1. Technical Field
This disclosure relates generally to analysis of network traffic in a data processing system and more specifically to a hybrid architected two-tier deep analysis of hypertext transport protocol data in the data processing system.
2. Description of the Related Art
Internet information theft has become a new form of crime against organizations worldwide. While network level attacks, for example, denial of service and probing, represent a constant threat, it is the application level attacks that produce most of the damage. The damage occurs because, by successfully exploiting an application vulnerability, an attacker is able to obtain private data associated with various aspects of an organization, data that could be used to jeopardize not only the reputation of a company but ultimately the identity of different individuals or organizations. Web attacks such as cross-site scripting, structured query language (SQL) injection, and information leakage are examples of successfully carried out attack scenarios that lead to identity theft.
The reality is that most of the application level attacks targeting the hypertext transport protocol (HTTP) appear as a consequence of a web design error and can be easily prevented by input sanitization. Despite this, cross-site scripting and SQL injection still remain among the most prevalent attacks according to the reports published by the Web Application Security Consortium at the following Web site (http://www.webappsec.org/projects/statistics/).
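To make the "web design error" and the "input sanitization" remedy concrete, the following is an added illustration (not part of this disclosure and not code from any product it describes). It places a string-spliced SQL lookup beside a parameter-bound one, and an unescaped HTML template beside an escaped one; the table, the function names and the sample rows are all constructed for the example.

```python
import html
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory user store standing in for an application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def lookup_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # Design error: the untrusted value is spliced into the SQL text, so a value
    # containing a quote can change the structure of the statement itself.
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Remedy: parameter binding. The driver sends the value separately from the
    # statement, so the input is only ever compared as data, never parsed as SQL.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_comment_unsafe(comment: str) -> str:
    # Design error: user text is written into the page as raw markup.
    return f"<p>{comment}</p>"


def render_comment_safe(comment: str) -> str:
    # Remedy: output encoding. Markup-significant characters become entities, so the
    # browser renders the text literally instead of interpreting it as HTML.
    return f"<p>{html.escape(comment, quote=True)}</p>"


if __name__ == "__main__":
    db = build_sample_db()
    tautology = "' OR '1'='1"   # classic textbook input that turns the WHERE clause true
    print("unsafe rows:", lookup_user_unsafe(db, tautology))  # every row comes back
    print("safe rows:  ", lookup_user_safe(db, tautology))    # no user has that name
    print(render_comment_safe("<script>alert(1)</script>"))
```

Both remedies are local to the application code, which is the point the disclosure makes: the fix is simple, but it has to be applied by whoever owns that code.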
While poor design is typically the main cause attributed to these attacks, the underlying problem is that the organizations that own the websites are usually not the same as the organizations that develop them. This separation of control introduces an inherent latency between the detection of an attack and its resolution. Thus, even though mitigation techniques for most types of attacks exist and are relatively easy to perform, deployment of a mitigation depends on the responsiveness of an organization that typically lacks either the knowledge or the resources. Adding to this problem, organizations may be unaware of their exposure to such vulnerabilities and consequently fail to act to remediate the problem.
Current solutions to this problem typically involve using an intrusion prevention system (IPS), a Web application firewall (WAF), or a Web application scanner (WAS). Each of these solutions has advantages and disadvantages and is specialized in solving specific aspects of the problem, thus providing only a partial solution. For instance, because of the tremendous amount of data exchanged in an organization, an IPS faces a computational challenge and struggles to keep up with the traffic rate. The time an IPS can spend on each network packet therefore has to be minimal, forcing the IPS to look for patterns within each packet rather than analyzing the current packet in the context of its connection. In addition, the number of protocols to be covered worsens the situation and forces the IPS to reduce either the scope of detection (for example, the number of protocols supported) or the depth of analysis performed per protocol. Thus, the footprint advantage that an IPS offers is offset by its lack of application layer detection or protection. On the other hand, WAF and WAS devices have deeper knowledge of the web traffic; however, the WAF has only basic response capabilities and is limited by its deployment, while the WAS works offline and is incapable of preventing attacks.
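The contrast drawn above, between matching patterns within each packet and analyzing a packet in the context of its connection with application layer knowledge, is shown below as an added detection example that is not part of this disclosure or of any IPS or WAF product. The HTTP request, its split into TCP-style segments, the `seq` field layout and the `match_*` function names are constructed for the illustration; the per-packet matcher sees only raw segment bytes, while the connection-aware matcher reassembles the stream, parses the request line and percent-decodes the query before applying the same signature.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed request: the flagged value arrives percent-encoded in the query string.
REQUEST = (
    b"GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1\r\n"
    b"Host: shop.example.test\r\n\r\n"
)

# Signature a detector would look for in the application-layer value.
SIGNATURE = re.compile(rb"<script", re.IGNORECASE)


def split_into_segments(data: bytes, cut_points: tuple) -> list:
    """Cut a byte stream into segments carrying a TCP-style sequence offset."""
    bounds = [0, *cut_points, len(data)]
    return [
        {"seq": bounds[i], "payload": data[bounds[i]:bounds[i + 1]]}
        for i in range(len(bounds) - 1)
    ]


# Cut inside the encoded "<script" token, then deliver the segments out of order,
# as a real network may.
SEGMENTS = split_into_segments(REQUEST, (18, 40))
SEGMENTS_OUT_OF_ORDER = [SEGMENTS[1], SEGMENTS[0], SEGMENTS[2]]


def match_per_packet(segments: list) -> list:
    """Stateless, per-packet style check: raw bytes of each segment against the signature.
    Returns the sequence offsets of segments that matched."""
    return [s["seq"] for s in segments if SIGNATURE.search(s["payload"])]


def reassemble(segments: list) -> bytes:
    """Rebuild the connection's byte stream from segments in sequence order."""
    stream = b""
    for seg in sorted(segments, key=lambda s: s["seq"]):
        if seg["seq"] != len(stream):
            raise ValueError(f"gap or overlap at seq {seg['seq']}")
        stream += seg["payload"]
    return stream


def parse_request_line(stream: bytes) -> tuple:
    """Return (method, target, version) from the first line of an HTTP request."""
    line = stream.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
    method, target, version = line.split(" ", 2)
    return method, target, version


def match_in_context(segments: list) -> list:
    """Connection-aware, application-layer check: reassemble, parse the request,
    decode the query parameters, then apply the signature to each decoded value.
    Returns the names of the parameters that matched."""
    stream = reassemble(segments)
    _, target, _ = parse_request_line(stream)
    params = parse_qs(urlsplit(target).query)  # parse_qs percent-decodes the values
    return [
        name
        for name, values in params.items()
        if any(SIGNATURE.search(v.encode()) for v in values)
    ]


if __name__ == "__main__":
    print("per-packet hits:", match_per_packet(SEGMENTS_OUT_OF_ORDER))  # []
    print("in-context hits:", match_in_context(SEGMENTS_OUT_OF_ORDER))  # ['q']
```

The per-packet matcher misses for two independent reasons that the passage names: the token is split across a segment boundary (no connection context) and it is percent-encoded (no application layer decoding). The connection-aware matcher pays for its hit with per-connection state and a protocol parser, which is exactly the footprint an IPS is trying to avoid.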
A solution that takes advantage of all three of these devices and enables them to collaborate to overcome their respective challenges is impractical to build, especially because of the communication challenges, the speed requirements, and the different types of data that the three devices consume. An improved solution for eradicating web attacks is required to help organizations reduce or eliminate their exposure to web attack vulnerabilities.