System for protecting database applications from unauthorized activity
Abstract
A method for protecting database applications including analyzing the activity on the server, analyzing the response from the server, and blocking malicious or unauthorized activity. Commands are analyzed for suspicious or malicious SQL statements or access to unauthorized data. Server responses are monitored for suspicious results likely to have occurred from a successful attack or unauthorized access to data. When malicious or unauthorized activity occurs, activity by the source is blocked or an alert is issued.
157 Citations
88 Claims
1. A method for detecting attempted intrusions in a database application, the method comprising:
    monitoring for an SQL statement, said SQL statement executable in said database application and intended to exploit a vulnerability;
    actuating said SQL statement to discover an atomic SQL command;
    analyzing said atomic SQL command against a pre-defined set of detection rules.
Dependent claims: 2, 3, 4, 5, 6

7. A method for detecting an anomalous command in a database application, the method comprising:
    actuating said database application in order to discover a form of a set of authorized SQL statements and commands and to discover appropriate parameters for said statements and commands;
    generating a rule set of said discovered form of said authorized SQL statements;
    monitoring for SQL statements executable in said database application which do not match said generated rule set of forms of authorized SQL statements.
Dependent claims: 8, 9, 10, 11, 12, 13

14. A method for detecting attempts to access a database application from invalid sources, the method comprising:
    actuating said database application in order to discover a normal set of authorized SQL sources;
    generating a rule set of characteristics of connecting at least one of said normal set of SQL sources;
    monitoring for SQL statements executable in said database application which do not match said generated rule set of valid forms for authorized SQL statements.
Dependent claims: 15, 16, 17, 18, 19, 20, 21

22. A method for detecting unauthorized activity in a database application, the method comprising:
    monitoring for SQL statements executable in said database application and intended to perform activities not authorized by an SQL source;
    actuating each discrete database event;
    analyzing each event against a pre-defined set of detection rules.
Dependent claims: 23, 24, 25, 26, 27, 28, 29, 30

31. A method for detecting activity designed to breach security of a database application, the method comprising:
    monitoring for discrete events executable in said database application and intended to breach a security mechanism associated with said database application;
    actuating each discrete database event;
    analyzing said database events against a pre-defined set of detection rules.
Dependent claims: 32, 33, 34, 35

36. A method for detecting suspicious activity in a database application, the method comprising:
    monitoring for SQL statements executable in said database application which contain characteristics indicative of an attack;
    actuating each batch statement in order to discover atomic SQL commands;
    analyzing said atomic SQL commands against a pre-defined set of rules to identify said suspicious activity.
Dependent claims: 37, 38, 39

40. A method for detecting use of keywords to suppress auditing of attacks in a database application, the method comprising:
    monitoring for SQL statements that contain a keyword, where said keyword results in audit data being suppressed;
    detecting a suppressed SQL statement;
    detecting a conclusion of said suppressed SQL statement;
    determining that no execution of said keyword designed to suppress said SQL statement actually occurred.
Dependent claims: 41

42. A host-based intrusion prevention method for blocking attacks on database applications, the method comprising:
    detecting an attack occurring through a session with said database application;
    identifying a source of said attack;
    implementing a method of stopping said attack source;
    implementing a method of preventing further attacks from said attack source.
Dependent claims: 43, 44, 45, 46, 47, 48, 49

50. A method for detecting attempts to inject SQL into a database application, the method comprising:
    monitoring for SQL statements executable in said database application and intended to run queries not designed to be run by a middle-tier application;
    analyzing said SQL statement's identifying characteristics indicative of SQL injection;
    implementing an action upon detection of identifying characteristics indicative of SQL injection.
Dependent claims: 51, 52

53. A method for detecting attempts to inject SQL into a database application, the method comprising:
    listening to SQL queries executable on said database application for a determined period of time;
    tokenizing SQL statements into standard forms;
    recording a combination and an order of tokens expected;
    analyzing SQL statements received later to identify those that do not conform to said expected combination of tokens.

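Claims 7 and 53 both describe learning the form of authorized SQL during an observation period and flagging later statements whose token sequence was never seen. The following is an added illustration of that learning-then-detect loop, written for this page and not taken from the patent or any product; the tokenizer, the placeholder token names (STR, NUM) and the sample statements are all constructed assumptions.

```python
import re

# Token classes: string and numeric literals collapse to placeholders so that
# "WHERE id = 7" and "WHERE id = 9" share one standard form, while keywords
# and identifiers are kept (upper-cased) because they define the form.
_TOKEN_RE = re.compile(r"""
    (?P<STR>'(?:[^']|'')*')              # single-quoted literal, '' escapes a quote
  | (?P<NUM>\b\d+(?:\.\d+)?\b)           # numeric literal
  | (?P<WORD>[A-Za-z_][A-Za-z0-9_.]*)    # keyword or identifier
  | (?P<OP><=|>=|<>|!=|[=<>*,();])       # operators and punctuation
  | (?P<WS>\s+)                          # whitespace, dropped
  | (?P<OTHER>.)                         # anything else, kept verbatim
""", re.VERBOSE)


def tokenize(sql: str) -> tuple[str, ...]:
    """Reduce an SQL statement to its standard form: an ordered token tuple."""
    tokens = []
    for m in _TOKEN_RE.finditer(sql):
        kind = m.lastgroup
        if kind == "WS":
            continue
        if kind == "STR":
            tokens.append("STR")
        elif kind == "NUM":
            tokens.append("NUM")
        elif kind == "WORD":
            tokens.append(m.group().upper())
        else:
            tokens.append(m.group())
    return tuple(tokens)


class SqlFormLearner:
    """Records the token forms seen during a learning window (claim 53's
    'determined period of time'), then treats any unseen form as anomalous."""

    def __init__(self) -> None:
        self.known_forms: set[tuple[str, ...]] = set()
        self.learning = True

    def observe(self, sql: str) -> None:
        # Only statements seen while learning contribute to the rule set.
        if self.learning:
            self.known_forms.add(tokenize(sql))

    def finish_learning(self) -> None:
        self.learning = False

    def is_anomalous(self, sql: str) -> bool:
        return tokenize(sql) not in self.known_forms


if __name__ == "__main__":
    # Constructed traffic from a hypothetical middle-tier application.
    learner = SqlFormLearner()
    for stmt in ("SELECT name, email FROM users WHERE id = 7",
                 "SELECT name, email FROM users WHERE id = 42"):
        learner.observe(stmt)
    learner.finish_learning()
    for stmt in ("SELECT name, email FROM users WHERE id = 1234",
                 "SELECT name, email FROM users WHERE id = 12 OR 1 = 1"):
        print(learner.is_anomalous(stmt), stmt)
```

Because literals are replaced by placeholders, a parameter value that changes from request to request does not change the form, but an injected predicate that alters the statement structure does, which is what makes the learned token combination usable as the rule set the claim describes.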
54. A method for detecting malicious activity in a database application, the method comprising:
    listening to SQL queries executable on said database application;
    analyzing SQL statements by applying regular expressions to detect vulnerabilities;
    sending alerts when an SQL statement matching a regular expression is discovered.
Dependent claims: 55, 56, 57, 58, 59

60. A method for detecting activity which may result in cross-site scripting vulnerabilities, the method comprising:
    monitoring for SQL statements executable in said database application;
    actuating each batch statement in order to discover atomic SQL commands;
    examining an atomic SQL command for HTML tags.
Dependent claims: 61, 62, 63

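Claims 1, 36 and 60 share one mechanism: a batch statement is actuated to recover its atomic SQL commands, and each command is then checked against a rule set (claim 60's rule being the presence of HTML tags). The following added example, written for this page and not code from the patent or any product, shows a quote-aware batch splitter and a small rule table; the rule names, the regular expressions and the sample batches are constructed assumptions, not the patent's own rules.

```python
import re

# Constructed rule set: each entry is a rule name and a regular expression
# applied to a single atomic SQL command. These are illustrative, not the
# "pre-defined set of detection rules" of the patent.
DETECTION_RULES = {
    "html_tag_in_sql": re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>"),      # claim 60
    "comment_truncation": re.compile(r"(--|/\*)"),                   # trailing comment
    "always_true_predicate": re.compile(r"\bor\b\s+(\d+)\s*=\s*\1\b",
                                        re.IGNORECASE),              # OR n=n
}


def split_batch(batch: str) -> list[str]:
    """Split a batch into atomic SQL commands on semicolons that are not
    inside a quoted string literal. A doubled quote ('') inside a literal is
    handled naturally: the first quote closes the literal, the second reopens it,
    so the semicolon test is never applied inside the literal."""
    commands, current, in_quote = [], [], None
    for ch in batch:
        if in_quote:
            current.append(ch)
            if ch == in_quote:
                in_quote = None
        elif ch in ("'", '"'):
            in_quote = ch
            current.append(ch)
        elif ch == ";":
            stmt = "".join(current).strip()
            if stmt:
                commands.append(stmt)
            current = []
        else:
            current.append(ch)
    tail = "".join(current).strip()
    if tail:
        commands.append(tail)
    return commands


def analyze_batch(batch: str) -> list[tuple[int, str, str]]:
    """Return (command index, rule name, atomic command) for every rule hit."""
    findings = []
    for idx, cmd in enumerate(split_batch(batch)):
        for name, pattern in DETECTION_RULES.items():
            if pattern.search(cmd):
                findings.append((idx, name, cmd))
    return findings


if __name__ == "__main__":
    # Constructed sample: a benign command followed by a stored value carrying markup.
    for hit in analyze_batch("SELECT 1; UPDATE profiles SET bio = '<b>hi</b>' WHERE id = 3"):
        print(hit)
```

Splitting before matching matters: a rule applied to the whole batch cannot say which command triggered it, and a naive split on every semicolon would cut a literal such as 'a; b' in two and produce commands that never existed.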
64. A method for monitoring all activity for security auditing, the method comprising:
    monitoring for an event generated by a database application;
    actuating said event;
    recording said event.
Dependent claims: 65 through 85

86. A method for providing exceptions to security alerts, the method comprising:
    monitoring for events generated by a database application;
    filtering alerts raised that match a defined set of rules;
    passing alerts not matching a normal definition of said defined set of rules.
Dependent claims: 87, 88
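Claim 86 filters alerts that match a defined exception set and passes the rest, and claim 42 identifies the source of an attack and stops further attacks from it. The following added example, written for this page and not code from the patent or any product, chains the two: an exception rule suppresses an alert only when every field it specifies matches, and a source whose passed alerts reach a threshold is placed on a block list that a connection gate would consult. The Alert and ExceptionRule field names, the threshold and the sample alerts are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Alert:
    source: str      # connecting client: host, application account, etc.
    rule: str        # name of the detection rule that fired
    statement: str   # the SQL statement that triggered it


@dataclass
class ExceptionRule:
    """An alert is excepted (filtered) when every field the rule sets matches.
    A field left as None is a wildcard."""
    source: Optional[str] = None
    rule: Optional[str] = None
    statement_pattern: Optional[str] = None

    def matches(self, alert: Alert) -> bool:
        if self.source is not None and self.source != alert.source:
            return False
        if self.rule is not None and self.rule != alert.rule:
            return False
        if self.statement_pattern is not None and not re.search(
                self.statement_pattern, alert.statement, re.IGNORECASE):
            return False
        return True


class AlertPipeline:
    def __init__(self, exceptions, block_threshold: int = 3) -> None:
        self.exceptions = list(exceptions)
        self.block_threshold = block_threshold
        self.alert_counts: dict[str, int] = {}
        self.blocked: set[str] = set()
        self.passed: list[Alert] = []

    def submit(self, alert: Alert) -> bool:
        """Return True if the alert is passed on; False if an exception filtered it."""
        if any(rule.matches(alert) for rule in self.exceptions):
            return False
        self.passed.append(alert)
        # Claim 42: count passed alerts per source and block repeat offenders.
        n = self.alert_counts.get(alert.source, 0) + 1
        self.alert_counts[alert.source] = n
        if n >= self.block_threshold:
            self.blocked.add(alert.source)
        return True

    def is_blocked(self, source: str) -> bool:
        return source in self.blocked


if __name__ == "__main__":
    # Constructed exceptions: a known report job that legitimately uses comments,
    # and a health-check statement that is never worth an alert.
    pipeline = AlertPipeline(
        [ExceptionRule(source="nightly-report", rule="comment_truncation"),
         ExceptionRule(statement_pattern=r"^SELECT 1$")],
        block_threshold=2)
    print(pipeline.submit(Alert("nightly-report", "comment_truncation", "SELECT x -- legacy")))
    print(pipeline.submit(Alert("web-app", "always_true_predicate", "SELECT * FROM t WHERE 1=1 OR 1=1")))
```

Keeping the exception match conjunctive (all specified fields must match) is the safe default: an exception written for one source and one rule cannot silently cover a different rule firing from the same source.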