Application and network abuse detection with adaptive mitigation utilizing multi-modal intelligence data

Abstract

In an embodiment, a computer-implemented method detects a network or application abuse to a service provider environment. In the method, data is collected describing incoming requests from plurality of different external source addresses to the service provider environment. The collected data is used to compare the incoming requests against a heuristic. When the incoming requests are determined to match the heuristic, the requests, having the plurality of different external source addresses, are from a common abuse entity. Finally, the collected data is evaluated to determine that the common abuse entity is a potential network abuser of the service provider environment.

Description

BACKGROUND[0001]1. Field[0002]This field is generally related to network security.[0003]2. Related Art[0004]A communication network may, for example, allow data to be transferred between two geographically remote locations. Networks are used, for example, to provide applications, such as web and other Internet-based applications, to users. Typically, these applications operate by receiving a request, such as an Hypertext Transfer Protocol (HTTP) request, and, based on the request, supplying a response. The request and response may be formatted in accordance with a known application program interface (application). The requests are generally transmitted via a public or private network, such as the Internet or an internal network, to the service provider. The service provider has its own environment that services the request. The environment may include a plurality of different devices that coordinate with each other to provide the service. The devices may coordinate over a private ne...

AI Technical Summary

Problems solved by technology

Not all application and network requests are legitimate.

Often times, these requests are meant to abuse the network or the application.

For example, some abuse mechanisms try to overwhelm a service so that it cannot service legitimate requests.

An example of this is an a malicious entity fraudulently creating accounts on a service provider platform and then transport unwanted requests across the service provider environment.

A SYN flood abuse works by not responding to the server with the expected ACK code, failing to finish the transaction.

Enough of these unfinished transactions can overwhelm a server, rendering it unable to respond to additional requests.

Other abuses may not be trying to bring down a service, but may instead be making requests for other improper purposes.

In these abuses, an automated system may be making application requests that, for example, set up fake user accounts and try to entice a user to devolve confidential information, such as her password, credit card information, or Social Security number, or run other scams.

While these appliances have advantages, they suffer at least three primary drawbacks.

First, they may be impossible to deploy in particular architectures, such as some cloud applications hosted by third parties.

Second, they tend to operate in their own silos, often consisting only of their customer network and application transaction data to update threat databases.

Operating in their own silos, these appliances may not effectively adapt and react to new threats.

Third, they tend to be purpose-built for only a narrow class of abuse.

Limited in these respects, some malicious entities can spread their requests out from a variety of different source addresses and circumvent these security measures.

Images