1. Field of the Invention
The present invention relates to information security, particularly to an application layer security method and system for protecting trusted computer applications from executing illegal or harmful operation requests originating from an unknown or distrusted source.
2. Description of Background
The ease, accessibility, and convenience of the Internet have rapidly changed the way people use computers and access information. The World Wide Web (“WWW”), often referred to as ‘the web,’ is one of the most popular means for retrieving information on the Internet. The web gives users access to an almost infinite number of resources, such as interlinked hypertext documents retrieved via the hypertext transfer protocol (“HTTP”) from servers located around the world. The web operates in a basic client-server format, wherein servers are dedicated computers or individual computer applications that execute resources in a certain manner, such as storing and transmitting web documents or binary objects, on behalf of client computers on the network. For example, a user can interact with a server through a web browser in order to view retrieved information or to request that an application on the server operate in a desired manner.
Documents on the web, referred to as web pages, are typically written in a hypertext markup language (“HTML”) or similar language, and identified by uniform resource locators (“URLs”) that specify a particular machine and pathname by which a file or resource can be accessed. Codes, often referred to as tags, embedded in an HTML document associate particular words and images in the document with URLs so that a user can access another file or page by pressing a key or clicking a mouse. These files generally comprise text, images, videos, and audio, as well as applets or other embedded software programs, written in for example, Java or ActiveX, that execute when the user activates them by clicking on a hyperlink. A user viewing a web page may also interact with components that, for example, forward requested information supplied by the user to a server through the use of forms, download files via file transfer protocol (“FTP”), facilitate user participation in chat rooms, conduct secure business transactions, and send messages to other users via e-mail by using links on the web page.
Typically, the components that legitimate users desire, and that are likely to make a web site spectacular or popular, can also make a server and its surrounding network environment vulnerable to attack from malicious, irresponsible, or criminally-minded individuals. This is referred to as “web hacking” and generally involves taking advantage of mistakes or vulnerabilities in web design by way of the server applications themselves. Web hacking differs from traditional system or application hacking in that the attack generally takes place via application layer protocols, within traffic the server is intended to accept. Generally, the easier it is for clients to talk or interact directly with the server applications through a web page, the easier it is for someone to hack into those applications. Typical attacks include, but are not limited to, defacing a page by deleting graphics and replacing them with doctored, sometimes lurid, graphics; altering or stealing password files; deleting data files; pirating copyrighted works; tampering with credit and debit card numbers or other customer information; publicizing private business information; accessing confidential or unauthorized information; and searching through internal databases. Thus, web hacking causes inconvenience and perhaps irreversible damage to users, customers, businesses, and operators of the server(s). Generally, conventional computer security methods fail to address, or completely ignore, web hacking concerns.
The International Organization for Standardization (“ISO”) developed a set of protocol standards designed to enable computers to connect with one another and to exchange information with as little error as possible. The protocols generally accepted for standardizing overall computer communications are designated in a seven-layer set of hardware and software guidelines known as the open systems interconnection (“OSI”) model. This protocol model forms a valuable reference and defines much of the language used in data communications. As illustrated in FIG. 1, the application layer is the highest layer of standards in the OSI model.
Conventional security methods are typically implemented either at the network and transport layers, by using a firewall, or between the transport and application layers, by using a secure socket layer (“SSL”) or a public key infrastructure (“PKI”). A firewall is a type of security implementation intended to protect a trusted environment or network against external threats originating from another network, such as the Internet, by admitting or rejecting traffic according to its addresses, ports, and protocol. A proxy-based firewall further prevents computers behind the firewall from communicating directly with computers external to the trusted network. Instead, all communications are routed through a proxy server at the boundary of the trusted network, and the proxy server decides, based on a set of filters, whether it is safe to let a particular message type or file type pass through to the trusted network. A secure socket layer is a protocol originally developed by Netscape Communications® (and since standardized by the IETF as transport layer security, “TLS”) for establishing a secure and encrypted communications channel to prevent the interception of critical information, such as credit card information. The primary purpose of using SSL is to enable secure and encrypted electronic transactions on public networks, such as the web. A public key infrastructure or trust hierarchy is a system of digital certificates, certificate authorities, and other registration authorities that verify and authenticate each party involved in a communication session. PKIs are currently evolving and there is no single PKI nor even a single agreed-upon standard for setting up a PKI. One drawback of the above noted conventional technologies is that they do not inspect the application layer protocol, i.e., they do not scrutinize the application content of an incoming request: a firewall sees only addresses and ports, and SSL and PKI establish who is speaking and keep the conversation private without judging what is said. Therefore, these technologies cannot prevent web hacking attacks directed through the application content of an operation request; indeed, an encrypted channel carries such a request past any intermediate inspection unaltered.
Web hackers can easily attack computer systems by exploiting flaws and vulnerabilities in web design. For example, default scripts may allow files to be uploaded onto a web server; a web server's treatment of environment variables (such as those through which a common gateway interface script receives request data) may be exploited; and the existence of ‘backdoors’ or flaws in third party products allows unauthorized access. These techniques can be potent attacks and are generally difficult to defend against through conventional means. Each month new software vulnerabilities are discovered, but many system operators typically leave these holes unpatched and their systems open to preventable attacks. Major corporations and government agencies utilizing well configured firewall, PKI, and SSL implementations have been infiltrated by hackers using known application layer intrusions. These intrusions typically involve illegal and harmful requests that are sent to an application, forcing it to execute outside its intended or authorized scope of operation. Such a request may cause the application to damage itself, its files, its buffers, other applications, system performance, or the confidentiality of information.
Two conventional approaches attempt to address some of these problems. One technique involves monitoring the server operating system to identify suspicious events such as deleting a file or formatting a disk. However, this reactive technique typically activates only after damage has commenced or been completed. A second technique involves the installation of a network filter in front of an application and updating the filter's database with known patterns that can affect the application. However, this technique is limited in that it is unable to identify patterns that are not yet “known” to the filter database. In other words, the capability of this technique is directly related to the comprehensiveness of the filter database from which it draws its patterns, and a request that expresses a known attack in a form the database has not catalogued (a different encoding, for instance) passes through. To increase capability, the filter database requires continual updating. Further, neither technique protects against manipulation of environment variables or of the application's implemented business process, since a request that abuses the business process need contain no recognizable attack pattern at all.
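The two preceding paragraphs make two claims that are easier to see in code: a perimeter control that does not read the application content passes a hostile request unchanged, and a known-pattern filter catches only what its database already lists. The following is an added example written for this page, not code from the patent or its claimed system. It runs a constructed known-pattern filter over constructed HTTP request lines, and beside it runs a check that inspects the content of each request against what the receiving operation legitimately accepts. The request lines, the pattern list, the `/order` operation and its `item`/`qty` fields are all assumptions made for the illustration; the content check is one way to scrutinize application content and is not presented as the patent's method.

```python
"""Added example (not the patent's code): a known-pattern request filter
beside an application-content check, run over constructed requests."""
import re
from urllib.parse import parse_qs

# Constructed "filter database" of known attack patterns, matched against
# the request as it appears on the wire. It knows only what was catalogued.
KNOWN_PATTERNS = [
    re.compile(r"\.\./"),                # directory traversal
    re.compile(r"<script", re.I),        # script injection
    re.compile(r"'\s*or\s+1=1", re.I),   # classic SQL injection probe
]

# Constructed description of what the hypothetical /order operation accepts:
# field name -> validator over the decoded value. Anything else is rejected.
EXPECTED_FIELDS = {
    "item": lambda v: re.fullmatch(r"[A-Z]{3}-\d{4}", v) is not None,
    "qty": lambda v: v.isdigit() and 1 <= int(v) <= 99,
}

# Constructed request lines. A port-based firewall admits all five alike,
# since each is ordinary HTTP to the web server's port.
REQUESTS = [
    "GET /order?item=ABC-1234&qty=2 HTTP/1.1",                       # legitimate
    "GET /order?item=../../etc/passwd&qty=1 HTTP/1.1",               # known pattern
    "GET /order?item=%2e%2e%2f%2e%2e%2fetc%2fpasswd&qty=1 HTTP/1.1", # same attack, encoded
    "GET /order?item=ABC-1234&qty=-5 HTTP/1.1",                      # business-process abuse
    "GET /order?item=ABC-1234&qty=2&debug=1 HTTP/1.1",               # unexpected parameter
]


def pattern_filter(raw_request: str) -> bool:
    """Conventional filter: True if any catalogued pattern appears verbatim."""
    return any(p.search(raw_request) for p in KNOWN_PATTERNS)


def content_check(raw_request: str) -> list:
    """Inspect the application content of the request line.

    Returns a list of violation descriptions; an empty list means the
    request carries exactly the fields the operation expects, each with an
    acceptable value. parse_qs percent-decodes, so the check judges what the
    application would actually see rather than the wire bytes.
    """
    request_line = raw_request.splitlines()[0]
    _method, target, _version = request_line.split(" ", 2)
    query = target.partition("?")[2]
    fields = parse_qs(query, keep_blank_values=True)
    violations = []
    for name, values in fields.items():
        if name not in EXPECTED_FIELDS:
            violations.append(f"{name}: unexpected parameter")
            continue
        if len(values) != 1:
            violations.append(f"{name}: repeated parameter")
            continue
        if not EXPECTED_FIELDS[name](values[0]):
            violations.append(f"{name}: value {values[0]!r} not acceptable")
    for name in EXPECTED_FIELDS:
        if name not in fields:
            violations.append(f"{name}: missing parameter")
    return violations


def evaluate(raw_request: str) -> dict:
    """Run both checks on one request and report their verdicts together."""
    return {
        "pattern_blocked": pattern_filter(raw_request),
        "content_violations": content_check(raw_request),
    }


if __name__ == "__main__":
    for req in REQUESTS:
        print(req)
        print("   ", evaluate(req))
```

Run stand-alone, the pattern filter blocks only the second request: the percent-encoded traversal, the negative quantity and the stray `debug` parameter all pass it, while the content check flags each of them and passes only the first request. The trade-off a practitioner should note is that the content check has to know the application (which operations exist, which fields they take, what values are legal), whereas the pattern filter can be dropped in front of anything; a pattern filter taught to decode first would catch the third request, but only because someone added that case to its database after the fact, which is the dependency the paragraph describes.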
In addition, conventional security solutions typically fail to address the increased hacking opportunities created by the proliferation of electronic commerce (“e-commerce”), mobile, and interactive television (“iTV”) applications. These applications generally require numerous components, operating on different platforms and built with different technologies, all working together. For example, a single application can comprise a plurality of components, such as a web server application, a transaction server application, a database, and Java, ActiveX, and Flash applets, all working together. Generally, conventional security solutions are unable to meet the distinct security needs of each component in such a multiple-component system, and a request that is harmless to one component may be harmful to the component to which it is passed on.