag indicates a first business operation performed by the first flow and the second context tag indicates a second business operation performed by the first flow; and determining, by the web application layer proxy, a first threat value associated with the first set of web application layer requests based on the first set of web application layer requests and the profile, wherein the first threat value describes the likelihood that the first set of web application layer requests are part of an attack on the one or more web application servers.
2. The method of claim 1, further comprising: receiving, by the web application layer proxy, a set of configurations that describe security policies, including a mapping one or more of (1) threat values, (2) characteristics of web application layer requests, and (3) context tags to actions to be taken by the web application layer proxy.
3. The method of claim 2, further comprising: determining, by the web application layer proxy, a first action in relation to the first set of web application layer requests based on a comparison with the set of configurations and one or more of (1) the first threat value, (2) characteristics of the first set of web application layer requests, and (3) the first and second context tags; and performing, by the web application layer proxy, the first action to mitigate a potential attack by the first set of web application layer requests.
4. The method of claim 3, wherein the first action includes one or more of (1) limiting web application layer requests, (2) blacklisting a first type of web application layer requests, (3) whitelisting a second type of web application layer requests, and (4) challenging one or more web application layer requests from the web application layer client following the plurality of web application layer requests to validate the authenticity of the web application layer client.
5. The method of claim 3, further comprising: aggregating, by the web application layer proxy, a second set of web application layer requests from the plurality of web application layer requests, wherein the second set of web application layer requests are part of a second session; determining, by the web application layer proxy, the profile based on the first set of web application layer requests and the second set of web application layer requests; and determining, by the web application layer proxy, a second threat value associated with the second set of web application layer requests based on the second set of web application layer requests and the profile, wherein the second threat value describes the likelihood that the second set of web application layer requests is part of an attack on the one or more web application servers.
6. The method of claim 5, further comprising: determining, by the web application layer proxy based on the profile, a third context tag for a second flow described in the second set of web application layer requests, wherein the second flow in the second set of web application layer requests is defined by one or more web application layer requests and the third context tag indicates a business operation performed by the second flow; determining, by the web application layer proxy, a second action in relation to the second set of web application layer requests based on a comparison with the set of configurations and one or more of (1) the second threat value, (2) characteristics of the second set of web application layer requests, and (3) the third context tag; and performing, by the web application layer proxy, the second action to mitigate a potential attack by the second set of web application layer requests.
7. A set of one or more non-transitory machine-readable storage media storing instructions which, when executed by one or more processors of one or more network devices implementing a web application layer proxy that is communicatively coupled between one or more web application clients and one or more web application servers, cause the one or more network devices to perform operations for detecting and mitigating attacks from web application clients based on context of web application layer requests, the operations comprising: receiving a plurality of web application layer requests from a web application layer client of the one or more web application clients; aggregating a first set of web application layer requests from the plurality of web application layer requests, wherein the first set of web application layer requests are part of a first session; determining a profile based on the first set of web application layer requests, wherein the profile describes a baseline of expected behavior for a user of the web application layer client; determining, by the web application layer proxy based on the profile, a first context tag and a second context tag for a first flow described in the first set of web application layer requests, wherein the first flow in the first set of web application layer requests is defined by one or more web application layer requests, wherein the first context tag indicates a first business operation performed by the first flow and the second context tag indicates a second business operation performed by the first flow; and determining a first threat value associated with the first set of web application layer requests based on the first set of web application layer requests and the profile, wherein the first threat value describes the likelihood that the first set of web application layer requests are part of an attack on the one or more web application servers.
8. The set of one or more non-transitory machine-readable storage media of claim 7, wherein the operations further comprise: receiving a set of configurations that describe security policies, including a mapping one or more of (1) threat values, (2) characteristics of web application layer requests, and (3) context tags to actions to be taken by the web application layer proxy.
9. The set of one or more non-transitory machine-readable storage media of claim 8, wherein the operations further comprise: determining a first action in relation to the first set of web application layer requests based on a comparison with the set of configurations and one or more of (1) the first threat value, (2) characteristics of the first set of web application layer requests, and (3) the f
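As an added illustration (not code from the patent or its assignee), the following Python sketch models the claimed pipeline: requests aggregated per session, a profile derived from a baseline session, context tags naming the business operations in a flow, a threat value in [0, 1], and a configured policy that maps threat values and context tags to limit, blacklist or challenge actions. The path-to-tag map, the scoring weights, the policy rows and the traffic are all constructed assumptions, not values from the patent.

```python
from collections import Counter, defaultdict
# Hypothetical mapping from request paths to business-operation context tags.
CONTEXT_TAGS = {"/login": "authenticate", "/cart/add": "add_to_cart",
                "/checkout": "purchase", "/admin/export": "bulk_export"}
# Policy rows: (minimum threat value, required context tag or None, action); first match wins.
POLICY = [(0.5, "bulk_export", "challenge"), (0.8, None, "blacklist"),
          (0.5, None, "limit"), (0.0, None, "allow")]

def tags_and_gaps(reqs):
    """reqs are constructed (session_id, path, arrival_seconds) tuples seen by the proxy."""
    reqs = sorted(reqs, key=lambda r: r[2])
    tags = [CONTEXT_TAGS.get(r[1], "other") for r in reqs]
    return tags, [b[2] - a[2] for a, b in zip(reqs, reqs[1:])]

def build_profile(sessions):
    """Baseline over one or more sessions: context-tag frequencies and mean inter-request gap."""
    counts, gaps = Counter(), []
    for reqs in sessions:
        t, g = tags_and_gaps(reqs)
        counts.update(t); gaps += g
    total = sum(counts.values())
    return {"tag_freq": {t: c / total for t, c in counts.items()},
            "mean_gap": sum(gaps) / len(gaps) if gaps else 1.0}

def threat_value(reqs, profile):
    """Likelihood in [0, 1] that a session departs from the baseline (weights are assumed)."""
    tags, gaps = tags_and_gaps(reqs)
    unseen = sum(t not in profile["tag_freq"] for t in tags) / len(tags)
    mean_gap = sum(gaps) / len(gaps) if gaps else profile["mean_gap"]
    speed = max(0.0, 1 - mean_gap / profile["mean_gap"])  # faster than baseline scores higher
    return round(min(1.0, 0.6 * unseen + 0.4 * speed), 3)

def decide(threat, tags):
    for min_threat, required_tag, action in POLICY:
        if threat >= min_threat and (required_tag is None or required_tag in tags):
            return action
    return "allow"

def analyze(requests, baseline_session):
    sessions = defaultdict(list)            # aggregate requests by session id
    for r in requests:
        sessions[r[0]].append(r)
    profile = build_profile([sessions[baseline_session]])
    result = {}
    for sid, reqs in sessions.items():      # tag each flow, score it, choose an action
        tags = sorted(set(tags_and_gaps(reqs)[0]))
        tv = threat_value(reqs, profile)
        result[sid] = (tags, tv, decide(tv, tags))
    return result

# Constructed traffic: a normal shopping session s1, then a rapid bulk-export session s2.
SAMPLE = [("s1", "/login", 0), ("s1", "/cart/add", 30), ("s1", "/cart/add", 75),
          ("s1", "/checkout", 120), ("s2", "/login", 1000.0), ("s2", "/admin/export", 1000.5),
          ("s2", "/admin/export", 1001.0), ("s2", "/admin/export", 1001.5), ("s2", "/admin/export", 1002.0)]
```

Running `analyze(SAMPLE, "s1")` scores the baseline session as 0.0 (allow) and the export session as 0.875, which the bulk_export policy row turns into a challenge rather than an outright block.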
CPC classification titles:
Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002)
Traffic logging, e.g. anomaly detection
for managing network security; network security policies in general (filtering policies H04L63/0227)
based on web technology, e.g. hypertext transfer protocol [HTTP]
User profiles