1. Field
This field is generally related to network security.
2. Related Art
A communication network may, for example, allow data to be transferred between two geographically remote locations. Networks are used, for example, to provide applications, such as web and other Internet-based applications, to users. Typically, these applications operate by receiving a request, such as a Hypertext Transfer Protocol (HTTP) request, and, based on the request, supplying a response. The request and response may be formatted in accordance with a known application program interface (API). The requests are generally transmitted via a public or private network, such as the Internet or an internal network, to the service provider. The service provider has its own environment that services the request. The environment may include a plurality of different devices that coordinate with each other to provide the service. The devices may coordinate over a private network belonging to the service provider. Or, the devices may operate in a cloud or a public network.
Not all application and network requests are legitimate. Oftentimes, these requests are meant to abuse the network or the application. Abuse can come in several forms. For example, some abuse mechanisms try to overwhelm a service so that it cannot service legitimate requests. These are referred to as denial of service requests, whether at the network or application layer. One common mechanism of abuse is referred to as application abuse. An example of this is a malicious entity fraudulently creating accounts on a service provider platform and then transporting unwanted requests across the service provider environment.
Another type of denial of service abuse is a Transport Control Protocol (TCP) SYN flood abuse. Normally when a client attempts to start a TCP connection to a server, the client requests a connection by sending a SYN (synchronize) message to the server, the server acknowledges this request by sending SYN-ACK back to the client, and the client responds with an ACK. A SYN flood abuse works by not responding to the server with the expected ACK code, failing to finish the transaction. Enough of these unfinished transactions can overwhelm a server, rendering it unable to respond to additional requests.
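The half-open state the previous paragraph describes is what a defender can count. The following is an added illustration, not part of the original text: it replays a constructed packet trace against one protected server, keeps each client SYN pending until the same client 4-tuple sends its ACK (or a RST), expires stale entries the way a server's SYN queue would, and reports any source address holding more half-open connections than a threshold. The server address, the trace, the timeout and the threshold are all assumed sample values.

```python
from collections import defaultdict

# Assumed address of the protected server in the constructed trace below.
SERVER = "192.0.2.10"

# Constructed trace, not a real capture. Each entry is
# (timestamp_s, src_ip, src_port, dst_ip, dst_port, tcp_flags).
# One legitimate client completes its handshake; a second source sends 50 SYNs
# and never answers the server's SYN-ACKs.
SAMPLE_TRACE = [
    (0.00, "10.0.0.5", 40001, SERVER, 443, "SYN"),
    (0.01, SERVER, 443, "10.0.0.5", 40001, "SYN-ACK"),
    (0.02, "10.0.0.5", 40001, SERVER, 443, "ACK"),  # handshake completes
] + [
    (0.10 + i * 0.001, "198.51.100.7", 50000 + i, SERVER, 443, "SYN")
    for i in range(50)
] + [
    (0.10 + i * 0.001 + 0.0005, SERVER, 443, "198.51.100.7", 50000 + i, "SYN-ACK")
    for i in range(50)
]


def half_open_per_source(trace, server, now, syn_timeout=3.0):
    """Return {src_ip: number of SYNs still unacknowledged at time `now`}.

    A client SYN opens a pending entry keyed by (src_ip, src_port); the client's
    ACK or RST on the same tuple closes it. Entries older than syn_timeout are
    treated as already dropped by the server. Packets from the server to the
    client do not change client-side state and are skipped.
    """
    pending = {}  # (src_ip, src_port) -> timestamp of the SYN
    for ts, src, sport, dst, _dport, flags in sorted(trace):
        if ts > now:
            break
        if dst != server:
            continue
        key = (src, sport)
        if flags == "SYN":
            pending[key] = ts
        elif flags in ("ACK", "RST"):
            pending.pop(key, None)
    counts = defaultdict(int)
    for (src, _sport), ts in pending.items():
        if now - ts <= syn_timeout:
            counts[src] += 1
    return dict(counts)


def flag_syn_flood_sources(trace, server, now, threshold=20, syn_timeout=3.0):
    """Source addresses whose half-open connection count reaches the threshold."""
    counts = half_open_per_source(trace, server, now, syn_timeout)
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(half_open_per_source(SAMPLE_TRACE, SERVER, now=0.5))
    print(flag_syn_flood_sources(SAMPLE_TRACE, SERVER, now=0.5))
```

Sampling at `now=0.015` shows the legitimate client with one pending SYN, which disappears once its ACK arrives; sampling at `now=0.5` shows 50 half-open connections from the flooding source and flags it, while a later sample past the timeout shows nothing, which is why a detector has to observe the queue while the flood is in progress rather than after the fact.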
Other abuses may not be trying to bring down a service, but may instead be making requests for other improper purposes. In these abuses, an automated system may be making application requests that, for example, set up fake user accounts and try to entice a user to divulge confidential information, such as her password, credit card information, or Social Security number, or run other scams. These abuses are sometimes referred to as API or application abuse. Oftentimes, these abuse vectors can be concealed inside of an encrypted transport method, such as SSL (Secure Sockets Layer) or IPSec (Internet Protocol Security).
Hardware appliances are available that try to control these types of network and application abuses. Some of these appliances may, for example, operate by maintaining a database of fingerprints of known threats. A database of known threats may be generated by human analysts and include fingerprints identifying different potential threats. As the appliance manufacturer becomes aware of new threats, it may send updates to the database. Using the database, the appliance scans for potential threats.
In addition to scanning against fingerprints, some appliances may check the rate of requests from particular source addresses. For example, an appliance may detect a potential abuse by recognizing that the rate of requests from a source address has increased dramatically or exceeded a threshold.
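The two appliance mechanisms described in the preceding paragraphs, fingerprint scanning and per-source rate checking, can be shown together over a request log. The following is an added example, not part of the original text or of any appliance vendor's product: it parses constructed request log lines in an assumed format, matches each request against a small hypothetical fingerprint database, and keeps a sliding-window request count per source address that raises an alert once a threshold is exceeded. The log format, the fingerprint entries, the sample addresses, the window and the threshold are all assumptions.

```python
import re
from collections import defaultdict, deque

# Assumed log format (constructed for this example, not a real server's):
#   "<ts_seconds> <src_ip> <method> <path> \"<user_agent>\""
LINE_RE = re.compile(
    r'^(?P<ts>\d+(?:\.\d+)?) (?P<src>\S+) (?P<method>\S+) (?P<path>\S+) "(?P<ua>[^"]*)"$'
)

# Hypothetical fingerprint database: id -> pattern tried against the User-Agent
# and the request path. Stands in for the analyst-maintained, vendor-updated
# database the text describes.
FINGERPRINTS = {
    "FP-0001": re.compile(r"ExampleScanner/\d+"),  # hypothetical scanner User-Agent
    "FP-0002": re.compile(r"(?:^|/)\.\.(?:/|$)"),  # a ".." path component
}

# Constructed sample log: ordinary browsing, one fingerprinted request, and a
# burst of 30 account-creation requests from a single source within a second.
SAMPLE_LOG = [
    '0.0 10.0.0.5 GET /index.html "Mozilla/5.0"',
    '0.5 198.51.100.7 GET /login "ExampleScanner/3"',
    '1.0 10.0.0.5 GET /style.css "Mozilla/5.0"',
] + [
    f'{2.0 + i * 0.02:.2f} 203.0.113.9 POST /api/accounts "curl/8.0"'
    for i in range(30)
]


def parse_line(line):
    """Parse one log line into a dict, or return None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    req["ts"] = float(req["ts"])
    return req


def match_fingerprints(req):
    """Ids of every fingerprint that matches the request's User-Agent or path."""
    return [
        fp_id for fp_id, pat in FINGERPRINTS.items()
        if pat.search(req["ua"]) or pat.search(req["path"])
    ]


class SourceRateTracker:
    """Sliding-window request counter per source address."""

    def __init__(self, window_s=10.0, threshold=25):
        self.window_s = window_s
        self.threshold = threshold
        self._times = defaultdict(deque)  # src_ip -> timestamps inside the window

    def observe(self, src, ts):
        """Record a request; return True when the source exceeds the threshold."""
        q = self._times[src]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()
        return len(q) > self.threshold


def analyze(lines, window_s=10.0, threshold=25):
    """Run fingerprint scanning and per-source rate checking over log lines."""
    tracker = SourceRateTracker(window_s, threshold)
    fingerprint_hits, rate_alerts = [], []
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue  # skip lines that do not fit the assumed format
        for fp_id in match_fingerprints(req):
            fingerprint_hits.append((fp_id, req["src"]))
        if tracker.observe(req["src"], req["ts"]) and req["src"] not in rate_alerts:
            rate_alerts.append(req["src"])
    return {"fingerprint_hits": fingerprint_hits, "rate_alerts": rate_alerts}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the sample log the fingerprint scan reports the scanner User-Agent from 198.51.100.7 and the rate check reports 203.0.113.9 after its 26th request inside the window. The rate check is keyed on the source address alone, which is exactly the limitation the text goes on to describe: the same 30 requests spread across 30 addresses would never reach the per-source threshold.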
While these appliances have advantages, they suffer at least three primary drawbacks. First, they may be impossible to deploy in particular architectures, such as some cloud applications hosted by third parties. Second, they tend to operate in their own silos, often relying only on their own customers' network and application transaction data to update threat databases. Operating in their own silos, these appliances may not effectively adapt and react to new threats. Third, they tend to be purpose-built for only a narrow class of abuse.
Because of these limitations, some malicious entities can circumvent these security measures by spreading their requests out across a variety of different source addresses. New systems and methods are needed to better protect against these abuses.