The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section.
The attack surface of a networked computer system consists of the components within that computer system that are exposed to access by a potential attacker. Such components may include, for instance, applications executed by a web server and other server-based applications. It is typically desirable for user-operated clients to interact with these components over one or more computer networks. Thus the components feature various interfaces for interacting with clients over those one or more networks. For example, the components may expose web-based graphical user interfaces (“GUIs”) comprising user input controls, interfaces for receiving user input via predefined protocols such as Hyper-Text Transfer Protocol (“HTTP”) or Simple Object Access Protocol (“SOAP”), customized application programming interfaces (“APIs”), and/or other services by which the components receive and react to communications from user-operated client devices.
While user access to the components is typically desirable, providing the user access sometimes leaves the components vulnerable to unauthorized uses, in which an unauthorized user succeeds in causing the components to execute in manners that are unintended or undesired by the owner of the computer system. Examples of unauthorized uses, which are also known as “attacks,” include without limitation: passive attacks, such as wiretapping, and active attacks such as denial of service, scripted account creation, server or account hijacking, buffer overflow, heap overflow, and format string attacks.
For the purposes described herein, an attack need not necessarily be malicious in intent, but may rather be any undesirable behavior, including, for example, a user unintentionally over-using system resources. For instance, a computer system may provide access to a wide variety of media resources, and a user may unintentionally create or deploy software code, such as code for a media server, that when executed causes a computing device to repeatedly and systematically request access to the media resources, so as to compile and/or analyze a library of information about the media resources. This behavior may, however, be undesirable for the computer system, since it may negatively impact the system's ability to respond to more traditional ad hoc requests for media items. Various traffic management schemes may be devised to address this and other undesirable behavior.
A firewall is an example traffic management component of a networked computer system. Examples of firewall components include dedicated appliances, software-based applications running on computer devices within a system, or any other system components that act as gateways for network traffic. Many conventional networked computer systems are configured such that a firewall intercepts all, or at least the majority, of messages sent between potentially untrusted client devices outside of the computer system and trusted components within the computer system. The messages may be intercepted at one or at multiple levels. For instance, some firewalls intercept messages at a network layer or transport layer, such as messages in the form of TCP or UDP packets, and/or at an application layer, such as messages in the form of FTP, DNS, or HTTP requests. Other firewalls intercept any of a wide variety of message types, at any of a wide variety of layers.
Conventionally, a firewall is configured to compare one or more policies to the intercepted messages, so as to determine one or more actions to take with respect to the intercepted messages. A variety of different actions may be taken, such as allowing the message to reach its addressed destination, redirecting a message, blocking a message, manipulating a message, logging certain details about the message, and so forth. Policies are sometimes referred to as filters, in that they often “filter out” unwanted messages by blocking them altogether. A simple example of a policy is a rule that a message having characteristics that match certain criteria specified by the rule, such as a specified source address or destination port, should be blocked. A firewall may be configured to apply a variety of policies that are intended to block or minimize attacks on system assets. In some systems, a firewall may even be adaptive, in that it is configured to learn from previously-received traffic and adjust its policies to better react to future attacks.
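To make the policy matching just described concrete, the following Python example (added here; it is not part of the original text and is not any particular firewall product's code) evaluates a constructed rule set against constructed messages. The message fields, rule fields, first-match semantics and the use of RFC 5737 documentation addresses are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed example: a minimal policy evaluator. Each rule names matching
# criteria (source network, destination port, application protocol) and an
# action. "log" rules record the message and continue; "allow"/"block" are
# terminal on first match, mirroring the filter semantics described above.

@dataclass
class Message:
    src: str          # source IP address
    dst_port: int     # destination port
    proto: str        # application-layer protocol, e.g. "http", "dns"

@dataclass
class Rule:
    action: str                     # "allow", "block" or "log"
    src_net: Optional[str] = None   # CIDR; None matches any source
    dst_port: Optional[int] = None  # None matches any port
    proto: Optional[str] = None     # None matches any protocol

    def matches(self, m: Message) -> bool:
        if self.src_net and ip_address(m.src) not in ip_network(self.src_net):
            return False
        if self.dst_port is not None and m.dst_port != self.dst_port:
            return False
        if self.proto and m.proto != self.proto:
            return False
        return True

def evaluate(rules: list, m: Message, default: str = "allow"):
    """Return (terminal action, list of log entries) for message m."""
    logged = []
    for r in rules:
        if not r.matches(m):
            continue
        if r.action == "log":
            logged.append(f"{m.src}->{m.dst_port}/{m.proto}")
            continue           # logging is non-terminal; keep evaluating
        return r.action, logged
    return default, logged     # no terminal rule matched

# Constructed policy set: log all DNS, block one address range,
# allow HTTPS-port web traffic, and deny everything else.
POLICIES = [
    Rule("log", proto="dns"),
    Rule("block", src_net="203.0.113.0/24"),
    Rule("allow", dst_port=443, proto="http"),
    Rule("block"),
]
```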
In networked computer systems where the attack surface is highly distributed, it is often difficult to effectively deploy an adaptive firewall. A single attack may originate almost concurrently from a wide variety of sources, and affect many different assets on the attack surface. It is thus useful to centrally analyze the traffic passing through the networked computer system so as to recognize certain attacks and understand their scope. Yet, relying on a single, centralized firewall component to intercept and analyze each message is sometimes undesirable or infeasible.