The ease, accessibility, and convenience of the Internet have rapidly changed the way people use computers and access information. The World Wide Web (WWW), often referred to as “the web”, is one of the most popular means for retrieving information on the Internet. The web gives users or clients access to an almost unlimited number of resources, such as interlinked hypertext documents or other server documents, retrieved via the hypertext transfer protocol (HTTP) from servers located around the world. The web operates in a basic client-server format, wherein servers are dedicated computers or individual computer applications that execute resources in a certain manner, such as storing and transmitting web documents or binary objects to client computers or web-enabled devices on the network. For example, a user or client can interact with a server, or web server, through a web browser on a web-enabled device in order to view retrieved information or to request that an application on the web server operate in a desired manner.
Documents on the web, referred to as web pages, are typically written in the hypertext markup language (HTML) or a similar mark-up language, and are identified by uniform resource locators (URLs) or uniform resource identifiers (URIs) that specify a particular computer and pathname by which a file or resource can be accessed. Codes, often referred to as tags, embedded in an HTML document associate particular words and images in the document with URLs so that a user or client can access another file or page by pressing a key or clicking a mouse button. These files generally comprise text, images, videos, and audio, as well as applets or other embedded software programs, written in, for example, Java or ActiveX, that execute when the user or client activates them by clicking on a hyperlink. A user or client viewing a web page can also interact with components that, for example, forward information supplied by the client to a server through the use of forms, download files via the file transfer protocol (FTP), facilitate user or client participation in chat rooms, conduct secure business transactions, and send messages to other users or clients via e-mail by using links on the web page.
A web server and its surrounding network environment can be vulnerable to attack from malicious or irresponsible individuals via one or more web-enabled devices communicating with the web server. This is referred to as “web hacking” and generally involves taking advantage of mistakes or vulnerabilities in web design through a web application on the web server. Web hacking differs from traditional system or application hacking in that the attack generally takes place via application layer protocols, using requests that are syntactically valid HTTP and therefore pass through lower-layer controls unhindered. Generally, the easier it is for clients to talk or interact directly with the server applications through a web page or any other suitable type of computer-readable data, the easier it is for someone to hack into those applications. Typical attacks include defacing a page by deleting graphics and replacing them with doctored, sometimes lurid, graphics; altering or stealing password files; deleting data files; pirating copyrighted works; tampering with credit and debit card numbers or other customer information; publicizing private business information; accessing confidential or unauthorized information; searching through internal databases; data mining; using the web application as a vehicle to attack other users or clients; and denial of service attacks. Thus, web hacking causes inconvenience and perhaps irreversible damage to users, clients, customers, businesses, and operators of the web server. Generally, conventional computer security methods either fail to address web hacking concerns adequately or ignore them altogether.
The International Organization for Standardization (ISO) developed a set of protocol standards designed to enable computers to connect with one another and to exchange information with as little error as possible. The protocols generally accepted for standardizing overall computer communications are designated in a seven-layer set of hardware and software guidelines known as the open systems interconnection (OSI) model. This protocol model forms a valuable reference and defines much of the language used in data communications. The seven layers are, from lowest to highest, the physical layer, the data link layer, the network layer, the transport layer, the session layer, the presentation layer, and the application layer. The application layer is the highest layer of standards in the OSI model, and it is the layer at which HTTP and the content of web requests and responses reside.
Conventional security methods are typically implemented either at the network and transport layers, by using a firewall, or between the transport and application layers, by using the secure sockets layer (SSL) or a public key infrastructure (PKI). A firewall is a type of security implementation intended to protect a trusted environment, network, or web server against external threats originating from another network, such as the Internet. A packet-filtering firewall admits or drops traffic based on network-layer and transport-layer attributes such as source and destination address, protocol, and port number, without regard to the application content carried in the packets. A proxy-based firewall prevents computers behind the firewall from communicating directly with computers external to the protected environment, network, or web server. Instead, all communications are routed through a proxy server at the boundary of the trusted environment, network, or web server. The proxy server decides whether it is safe to let a particular message type or file type pass through, based on a set of filters, to the trusted environment, network, or web or application server.
SSL is an open standard developed by Netscape Communications Corporation of Mountain View, Calif., and later standardized by the IETF as transport layer security (TLS), for establishing a secure and encrypted communications channel to prevent the interception of critical information, such as credit card information. The primary purpose of using SSL is to enable secure and encrypted electronic transactions on public networks, such as the web. A public key infrastructure or trust hierarchy is a system of digital certificates, certificate authorities, and other registration authorities that verify and authenticate each party involved in a communication session. PKIs are currently evolving and there is no single PKI nor even a single agreed-upon standard for setting up a PKI. One drawback of the above noted conventional technologies is that they do not perform an inspection of the application layer protocol, i.e., they do not scrutinize the application content of an incoming request. SSL in particular works against such inspection: a firewall sees an SSL-protected request only as encrypted bytes, so the request's content can be examined only at the point where the session is terminated, namely at the web server itself or at a proxy that holds the server's private key. A hostile request carried over a properly encrypted and authenticated channel is delivered to the application intact. Therefore, these technologies cannot prevent web hacking attacks directed through the application content of an operation request.
Web hackers can easily attack computer systems by exploiting flaws and vulnerabilities in web design. For example, default scripts may allow files to be uploaded onto a web server; a web server's treatment of environment variables may be exploited; and the existence of backdoors or flaws in third party products may allow unauthorized access. These techniques can be potent attacks and are generally difficult to defend against through conventional means. Each month new software vulnerabilities are discovered, but many system operators leave these holes unpatched and their systems open to preventable attacks. Major corporations and government agencies utilizing well configured firewalls, PKI, and SSL implementations have been infiltrated by hackers using known application layer intrusions. These intrusions typically involve illegal and harmful requests that are sent to an application, forcing it to execute outside its intended or authorized scope of operation. Such a request may cause the application to damage itself, its files or buffers, other applications, system performance, or the confidentiality of information.
Two conventional approaches attempt to address some of these problems. One technique involves monitoring the server operating system to identify suspicious events such as deleting a file or formatting a disk. However, this type of reactive technique typically activates only after damage has commenced or been completed. A second technique involves the installation of a network filter in front of an application and updating the filter database with known patterns that can affect the application. However, this technique is limited in that it is unable to identify patterns that are not yet “known” to the filter database. In other words, the capability of this technique is directly related to the comprehensiveness of the filter database from which it draws the patterns. To increase capability, the filter database requires continual updating, and even a current database is defeated by a known pattern presented in a form the filter does not recognize, such as a URL-encoded variant of a known string. Further, these techniques will not protect against manipulations of environment variables or of the application's implemented business process. These techniques also fail to account for and protect against vulnerabilities in the application itself, such as input validation errors, authentication errors, authorization errors, and lack of usage policy enforcement.
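The limitation of the second technique can be made concrete. The following is an added example written for this page, not code from the original document or from any product it describes: a minimal signature-based request filter with a small, constructed pattern database, run over four constructed HTTP request lines. It shows a request the filter catches, a URL-encoded variant of the same known pattern that slips past naive matching until the request is canonicalized, and a request that no amount of canonicalization catches because its pattern is simply not in the database. For contrast it also applies a per-parameter allow-list derived from what the application itself expects, which flags all three bad requests without knowing any attack pattern in advance. The signature list, the allow-list rules, the parameter names `id` and `lang`, and the request lines are all assumptions made for the example.

```python
"""
Added example (not from the original page): signature filtering versus
application-specific allow-listing of HTTP request parameters.
All signatures, rules and request lines below are constructed for illustration.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed "known bad" pattern database. A signature filter is only as good
# as this list; anything not represented here is invisible to it.
SIGNATURES = [
    r"\.\./",          # directory traversal
    r"<script",        # reflected script injection
    r"'\s*or\s+1=1",   # classic SQL tautology
]


def match_signatures(text, signatures=SIGNATURES):
    """Return the signatures that match the given request text as-is."""
    return [s for s in signatures if re.search(s, text)]


def canonicalize(raw):
    """Percent-decode (bounded, to survive double encoding) and lowercase, so a
    known pattern is compared in the form the application will actually see."""
    cur = raw
    for _ in range(3):
        decoded = unquote(cur)
        if decoded == cur:
            break
        cur = decoded
    return cur.lower()


def signature_filter(raw_request_line, canonical=True):
    """Signatures that would block this request line; naive mode skips canonicalization."""
    text = canonicalize(raw_request_line) if canonical else raw_request_line
    return match_signatures(text)


# Constructed allow-list: the form each query parameter is expected to take.
# This encodes what the application accepts, not what attackers send.
ALLOWED = {
    "id": re.compile(r"^[0-9]{1,9}$"),
    "lang": re.compile(r"^(en|de|fr)$"),
}


def allowlist_check(raw_request_line):
    """Return the names of query parameters that violate the expected form.
    Unknown parameters are violations too: the application never asked for them."""
    target = raw_request_line.split(" ")[1]          # "GET <target> HTTP/1.1"
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)  # decodes %xx
    violations = []
    for name, values in params.items():
        rule = ALLOWED.get(name)
        if rule is None or any(not rule.match(v) for v in values):
            violations.append(name)
    return violations


# Constructed request lines (no real hosts or applications involved).
REQUESTS = {
    "plain":   "GET /item?id=1&lang=en HTTP/1.1",
    "obvious": "GET /item?id=1&lang=../../etc/passwd HTTP/1.1",
    "encoded": "GET /item?id=1&lang=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1",
    "novel":   "GET /item?id=1%20OR%202%3D2&lang=en HTTP/1.1",  # not in SIGNATURES
}


def evaluate(requests=REQUESTS):
    """Run the naive filter, the canonicalizing filter and the allow-list over every request."""
    return {
        name: {
            "naive": bool(signature_filter(req, canonical=False)),
            "canonical": bool(signature_filter(req)),
            "allowlist": bool(allowlist_check(req)),
        }
        for name, req in requests.items()
    }


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:8s} {verdict}")
```

The “encoded” row is the point about filter completeness: the pattern is known, yet the filter misses it until the request is put into the form the application will decode. The “novel” row is the deeper limitation: a tautology that is not `1=1` matches nothing in the database, while the allow-list rejects it for the only reason that matters, that an item identifier is not a digit string.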
In addition, conventional security solutions typically fail to address the increased hacking opportunities created by the proliferation of electronic commerce (e-commerce), mobile, interactive television (iTV), and web services applications. These applications generally require the combination of numerous components operating on different platforms, all working together using different technologies. For example, a single application can comprise a plurality of components, such as a web server application, a transaction server application, a database, and Java, ActiveX, and Flash applets, all working together. Generally, conventional security solutions are unable to meet the unique security needs of each component in such a multiple component system.
Based on the foregoing, it is apparent that it can be difficult to anticipate, recognize, or prevent all types of web or server hacking. Therefore, it is desirable to provide a system for monitoring communication between an application server and client application to alert operators to suspect activity. It is also desirable to provide a system for associating suspect activity with a particular web-enabled device, client, user name, or user session.