Passive web application firewall

US9853940B2 · US · B2

Patent metadata
Publication number: US-9853940-B2
Application number: US-201514864858-A
Country: US
Kind code: B2
Filing date: Sep 24, 2015
Priority date: Sep 24, 2015
Publication date: Dec 26, 2017
Grant date: Dec 26, 2017

Abstract

Official abstract text for this publication.

To protect network-based services, offering computer implemented functionality, from attacks, a passive web application firewall reactively identifies vulnerabilities, enabling such vulnerabilities to be quickly ameliorated, without intercepting communications or introducing other suboptimal aspects of traditional web application firewalls. Communications directed to the network-based services are logged and such logs are scanned for entries evidencing attacks, such as based on predetermined attack syntax. Further evaluation of the entries identified as evidencing attacks identifies a subset of those entries that correspond to likely successful attacks. Such further evaluation includes attacking the network-based service in an equivalent manner. Attacks that are found to be successful identify vulnerabilities, and a notification of such vulnerabilities is provided to facilitate amelioration of such vulnerabilities. Vulnerability amelioration can be automatic, such as by automatically adjusting the settings corresponding to the implementation of the network-based services to ameliorate identified vulnerabilities in a predetermined manner.

First claim

Opening claim text (preview).

We claim:

1. A method of protecting delivery of computer-implemented functionality that is offered over a network, the method comprising the steps of: obtaining logs of prior communications received from the network directed to the computer-implemented functionality to perform operation services; identifying, from the obtained logs, a first set of log entries as attacks based on each entry, of the first set of entries, matching a pre-determined attack syntax; in response to the identifying the first set of log entries, testing an actual vulnerability by: selecting a log entry from the identified first set of log entries; generating an attack communication directed to the computer-implemented functionality, the generated attack communication being analogous to an attack of the selected log entry; detecting, from the computer-implemented functionality, either results indicative that the generated attack communication resulted in execution of computer-executable instructions inserted by the generated attack communication or results indicative that one or more parameters defining operation of the computer-implemented functionality were either set improperly or incorrectly, thereby allowing the generated attack to succeed, or are now set improperly or incorrectly due to the generated attack; and flagging the selected entry only if the results were indicative that the generated attack communication resulted in the successful attack; repeating the testing the actual vulnerability for other entries from the set of entries; and generating notification of only the second set of entries, which is a subset of the identified first set of log entries.

2. The method of claim 1, wherein the pre-determined attack syntax comprises identification of parameter names and values provided as part of a Uniform Resource Locator (URL).

3. The method of claim 1, wherein the pre-determined attack syntax is updated based on attacks detected by a web application firewall that blocks detected attacks prior to those communications being received by the computer-implemented functionality.

4. The method of claim 1, wherein the obtaining the logs comprises obtaining the prior communications directed to the computer-implemented functionality as streamed data.

5. The method of claim 1, further comprising: changing at least some of the one or more parameters defining the operation of the computer-implemented functionality.

6. The method of claim 1, wherein the generated attack communication comprises same parameters, but different values for the same parameters, as the attack of the selected log entry.

7. The method of claim 1, wherein the generating the attack communication analogous to the attack of the selected log entry comprises both: generating a first attack communication having parameter values identical to corresponding parameter values of the attack of the selected log entry; and generating one or more other attack communications having parameter values differing from the corresponding parameter values of the attack of the selected log entry.

8. A computing device comprising: one or more hardware processing units; and computer-readable media comprising computer-executable instructions, which, when executed by the one or more processing units, cause the computing device to: obtain logs of prior communications received from the network directed to the computer-implemented functionality to perform operation services; identify, from the obtained logs, a first set of log entries as attacks based on each entry, of the first set of entries, matching a pre-determined attack syntax; in response to the identifying the first set of log entries, testing an actual vulnerability by: selecting a log entry from the identified first set of log entries; generating an attack communication directed to the computer-implemented functionality, the generated attack communication being analogous to an attack of the selected log entry; detecting, from the computer-implemented functionality, either results indicative that the generated attack communication resulted in execution of computer-executable instructions inserted by the generated attack communication or results indicative that one or more parameters defining operation of the computer-implemented functionality were either set improperly or incorrectly, thereby allowing the generated attack to succeed, or are now set improperly or incorrectly due to the generated attack; and flagging the selected entry only if the results were indicative that the generated attack communication resulted in the successful attack; repeat the testing the actual vulnerability for other entries from the set of entries; and generate notification of only the second set of entries, which is a subset of the identified first set of log entries.

9. The computing device of claim 8, wherein the pre-determined attack syntax is updated based on attacks detected by a web application firewall that blocks detected attacks prior to those communications being received by the computer-implemented functionality.

10. The computing device of claim 8, wherein the computer-executable instructions causing the computing device to perform the obtaining the logs comprise computer-executable instructions, which, when executed by the one or more processing units, cause the computing device to obtain the prior communications directed to the computer-implemented functionality as streamed data.

11. The computing device of claim 8, wherein the computer-readable media comprise further computer-executable instructions, which, when executed by the one or more processing units, cause the computing device to: change at least some of the one or more parameters defining the operation of the computer-implemented functionality.

12. The computing device of claim 8, wherein the generated attack communication comprises same parameters, but different values for the same parameters, as the attack of the selected log entry.

13. The computing device of claim 8, wherein the computer-executable instructions causing the computing device to perform the generating the attack communication analogous to the attack of the selected log entry comprise computer-executable instructions, which, when executed by the one or more processing units, cause the computing device to both: generate a first attack communication having parameter values identical to corresponding parameter values of the attack of the selected log entry; and generate one or more other attack communications having parameter values differing from the corresponding parameter values of the attack of the selected log entry.

14. A system for protecting delivery of computer-implemented functionality that is offered over a network comprising: a first set of computing devices performing steps comprising: obtaining logs of prior communications received from the network directed to the computer-implemented functionality to perform operating services; identifying, from the obtained logs, a first set of log entries as attacks based on each entry, of the first set of entries, matching a pre-determined attack syntax; and a second set of computing devices performing steps comprising: in response to the identifying the first set of log entries, testing an actual vulnerability by: selecting a log entry from the identified first set of log entries; generating an attack communication directed to the computer-implemented functionality, the generated attack communication being analogous to an attack of the selected log entry; detecting, from the computer-implemented functionality, either results indicative that th
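The pipeline that the abstract and claim 1 describe (obtain logs, match a pre-determined attack syntax against URL parameter names and values as in claim 2, keep only the subset judged likely to have succeeded, notify on that subset, and, per the abstract, automatically adjust settings in a pre-determined manner), written out as an added Python example. This is not code from the patent or from Microsoft. The log lines, the attack-syntax signatures, the endpoint paths and the per-endpoint settings table are all constructed for illustration. Where the patent verifies an entry by sending an analogous request to the service, this example instead consults the endpoint's recorded settings (the "parameters defining operation ... set improperly" branch of claim 1), so it runs entirely offline against logs and configuration:

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access log (not from the patent), in a Common Log Format style.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Sep/2015:10:01:02 +0000] "GET /search?q=shoes HTTP/1.1" 200 512
10.0.0.7 - - [24/Sep/2015:10:01:09 +0000] "GET /items?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 1024
10.0.0.9 - - [24/Sep/2015:10:02:15 +0000] "GET /profile?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 300
10.0.0.7 - - [24/Sep/2015:10:03:44 +0000] "GET /items?id=42 HTTP/1.1" 200 900
10.0.0.3 - - [24/Sep/2015:10:04:01 +0000] "GET /download?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0
"""

# Pre-determined attack syntax applied to URL parameter names and values (claim 2).
# Constructed, deliberately small signatures; a deployment would use a maintained ruleset
# (claim 3 suggests feeding it from a blocking WAF's detections).
ATTACK_SYNTAX: Dict[str, "re.Pattern[str]"] = {
    "sqli": re.compile(r"(?i)'\s*(or|and)\s*'|union\s+select"),
    "xss": re.compile(r"(?i)<\s*script\b|javascript:"),
    "traversal": re.compile(r"(\.\./){2,}"),
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\d+)"
)

# Constructed per-endpoint settings standing in for the claim's "parameters defining operation
# of the computer-implemented functionality". True means the setting is in its safe state.
SAFE_SETTING_FOR = {"sqli": "parameterized_queries", "xss": "output_encoding",
                    "traversal": "restrict_to_base_dir"}
ENDPOINT_SETTINGS: Dict[str, Dict[str, bool]] = {
    "/items":    {"parameterized_queries": False, "output_encoding": True, "restrict_to_base_dir": True},
    "/profile":  {"parameterized_queries": True,  "output_encoding": True, "restrict_to_base_dir": True},
    "/download": {"parameterized_queries": True,  "output_encoding": True, "restrict_to_base_dir": True},
}


@dataclass
class LogEntry:
    line_no: int
    ip: str
    method: str
    path: str
    params: List[Tuple[str, str]]
    status: int
    matches: List[Tuple[str, str, str]] = field(default_factory=list)  # (category, param, value)


def parse_log(text: str) -> List[LogEntry]:
    """Obtain log entries: parse each line and split the URL into path and decoded parameters."""
    entries = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        url = urlsplit(m.group("target"))
        params = parse_qsl(url.query, keep_blank_values=True)
        entries.append(LogEntry(n, m.group("ip"), m.group("method"), url.path, params,
                                int(m.group("status"))))
    return entries


def identify_attacks(entries: List[LogEntry]) -> List[LogEntry]:
    """First set: entries with a parameter name or value matching the attack syntax."""
    first_set = []
    for e in entries:
        for name, value in e.params:
            for category, pattern in ATTACK_SYNTAX.items():
                if pattern.search(name) or pattern.search(value):
                    e.matches.append((category, name, value))
        if e.matches:
            first_set.append(e)
    return first_set


def settings_oracle(settings: Dict[str, Dict[str, bool]]) -> Callable[[LogEntry], bool]:
    """Stand-in verifier: an entry is likely successful if the endpoint it targeted has the
    protective setting for that attack category switched off (unknown endpoints count as safe)."""
    def verify(entry: LogEntry) -> bool:
        cfg = settings.get(entry.path, {})
        return any(not cfg.get(SAFE_SETTING_FOR[cat], True) for cat, _, _ in entry.matches)
    return verify


def likely_successful(first_set: List[LogEntry], verify: Callable[[LogEntry], bool]) -> List[LogEntry]:
    """Second set: the subset of the first set that the verifier flags."""
    return [e for e in first_set if verify(e)]


def notifications(second_set: List[LogEntry]) -> List[dict]:
    """Notification covers only the second set, never every syntax match."""
    return [{"line": e.line_no, "path": e.path, "categories": sorted({c for c, _, _ in e.matches})}
            for e in second_set]


def ameliorate(settings: Dict[str, Dict[str, bool]], second_set: List[LogEntry]) -> List[Tuple[str, str]]:
    """Automatic amelioration: set the relevant setting to its pre-determined safe value."""
    changed = []
    for e in second_set:
        for cat, _, _ in e.matches:
            key = SAFE_SETTING_FOR[cat]
            if e.path in settings and not settings[e.path].get(key, True):
                settings[e.path][key] = True
                changed.append((e.path, key))
    return changed


def run(log_text: str = SAMPLE_LOG, settings: Dict[str, Dict[str, bool]] = None):
    """Full passive pass: returns (first set, second set, notifications, settings changed)."""
    if settings is None:
        settings = {k: dict(v) for k, v in ENDPOINT_SETTINGS.items()}  # work on a copy
    first = identify_attacks(parse_log(log_text))
    second = likely_successful(first, settings_oracle(settings))
    return first, second, notifications(second), ameliorate(settings, second)


if __name__ == "__main__":
    first, second, notes, changed = run()
    print(f"syntax matches: lines {[e.line_no for e in first]}")
    print(f"likely successful: lines {[e.line_no for e in second]}")
    print("notifications:", notes)
    print("settings changed:", changed)
```

On the constructed log, three lines match the attack syntax but only the request to `/items` is reported, because that endpoint is the only one whose settings leave the matched category unprotected; after `ameliorate` flips that setting, a second pass over the same log reports nothing. The verifier is a plain callable so the patent's replay-based check could be substituted without touching the scanning, notification or amelioration stages.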

Assignees

Microsoft Technology Licensing LLC

Inventors

Classifications

  • Traffic logging, e.g. anomaly detection

  • H04L63/02 (primary): for separating internal from external traffic, e.g. firewalls

  • Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002)

  • Vulnerability analysis

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9853940B2 cover?
To protect network-based services, offering computer implemented functionality, from attacks, a passive web application firewall reactively identifies vulnerabilities, enabling such vulnerabilities to be quickly ameliorated, without intercepting communications or introducing other suboptimal aspects of traditional web application firewalls. Communications directed to the network-based services …
Who is the assignee on this patent?
Microsoft Technology Licensing LLC
What technology area does this patent fall under?
Primary CPC classification H04L63/02. Mapped technology areas include Electricity.
When was this patent published?
Publication date Dec 26, 2017 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).