Claims
- 1. An application layer security system, the system comprising:
  a) at least one application server system communication interface communicatively coupling the security system to one or more application server systems;
  b) a system data store capable of storing an electronic communication and accumulated data associated with received electronic communications; and
  c) a system processor in communication with the system data store and the at least one application server system communication interface, wherein the system processor comprises one or more processing elements and wherein the system processor:
    i) receives an electronic communication directed to or from a selected application server system;
    ii) applies one or more tests to the received electronic communication, wherein each of the one or more tests evaluates the received electronic communication for a particular security risk;
    iii) stores in the system data store a risk profile associated with the received electronic communication based upon the applied one or more tests;
    iv) determines whether an anomaly exists with respect to the received electronic communication based upon the stored risk profile and accumulated data associated with received electronic communications from the system data store; and
    v) outputs an anomaly indicator signal if an anomaly is determined to exist.
- 2. The system of claim 1, wherein the received electronic communication comprises an e-mail communication, an HTTP communication, an FTP communication, a WAIS communication, a telnet communication or a Gopher communication.
- 3. The system of claim 2, wherein the received electronic communication is an e-mail communication.
- 4. The system of claim 1, wherein each of the one or more tests applied by the system processor comprises intrusion detection, virus detection, spam detection or policy violation detection.
- 5. The system of claim 1, wherein the system processor applies a plurality of tests.
- 6. The system of claim 5, wherein the system processor applies each of the plurality of tests in a parallel fashion.
- 7. The system of claim 5, wherein the system processor applies each of the plurality of tests in a sequential fashion.
- 8. The system of claim 7, wherein the system data store comprises:
  i) a message data store capable of storing an electronic communication, and
  ii) a queue data store capable of storing a plurality of index queues;
  and wherein the system processor applies the plurality of tests in a sequential fashion by:
    1) storing the received electronic communication in the message data store;
    2) assigning a selected index to the stored electronic communication;
    3) executing a plurality of testing engines, wherein each of the testing engines has a test type and has an index queue in the queue data store associated with it, wherein at any given time at least two of the executing testing engines have differing test types, and wherein each of the testing engines:
      (a) monitors its associated index queue for a placed index;
      (b) retrieves the electronic communication associated with the placed index from the message data store; and
      (c) tests the retrieved electronic communication against a set of one or more criteria; and
    4) placing the selected index into the index queue associated with a first testing engine, wherein the first testing engine has a first test type; and
    5) placing the selected index into the index queue associated with a second testing engine, after the first testing engine performs its test upon the stored electronic communication associated with the selected index, wherein the second testing engine has a second test type that differs from the first test type.
- 9. The system of claim 8, wherein the test type of each executing test engine is intrusion detection, virus detection, spam detection or policy violation detection.
- 10. The system of claim 1, wherein the system processor applies each of the one or more tests based upon configuration information stored in the system data store.
- 11. The system of claim 1, wherein the system processor determines whether an anomaly exists further based upon configuration information stored in the system data store.
- 12. The system of claim 11, wherein the configuration information comprises anomaly types, anomaly threshold information, anomaly time period information or anomaly response information.
- 13. The system of claim 1, wherein the system processor further derives one or more anomaly thresholds from the accumulated data associated with received electronic communications in the system data store.
- 14. The system of claim 1, wherein the system processor determines whether an anomaly exists by:
  1) determining a set of anomaly types of interest;
  2) for each of the anomaly types of interest in the determined set,
    (a) acquiring one or more anomaly thresholds associated with the respective anomaly type based at least in part upon accumulated data associated with received electronic communications from the system data store;
    (b) comparing information in the stored risk profile against at least one of the acquired one or more anomaly thresholds; and
    (c) determining whether an anomaly of the respective anomaly type exists with respect to the received electronic communication based upon the comparison.
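The following Python program is an added illustration of claims 8 and 14 together and is not code from the patent or its assignee. It models the message data store, per-engine index queues, and sequential hand-off of an index from one testing engine to the next (claim 8), then compares the resulting risk profile against per-anomaly-type thresholds derived from accumulated risk profiles (claims 14 and 17), with configured thresholds taking precedence where supplied (claim 19). The scoring functions, the "mean plus two standard deviations" threshold rule, and all sample messages are assumptions constructed for the example; the claims specify none of them.

```python
"""Added example (not from the patent): sequential testing-engine pipeline and
threshold-based anomaly determination, modelled on claims 8 and 14."""
from collections import deque
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Message:
    """A received e-mail communication (constructed sample, not patent data)."""
    source: str
    subject: str
    body: str
    attachments: tuple = ()


class MessageStore:
    """Claim 8 'message data store': holds communications keyed by index."""
    def __init__(self):
        self._messages = {}
        self._next_index = 0

    def store(self, msg):
        idx = self._next_index          # claim 8 step 2: assign a selected index
        self._next_index += 1
        self._messages[idx] = msg
        return idx

    def retrieve(self, idx):
        return self._messages[idx]


class TestingEngine:
    """A testing engine with one test type and its own index queue (claim 8 step 3)."""
    def __init__(self, test_type, score):
        self.test_type = test_type
        self._score = score             # hypothetical callable: Message -> float in [0, 1]
        self.index_queue = deque()      # this engine's entry in the 'queue data store'

    def process(self, store, profiles):
        """(a) drain the index queue, (b) retrieve each message, (c) test it."""
        while self.index_queue:
            idx = self.index_queue.popleft()
            msg = store.retrieve(idx)
            profiles.setdefault(idx, {})[self.test_type] = self._score(msg)


# Hypothetical scoring functions standing in for real detection engines.
SPAM_WORDS = ("free", "winner", "click", "prize")


def spam_score(msg):
    words = (msg.subject + " " + msg.body).lower().split()
    return min(1.0, sum(w.strip("!.,") in SPAM_WORDS for w in words) / 4)


def virus_score(msg):
    return 1.0 if any(a.lower().endswith((".exe", ".scr")) for a in msg.attachments) else 0.0


def policy_score(msg):
    return 1.0 if "confidential" in msg.body.lower() else 0.0


ANOMALY_TYPES = ["spam", "virus", "policy"]


def interrogate(store, engines, msg, profiles):
    """Claim 8 steps 1-5: store, index, then hand the index to each engine in turn.
    The index reaches the next engine only after the previous one has tested the message."""
    idx = store.store(msg)
    for engine in engines:
        engine.index_queue.append(idx)
        engine.process(store, profiles)
    return idx


def derive_thresholds(accumulated, anomaly_types, k=2.0):
    """Claim 14(a)/claim 17: one threshold per anomaly type from accumulated profiles.
    Assumed rule: mean + k standard deviations of past scores; 0.5 with no history."""
    thresholds = {}
    for t in anomaly_types:
        history = [p[t] for p in accumulated if t in p]
        thresholds[t] = mean(history) + k * pstdev(history) if history else 0.5
    return thresholds


def detect_anomalies(profile, accumulated, anomaly_types, configured=None):
    """Claim 14(b)/(c): compare the profile with each threshold; return the anomaly types found.
    Configured thresholds (claim 19) override derived ones."""
    thresholds = derive_thresholds(accumulated, anomaly_types)
    thresholds.update(configured or {})
    return sorted(t for t in anomaly_types if profile.get(t, 0.0) > thresholds[t])


def run_demo():
    """Drive the pipeline over constructed messages; returns profiles, anomalies and history."""
    store = MessageStore()
    engines = [TestingEngine("spam", spam_score),
               TestingEngine("virus", virus_score),
               TestingEngine("policy", policy_score)]
    profiles, accumulated = {}, []      # 'accumulated data' of claim 1(b)
    baseline = [                        # constructed benign traffic
        Message("alice@example.com", "Lunch?", "Are you around at noon"),
        Message("bob@example.com", "Report", "Draft attached, feel free to comment"),
        Message("carol@example.com", "Meeting", "Moved to 3pm"),
        Message("dave@example.com", "Hi", "Thanks for the update"),
        Message("erin@example.com", "Tickets", "Did you click the link I sent"),
    ]
    for msg in baseline:
        idx = interrogate(store, engines, msg, profiles)
        accumulated.append(profiles[idx])   # claim 27: aggregate each risk profile
    results = {"accumulated": accumulated}
    for label, msg in (
        ("suspicious", Message("promo@example.net", "FREE prize!", "Click now winner",
                               attachments=("invoice.exe",))),
        ("benign", Message("frank@example.com", "Agenda", "Agenda for Tuesday")),
    ):
        idx = interrogate(store, engines, msg, profiles)
        results[label] = (profiles[idx], detect_anomalies(profiles[idx], accumulated, ANOMALY_TYPES))
    return results


if __name__ == "__main__":
    for label, value in run_demo().items():
        print(label, value)
```

Because the virus and policy histories in the constructed baseline are all zero, their derived thresholds collapse to zero and any positive score is flagged; in practice a deployment would seed those thresholds from configuration (claim 19) or a longer observation window (claim 18) rather than from a handful of benign messages.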
- 15. The system of claim 14, wherein the system processor determines the set of anomaly types of interest by reading configuration information from the system data store.
- 16. The system of claim 14, wherein the system processor determines the set of anomaly types of interest based upon the received electronic communication.
- 17. The system of claim 14, wherein the system processor acquires the one or more anomaly thresholds by deriving at least one anomaly threshold from the accumulated data associated with received electronic communications.
- 18. The system of claim 17, wherein the derivation of the at least one anomaly threshold is further based upon a predetermined time period.
- 19. The system of claim 14, wherein the system processor acquires at least one anomaly threshold of the one or more anomaly thresholds by reading configuration information from the system data store.
- 20. The system of claim 1, wherein the anomaly indicator signal comprises a notification conveyed to an administrator.
- 21. The system of claim 20, wherein the notification comprises an e-mail message, a page, a facsimile, a telephone call, an SMS message, a WAP alert or an SNMP alert.
- 22. The system of claim 20, wherein the anomaly indicator signal further comprises an anomaly type and wherein the notification conveyed to the administrator comprises the anomaly type.
- 23. The system of claim 1, wherein the anomaly indicator signal comprises an anomaly type.
- 24. The system of claim 1, wherein the system is disposed between a firewall system and one or more application server systems.
- 25. The system of claim 24, further comprising a firewall communication interface communicatively coupling the system to the firewall system, wherein the system processor receives the electronic communication directed to the selected application server system via the firewall communication interface.
- 26. The system of claim 1, wherein the system processor further forwards the received electronic communication to a destination indicated by the received electronic communication.
- 27. The system of claim 1, wherein the system processor further aggregates the stored risk profile with the accumulated data associated with received electronic communications and stores aggregated accumulated data in the system data store.
- 28. The system of claim 1, wherein the system processor further stores the received electronic communication in the system data store.
- 29. The system of claim 1, wherein the system processor further determines tests to apply to the received communication.
- 30. The system of claim 29, wherein the system processor determines tests to be applied based upon configuration information stored in the system data store.
- 31. The system of claim 29, wherein the system processor determines tests to be applied based upon characteristics of the received electronic communication.
- 32. The system of claim 1, wherein the system processor further provides an interface via which an administrator enters configuration information, receives the configuration information from the interface and stores the received configuration information in the system data store.
- 33. The system of claim 32, wherein the system processor applies the one or more tests based upon the stored configuration information.
- 34. The system of claim 32, wherein the system processor determines whether an anomaly exists based upon the stored configuration information.
- 35. The system of claim 34, wherein the stored configuration information comprises anomaly types, anomaly threshold information, anomaly time period information or anomaly response information.
- 36. The system of claim 32, wherein the system processor provides the interface to the administrator via a Web server, an e-mail server, an automated voice recognition system or an SMS message server.
- 37. The system of claim 32, wherein the system processor further populates the interface with default values prior to providing it to the administrator.
- 38. The system of claim 1, wherein the system processor further takes a corrective measure responsive to the anomaly indicator signal.
- 39. The system of claim 38, wherein the corrective measure comprises conveying a notification to an administrator, refusing acceptance of further communications from the source of the received communication, quarantine of the received communication, stripping the received communication of identified content, or throttling excessive numbers of incoming connections per second to levels manageable by internal application servers.
- 40. The system of claim 39, wherein the notification comprises an e-mail message, a page, a facsimile, a telephone call, an SMS message, a WAP alert or an SNMP alert.
- 41. The system of claim 1, wherein the one or more application server systems comprise e-mail server systems, Web server systems, FTP server systems, telnet server systems, GOPHER server systems or WAIS server systems.
- 42. The system of claim 41, wherein the one or more application server systems are e-mail server systems.
- 43. A method for enhancing application layer communication security, the method comprising the steps of:
  a) receiving an electronic communication directed to or from a selected application server system, wherein the received electronic communication is an application layer communication;
  b) applying one or more tests to the received electronic communication, wherein each of the one or more tests evaluates the received electronic communication for a particular security risk;
  c) determining whether an anomaly exists with respect to the received electronic communication based upon the applied one or more tests; and
  d) outputting an anomaly indicator signal if an anomaly is determined to exist.
- 44. The method of claim 43, wherein the received electronic communication comprises an e-mail communication, an HTTP communication, an FTP communication, a WAIS communication, a telnet communication or a Gopher communication.
- 45. The method of claim 44, wherein the received electronic communication is an e-mail communication.
- 46. The method of claim 43, wherein the step of applying one or more tests comprises applying one or more of an intrusion detection test, a virus detection test, a spam detection test or a policy violation test.
- 47. The method of claim 43, wherein the step of applying one or more tests comprises sequentially applying a plurality of tests.
- 48. The method of claim 47, wherein the step of applying one or more tests comprises, for each of the plurality of tests, performing the steps of:
  i) selecting a test to perform,
  ii) performing the selected test on the received electronic communication, and
  iii) outputting a risk profile based upon the performed test.
- 49. The method of claim 48, and further comprising the step of receiving configuration information and wherein the step of selecting a test comprises selecting a test based upon the received configuration information.
- 50. The method of claim 48, wherein the step of selecting a test comprises selecting a test based upon a type associated with the received electronic communication.
- 51. The method of claim 43, and further comprising the step of receiving configuration information and wherein the step of determining whether an anomaly exists is further based upon the received configuration information.
- 52. The method of claim 51, wherein the received configuration information comprises anomaly types or anomaly response information.
- 53. The method of claim 52, and further comprising the step of receiving accumulated data associated with received communications and wherein the step of determining whether an anomaly exists comprises deriving anomaly threshold information from the received accumulated data.
- 54. The method of claim 52, wherein the received configuration information further comprises anomaly threshold information or anomaly time period information.
- 55. The method of claim 43, and further comprising the step of receiving accumulated data associated with received communications and wherein the step of determining whether an anomaly exists is further based upon the received accumulated data associated with received communications.
- 56. The method of claim 43, and further comprising the step of taking a corrective measure responsive to the anomaly indicator signal.
- 57. Computer readable storage media storing instructions that upon execution by a system processor cause the system processor to provide application layer security, the media having stored instructions that cause the system processor to perform steps comprising:
  a) receiving an electronic communication directed to or from a selected application server system, wherein the received electronic communication is an application layer communication;
  b) applying one or more tests to the received electronic communication, wherein each of the one or more tests evaluates the received electronic communication for a particular security risk, thereby generating at least one risk profile associated with the electronic communication;
  c) determining whether an anomaly exists with respect to the received electronic communication based upon the at least one risk profile; and
  d) outputting an anomaly indicator signal if an anomaly is determined to exist.
- 58. The media of claim 57, wherein the instructions causing the system processor to receive the electronic communication comprise instructions causing the system processor to receive an e-mail communication, an HTTP communication, an FTP communication, a WAIS communication, a telnet communication or a Gopher communication.
- 59. The media of claim 57, wherein the instructions causing the system processor to receive the electronic communication comprise instructions causing the system processor to receive an e-mail communication.
- 60. The media of claim 57, wherein the instructions causing the system processor to apply one or more tests comprise instructions causing the system processor to apply one or more of an intrusion detection test, a virus detection test, a spam detection test or a policy violation test.
- 61. The media of claim 57, wherein the instructions causing the system processor to apply one or more tests comprise instructions causing the system processor to apply a plurality of tests.
- 62. The media of claim 61, wherein the instructions causing the system processor to apply a plurality of tests comprise instructions causing the system processor to:
  i) select a test to perform;
  ii) perform the selected test on the received electronic communication; and
  iii) output a risk profile based upon the performed test.
- 63. The media of claim 57, wherein the instructions causing the system processor to determine whether an anomaly exists comprise instructions causing the system processor to:
  i) determine a set of anomaly types of interest;
  ii) for each of the anomaly types of interest in the determined set,
    1) acquire one or more anomaly thresholds associated with the respective anomaly type;
    2) compare information in the at least one risk profile against at least one of the acquired one or more anomaly thresholds; and
    3) determine whether an anomaly of the respective anomaly type exists with respect to the received electronic communication based upon the comparison.
- 64. The media of claim 57, wherein the instructions causing the system processor to output the anomaly indicator signal comprise instructions causing the system to convey a notification to an administrator, wherein the notification comprises an e-mail message, a page, a facsimile, a telephone call, an SMS message, a WAP alert or an SNMP alert.
- 65. An application layer security system, the system comprising:
  a) receiving means for receiving an application layer electronic communication;
  b) storing means for storing an electronic communication and accumulated data associated with received electronic communications;
  c) assessment means for applying one or more tests to the received electronic communication, wherein each of the one or more tests evaluates the received electronic communication for a particular security risk, and for storing a risk profile in the storing means, wherein the risk profile was generated from applying the one or more tests to the received electronic communication;
  d) anomaly determining means for determining whether an anomaly exists with respect to the received communication based upon the risk profile and accumulated data associated with the received electronic communications in the storing means; and
  e) output means for outputting an anomaly indicator signal if an anomaly was determined to exist by the anomaly determining means.
CROSS-REFERENCE TO RELATED PATENT APPLICATIONS
[0001] This application is related to commonly assigned U.S. patent applications entitled “Systems and Methods for Adaptive Message Interrogation through Multiple Queues” and “Systems and Methods for Anomaly Detection in Patterns of Monitored Communications”, respectively Attorney Docket Nos. 03248.0002U1 and 03248.0003U1, filed on or about the same day as the present application and incorporated herein by reference.