Title of invention ITERATIVE AUTOMATIC GENERATION OF ATTRIBUTE VALUES FOR RULES OF A WEB APPLICATION LAYER ATTACK DETECTOR
Abstract According to one embodiment, a computing device is coupled to a set of web application layer attack detectors (AD), which are coupled between HTTP clients and web application servers. The computing device learns a new set of attribute values for a set of attribute identifiers for each of a sequence of rules through an iterative process having a plurality of iterations. The iterative process begins with an attack specific rule, and the sequence of rules includes an attacker specific rule and another attack specific rule. Each iteration includes receiving a current alert package from one of the ADs sent responsive to a set of packets carrying a web application layer request meeting a condition of a current rule used by the AD, automatically generating a new set of attribute values based upon the current alert package, and transmitting the new set of attribute values to the set of ADs.
Application publication number US2014317739(A1) Application publication date 2014.10.23
Application number US201313948148 Filing date 2013.07.22
Applicant Imperva, Inc. Inventors Be'ery Tal Arieh; Hershkovitz Shelly; Niv Nitzan; Shulman Amichai
Classification number H04L29/06 Main classification number H04L29/06
Agency Agent
Independent claim 1. A method in a computing device communicatively coupled to a set of web application layer attack detectors (ADs), wherein the set of ADs are communicatively coupled between a set of one or more Hypertext Transfer Protocol (HTTP) clients and a set of one or more web application servers to protect the set of web application servers against web application layer attacks, and wherein each AD applies rules that each comprise a condition including a set of one or more attributes, wherein each of the set of attributes includes an attribute identifier and a set of one or more attribute values, the method comprising: learning a new set of one or more attribute values for a set of one or more attribute identifiers for each of a sequence of rules through an iterative process having a plurality of iterations, wherein the iterative process begins with a current rule that is an attack specific rule that relies upon its set of attribute values of its set of attribute identifiers that are indicative of a first type of web application layer attack, wherein the sequence of rules includes an attacker specific rule that relies upon its set of attribute values of its set of attribute identifiers that identify an HTTP client of the set of HTTP clients, and wherein the last of the sequence of rules is another attack specific rule that relies upon its set of attribute values for its set of attribute identifiers that are indicative of a second type of web application layer attack, wherein each iteration of the iterative process includes, receiving, from one of the set of ADs, a current alert package comprising a current web application layer request message sent by one of the set of HTTP clients to one of the set of web application servers, wherein the current alert package was sent responsive to a current set of one or more packets that collectively carried the current web application layer request message and that resulted in the condition of the current rule being met, automatically generating, using the current alert package, a current new set of one or more attribute values for each of a current set of one or more attribute identifiers, and transmitting, for delivery to the set of ADs, the current new set of attribute values for each of the current set of attribute identifiers for a different rule than the current rule, wherein the different rule becomes the current rule in a subsequent iteration of the iterative process.
Address Redwood Shores CA US