APPLICATION SLICING FOR ACTIVE DEFENSE

    Publication (Announcement) No.: US20250071133A1

    Publication (Announcement) Date: 2025-02-27

    Application No.: US18237834

    Filing Date: 2023-08-24

    Applicant: SAP SE

    Abstract: Application slicing can be applied to a web application with web application endpoints so that only the endpoints accessible by a given role are present in a given slice. Thus, role-based application slicing can be implemented. Subsequently, when requests for access to endpoints are received, the requests can be directed to a slice associated with a role of the user identifier making the request. Vulnerability chaining can thus be avoided because functionality in the slice is limited to that appropriate for the role of the user. The technologies can also be leveraged by extracting removed endpoints that can be used to detect intrusion in an active defense scenario.

    APPLICATION SECURITY THROUGH DECEPTIVE AUTHENTICATION

    Publication (Announcement) No.: US20240275780A1

    Publication (Announcement) Date: 2024-08-15

    Application No.: US18637239

    Filing Date: 2024-04-16

    Applicant: SAP SE

    CPC classification number: H04L63/0853 H04L63/0281 H04L63/083 H04L63/1416

    Abstract: Systems, methods, and computer media for securing software applications are provided herein. Through an enhanced authentication token, an application session request can be deceptively authenticated. When a malicious session request is detected, an enhanced authentication token can be generated that appears to successfully authenticate the session but contains information indicating that the session is malicious. The attacker believes that the session has been authenticated, but the information in the token indicating that the session is malicious causes an application clone session to be established instead of an actual application session. The clone session appears to be an actual application session but protects the valid user's account by including fake data instead of the user's actual data.

    IDENTIFYING SECURITY EVENTS IN PROGRAMMING CODE FOR LOGGING

    Publication (Announcement) No.: US20240045955A1

    Publication (Announcement) Date: 2024-02-08

    Application No.: US17880385

    Filing Date: 2022-08-03

    Applicant: SAP SE

    CPC classification number: G06F21/563 G06F21/552 G06N20/00 G06F2221/033

    Abstract: A trained machine learning model can determine whether a portion of programming code contains a security event. The determination can be included in a security assessment. The category of security event can also be determined. During training, observed portions of programming code labeled according to whether they contain a security event and the category of security event can be tokenized. Vectors can be generated from the tokens. The machine learning model can generate a new vector for an incoming portion of programming code and compare against combined vectors for the observed portions of programming code. A security assessment can indicate whether the incoming portion of programming code contains a security event, the category of the event, or both. For training purposes, security logging statements can be removed from training code.

    APPLICATION SECURITY THROUGH MULTI-FACTOR FINGERPRINTING

    Publication (Announcement) No.: US20210160277A1

    Publication (Announcement) Date: 2021-05-27

    Application No.: US16696588

    Filing Date: 2019-11-26

    Applicant: SAP SE

    Abstract: Systems, methods, and computer media for securing software applications are provided herein. Multi-factor fingerprints allow attackers to be distinguished from authorized users and allow different types of attacks to be distinguished from one another. The multi-factor fingerprint can include, for example, a session identifier component, a software information component, and a hardware information component. The different components can be separately compared to the components of stored fingerprints to determine whether an application session request is malicious and, if so, what type of attack, such as session cookie theft or a spoofing attack, is occurring.

    NON-REGRESSIVE INJECTION OF DECEPTION DECOYS

    Publication (Announcement) No.: US20200183820A1

    Publication (Announcement) Date: 2020-06-11

    Application No.: US16211126

    Filing Date: 2018-12-05

    Applicant: SAP SE

    Abstract: Systems and methods, as well as a computing architecture for implementing the same, for decoy injection into an application. The systems and methods include splitting the standard test phase operation into two complementary phases and adding new unit tests to the process, dedicated to testing the proper coverage of the decoys and ensuring non-regression of the original code.

    ANONYMIZATION TECHNIQUES TO PROTECT DATA
    Invention application

    Publication (Announcement) No.: US20180004978A1

    Publication (Announcement) Date: 2018-01-04

    Application No.: US15633830

    Filing Date: 2017-06-27

    Applicant: SAP SE

    CPC classification number: G06F21/6254 G06F16/2457

    Abstract: A set of data is received for a data analysis. The set of data includes personally identifiable information. The set of data is anonymized to protect the private information. Risk rates and utility rates are determined for a number of combinations of anonymization techniques defined correspondingly for data fields from the set of data. A risk rate is related to a privacy protection failure when defining first anonymized data through applying a combination of anonymization techniques for the data fields. A utility rate is related to the accuracy of the data analysis when applied over the anonymized data. Based on evaluation of the risk rates and the utility rates, one or more anonymization techniques from the number of anonymization techniques are determined. The set of data is anonymized according to the determined anonymization technique(s) and/or a combination thereof.

    INJECTION ATTACK SENSOR WITH SYNTAX ATTACK DETECTION TEMPLATE

    Publication (Announcement) No.: US20240291858A1

    Publication (Announcement) Date: 2024-08-29

    Application No.: US18114895

    Filing Date: 2023-02-27

    Applicant: SAP SE

    CPC classification number: H04L63/1466 H04L63/1425

    Abstract: A tainting engine can work in conjunction with a syntax attack detection template to identify when a threat actor attempts a malicious attack in a cloud application scenario. Non-intrusive instrumentation can be used to provide detection of an attempted attack regardless of whether the cloud application is vulnerable to such attacks. Detection of attempted attacks can be an important part of maintaining network security, even in cases where an application itself is not vulnerable to such attacks. Further details about the attempted attack can be assembled, and a variety of actions can be taken in response to detection.

    DYNAMIC PROTECTION OF WEB FORMS
    Invention publication

    Publication (Announcement) No.: US20240048593A1

    Publication (Announcement) Date: 2024-02-08

    Application No.: US17882436

    Filing Date: 2022-08-05

    Applicant: SAP SE

    Abstract: The source code of an HTML form can be analyzed to derive parameter rules that are subsequently enforced when apparent content of the HTML form is received. Such parameter rules can be drawn from client-side restrictions that are extracted from the HTML source, which are then enforced to prevent content violating the rules from reaching the backend. A proxy can sit between the application and the apparent browser. Dynamically generated HTML can be supported via a headless browser that mirrors the HTML that would be present at a browser. This is useful for preventing HTML form-based attacks and for identifying clear cases of malicious HTML form requests.

    DATA SECURITY THROUGH QUERY REFINEMENT

    Publication (Announcement) No.: US20210109931A1

    Publication (Announcement) Date: 2021-04-15

    Application No.: US16598473

    Filing Date: 2019-10-10

    Applicant: SAP SE

    Abstract: Systems, methods, and computer media for securing data accessible through software applications are provided herein. By capturing path data such as returned results for a query and displayed results provided by an application (e.g., to or by a web browser) for an operation, it can be determined if the query returned more data than was needed for what was displayed. The query can be refined to limit the data returned and reduce the security risk of such over-provisioning of data.

    Automated security design for internet of things systems

    Publication (Announcement) No.: US10027718B2

    Publication (Announcement) Date: 2018-07-17

    Application No.: US15231488

    Filing Date: 2016-08-08

    Applicant: SAP SE

    Abstract: Embodiments are configured for automating security design in IoT systems. The achievable security level for any given IoT system may be assessed based on the capabilities of each of the entities involved in its data path to generate a set of security policies for the IoT system. The capabilities of each entity involved in the IoT data path can be evaluated together with the capabilities of the communication links between entities. Based on these capabilities and user security preferences, the security policies can be generated to achieve a target security level. Based on this approach, security designs for IoT architectures can be developed through automated information collection.
