Patent application number | Description | Published |
20080320567 | SYSTEM AND METHOD FOR PREVENTING WEB FRAUDS COMMITTED USING CLIENT-SCRIPTING ATTACKS - A method for detecting and blocking Javascript hijacking attacks, comprising checking if an incoming request belongs to a valid session established between a client and a trusted server. When said incoming request does belong to a valid session, it is checked if a Referer header of said incoming request includes a valid domain name. The incoming request is marked as suspicious, when said incoming request does not include a valid domain name. It is checked if a respective response of said suspicious incoming request includes a script code. A preventive action responsive to a user input is taken when said respective response includes a script code. | 12-25-2008 |
20120023132 | METHOD FOR MONITORING STORED PROCEDURES - A method for monitoring stored procedures is disclosed. The method performs on-line and inline monitoring of stored procedures for detecting table access operations performed by the procedures. This allows the enforcing of access control policies, correlation rules and audit rules on stored procedures. The monitoring is performed using mapping information gathered about each stored procedure that can be executed by a database server. The method comprises parsing an incoming transaction submitted by a client; determining whether the incoming transaction includes an invocation of a stored procedure; obtaining a query group corresponding to the stored procedure; applying an access control policy on the query group; and asserting an unauthorized event if the query group is not compliant with the access control policy. | 01-26-2012 |
20120180129 | SYSTEM AND METHOD FOR PREVENTING WEB FRAUDS COMMITTED USING CLIENT-SCRIPTING ATTACKS - A method for detecting and blocking Javascript hijacking attacks, comprising checking if an incoming request belongs to a valid session established between a client and a trusted server. When said incoming request does belong to a valid session, it is checked if a Referer header of said incoming request includes a valid domain name. The incoming request is marked as suspicious, when said incoming request does not include a valid domain name. It is checked if a respective response of said suspicious incoming request includes a script code. A preventive action responsive to a user input is taken when said respective response includes a script code. | 07-12-2012 |
20120227106 | SYSTEM AND METHOD FOR PREVENTING WEB FRAUDS COMMITTED USING CLIENT-SCRIPTING ATTACKS - A method for detecting and blocking Javascript hijacking attacks, comprising checking if an incoming request belongs to a valid session established between a client and a trusted server. When said incoming request does belong to a valid session, it is checked if a Referer header of said incoming request includes a valid domain name. The incoming request is marked as suspicious, when said incoming request does not include a valid domain name. It is checked if a respective response of said suspicious incoming request includes a script code. A preventive action responsive to a user input is taken when said respective response includes a script code. | 09-06-2012 |
20120291129 | DETECTING WEB BROWSER BASED ATTACKS USING BROWSER DIGEST COMPUTE TESTS LAUNCHED FROM A REMOTE SOURCE - The detection of web browser-based attacks using browser tests launched from a remote source is described. In one example, a digest is computed based on the content of an HTTP response message. The message is modified and sent to a client device that also computes a digest. The digests are compared to determine whether content has been modified by malware on the HTTP client. The results of the test are analyzed and defensive measures are taken. | 11-15-2012 |
20120304296 | DETECTING WEB BROWSER BASED ATTACKS USING BROWSER RESPONSE COMPARISON TESTS LAUNCHED FROM A REMOTE SOURCE - The detection of web browser-based attacks using browser tests launched from a remote source is described. In one example, it is determined that a test should be performed responsive to receiving an HTTP message sent by a client device and a policy. The test is performed with the client device to determine only whether content intended to be communicated between the HTTP client and the web application server using an HTTP message has been modified by malware on the HTTP client. The test includes the sending of an HTTP response to the HTTP client. The results of the test are analyzed and defensive measures are taken. | 11-29-2012 |
20130055384 | DEALING WITH WEB ATTACKS USING CRYPTOGRAPHICALLY SIGNED HTTP COOKIES - According to one embodiment, a security gateway (SG) is coupled between a hypertext transport protocol (HTTP) client and a web application server. Responsive to a first HTTP message being transmitted between the HTTP client and the web application server as part of an HTTP session, the SG generates security gateway session security state information (SGI) based on a policy. The SG also generates a digital signature (SGS) from the SGI, creates an SG signed session security state information cookie (SGC), and sends the SGC to the HTTP client for storage instead of storing the SGI in the SG. Responsive to a second HTTP message of the HTTP session, the SG attempts to validate a claim made in the second HTTP request using at least the policy and the SGC that is supposed to be returned with the second HTTP message. | 02-28-2013 |
20140258294 | ON-DEMAND CONTENT CLASSIFICATION USING AN OUT-OF-BAND COMMUNICATIONS CHANNEL FOR FACILITATING FILE ACTIVITY MONITORING AND CONTROL - Communications to a server over an in-band communications channel are monitored for requests to access a file. Based on the communications, a request to access a particular file stored by the server is identified. Security and/or audit rules are identified based on the request. A determination is thereafter made that the security and/or audit rules require evaluation of classification information for contents of the requested file. Thus, a determination is made as to whether classification information for the contents of the particular file is available, such as determining whether the classification information is stored in a local classification cache. Responsive to a determination that the classification information is not available, classification information is obtained for the contents of the particular file using an out-of-band communications channel. Thereafter, processing with respect to the request to access the particular file is performed based on the obtained classification information and the one or more security and/or audit rules. | 09-11-2014 |
20140289855 | DETECTING WEB BROWSER BASED ATTACKS USING BROWSER DIGEST COMPUTE TESTS USING DIGEST CODE PROVIDED BY A REMOTE SOURCE - The detection of web browser-based attacks using browser tests launched from a remote source is described. In one example, a digest is computed based on the content of an HTTP response message. The message is modified and sent to a client device that also computes a digest. The digests are compared to determine whether content has been modified by malware on the HTTP client. The results of the test are analyzed and defensive measures are taken. | 09-25-2014 |
20140317738 | AUTOMATIC GENERATION OF ATTRIBUTE VALUES FOR RULES OF A WEB APPLICATION LAYER ATTACK DETECTOR - According to one embodiment, a web application layer attack detector (AD) is coupled between an HTTP client and a web application server. Responsive to receipt of a set of packets from the HTTP client carrying a web application layer message that violates a condition of a security rule, the AD transmits an alert package to an automatic attribute value generation and rule feedback module (AVGRFM). The AVGRFM uses the alert package, and optionally other alert packages from the same AD or other ADs, to automatically generate a new set of attribute values for each of a set of attribute identifiers for use, by the AD or other ADs, in a different security rule than the violated security rule. The new set of attribute values may be used in an attack specific rule to detect a previously unknown web application layer attack. | 10-23-2014 |
20140317739 | ITERATIVE AUTOMATIC GENERATION OF ATTRIBUTE VALUES FOR RULES OF A WEB APPLICATION LAYER ATTACK DETECTOR - According to one embodiment, a computing device is coupled to a set of web application layer attack detectors (AD), which are coupled between HTTP clients and web application servers. The computing device learns a new set of attribute values for a set of attribute identifiers for each of a sequence of rules through an iterative process having a plurality of iterations. The iterative process begins with an attack specific rule, and the sequence of rules includes an attacker specific rule and another attack specific rule. Each iteration includes receiving a current alert package from one of the ADs sent responsive to a set of packets carrying a web application layer request meeting a condition of a current rule used by the AD, automatically generating a new set of attribute values based upon the current alert package, and transmitting the new set of attribute values to the set of ADs. | 10-23-2014 |
20140317740 | COMMUNITY-BASED DEFENSE THROUGH AUTOMATIC GENERATION OF ATTRIBUTE VALUES FOR RULES OF WEB APPLICATION LAYER ATTACK DETECTORS - According to one embodiment, a computing device is coupled to a set of web application layer attack detectors (ADs), which are coupled between HTTP clients and web application servers. The computing device automatically learns a new condition shared by a plurality of alert packages reported by the set of ADs due to a triggering of one or more rules that is indicative of a web application layer attack. The computing device automatically generates a new set of attribute values by analyzing the plurality of alert packages to identify the condition shared by the plurality of alert packages, and transmits the new set of attribute values for delivery to the set of ADs for a different rule to be used to protect against the web application layer attack from the HTTP clients or any other HTTP client. | 10-23-2014 |
20140317741 | AUTOMATIC GENERATION OF DIFFERENT ATTRIBUTE VALUES FOR DETECTING A SAME TYPE OF WEB APPLICATION LAYER ATTACK - According to one embodiment, a computing device is coupled to a web application layer attack detector (AD), which itself is coupled between an HTTP client and a web application server. The computing device automatically learns a new condition to detect a first type of web application layer attack. Responsive to receiving a web application layer message from the HTTP client that violates a rule for detecting the first type of web application layer attack, the AD transmits an alert package to the computing device, which uses the alert package, and optionally other alert packages, to automatically generate a new set of attribute values for each of a set of attribute identifiers to be transmitted to the AD or optionally other ADs for use in a different rule than the violated rule. The different rule is another attack specific rule for detecting the first type of web application layer attack. | 10-23-2014 |