News Column

"Hierarchical Rule Development and Binding for Web Application Server Firewall" in Patent Application Approval Process

July 31, 2014



By a News Reporter-Staff News Editor at Politics & Government Week -- A patent application by the inventors Ji, Peng (Beijing, CN); Luo, Lin (Beijing, CN); Sreedhar, Vugranam C. (Yorktown Heights, NY); Yang, Shun Xiang (Beijing, CN); Zhang, Yu (Beijing, CN), filed on January 6, 2014, was made available online on July 17, 2014, according to news reporting originating from Washington, D.C., by VerticalNews correspondents.

This patent application is assigned to International Business Machines Corporation.

The following quote was obtained by the news editors from the background information supplied by the inventors: "In a typical Web application a client, such as a browser, interacts with a Web server by exchanging a series of messages that are made up of hypertext transfer protocol (HTTP) requests and responses. An attacker often exploits vulnerabilities that exist in a Web application to launch attacks. Some of the predominant types of attacks against Web applications include Cross-Site Scripting (XSS), SQL Injection (SQL-I), and Cross-Site Request Forgery (CSRF) attacks."

In addition to the background information obtained for this patent application, VerticalNews journalists also obtained the inventors' summary information for this patent application: "Principles of the invention provide techniques for hierarchical rule development and binding for a web application server firewall. In one aspect, an exemplary method for operating a web application server firewall includes the steps of intercepting at least one of an HTTP request message and an HTTP response message; and identifying a corresponding HTTP message model, based on the intercepting step. The HTTP message model includes a plurality of message model sections. Additional steps include parsing a representation of the at least one of an HTTP request message and an HTTP response message into message sections in accordance with the message model sections of the HTTP message model; and binding a plurality of security rules to the message model sections. The plurality of security rules each specify at least one action to be taken in response to a given condition. The given condition is based, at least in part, on a corresponding given one of the message sections. A further step includes processing the at least one of an HTTP request message and an HTTP response message in accordance with the plurality of security rules.

"In another aspect, an exemplary method for developing rules for a web application server firewall includes the steps of anticipating at least one of an HTTP request message and an HTTP response message likely to be processed by the web application server firewall; and building a corresponding HTTP message model, based on the anticipating step. The HTTP message model includes a plurality of message model sections. An additional step includes developing a plurality of security rules each specifying at least one action to be taken in response to a given condition. The given condition is based, at least in part, on a corresponding section of an actual message. A further step includes binding the plurality of security rules to the message model sections. In some cases, rather than carrying out the anticipating step, such step is performed externally and the method includes building the HTTP message model based on the at least one of an HTTP request message and an HTTP response message anticipated from the externally-performed step as likely to be processed by the web application server firewall.

"As used herein, 'facilitating' an action includes performing the action, making the action easier, helping to carry the action out, or causing the action to be performed. Thus, by way of example and not limitation, instructions executing on one processor might facilitate an action carried out by instructions executing on a remote processor, by sending appropriate data or commands to cause or aid the action to be performed. For the avoidance of doubt, where an actor facilitates an action by other than performing the action, the action is nevertheless performed by some entity or combination of entities.

"One or more embodiments of the invention or elements thereof can be implemented in the form of a computer program product including a computer readable storage medium with computer usable program code for performing the method steps indicated. Furthermore, one or more embodiments of the invention or elements thereof can be implemented in the form of a system (or apparatus) including a memory, and at least one processor that is coupled to the memory and operative to perform exemplary method steps. Yet further, in another aspect, one or more embodiments of the invention or elements thereof can be implemented in the form of means for carrying out one or more of the method steps described herein; the means can include (i) hardware module(s), (ii) software module(s) stored in a computer readable storage medium (or multiple such media) and implemented on a hardware processor, or (iii) a combination of (i) and (ii); any of (i)-(iii) implement the specific techniques set forth herein.

"Techniques of the present invention can provide substantial beneficial technical effects. For example, one or more embodiments may provide one or more of the following advantages: (i) hierarchical rule development and binding can make rule configuration much easier and more accurate, and make rule definitions align much better with web application logic according to its hierarchical business needs and technical design; and (ii) hierarchical rule development and binding can make security patching for web applications more efficient without any changes to the web application itself.

"These and other features and advantages of the present invention will become apparent from the following detailed description of illustrative embodiments thereof, which is to be read in connection with the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

"FIG. 1 depicts a cloud computing node according to an embodiment of the present invention;

"FIG. 2 depicts a cloud computing environment according to an embodiment of the present invention;

"FIG. 3 depicts abstraction model layers according to an embodiment of the present invention;

"FIG. 4 depicts an exemplary web application security protection architecture in a cloud environment, according to an aspect of the invention;

"FIG. 5 depicts an exemplary HTTP request, according to an aspect of the invention;

"FIG. 6 depicts an exemplary HTTP message model, according to an aspect of the invention;

"FIG. 7 presents an exemplary JSON representation of an HTTP request model, according to an aspect of the invention;

"FIG. 8 presents an exemplary rule definition in a rule development tool, according to an aspect of the invention;

"FIG. 9 presents an exemplary HTTP message and its hierarchical logic on URL, and rule binding to the HTTP message sections in a rule development tool, according to an aspect of the invention;

"FIG. 10 shows an exemplary rule and rule set model, according to an aspect of the invention;

"FIG. 11 shows an exemplary JSON representation for a URI template, according to an aspect of the invention;

"FIG. 12 presents an exemplary rule sample for ModSecurity, according to an aspect of the invention;

"FIG. 13 presents performance evaluation results for different modules enabled in web application security protection, according to an aspect of the invention;

"FIG. 14 presents an exemplary rule instance in Hierarchical Rule Schema (HRS) for the ModSecurity rules of FIG. 12, according to an aspect of the invention;

"FIG. 15 is a table showing a comparison for a Tomcat & Filter, ModSecurity, and web application security protection, according to an aspect of the invention;

"FIG. 16 is a table showing an experiment environment setting, according to an aspect of the invention;

"FIG. 17 shows average response time versus enabling different modules, according to an aspect of the invention;

"FIG. 18 shows maximum new connections versus enabling different modules, according to an aspect of the invention;

"FIG. 19 shows the cumulative transaction completed ratio versus enabling different modules, according to an aspect of the invention;

"FIG. 20 shows certain URLs and the like, according to an aspect of the invention; and

"FIG. 21 shows a flow chart of an exemplary method, according to an aspect of the invention."
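The operating method in the inventors' summary (intercept an HTTP message, identify its message model, parse the message into the model's sections, bind rules to those sections, then process the message under the bound rules) can be sketched in code. The Python below is an added illustration written for this column; it is not code from the patent application or from IBM. The section names, the rule fields, the sample requests and the rule patterns are all constructed assumptions, and the URL-prefix binding is one simple reading of the "hierarchical logic on URL" that FIG. 9 refers to.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple
from urllib.parse import parse_qs, urlsplit

# Assumed message model: a fixed set of named sections. The patent's own
# section names are not reproduced in the article, so these are invented.
SECTIONS = ("request_line", "path", "query", "headers", "cookies", "body")


def parse_request(raw: str) -> Dict[str, object]:
    """Parse a raw HTTP/1.1 request text into the model's sections."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    parts = urlsplit(target)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies: Dict[str, str] = {}
    for item in headers.get("cookie", "").split(";"):
        if "=" in item:
            k, _, v = item.strip().partition("=")
            cookies[k] = v
    # Only a form-encoded body is decoded into parameters in this sketch.
    is_form = headers.get("content-type", "").startswith("application/x-www-form-urlencoded")
    body_params = parse_qs(body) if is_form else {}
    return {
        "request_line": {"method": method, "target": target, "version": version},
        "path": parts.path,
        "query": parse_qs(parts.query),
        "headers": headers,
        "cookies": cookies,
        "body": body_params,
    }


@dataclass
class Rule:
    """A rule bound to one model section: condition (regex) plus action."""
    rule_id: str
    section: str        # which model section the condition is evaluated on
    pattern: str        # condition: case-insensitive regex over the section's values
    action: str         # "block" or "log"
    url_prefix: str = "/"  # hierarchical binding: rule applies to this URL subtree

    def applies_to(self, path: str) -> bool:
        # A rule bound to /app/login also covers /app/login/anything below it.
        return path == self.url_prefix or path.startswith(self.url_prefix.rstrip("/") + "/")


def _strings(value: object) -> Iterator[str]:
    """Flatten a section value (str, dict of str, or dict of lists) into strings."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            if isinstance(v, list):
                yield from v
            else:
                yield str(v)


def process(raw: str, rules: List[Rule]) -> Tuple[str, List[Tuple[str, str]]]:
    """Evaluate every rule bound to a section of this message; return verdict and hits."""
    msg = parse_request(raw)
    path = msg["path"]
    hits: List[Tuple[str, str]] = []
    for rule in rules:
        if not rule.applies_to(path):
            continue
        if any(re.search(rule.pattern, s, re.IGNORECASE) for s in _strings(msg[rule.section])):
            hits.append((rule.rule_id, rule.action))
    verdict = "block" if any(action == "block" for _, action in hits) else "allow"
    return verdict, hits


# Constructed rule set: a site-wide rule on the query section, a rule on the
# body section bound only to the /app/login subtree, and a site-wide log rule.
RULES = [
    Rule("R1-xss-query", "query", r"<\s*script", "block", "/"),
    Rule("R2-sqli-login-body", "body", r"'\s*or\s+\d+\s*=\s*\d+", "block", "/app/login"),
    Rule("R3-log-trace", "request_line", r"^(TRACE|TRACK)$", "log", "/"),
]

# Constructed sample requests (not captured traffic).
BENIGN = "GET /app/search?q=shoes HTTP/1.1\r\nHost: shop.example\r\nCookie: sid=abc123\r\n\r\n"
XSS_QUERY = "GET /app/search?q=<script>alert(1)</script> HTTP/1.1\r\nHost: shop.example\r\n\r\n"
FORM = "Content-Type: application/x-www-form-urlencoded"
SQLI_LOGIN = f"POST /app/login HTTP/1.1\r\nHost: shop.example\r\n{FORM}\r\n\r\nuser=bob' or 1=1 --&pass=x"
SQLI_ELSEWHERE = f"POST /app/search HTTP/1.1\r\nHost: shop.example\r\n{FORM}\r\n\r\nuser=bob' or 1=1 --&pass=x"

if __name__ == "__main__":
    for name, req in [("benign", BENIGN), ("xss", XSS_QUERY),
                      ("sqli@login", SQLI_LOGIN), ("sqli@search", SQLI_ELSEWHERE)]:
        print(name, process(req, RULES))
```

The point the last two samples make is the one the summary calls hierarchical binding: the same body content is blocked under /app/login, where R2 is bound, and passes under /app/search, where no body-section rule is bound, so a rule scoped to one part of the application's URL hierarchy does not fire elsewhere.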

For the URL and more information on this patent application, see: Ji, Peng; Luo, Lin; Sreedhar, Vugranam C.; Yang, Shun Xiang; Zhang, Yu. Hierarchical Rule Development and Binding for Web Application Server Firewall. Filed January 6, 2014 and posted July 17, 2014. Patent URL: http://appft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&u=%2Fnetahtml%2FPTO%2Fsearch-adv.html&r=46&p=1&f=G&l=50&d=PG01&S1=20140710.PD.&OS=PD/20140710&RS=PD/20140710

Keywords for this news article include: International Business Machines Corporation.

Our reports deliver fact-based news of research and discoveries from around the world. Copyright 2014, NewsRx LLC

Source: Politics & Government Week