Mitigation of injection security attacks against non-relational databases

US 10,657,280 B2
Filed: 01/29/2018
Issued: 05/19/2020
Est. Priority Date: 01/29/2018
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

integrating a database driver layer with a security layer;

setting a trigger associated with the security layer to implement a learning phase of the security layer;

in response to enabling the trigger, receiving a plurality of queries and query parameters associated with the respective queries;

for each query of at least a subset of the plurality of queries, identifying a previously-stored security pattern from a plurality of security patterns based on the query and the associated one or more query parameters;

resetting the trigger associated with the security layer to implement an execution of the security patterns;

in response to resetting the trigger, receiving an additional query and one or more additional query parameters associated with the additional query;

identifying a particular security pattern from the plurality of security patterns that is associated with the additional query and the additional one or more query parameters; and

determining that at least one of the additional query parameters does not match a corresponding query parameter of the particular security pattern.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

For mitigation of injection security attacks against non-relational databases, a database driver layer is integrated with a security layer. A trigger associated with the security layer is set to implement a learning phase of the security layer. In response to enabling the trigger, queries and query parameters associated with the respective queries are received. For the queries, a previously-stored security pattern is identified based on the query and the associated query parameters. The trigger associated with the security layer is reset to implement an execution of the security patterns. In response to resetting the trigger, an additional query and additional query parameters associated with the additional query is received. A particular security pattern is identified that is associated with the additional query and the additional query parameters. At least one of the additional query parameters is determined to not match a corresponding query parameter of the particular security pattern.

17 Citations

20 Claims

1. A computer-implemented method, comprising:
- integrating a database driver layer with a security layer;
  
  setting a trigger associated with the security layer to implement a learning phase of the security layer;
  
  in response to enabling the trigger, receiving a plurality of queries and query parameters associated with the respective queries;
  
  for each query of at least a subset of the plurality of queries, identifying a previously-stored security pattern from a plurality of security patterns based on the query and the associated one or more query parameters;
  
  resetting the trigger associated with the security layer to implement an execution of the security patterns;
  
  in response to resetting the trigger, receiving an additional query and one or more additional query parameters associated with the additional query;
  
  identifying a particular security pattern from the plurality of security patterns that is associated with the additional query and the additional one or more query parameters; and
  
  determining that at least one of the additional query parameters does not match a corresponding query parameter of the particular security pattern.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer-implemented method of claim 1, wherein integrating further includes integrating the database driver layer with the security layer for mitigation of injection security attacks of a non-relational database associated with the database driver layer.
  - 3. The computer-implemented method of claim 2, further comprising in response to determining that at least one of the additional query parameters does not match the corresponding query parameter of the particular security pattern, triggering a security error for the non-relational database.
  - 4. The computer-implemented method of claim 3, wherein the non-relational database is a NOSQL database.
  - 5. The computer-implemented method of claim 1, further comprising for each query of at least a subset of the plurality of queries, updating the identified security pattern based on the associated one or more query parameters.
  - 6. The computer-implemented method of claim 5, wherein the trigger associated with the security layer is reset after updating the identified security pattern.
  - 7. The computer-implemented method of claim 1, for each query of at least a different subset of the plurality of queries, determining that that a security pattern is not associated with the query and the associated one or more query patterns, and in response, generating a new security pattern based on the query and the associated one or more queries.
  - 8. The computer-implemented method of claim 1, further comprising:
    - in response to resetting the trigger, receiving a second additional query and one or more second additional query parameters associated with the second additional query;
      
      identifying a specific security pattern from the plurality of security patterns that is associated with the second additional query and the one or more second additional query parameters; and
      
      determining that each second additional query parameter matches a corresponding query parameter of the specific security pattern.
  - 9. The computer-implemented method of claim 8, further comprising in response to determining that each second additional query parameter matches the corresponding query parameter of the specific security pattern, providing the second additional query to the database driver layer.
  - 10. The computer-implemented method of claim 9, further comprising executing the second additional query against a non-relational database associated with the database driver layer.

11. A non-transitory, computer-readable medium storing one or more instructions executable by a computer system to perform operations comprising:
- integrating a database driver layer with a security layer;
  
  setting a trigger associated with the security layer to implement a learning phase of the security layer;
  
  in response to enabling the trigger, receiving a plurality of queries and query parameters associated with the respective queries;
  
  for each query of at least a subset of the plurality of queries, identifying a previously-stored security pattern from a plurality of security patterns based on the query and the associated one or more query parameters;
  
  resetting the trigger associated with the security layer to implement an execution of the security patterns;
  
  in response to resetting the trigger, receiving an additional query and one or more additional query parameters associated with the additional query;
  
  identifying a particular security pattern from the plurality of security patterns that is associated with the additional query and the additional one or more query parameters; and
  
  determining that at least one of the additional query parameters does not match a corresponding query parameter of the particular security pattern.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The computer-readable medium of claim 11, wherein integrating further includes integrating the database driver layer with the security layer for mitigation of injection security attacks of a non-relational database associated with the database driver layer.
  - 13. The computer-readable medium of claim 12, the operations further comprising in response to determining that at least one of the additional query parameters does not match the corresponding query parameter of the particular security pattern, triggering a security error for the non-relational database.
  - 14. The computer-readable medium of claim 11, the operations further comprising for each query of at least a subset of the plurality of queries, updating the identified security pattern based on the associated one or more query parameters.
  - 15. The computer-readable medium of claim 14, wherein the trigger associated with the security layer is reset after updating the identified security pattern.
  - 16. The computer-readable medium of claim 11, for each query of at least a different subset of the plurality of queries, determining that that a security pattern is not associated with the query and the associated one or more query patterns, and in response, generating a new security pattern based on the query and the associated one or more queries.
  - 17. The computer-readable medium of claim 11, the operations further comprising:
    - in response to resetting the trigger, receiving a second additional query and one or more second additional query parameters associated with the second additional query;
      
      identifying a specific security pattern from the plurality of security patterns that is associated with the second additional query and the one or more second additional query parameters; and
      
      determining that each second additional query parameter matches a corresponding query parameter of the specific security pattern.
  - 18. The computer-readable medium of claim 17, the operations further comprising in response to determining that each second additional query parameter matches the corresponding query parameter of the specific security pattern, providing the second additional query to the database driver layer.

19. A computer-implemented system, comprising:
- one or more computers; and
  
  one or more computer memory devices interoperably coupled with the one or more computers and having tangible, non-transitory, machine-readable media storing one or more instructions that, when executed by the one or more computers, perform one or more operations comprising;
  
  integrating a database driver layer with a security layer;
  
  setting a trigger associated with the security layer to implement a learning phase of the security layer;
  
  in response to enabling the trigger, receiving a plurality of queries and query parameters associated with the respective queries;
  
  for each query of at least a subset of the plurality of queries, identifying a previously-stored security pattern from a plurality of security patterns based on the query and the associated one or more query parameters;
  
  resetting the trigger associated with the security layer to implement an execution of the security patterns;
  
  in response to resetting the trigger, receiving an additional query and one or more additional query parameters associated with the additional query;
  
  identifying a particular security pattern from the plurality of security patterns that is associated with the additional query and the additional one or more query parameters; and
  
  determining that at least one of the additional query parameters does not match a corresponding query parameter of the particular security pattern.
- View Dependent Claims (20)
- - 20. The system of claim 19, wherein integrating further includes integrating the database driver layer with the security layer for mitigation of injection security attacks of a non-relational database associated with the database driver layer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP SE
Inventors
Spiegel, Patrick, Johns, Martin
Primary Examiner(s)
Lewis, Cheryl

Application Number

US15/882,043
Publication Number

US 20190236301A1
Time in Patent Office

841 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/2433   Query languages

G06F 16/245   Query processing

G06F 16/25   Integrating or interfacing ...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/6227   where protection concerns t...

Mitigation of injection security attacks against non-relational databases

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

17 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Mitigation of injection security attacks against non-relational databases

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links