JP4862079B2 - System and method for determining character set encoding for request submission decoding at gateway - Google Patents

Description

  The present invention generally relates to determining character encoding for an application request. More specifically, the present invention relates to a system and method for determining character encoding for decoding application requests submitted via a gateway.

  A commonly known method of obtaining information from a user on a global computer network known as the Internet is a page that provides one or more fields for the user of the browser that populates the data. form) ”. However, there are many different encodings for characters that can be submitted via the form, and there may be no way to indicate which character set should be used in the request in the request. The use of a character encoding set (“character set”) to decode a form submission, which is different from that used to create it, results in a form rejection or misunderstanding by the server. obtain. This problem is exacerbated for intermediate network devices such as application firewalls deployed between servers and clients because the network devices do not have access to the application logic responsible for form generation and processing.

  One technique that has been attempted to solve this character set problem relies on network devices that re-encode the character set used to generate the form and send it to the client. However, this technique does not work if the form is fully generated on the client, for example using Java® script. The network device may also attempt to solve this problem by assuming that all form requests use an encoding known as “utf-8”. However, this approach has obvious drawbacks.

  The system and method of the present invention may comprise content encoded in a different manner or content that is encoded with an unidentified character set without requiring the server application or client browser to be re-encoded. Provide a solution to handle, decrypt and analyze requests from applications effectively and reliably. The described techniques may also be extended to allow policies to be applied to requests to use different character sets for different situations. As a result, form submissions and other requests between the server and client are inspected to ensure that malicious requests (such as SQL deployment requests) are not allowed to reach the server application with a minimum number of false positives. It may be.

  In one aspect, the invention relates to a method for determining a character encoding used to decode a request. The method includes receiving a request and determining an application program of a plurality of application programs to which the request corresponds. The method identifies the character encoding associated with the determined application program and uses the identified character encoding to examine the request.

  In one embodiment, the method determines from the request attributes which one of the plurality of application programs corresponds to the request. In some embodiments, the request attributes are: 1) source identifier, 2) destination identifier, 3) port identifier, 4) protocol identifier, 5) header information, or 6) uniform resource locator (URL). Contains an address. In another embodiment, the method uses a cookie included in the received request to determine which one of the plurality of application programs corresponds to the request.

  In other embodiments, the method identifies a character encoding associated with the determined application program using a file containing the association between the character encoding and the application. In some embodiments, the method identifies a character encoding associated with the determined application program using a database containing associations between the character encoding and the application.

  In one embodiment, a method receives a second request, determines a second one of a plurality of application programs to which the second request corresponds, and a determined second Identifying a second character encoding associated with the application program. In another embodiment, the method includes receiving a request generated by the client. The method may use a client attribute to determine which one of the plurality of application programs corresponds to the request. In yet another embodiment, the method includes receiving a request based on a cached form page.

  In another aspect, the invention relates to a gateway capable of determining the character encoding used to decode a request. The system includes a receiver that is in communication with a client over a network and receives requests from the client. The system also includes a character set engine in communication with the receiver. The character set engine identifies the character encoding associated with the received request in response to the application to which the request is directed and uses the identified character set to inspect the request.

  In one embodiment, the gateway communicates with multiple clients. In some embodiments, the gateway contains 1) the source identifier, 2) the destination identifier, 3) the port identifier, 4) the protocol identifier, 5) contained in the request to determine the application program to which the request is directed. Use one of the header information or 6) uniform resource locator address. In another embodiment, the character set engine includes a database that associates character encodings and applications. In other embodiments, the character set engine includes a file that associates character encodings and applications.

  In yet another aspect, the invention relates to a method for inspecting a client request having an encoded portion by a gateway. The method includes receiving a request from an application program on a client by a gateway. The method also includes determining, by the gateway, which one of the plurality of application programs corresponds to the request and identifying a character encoding associated with the determined application program. The method further includes decoding the portion of the request using the identified character encoding by the gateway and examining or analyzing the decoded portion of the request.

  In one embodiment of the method, the gateway uses the request attributes to determine which one of the plurality of application programs corresponds to the request. In another embodiment, the gateway uses the client attributes to determine which one of the plurality of application programs corresponds to the request. In yet another embodiment, the gateway applies a policy to the request based on inspection of the decrypted portion of the request.

  In some embodiments, the method includes receiving, by the gateway, a second request from a second application program at one of the client or the second client. The gateway determines which one of the plurality of application programs corresponds to the second request and identifies a second character encoding associated with the determined application program. The gateway uses the identified second character encoding to decode a portion of the second request. In some embodiments, the gateway examines or analyzes the decoded portion of the second request. In another embodiment, the method includes applying a policy to the second request by the gateway based on inspection of the decoded portion of the second request.

  The details of various embodiments of the invention are set forth in the accompanying drawings and the description below. The foregoing and other objects, aspects, features, and advantages of the present invention will become more apparent and better understood by reference to the following detailed description, taken in conjunction with the accompanying drawings, in which: be able to.

FIG. 1A is a block diagram of an example network environment for deploying a gateway having a system for determining character set encoding for an application. FIG. 1B is a block diagram of another network environment that deploys a system for determining character set encoding for an application on a client and / or server. 1C and 1D are block diagrams of an embodiment of a computing device for practicing an exemplary embodiment of the system of the present invention. 1C and 1D are block diagrams of an embodiment of a computing device for practicing an exemplary embodiment of the system of the present invention. FIG. 2 is a block diagram of a system for determining character set encoding for an application used to decode and analyze requests from clients. FIG. 3 is a flow diagram of the steps performed in practicing an embodiment of a technique for determining character set encoding for an application used to decode and analyze client requests.

  The features and advantages of the present invention will become more apparent from the best mode for carrying out the invention described below, when taken in conjunction with the drawings in which like reference characters identify corresponding elements throughout. In the drawings, like reference numbers generally indicate identical, functionally similar, and / or structurally similar elements.

  Certain exemplary embodiments of the invention are described below. However, the invention is not limited to these embodiments, but rather the intent is that additions and modifications to those explicitly described herein are also included within the scope of the invention. Described. Further, the features of the various embodiments described herein are not mutually exclusive and may exist in various combinations and substitutions, even if such combinations or substitutions are not explicitly made in this application. It will be understood that it does not depart from the spirit and scope of the invention.

  FIG. 1A shows a block diagram of a network environment having a gateway deploying an application character set encoding and checking system 120. As shown in FIG. 1A, an example network environment includes a plurality of clients 101a-101n, a plurality of servers 106a-106n, and a gateway 105, which may be referred to as an appliance, gateway appliance, gateway server, or gateway device. Servers 106a-106n manage applications, databases, and other information systems that provide requested content to clients 101a-101n. Each of clients 101a-101n and servers 106a-106n may be any type and form of computing device, such as computing device 100 described in more detail below in conjunction with FIGS. 1C and 1D. For example, any of the clients 101a to 101n is a mobile computing device such as a laptop or notebook computer in addition to a communication device, for example, a mobile phone or a personal digital assistant, or any type of desktop computer. There may be.

  Each of clients 101a-101n is communicatively coupled to gateway 105 via network 104, while gateway 105 is communicatively coupled to servers 106a-106n via network 104 '. In one embodiment, the network 104 comprises the Internet and the network 104 'comprises a private data communication network such as a corporate or corporate network. The networks 104, 104 'can be any type and type of network, public, private, or otherwise, and in some cases may be the same network.

  Although FIG. 1 shows the network 104 and the network 104 'between the clients 101a-101n and the servers 106a-106n, the clients 101a-101n and the servers 106a-106n may be on the same network 104 or 104'. Networks 104 and 104 'can be the same type of network or different types of networks. The networks 104, 104 'can be a local area network (LAN) such as a corporate intranet, a metropolitan area network (MAN), or a wide area network (WAN) such as the World Wide Web. The network 104, 104 ′ may be any type and / or type of network, point-to-point network, broadcast network, wide area network, local area network, telecommunication network, data communication network, computer network, ATM ( Any of an Asynchronous Transfer Mode (SONET) network, a SONET (Synchronous Optical Network) network, an SDH (Synchronous Digital Hierarchy) network, a wireless network, and a wired network may be included. The topology of the networks 104, 104 'may be a bus, star, or ring network topology. The network 104, 104 'and the network topology may be any network or network topology as known to those skilled in the art that can support the operations described herein.

  As shown in FIG. 1A, the gateway 105 is deployed between a first network 104, such as a public data communication network, and a second network 104 ', such as a private data communication network. In other embodiments, the gateway 105 may be located on the first network 104 or on the second network 104 '. In other embodiments, the gateway 105 can be an integral part of any individual client 101a-101n or any individual server 106a-106n on the same or different network 104 as the clients 102a-102n. As such, gateway 105 may be located at any point in the network or network communication path between clients 101a-101n and servers 106a-106n.

  Each of clients 101a-101n may execute, operate, or provide applications 110a-110n, generally referred to herein as applications or applications 110. Application 110 may be any type and / or type of web browser, web-based client, client / server application, thin client computing client, ActiveX control, or Java applet, etc. It can be any form of software, program, or executable instruction, or any type and / or form of executable instruction that can be executed on the clients 101a-101n. In some embodiments, applications 110a-110n may be server-based or remote-based applications that run on behalf of clients 101a-101n on servers 106a-106n. In one embodiment, the servers 106a-106n are registered with Citrix Systems, Inc. of Lauderdale, Florida. Display output to clients 101a-101n using any thin client or remote display protocol such as the manufactured Independent Computing Architecture (ICA) protocol or the Remote Desktop protocol (RDP) manufactured by Microsoft Corporation of Redmond, Washington May be.

In some embodiments, the servers 106a-106n or server farm may be running one or more applications 110, such as an application that provides thin client computing or a remote display presentation application. In one embodiment, the servers 106a-101n or server farm may be configured as an application 110, such as a Citrix Systems, Inc., such as MetaFrame or Citrix Presentation Server ^™ . Run any part of Citrix Access Suite ^™ by Microsoft and / or Microsoft® Windows®® Terminal Services manufactured by Microsoft Corporation. In one embodiment, application 110 is a Citrix Systems, Inc., Fort Lauderdale, Florida. Development ICA client. In other embodiments, the application 110 includes a Remote Desktop (RDP) client developed by Microsoft Corporation of Redmond, Washington. In other embodiments, servers 106a-106n may stream application 110 to clients 101a-101n. Servers 106a-106n may also run application 230, which may be an application server that provides email services, such as Microsoft Exchange manufactured by Microsoft Corporation of Redmond, Washington, a web or Internet server, or desktop sharing. It may be a server or a joint server. In some embodiments, any of the applications 110 is a Citrix Online Division, Inc. of Santa Barbara, California. Provided by GoToMeeting ^™ , WebEx, Inc. of Santa Clara, California. Any type of hosted service or product may be provided, such as WebEx ^™ provided, or Microsoft Office Live Meeting provided by Microsoft Corporation of Redmond, Washington.

  In accordance with one embodiment, the gateway 105 includes an application character set encoding and checking system 120. As described in more detail below, the system 120 receives requests from clients 101a-101n that comprise encoded content. For example, client 101 may submit an HTTP form or request with encoded content, such as a url encoded portion. In some cases, the type of encoding scheme may not be known from the request. The system 120 determines the application that generates or is associated with the request. For example, the system 120 may identify an internet protocol address and / or port associated with the application from the request. Based on the determined application, the system 120 identifies a character encoding scheme associated with or used for the application. For example, the system 120 may retrieve an encoding scheme from a database, configuration information, or policy engine. The system 120 then uses the identified character encoding scheme to decode a portion of the request and apply any rules or policies to the request. In some embodiments, system 120 operates as an application firewall or security control system that applies policies to encoded application network traffic that it can decode according to the encoding scheme associated with each application.

  Although generally described as gateway 105, a gateway may be any type and form of computing device 100 as described below, such as an appliance, network device, or server. In some embodiments, the gateway 105 establishes or provides a virtual private network connection between the first network 104 and the second network 104 '. In one embodiment, the gateway 105 establishes a Secure Socket Layer (SSL) VPN connection between the networks 104, 104 '. In another embodiment, the gateway 105 establishes a first transport layer connection, such as a TCP connection between the clients 101a-101n and the gateway 105, and a second between the gateway 105 and the servers 106a-106n. Establish a transport layer connection. In another embodiment, the gateway 105 also establishes or provides an encrypted session between the clients 101a-101n and the servers 106a-106n. In one embodiment, the gateway 105 also uses any pooling and / or multiplexed connection techniques at the transport or application layer to accelerate the delivery of applications to the clients 101a-101n over the transport layer connection. May be. In yet another embodiment, gateway 105 compresses one or more network communications, or portions thereof, between clients 101a-101n and servers 106a-106n. In other embodiments, the gateway 105 may also include a cache for storing any one or more network communications between the clients 101a-101n and the servers 106a-106n, or a portion thereof in the cache.

  Although the application character set encoding / checking system 120 is generally shown deployed at the gateway 105 as in FIG. 1A, the system 120 may also be deployed at any computing device 100. Referring now to FIG. 1B for example, the application character set encoding / inspection system 120 may be deployed in any one or more of clients 101a-101n, such as client 101a. In one embodiment, in response to a client 101 request to access the network 104 via the gateway 105, the gateway may provide the system 120 and install on the client 101. In some embodiments, the system 120 is automatically installed by the client 101 upon receipt from the gateway 105. In another embodiment, application character set encoding / checking system 120 may be deployed on any server 106a-106n, such as server 106b. In yet another embodiment, the system 120 may have any one or more portions that are distributed and execute on the client 101, the gateway 105, and / or the server 106. In one embodiment, multiple instances of system 120 may run on any combination of client 101, gateway 105, and / or server 106.

  1C and 1D show block diagrams of computing device 100, and in some embodiments, network devices useful for practicing embodiments of application character set encoding / checking system 120 described herein. Also called a network appliance or appliance 100. As shown in FIGS. 1C and 1D, each computing device 100 includes a central processing unit (CPU) 102 and a main memory unit 122. As shown in FIG. 1C, the exemplary computing device 100 includes a visual display device 124, a keyboard 126, and / or a pointing device 127 such as a mouse. Each computing device 100 also includes additional optical elements, such as one or more input / output devices 130a-130b (generally referred to using reference numeral 130), and a cache memory 140 in communication with the central processing unit 102. May be included.

  The central processing unit 102 is an arbitrary logic circuit that processes in response to an instruction fetched from the main memory unit 122. In many embodiments, the central processing unit is manufactured by Intel Corporation, Mountain View, California, manufactured by Motorola Corporation, Schaumburg, Illinois, manufactured by Transmeta Corporation, Santa Clara, California, White, New York. Provided by a microprocessor unit, such as that manufactured by Plains' International Business Machines, or manufactured by Advanced Micro Devices, Sunnyvale, California. The computing device 100 may be based on any of these processors, or any other processor capable of operating as described herein.

  The main memory unit 122 includes a static random access memory (SRAM), a burst SRAM or a synchronous burst SRAM (BSRAM), a dynamic random access memory (DRAM), a fast page mode DRAM (FPM DRAM), an end DRAM. (EDO RAM), Extended Data Output DRAM (EDO DRAM), Burst Extended Data Output DRAM (BEDO DRAM), Enhanced DRAM (EDRAM), Synchronous DRAM (SDRAM), JEDEC SRAM, PC1 Storing data such as 00 SDRAM, Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), SyncLink DRAM (SLDRAM), Direct Rambus DRAM (DRDRAM), or Ferroelectric RAM (FRAM) There may be one or more memory chips that can be directly accessed by the microprocessor 102. Main memory 122 may be based on any of the memory chips described above, or any other available memory chip capable of operating as described herein. In the embodiment shown in FIG. 1C, processor 102 communicates with main memory 122 via system bus 150 (described in more detail below). FIG. 1C shows an embodiment of the computing device 100 in which the processor communicates directly with the main memory 122 via the memory port 103. For example, in FIG. 1D, the main memory 122 may be a DRDRAM.

  FIG. 1D shows an embodiment in which the main processor 102 communicates directly with the cache memory 140 via a secondary bus, sometimes referred to as a backside bus. In other embodiments, the main processor 102 communicates with the cache memory 140 using the system bus 150. Cache memory 140 typically has a faster response time than main memory 122 and is typically provided by SRAM, BSRAM, or EDRAM.

  In the embodiment shown in FIG. 1C, processor 102 communicates with various input / output devices 130 via local system bus 150. Various buses may be used to connect the central processing unit 102 to any of the input / output devices 130, such as a VESA VL bus, an ISA bus, an EISA bus, a MicroChannel Architecture (MCA) bus, a PCI bus, Includes PCI-X bus, PCI-Express bus, or NuBus. For embodiments in which the input / output device is a video display 124, the processor 102 may use an Advanced Graphics Port (AGP) to communicate with the display 124. FIG. 1D illustrates an embodiment of a computer 100 in which the main processor 102 communicates directly with the input / output device 130b via HyperTransport, Rapid I / O, or InfiniBand. FIG. 1D also illustrates a mixed local bus and direct communication embodiment, where the processor 102 communicates with the input / output device 130a using the local interconnect bus while communicating directly with the input / output device 130b.

  The computing device 100 includes a floppy (registered trademark) disk drive, a CD-ROM drive, and a CD-R / RW drive for receiving a floppy (registered trademark) disk such as a 3.5 inch, 5.25 inch, or ZIP disk. Suitable for installing software and programs such as, any DVD-ROM drive, various format tape drives, USB devices, hard drives, or any software 120 or part thereof for application character set encoding / inspection system 120 Any suitable attachment device 116 may be supported, such as any other device. The computing device 100 further includes one or more application software programs for storing an operating system (OS) and other related software, and for storing application software programs, such as any programs related to the application character set encoding / checking system 120. A storage device 128 such as a hard disk drive or an independent disk redundant array may be provided. Optionally, any of the attachment devices 116 can be used as the storage device 128.

  Further, the computing device 100 includes a network interface 118 and includes a local area network (LAN), a wide area network (WAN), or a standard telephone line, LAN or WAN link (eg, 802.11, T1, T3, 56 kb, X.25), broadband connection (eg, ISDN, Frame Relay, ATM), wireless connection, or Internet connection through various connections including, but not limited to, any combination of any or all of the above May be. The network interface 118 may be a built-in network adapter, network interface card, PCMCIA network card, card bus network adapter, wireless network adapter, USB network adapter, modem, or any capable of performing communications and operations described herein. Any other device suitable for interfacing the computing device 100 to a type of network may be provided.

  A wide variety of input / output devices 130 a to 130 n may exist in the computing device 100. Input devices include keyboards, mice, trackpads, trackballs, microphones, and drawing tablets. Output devices include video displays, speakers, inkjet printers, laser printers, and sublimation printers. The input / output device may be controlled by the input / output control device 123 as shown in FIG. 1C. The input / output control device may control one or more input / output devices such as a keyboard 126 and a pointing device 127, eg, a mouse or an optical pen. Further, the input / output device may also provide storage 128 and / or mounting media 116 for the computing device 100. In still other embodiments, the computing device 100 provides a USB connection and is provided by Twintech Industry, Inc., Alamitos, California. A handheld USB storage device, such as a manufactured USB Flash Drive device, may be received.

  In a further embodiment, the input / output device 130 includes a system bus 150, a USB bus, an Apple Desktop bus, an RS-232 serial connection, a SCSI bus, a FireWire bus, a FireWire 800 bus, an Ethernet (registered trademark) bus, an AppleTalk bus, a Gigabit. Between Ethernet (registered trademark) bus, Asynchronous Transfer mode bus, HIPPI bus, Super HIPPI bus, Serial Plus bus, SCI / LAMP bus, Fiber Channel bus, or Serial Attached small computer in-bridge communication system It may be.

  A computing device 100 of the type shown in FIGS. 1C and 1D typically operates under the control of an operating system that controls the scheduling of access to tasks and system resources. The computing device 100 may be one of the versions of the Microsoft® Windows® operating system, a different release of the Unix® and Linux operating systems, any version of MacOS® for Macintosh computers, On any embedded operating system, any network operating system, any real-time operating system, any open source operating system, any dedicated operating system, any operating system for mobile computing or network devices, or computing devices Any other operating system that is capable of performing and performing the operations described herein , It is possible to execute any operating system. 2. Typical operating systems are WINDOWS®, all manufactured by Microsoft Corporation, Redmond, Washington, among others. x, WINDOWS (registered trademark) 95, WINDOWS (registered trademark) 98, WINDOWS (registered trademark) 2000, WINDOWS (registered trademark) NT 3.51, WINDOWS (registered trademark) NT 4.0, WINDOWS (registered trademark) CE, And WINDOWS XP, MacOS manufactured by Apple Computer, Cupertino, California, OS / 2 manufactured by International Business Machines, Armonk, New York, and Caldera Corp., Salt Lake City, Utah. It includes the freely available operating system Linux distributed, or any type and / or form of the Unix operating system.

  In other embodiments, computing device 100 may have different processors, operating systems, and input devices that are consistent with the device. The computing device 100 can be any workstation, desktop computer, laptop or notebook computer, server, handheld computer, mobile phone or other portable telecommunications device, media playback device, combination device, special, special, custom, Or a dedicated device or any other type and / or form of computing or telecommunications device capable of communicating and having sufficient processor power and memory capacity to perform the operations of the invention described herein. obtain.

  Referring now to FIG. 2, an embodiment of application character set encoding / checking system 120 is shown. The system 120 can reside and / or operate on any type and type of computing device 100, such as a network device, appliance, gateway, client, or server device. In overview, the system 120 includes a receiver 215, a transmitter 220, a character set engine 225, and a rule or policy engine 250. Receiver 215 and transmitter 220 may be used to send and receive communications over network 104 or between networks 104 and 104 '. Character set engine 225 is used to process network communications, such as requests, and determine the type and / or format of encoding used for applications associated with network communications. The rules / policy engine 250 applies one or more rules or policies to network communications processed by the system 120. For example, based on the type of encoding determined by the character set engine 225 to be associated with the application, the policy engine 250 may control, limit, or block network communications being transmitted from the transmitter 220. In one embodiment, policy engine 250 enables system 120 to operate or function as a firewall or security controller. In addition, the policy engine 250 may provide policies to determine and control the encoding used and the actions taken on the decoded content.

  Receiver 215 may comprise software, hardware, or any combination of software and hardware and receive signals via the medium of connection of device 100 to network 104. Similarly, transmitter 220 may comprise software, hardware, or any combination of software and hardware, and transmit signals via the medium of connection of device 100 to network 104. The network 104 and the network connection include any type of transmission medium such as electrical wiring or cable, optical fiber, electromagnetic radiation, etc. between any of the computing devices 100a-100n, or perform the operations described herein. Any other form of transmission medium that can be supported may be included. In one embodiment, the receiver 215 receives one or more signals via a first type of medium. In some embodiments, the transmitter 220 transmits one or more signals via a second type of medium. In other embodiments, receiver 215 and transmitter 220 receive and transmit signals on the same type of media. In another embodiment, the transmitter includes a receiver 215 and a transmitter 220 to receive and transmit signals over the medium.

  The device 100 and / or system 120 includes a network stack 210. In some embodiments, receiver 215 and / or transmitter 220 may include a network stack 210. In other embodiments, receiver 215 and / or transmitter 220 may include multiple network stacks. In another embodiment, receiver 215 and / or transmitter 220 interface, integrate, or communicate with one or more network stacks 210. Network stack 210 may comprise any type and form of software, hardware, or any combination thereof to provide connectivity and communication with the network. In one embodiment, network stack 210 comprises software execution for network protocols. The network stack 210 may comprise one or more network layers, such as any network layer of the Open Systems Interconnection (OSI) communication model, as those skilled in the art will recognize and appreciate. As such, the network stack 210 includes 1) physical link layer, 2) data link layer, 3) network layer, 4) transport layer, 5) session layer, 6) presentation layer, and 7) application layer. Any type and form of protocol may be provided for any of the layers of the OSI model. In one embodiment, the network stack 210 may comprise a transport control protocol (TCP) over an Internet Protocol (IP) network layer protocol, generally referred to as TCP / IP. In some embodiments, the TCP / IP protocol may comprise any of a group of IEEE wide area network (WAN) or local network (LAN) protocols, such as the protocol covered by IEEE 802.3. , May be executed on the Ethernet® protocol. In some embodiments, the network stack 210 comprises any type and portable wireless protocol, such as IEEE 802.11 and / or mobile internet protocol.

  In view of embodiments of the TCP / IP-based network 104, in one embodiment, Messaging Application Programming Interface (MAPI) (email), File Transfer Protocol (FTP), HyperText Transfer Protocol (HTTPIn) (CIFS) protocol (file transfer), Independent Competing Architecture (ICA) protocol, Remote Desktop Protocol (RDP), Wireless Application Protocol (WAP), Mobile IP protocol, and Voice Ove Including IP (VoIP) protocol, may use any TCP / IP based protocol. In another embodiment, the network stack 210 may use any type and form of transport control protocol such as a modified transport control protocol, eg, Transaction TCP (T / TCP), TCP with selection confirmation (TCP-SACK), A congestion prediction protocol such as TCP (TCP-LW) with a large window and a TCP-Vegas protocol, and a TCP spoofing protocol are provided. In other embodiments, any type and form of User Datagram Protocol (UDP), such as UDP over IP, may be used by the network stack 210, such as for voice communication or real-time data communication.

  Further, the network stack 210 may include one or more network drivers that support one or more layers, such as TCP drivers or network layer drivers. The network driver may be included as part of the operating system of computing device 100, or as part of any network interface card or other network access component of computing device 100. In some embodiments, any of the network drivers in the network stack 210 may be customized, modified, or adapted to support any of the inventive techniques described herein to support a custom of the network stack 210. Or a correction part may be provided. In other embodiments, the system 120 is designed and configured to operate or function in conjunction with the network stack 210 installed or provided by the operating system of the device 100.

  Still referring to FIG. 2, the character set engine 225 is associated with an application with any kind and form of logic, functionality, and operation for determining character set encoding. Character set engine 225, and any portion thereof, may comprise software, hardware, or any combination of software and hardware. In summary, the character set engine 225 includes a parser 230, an application determination mechanism 235, and an analyzer 240. In some embodiments, the character set engine 225 receives or intercepts network communications to and from applications such as applications 110a-110b as illustrated in FIGS. 1A and 1B. For example, the application 110a in the client 100a may transmit the request to the server 110d via the network 104. In one embodiment, character set engine 225 is interfaced with or in communication with receiver 215, transmitter 220, and / or network stack 220.

  In some embodiments, the character set engine parser 230 comprises logic, functions, or operations that parse any network communications received or intercepted by the device 100. In one embodiment, parser 230 identifies, parses, extracts, and / or interprets any part of the network communication. In one embodiment, the parser 230 analyzes any application layer protocol communication such as HyperText Transfer Protocol (HTTP), Extensible Markup Language (XML) protocol, or Simple Mail Transfer protocol (SMTP). For example, parser 230 may identify and parse or extract one or more fields submitted via a form, such as an HTTP form submission, from client 100a to server 100d. In another example, parser 230 may identify and parse or extract any part of a request, such as any attribute, cookie, name / value pair, URL, data string, object, or HTTP form submission. .

  In one embodiment, the parser 230 identifies data elements that identify attributes, headers, fields, or content types such as text, images, mixed data types in the request. For example, in an HTTP protocol embodiment, a content type header is used to identify the media type and subtype in the body of the message and to identify the natural representation of such data. In some embodiments, parser 230 identifies that a portion of the request is encoded. For example, in an HTTP protocol embodiment, the content type header may identify that a portion of the URL request is encoded. In another embodiment, the parser 230 identifies an attribute in the request that identifies a character set that is used to encode or decode a portion of the content of the request.

  In one embodiment, parser 230 parses any portion of a transport layer protocol packet, such as a TCP or UDP packet. In some embodiments, the parser 230 identifies 1) a source internet protocol address, 2) a destination internet protocol address, 3) a source port, 4) a destination port, 5) a protocol from a transport layer protocol packet such as a packet. Identify and analyze any of the header and / or payload data of the packet to be performed, 6) any field of the packet header. In another embodiment, the parser 230 creates or provides an object model display, or object-based application programming interface, for any of the analyzed network communications or identified elements of the network communications.

  Application determination mechanism 235 comprises any logic, function, and / or operation that determines an application associated with a network communication, such as a message or request. In one embodiment, application determination mechanism 235 is in communication with or interfaced with parser 230 to obtain one or more parsed information from network communications. In some embodiments, the application determination mechanism 235 determines any information from the request or any information that represents the request, the type, name, or identification of the application associated with the request. In one embodiment, the application determination mechanism 235 identifies the type of encoding for the application and / or request. The encoded information may be used to decode, inspect, analyze, or process the request.

  In some embodiments, the application determination mechanism 235 may provide the application name, type, or identifier to one of the network communications, such as a source Internet protocol address and / or port, or a destination Internet protocol address, and / or a destination port. It is configured to be associated with the above data elements. For example, network communication from a particular client may be associated with an application. In another example, the system 120 may associate network communications to one or more servers within the Internet protocol range or using ports or port ranges. In other embodiments, the application determination mechanism 235 may provide the name, type, or identifier of the encoding scheme, character encoding set, or encoding mechanism, network communication such as any parsed field provided by the parser 230. Are configured to be associated with one or more data elements. In yet another embodiment, the application determination mechanism 235 determines the type, name, or identification of the application and / or encoding scheme via analysis of the network communication, such as by information carried by the payload of the network packet.

  In some embodiments, the application determination mechanism 235 may store a database, file, object, data structure, or other information store to store network communications to the application and / or encoding scheme or any portion thereof. Use media. For example, an application may be mapped to one or more internet protocol addresses and / or ports. In another example, the application determination mechanism 235 may search for applications that are associated with or based on one or more data elements identified in a network communication from any type and type of search table. In one embodiment, the application determination mechanism 235 can be configured by one or more users via any type and form of interface, such as a command line interface or a graphical user interface. In another embodiment, application determination mechanism 235 is configured via an application programming interface by another program, script, application, or system.

  Upon determining an application associated with the network communication, such as a request, the system 120 determines, identifies, or obtains the type of encoding used to decode any encoded portion of the network communication. In one embodiment, system 120 such as application determination mechanism 235 and / or analyzer 240 identifies the type of encoding from any part or data element of the network communication itself. For example, the system 120 may identify the type of encoding from any analyzed element of network communication, such as data in the payload of a network packet. In another embodiment, the system 120 may be from a query or search, such as via an application programming interface, to a table, database, file, object, data structure, or other storage medium or configuration mechanism having such information. Identify or obtain the type of encoding for the application.

  In yet another embodiment, the system 120 identifies or obtains an encoding scheme for the application from the rules / policy engine 250. For example, application determination mechanism 235 and / or analyzer 240 may query policy engine 250 to obtain an encoding scheme for a given application. In some embodiments, the application includes a plurality of encodings associated therewith based on temporal information, client information, user information, device information, network status, arbitrary system status, historical information, and statistical information. There may be a kind of. In one embodiment, the system 120 requests an encoding type for the application from the rules / policy engine 250 based on one or more of the above types of information. For example, the first application may or uses the first encoding type on the first day or time of the week and the second encoding type on the second day or time of the week. You may be allowed to. In one example, the system 120 may query the policy engine 250 with the identified application and temporal information to determine the type of encoding used to process the network communication of the application.

  Analyzer 240 comprises any logic, functionality, and / or operation that analyzes network communications or any portion thereof. In one embodiment, analyzer 240 decodes a portion of a network communication, such as a request, encoded in a character set. In some embodiments, analyzer 240 may obtain the encoding scheme used for the application from any other part of character set engine 225, such as parser 230 or application determination mechanism 235. In other embodiments, analyzer 240 obtains the encoding scheme for the application from rules / policy engine 250. In one embodiment, parser 230 or application determination mechanism 235 provides the network communication to analyzer 240 with an encoded portion of the network communication that is decoded using the type of encoding for the application.

  In one embodiment, analyzer 240 uses application identification and / or associated encoding types to inspect or analyze the content of network communications. In some embodiments, analyzer 240 performs one-way and two-way analysis on the network traffic flow received by system 120. For example, the analyzer 240 may perform a deep stream inspection on each of the network packets. In other embodiments, the analyzer 240 examines and analyzes HTTP and HTML headers and payloads. In one embodiment, the system 120 can perform full HTML parsing, such as through a parser 230, and the analyzer 240 can inspect and analyze any part of the HTML communication. In yet another embodiment, analyzer 240 identifies, maintains, and tracks sessions, and the state of sessions and network traffic received and processed by system 120.

  Still referring to FIG. 2, the system 120 may also include a rules / policy engine 250 for applying a set of one or more policies based on inspection, filtering, or analysis of network communications. In one embodiment, the policy engine 250 comprises a date, time, or schedule policy that allows an application to access the network 204. In another embodiment, the policy engine 250 comprises a date, time, or schedule policy that allows the identified computing device 100 or the identified user to use the application. In yet another embodiment, the policy engine 250 comprises a date, time, or schedule policy whereby an encoding scheme is used or can be used for an application. For example, the user configures the rules or policies of the system 120 so that the first application uses the first encoding scheme during the first day of the week or during the first specified time range, It may be possible to use the second encoding scheme during the second day of the second or during the second specified time range.

  In one embodiment, the system 120 includes an endpoint detection and scanning mechanism that identifies and determines one or more attributes or characteristics of the client. For example, the system 120 may be the client side of 1) operating system and / or operating system version, 2) operating system service pack, 3) running service, 4) running process, and 5) file. Identify and determine any one or more of the attributes. The system 120 also identifies and determines the presence or version of any one or more of 1) antivirus software, 2) personal firewall software, 3) anti-spam software, and 4) Internet security software at the client. May be. The policy engine 250 may have one or more policies based on any one or more of client attributes or characteristics or client-side attributes. In some embodiments, the policy engine 250 may identify the type of encoding scheme associated with the application, or the type of decoding used for the application, based on any client attribute. For example, the policy engine 250 may use an encoding scheme associated with a particular language to decode an encoding request from an application running on that client if the client is running a particular language version of the operating system. A policy may be provided that is used.

  In some embodiments, the rules / policy engine 240 is 1) buffer overflow, 2) CGI-BIN parameter operation, 3) form / hidden field operation, 4) forced browsing, 5) cookie or session positioning, 6) Corrupted access control list (ACL) or weak password, 7) Cross-site scripting (XSS), 8) Command introduction, 9) SQL introduction, 10) Error-induced confidential information leakage, 11) Insecure use of encryption, 12 Various categories and types, such as :) Server misconfiguration, 13) Backdoor and debugging options, 14) Website modifications, 15) Platform or operating system vulnerabilities, and 16) Zero-day vulnerabilities Against web or internet based vulnerabilities To provide protection, comprises one or more application firewall or security control policies. In one embodiment, the system 120 1) the required fields are returned, 2) the additional fields are invalid, 3) read-only and hidden field execution, 4) drop-down list and radio button field adaptation, and 5) form Provide HTML form field protection for one or more of the maximum field length executions in the form of examining or analyzing network communications. In some embodiments, the system 120 ensures that cookies are not modified. In other embodiments, the system 120 protects against forced browsing by executing a legitimate URL.

  In yet another embodiment, the system 120 protects any confidential information contained in network communications. System 120 may inspect or analyze any network communication in accordance with rules or policies of engine 250 and identify any confidential information in any field of the network packet. In some embodiments, the system 120 identifies one or more occurrences of a credit card number, password, social security number, name, patient code, contact information, and age in network communications. The encoded part of the network communication may comprise these occurrence or secret information. Based on these occurrences, in one embodiment, system 120 may take policy measures for network communications, such as preventing transmission of network communications. In another embodiment, system 120 may rewrite, remove, or hide such identified occurrence or confidential information.

  Because of the per-application coding identification and decoding functionality of the system 120, the analyzer 240 and policy engine 250 each use one or more different coding types simultaneously or later to provide multiple application firewall and security controls. The present invention may be applied to the encoded network communication of the application. As such, the rules and policies configured in the rules / policy engine 250 are the application type, name, or instance and encoding associated with the application as determined according to the operation of the system described herein. It is possible to apply in both schemes. In addition, the system 120 allows analysis of the encoded portion of network communications that could not be decoded, examined, and analyzed without knowing the encoding scheme. By doing so, the system 120 applies policies, such as application firewall and security policies, on a per application and / or per encoding scheme basis to the encoded portion of network communications such as requests with url encoded content. Is possible.

  The parser 230, application determination mechanism 235, and analyzer 240 are illustrated in FIG. 2 as being included in the character set engine 225, but any of the parser 230, application determination mechanism 235, and analyzer 240, or any of them May reside, operate, or execute on any part of device 100 or application character set encoding / decoding system 120. In addition, although shown as a single logical entity or component, the application character set encoding / verification system 120 is also a first part executing on a first device 100a, such as a client, and a server or gateway, etc. The second part executed in the second device 100b may operate in a distributed manner. In yet another embodiment, multiple application character set encoding / decoding systems, e.g., 120, 120 ', etc., operate together or in conjunction with each other for one or more applications, gateways, clients, or servers. May provide the functionality and techniques described in.

  The operation of the application character set encoding / checking system 120 may support any type and form of encoding scheme or character encoding set (character set). In some embodiments, the application character set encoding / checking system 120 may include, by way of example, UTF-7, UTF-8, CESU-8, UTF-16 / UCS-2, UTF-32 / UCS-4, UTF -Works with any kind and form of Unicode schemes, including EBCDIC, SCSU, Punicode, GB 18030. Unicode is Western European, Eastern European, Cyrillic, Greek, Arabic, Hebrew, Chinese, Japanese, Korean, Thai, Urdu, Hindi, and whether or not it exists. Rather, it is a character or set that allows characters from all other major world languages to be encoded into a single character set. In one embodiment, the character set is 16 bits. In other embodiments of the encoding scheme, the character set may be 6, 7, 8, 10, 12, 20, 24, 32, or 64 bits, or any other number of bits. The Unicode standard also includes compression standard schemes and extensive photosetting information required for global field support. In one embodiment, the application character set encoding / inspection system 120 operates using the ISO 10646 standards that define several character encoding forms for the universal character set. In some embodiments, the application character set encoding / checking system 120 uses an ASCII encoding scheme. In other embodiments, the application character set encoding / checking system 120 operates on non-ASCII encoding requests, or portions thereof. In another embodiment, the application character set encoding / checking system 120 uses the ANSI or WGL4 character set to perform that operation in the request.

  In some embodiments, the application character set encoding / inspection system 120 may include any type and form of language, such as a Japanese, Korean, Russian, or Chinese language, including dialects and differences therein, and Operates on any encoding scheme, character encoding set, or character set used to support or represent any one or more encoding schemes used against. By way of example and without any intention to be limiting or exclusive, for Russian, the system 120 is 1) Cyrillic (CP1251), 2) KOI8r, KOI-8 Alternative, KOI-8 Unified, Or K0I-8RU, 3) Unicode or UTF-8, 4) DosCyllicRussian (CP866), 5) ISO-8859-5, or 6) ECMA-Cyrilic (ISO-IR-111). It may operate as a set.

  As an example, and without any intention to be limited or exclusive, for Japanese, the system 120 is: 1) utf-8, 2) JIS (Japan Industry Standard), 3) shift_jis (SJIS, X -Also known as SJIS, or MS Kanji), 4) EUC / EUC-JP (Extended Unix® code), 5) EBDIC, 6) ISO2022 / ISO2022-JP, 7) ANSI Z39.64, 8) CCCII, 9) DEC Kanji, 10) GTcode, 11) IBM DBCS, 12) JEF (Japan Extended Features), 13) CCCII, 14) ISO-8850, 15) JIS X 0201 (JISROMAN), 16) JIS X 0208 (JIS C 6226), 17) JIS X 0212, JIS X 0213 or JIS X 0221,, and 18) Mojikyo, such coding schemes, may operate in a character coding set or character set. As an example, and without any intention to be limiting or exclusive, for Korean, the system 120 is 1) utf-8, 2) EUC or EUC-KR, 3) KEIS, 4) ANSI Z39. .64, 5) ISO-2022 or ISO-2022-KR, 6) CCCII, 7) Unified Hangul Code (CP949), 8) GB 12052, 7) IBM DBCS, 8) JOHAB, 9) KS C 5601, 10) It may operate with any of the encoding schemes or character sets such as KS C 5636 (KS ROMAN), 11) KS C 5657, 12) KS C 5700, and 13) Mojikyo.

  By way of example and without any intention to be limiting or exclusive, for Chinese, the system 120 is 1) utf-8, 2) ANSI Z39.64, 3) Big5, Big5 +, Big5ETen, or Big5-HKSCS, 4) CCCII, 5) CNS 11643, 6) GBK (CP936), 7) CP90, 8) EUC / EUC-CN / EUC-TW, 9) GB 12050/12052, 10) GB13000-1, 11 ) GB 13134, 12) GB 16959, 13) GB 18030, 14) GB 1988, 15) GB 2312, 16) GB 7589, 17) GB 7590, 18) GB 8045, 19) GB / T 12345, GB / T 13131, or GBT / 13132, 20) HZ, 21) ISO2022 / 2002-CN / CN-EXT, and 22) may work with encoding schemes or character sets such as Mojikyo.

  System 120 may operate in multiple languages and multiple encoding schemes used at once, after each other, or simultaneously. In some embodiments, the system 120 uses the same encoding scheme for multiple languages, such as using the same encoding for Japanese, Korean, and Chinese, or Japanese May operate with different encoding schemes for each of multiple languages, such as different encoding schemes for Korean, and Chinese.

  Referring now to FIG. 3, an embodiment of a method for determining the type of encoding associated with an application or applying techniques of system 120 is shown. In overview of the method 300, at step 310, the application character set encoding / checking system 120 receives a request. In step 315, the system 120 determines which application of the plurality of applications corresponds to the request. In step 320, the system 120 identifies the encoding scheme associated with the determined application. In step 325, the system 120 uses the identified encoding scheme to decode, inspect, and / or analyze the request. Upon decoding and analyzing the request, at step 330, the system 120 may apply one or more policies to the request.

  More specifically, at step 310, system 120 may receive or intercept network communications, such as requests, using any means and / or mechanism. In one embodiment, the receiver 210 receives a request from the client 101. In another embodiment, the receiver 210 intercepts requests from the network stack 210 when communicated to or from the server 106. In some embodiments, the system 120, such as the receiver 210, comprises a network driver, filter, or hooking mechanism for intercepting requests in the network stack 210. In some embodiments, the gateway 105 deploying the system 120 receives or intercepts the request. In yet another embodiment, the client 101 is configured to send a request to the gateway 105 and acts as a proxy for the client 101. In other embodiments, the client 101 or server 106 deploying the system 120 receives or intercepts requests from the client 101. In some embodiments, the system 120 receives a cached form page. In yet another embodiment, the system 120 uses a cached form page that is stored in the cache of a device employing the system 120 or the system 120, such as the gateway 105.

  In some embodiments, the system 120 has no prior knowledge of the encoding scheme used by the request. In one embodiment, the request itself does not identify the encoding scheme used for the encoded portion of the request. For example, in one embodiment, the request includes the submission of a form, such as an HTML form, using a form-url-encoded content type. In another embodiment, the request does not provide a tag that identifies the character encoding. In yet other embodiments, the request includes an identification of the encoding system. In yet another embodiment, the system 120 understands the encoding scheme for the request by inferring the type of encoding using heuristic rules or logic. In some embodiments, the system 120 may determine an encoding scheme based on application or client behavior. In one embodiment, the system determines an encoding scheme based on the use of encoding schemes known between system 120, gateway 105, server 106, and / or client 101.

  In step 315, the system 120 determines one of a plurality of applications to which the request corresponds. In one embodiment, application determination mechanism 235 determines an application from one or more data elements identified and / or parsed from the request, such as by parser 230. In some embodiments, the application determination mechanism 235 maps the Internet protocol address and / or port to a corresponding application search from a database, table, file, object, data structure, or other storage medium, Generate the request or determine the application associated with it. In one embodiment, the application determination mechanism 235 determines an application from a data element in the payload of the request that identifies the application by name, type, or instance.

  In step 320, system 120, such as character set engine 225, identifies the encoding scheme or character set for the application determined in step 315. In one embodiment, the character set engine 225 may query one or more databases, files, tables, objects, data structures, or applications, such as via the application determination mechanism 235 or analyzer 240. Search the encoding scheme for the application from other storage media that maps to the scheme. In yet another embodiment, the character set engine 225 determines the encoding scheme for the application from any part of the request. In one embodiment, the character set engine 225 identifies an encoding scheme for one or more data elements that are identified or parsed by the parser 230. In some embodiments, the character set engine 225 identifies the encoding scheme for the application from a cache, memory or storage element that stores the encoding scheme associated with the application. For example, in one embodiment, the character set engine 225 keeps track of previously used encoding schemes for the application. In yet another embodiment, the character set engine 225 identifies the encoding scheme for the application from a network communication such as a response to a client request having information identifying the character set. For example, in one embodiment, the system 120 identifies and analyzes such information from the server's network communications.

  In some embodiments, the character set engine 225 obtains the encoding scheme used for the application from the rules / policy engine 250, such as via the application determination mechanism 235 or the analyzer 240. For example, the policy engine 250 may identify the encoding scheme to use for the application based on any temporal information about the request, such as date and time. In another example, policy engine 250 may identify the encoding scheme to use for the application based on any system information or attributes of the client that communicates the request. In one embodiment, the system 120 performs client endpoint detection and scanning to determine one or more attributes or characteristics of the client. Policy engine 250 may apply one or more policies to the request or to decode the encoded portion of the request based on any attributes of the client. For example, the policy engine 250 may specify to use the first type of encoding scheme for the application when the client is running a type of operating system.

  In step 325, the system 120 uses an identification encoding scheme to decode the encoded portion of the request. In one embodiment, the character set engine 225 applies the identified encoding scheme to the encoded portion of the request, such as via the parser 230, the application determination mechanism 235, and / or the analyzer 240. As such, the analyzer 240 decodes the encoded portion into data elements, text, or strings that can be examined or analyzed by the analyzer 240. For example, in one embodiment, the decrypted portion of the request may form an SQL or other type of command that is executed at the server 106. In some embodiments, the analyzer 240 examines or analyzes a request that includes decrypted content, and the request conforms to any of the rules and / or policies configured via the rules / policy engine 250 or Decide whether to violate. As described above in conjunction with FIG. 2, the analyzer 240 can provide interactive analysis, deep stream inspection, HTML inspection, session state management, HTML form field protection, cookie poison protection, forced browser protection, and web vulnerability protection, etc. Any logic, function, and operation may be performed.

  In step 330, the system 120 applies one or more rules or policies to the request based on the analysis of the decrypted request. In one embodiment, if the request does not meet the policy of engine 250 for transmission on network 104 (or further transmission on network 104), system 120, such as system 120 deployed at gateway 105, rejects the request. Or you may withdraw. In another embodiment, the system 120 may isolate the application or the user of the application if the request does not follow the policy. In yet another embodiment, the system 120 may demote or restrict an application's network access if the request does not follow the policy. In other embodiments, the system 120 may disconnect the client's connection to the network 104, such as disconnecting the client's SSL VPN connection. In some embodiments, the system 120 may disconnect or terminate the application session if the request does not follow the policy or does not meet the policy.

  Although the techniques of method 300 are generally described above in the context of requests from applications, the method 300 may be performed for multiple applications after and / or simultaneously with each other. System 120 may receive or intercept multiple requests at step 310 from different applications, each with an encoding portion that uses the same or different encoding scheme as another application. For example, the system 120 may be deployed on a gateway 105 that provides information to multiple clients and applications. For each request of the plurality of requests, the system 120 determines the application associated with the request at step 315, the character set encoding used for the application at step 320, and at step 325 the encoded portion of the request. And the decrypted request is analyzed, and in step 330 any relevant policies are applied to the request. As such, in some embodiments, the system 120 performs the technique 300 method for each application and applies the associated encoding scheme for each request. In one embodiment, the system 120 may use a first encoding scheme for the application in response to the first request, and a second different code for the same application in response to the second and subsequent requests. A chemical scheme may be used.

  Application encoding / checking system 120 may be deployed in a gateway or network appliance for enterprise network 104 having multiple applications that use different character sets or encoding schemes. For example, the gateway 105 may be deployed as an application firewall and security control device for a company network having Japanese users. The first application 110a in the first client 101a may use a first character set called UTF-8. The second application 110b in the first client 101a or the second client 101b may use a second character set called JIS. The third application 110c in either the first client 101a or the second client 101b and / or the third client 101c may use a third character set called MS Kanji.

  Each of the first application 110a, the second application 110b, and the third application 110c submits one or more requests to one or more servers 106a-106n via the gateway 105. Applications 110a-110c may comprise a web browser that submits HTTP, HTML, and / or XML requests to web servers 106a-106n. Any one or more of these requests may comprise a form url encoding submission, where the character set identification is not part of the submitted data. Part of the request is generated completely or otherwise from Java script or other script on the browser. Also, one or more of the requests are generated using AJAX, or Asynchronous Java® Script and XML-based technology. As such, for any one or more of these requests, the gateway 105 may not have prior knowledge of the character set used to encode a portion of the request.

  Given the structure, functionality, and operation of the system 120 described above, the gateway 105 can apply application firewall and security control policies to the encoded portion of the request. For a received request, the gateway 105 determines the application associated with the request and the encoding scheme associated with the application. In this example, the gateway 105 determines that the first request is received from the first application 110a and identifies the UTF-8 encoding scheme as associated with the first application 110a. The gateway 105 decodes the first request with the UTF-8 encoding scheme, analyzes the decoded request, and applies an arbitrary policy to the request. The gateway 105 determines that the second request is received from the second application 110b and identifies the JIS encoding scheme as associated with the second application 110b. The gateway 105 decodes the first request with the identified encoding scheme of JIS, analyzes the decoded request, and applies an arbitrary policy to the request. Similarly, the gateway 105 determines that a third request is received from the third application 110c and identifies the MS Kanji encoding scheme as associated with the third application 110c. The gateway 105 decodes the first request with the identified encoding scheme of MS Kanji, analyzes the decoded request, and applies any policy to the request.

  In some cases, application 110a may switch to or use a different encoding scheme, such as when starting another instance, during another period or another day. For example, the first application 110a may use a JIS character set instead of UTF-8 during this second instance. In such a case, the gateway 105 determines that a later request has been received from the first application 110a and identifies a UTF-8 encoding scheme as associated with the first application 110a. For example, the policy engine 250 may identify that a UTF-8 encoding scheme should be used for the first application 110a during a specified period. The gateway 105 then decodes the subsequent request according to the identified encoding scheme of UTF-8, analyzes the decoded request, and applies any policy to the request.

  The gateway 105 described herein allows the gateway to use different encoding schemes to decode, analyze, and apply policies from multiple applications. The gateway 105 may provide a decryption mechanism for each application and for each request, and may be in a network environment deployed for users of Japanese, Korean, Russian, or Chinese applications, etc. It provides great flexibility in applying the policy to an environment that deploys multiple different character set encoding applications. The gateway 105 can protect the network environment from vulnerabilities and security concerns that may be found in the encoded content to apply application firewalls and security controllers to network communications encoded in different ways To.

  Many changes and modifications may be made by those skilled in the art without departing from the spirit and scope of the invention. Accordingly, it should be expressly understood that the described embodiments are presented for purposes of example only and are not to be construed as limiting the invention as defined by the following claims. There must be. These claims should be read as they are literally described, and include equivalent elements that are slightly different, if not otherwise identical to those shown and described in the above description. It is what

Claims (22)

A method for determining the character encoding used for decoding a request, comprising:
(A) receiving a request to the server by a device between the plurality of clients and the server ;
(B) determining by the apparatus which one of the plurality of application programs corresponds to the request;
(C) identifying , by the device, a character encoding associated with the determined application program, the character encoding representing a language ;
By (d) said device, in order to inspect the request, and a step of decoding the request using the identified character encoding method. Step (b), from the attribute of the request includes determining what 1 Tsuni該request of the plurality of application programs corresponding method according to claim 1.   The method of claim 2, wherein the attribute comprises one of a source identifier, a destination identifier, a port identifier, a protocol identifier, header information, or a uniform resource locator address. Step (b) involves using a cookie contained in the received request to determine which 1 Tsuni該request of the plurality of application programs corresponding, according to claim 1 the method of. Step (c) uses a file containing associations between character encoding and application involves identifying the character encoding associated with the determined application program to claim 1 The method described. Step (c), using a database containing an association between character encoding and application involves identifying the character encoding associated with the determined application program to claim 1 The method described. (A) receiving , by the device, a second request to the server ;
By (b) the apparatus, comprising the steps of requesting the second corresponds, to determine a second application program of the plurality of application programs,
By (c) said apparatus further includes identifying a second character encoding associated with the second application program the determination method according to claim 1. Step (a) includes receiving a request generated by a client, the method according to claim 1. Step (b), using the attributes of the client, which one to the request of the plurality of application programs includes determining whether the corresponding method according to claim 8. Step (a) includes receiving a request based on a cached form page The method of claim 1. A gateway capable of determining the character encoding used to decode the request, the gateway comprising:
A receiver in communication with a client over a network and receiving a request from the client;
A character set engine in communication with the receiver, the character set engine identifies the character encoding associated with the received request in response to a luer application the request is directed, the character coding Is a character set engine that represents languages
With
The gateway inspects the request by decoding the request using the identified character encoding .   The gateway of claim 11, wherein the receiver communicates with a plurality of clients.   Using one of a source identifier, destination identifier, port identifier, protocol identifier, header information, or uniform resource locator address contained in the request to determine an application program to which the request is directed. Item 12. The gateway according to Item 11.   The gateway of claim 11, wherein the character set engine comprises a database associating character encodings with applications.   The gateway of claim 11, wherein the character set engine comprises a file associating character encoding with an application. A method for inspecting a request having an encoded part received from a client by a gateway comprising:
(A) receiving a request from an application program on a client by a gateway;
(B) determining by the gateway which one of a plurality of application programs corresponds to the request;
(C) identifying, by the gateway, a character encoding associated with the determined application program, the character encoding representing a language of the determined application program ;
(D) decoding a portion of the request using the identified character encoding by the gateway;
(E) examining the decoded portion of the request by the gateway. By the gateway, by using the attributes of the request, which 1 Tsuni該request of the plurality of application programs includes determining whether the corresponding method according to claim 16. By the gateway, by using the attribute of the client, which one to the request of the plurality of application programs includes determining whether the corresponding method according to claim 16. By the gateway, based on inspection of the decoded portion of the request, comprises applying to the request policy, the method according to claim 16. (F) by the gateway, receiving the client or a second request from a second application program in one of the second client,
By (g) said gateway, and determining which one to the second request of the plurality of application programs corresponding,
By (h) said gateway, and it identifies the second character encoding associated with the application program which is the determined,
By (i) the gateway uses the second character encoding is the identified, and a decoding a part of the second request, the method according to claim 16. By the gateway includes examining the decoded portion of the second request, the method according to claim 20. By the gateway, the second based on inspection of the decoded portion of the request, including applying to the second request policy, the method according to claim 21.

Images