Computing systems—i.e. devices capable of processing electronic data such as computers, telephones, Personal Digital Assistants (PDA), etc.—communicate with other computing systems by exchanging data messages according to a communications protocol that is recognizable by the systems. Such a system utilizes filter engines containing queries that are used to analyze messages that are sent and/or received by the system and to determine if and how the messages will be processed further.
A filter engine may also be called an “inverse query engine.” Unlike a database, wherein an input query is tried against a collection of data records, an inverse query engine tries an input against a collection of queries. Each query includes one or more conditions, criteria, or rules that must be satisfied by an input for the query to evaluate to true against the input.
For example, an XPath filter engine is a type of inverse query engine in which the filters are defined using the XPath language. The message bus filter engine matches filters against eXtensible Markup Language (XML) input to determine which filters return true and which return false. In one conventional implementation, the XML input may be a Simple Object Access Protocol (SOAP) envelope or other XML document received over a network.
A collection of queries usually takes the form of a tree-like data structure, where each node in the tree represents an instruction and each path executed from a root node to a terminating node represents a query expression. Each data structure may include hundreds or thousands of query expressions, and each query path may contain several conditions, criteria, or rules. As such, each query path may be seen as a series of instructions that include various functions, language constructs, and/or operations as defined by the inverse query specifications. As messages are received, their inputs are converted into a form conducive to the inverse query engine, which then evaluates the inputs against the instruction paths for each of the query expressions.
Such query expressions operate well in confined and properly managed environments (e.g., environments in which only trusted parties use the system and/or the expressions and messages are properly built). These inverse query engines, however, are susceptible to attacks (e.g., Denial of Service (DoS) attacks) in third-party settings or when the languages are not properly defined. More specifically, as is the case with most computer languages, there exist pairs of query expressions and inputs that take a long time to process and/or consume large amounts of memory resources. As such, the query system is open to attack whenever it accepts messages and/or query expressions from unreliable third-party sources or when the messages or expressions are not well defined. Currently, however, there are few, if any, mechanisms in place that would allow for the mitigation of such attacks.
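The following added example (not part of the original text) sketches the tree of instruction nodes described above and counts the instruction steps one message costs, which is the quantity the resource concern is about. It assumes a simplified path language of element names only rather than full XPath; the names FilterTree, BudgetExceeded and max_steps are hypothetical, and the step budget is an illustrative guard, not a mechanism taken from this text.

```python
import xml.etree.ElementTree as ET

class BudgetExceeded(Exception):
    """Evaluation exceeded the per-message step budget."""

class FilterTree:
    """Inverse query engine over a simplified path language (not full XPath)."""
    def __init__(self):
        self.root = {"children": {}, "filters": set()}

    def add(self, filter_id, path):
        # One instruction node per step; shared prefixes are stored once.
        node = self.root
        for step in path.strip("/").split("/"):
            node = node["children"].setdefault(step, {"children": {}, "filters": set()})
        node["filters"].add(filter_id)

    def evaluate(self, xml_text, max_steps=10_000):
        """Return (matched filter ids, instruction steps executed)."""
        matched, steps = set(), 0
        # Work list: (instruction node, elements to test against its children)
        work = [(self.root, [ET.fromstring(xml_text)])]
        while work:
            node, elems = work.pop()
            for elem in elems:
                steps += 1
                if steps > max_steps:  # assumed guard, not from the text
                    raise BudgetExceeded(f"more than {max_steps} steps")
                child = node["children"].get(elem.tag)
                if child is None:
                    continue
                matched |= child["filters"]  # terminating node(s) reached
                if child["children"]:
                    work.append((child, list(elem)))
        return matched, steps

# Constructed sample filters and message.
FILTERS = {"any-body": "/Envelope/Body", "orders": "/Envelope/Body/Order",
           "faults": "/Envelope/Body/Fault"}
MESSAGE = "<Envelope><Header/><Body><Order/><Order/></Body></Envelope>"

def build(filters=FILTERS):
    tree = FilterTree()
    for filter_id, path in filters.items():
        tree.add(filter_id, path)
    return tree

def wide_message(n):  # constructed input: same filters, n matching children
    return "<Envelope><Body>" + "<Order/>" * n + "</Body></Envelope>"
```

With the filter set held fixed, the step count here grows with the number of elements the input offers to each instruction node, so the budget caps the work a single message can demand.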