System for real-time intrusion detection of SQL injection web attacks

US 20090049547A1
Filed: 08/13/2007
Published: 02/19/2009
Est. Priority Date: 08/13/2007
Status: Abandoned Application

First Claim

Patent Images

1. A system comprising:

means for the learning normal Database and Web application standard query language (SQL) query data for a website;

means for capturing real-time Database and Web application SQL query data for the website; and

means for detecting an anomaly representative of an SQL injection attack based on the normal Database and Web application SQL query data and the real-time Database and Web application SQL query data.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A real-time anomaly SQL Injection detection system is provided to detect anomalies specific to the backend Database layer and the Web application layer of a Website. To reduce false alarms, the system correlates abnormal scores for the Database layer and Web application layer to detect and catch different forms of SQL injection attacks. The attacks are detected based on anomalies and not signatures or patterns.

Citations

43 Claims

1. A system comprising:
- means for the learning normal Database and Web application standard query language (SQL) query data for a website;
  
  means for capturing real-time Database and Web application SQL query data for the website; and
  
  means for detecting an anomaly representative of an SQL injection attack based on the normal Database and Web application SQL query data and the real-time Database and Web application SQL query data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 19, 20)
- - 2. The system of claim 1, wherein the learning means includes:
    - means for determining Database layer attributes; and
      
      means for determining Web application layer attributes.
  - 3. The system of claim 2, wherein the means for determining the Database layer attributes includes:
    - means for sniffering traffic between a web server and a database of the website.
  - 4. The system of claim 2, wherein the means for determining the Database layer attributes includes means for obtaining the Database layer attributes from a database auditing feature.
  - 5. The system of claim 2, wherein the means for determining the Database layer attributes includes means for collecting SQL action data needed by the website.
  - 6. The system of claim 2, wherein the Database layer attributes includes user data, action data, target object data and status code data.
  - 7. The system of claim 6, wherein the Web application layer attributes includes at least one of status code, InTraffic to the website, OutTraffic from the website, and value length.
  - 8. The system of claim 1, wherein the detecting means comprises:
    - means for generating a first anomaly score between the normal Web application SQL query data and the real-time Web application SQL query data; and
      
      means for generating a second anomaly score between the normal Database SQL query data and the real-time Database SQL query data;
      
      means for correlating the first anomaly score with the second anomaly score.
  - 9. The system of claim 8, wherein the correlating means includes means for determining a joint score (S) between the first anomaly score (S1) and the second anomaly score (S2) defined by
    S=S1×
    - S2/(S1+S2).
  - 10. The system of claim 1, wherein the detecting means is adapted to detect 0-day SQL injection attacks.
  - 11. The system of claim 1, where the system has no means of predicting as to what a signature/pattern attack resembles.
  - 19. The computer program product of claim 2, wherein the instructions to detect includes instructions causing the computer to:
    - generate a first anomaly score between the normal Web application SQL query data and the real-time Web application SQL query data;
      
      generate a second anomaly score between the normal Database SQL query data and the real-time Database SQL query data; and
      
      correlate the first anomaly score with the second anomaly score.
  - 20. The computer program product of claim 19, wherein the instructions to correlate includes instructions causing the computer to:
    - determine a joint score (S) between the first anomaly score (S1) and the second anomaly score (S2) defined by
      S=S1×
      
      S2/(S1+S2).

12. A computer program product including a computer readable medium having instructions causing a computer to:
- learn normal Database and Web application standard query language (SQL) query data for a website;
  
  capture real-time Database and Web application SQL query data for the website; and
  
  detect an anomaly representative of an SQL injection attack based on the normal Database and Web application SQL query data and the real-time Database and Web application SQL query data.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 21, 22)
- - 13. The computer program product of claim 12, wherein instructions to learn includes instructions causing the computer to:
    - determine Database layer attributes; and
      
      determine Web application layer attributes.
  - 14. The computer program product of claim 13, wherein the instructions to determine the Database layer attributes includes instructions causing the computer to:
    - sniffer traffic between a web server and a database of the website.
  - 15. The computer program product of claim 13, wherein the instructions to determine the Database layer attributes includes instructions causing the computer to:
    - obtain the Database layer attributes from a database auditing feature.
  - 16. The computer program product of claim 13, wherein the instructions to determine the Database layer attributes includes instructions causing the computer to:
    - collect SQL action data needed by the website.
  - 17. The computer program product of claim 13, wherein the Database layer attributes includes user data, action data, target object data and status code data.
  - 18. The computer program product of claim 17, wherein the Web application layer attributes includes at least one of status code, InTraffic to the website, OutTraffic from the website, and value length.
  - 21. The computer program product of claim 12, wherein the instructions to detect are adapted to detect 0-day SQL injection attacks.
  - 22. The computer program product of claim 12, where instructions have no means of predicting as to what a signature/pattern attack resembles.

23. A method comprising the steps of:
- learning normal Database and Web application standard query language (SQL) query data for a website;
  
  capturing real-time Database and Web application SQL query data for the website; and
  
  detecting an anomaly representative of an SQL injection attack based on the normal Database and Web application SQL query data and the real-time Database and Web application SQL query data.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 24. The method of claim 23, wherein the learning step includes the steps of:
    - determining Database layer attributes; and
      
      determining Web application layer attributes.
  - 25. The method of claim 24, wherein the determining the Database layer attributes step includes the step of:
    - sniffering traffic between a web server and a database of the website.
  - 26. The method of claim 24, wherein the determining the Database layer attributes step includes the step of:
    - obtaining the Database layer attributes from a database auditing feature.
  - 27. The method of claim 24, wherein the determining the Database layer attributes step includes the step of collecting SQL action data needed by the website.
  - 28. The method of claim 24, wherein the Database layer attributes includes user data, action data, target object data and status code data.
  - 29. The method of claim 28, wherein the Web application layer attributes includes at least one of status code, InTraffic to the website, OutTraffic from the website, and value length.
  - 30. The method of claim 23, wherein the detecting step comprises the steps of:
    - generating a first anomaly score between the normal Web application SQL query data and the real-time Web application SQL query data;
      
      generating a second anomaly score between the normal Database SQL query data and the real-time Database SQL query data; and
      
      correlating the first anomaly score with the second anomaly score.
  - 31. The method of claim 30, wherein the correlating step includes the step of determining a joint score (S) between the first anomaly score (S1) and the second anomaly score (S2) defined by
    S=S1×
    - S2/(S1+S2).
  - 32. The method of claim 23, wherein the detecting step includes detecting 0-day SQL injection attacks.

33. A system comprising:
- a processor operable to execute a sequence of instructions to learn normal Database and Web application standard query language (SQL) query data for a website in a learning mode, capture real-time Database and Web application SQL query data for the website in a detection mode, and detect an anomaly representative of an SQL injection attack based on the normal Database and Web application SQL query data and the real-time Database and Web application SQL query data in the detection mode; and
  
  memory coupled to the processor for storing the results from the learning mode and detection mode.
- View Dependent Claims (34, 35, 36, 37, 38, 39, 40, 41, 42, 43)
- - 34. The system of claim 33, wherein the processor when operable to learn or capture is operable to execute instructions to determine Database layer attributes and determine Web application layer attributes.
  - 35. The system of claim 34, wherein the processor when operable to determine the Database layer attributes is further operable to sniffer traffic between a web server and a database of the website.
  - 36. The system of claim 34, wherein the processor when operable to determine the Database layer attributes is further operable to obtain the Database layer attributes from a database auditing feature.
  - 37. The system of claim 34, wherein the processor when operable to determine the Database layer attributes is further operable to collect SQL action data needed by the website.
  - 38. The system of claim 34, wherein the Database layer attributes includes user data, action data, target object data and status code data.
  - 39. The system of claim 38, wherein the Web application layer attributes includes at least one of status code, InTraffic to the website, OutTraffic from the website, and value length.
  - 40. The system of claim 33, wherein the processor when operable to detect is further operable to:
    - generate a first anomaly score between the normal Web application SQL query data and the real-time Web application SQL query data;
      
      generate a second anomaly score between the normal Database SQL query data and the real-time Database SQL query data; and
      
      correlate the first anomaly score with the second anomaly score.
  - 41. The system of claim 40, wherein the processor when operable to correlate is further operable to:
    - determine a joint score (S) between the first anomaly score (S1) and the second anomaly score (S2) defined by
      S=S1×
      
      S2/(S1+S2).
  - 42. The system of claim 33, wherein the processor when operable to detect is adapted to detect 0-day SQL injection attacks.
  - 43. The system of claim 33, where instructions have no means of predicting as to what a signature/pattern attack resembles.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Yuan Fan
Original Assignee
Yuan Fan
Inventors
Fan, Yuan

Application Number

US11/891,612
Publication Number

US 20090049547A1
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

H04L 63/168 above the transport layer

System for real-time intrusion detection of SQL injection web attacks

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

43 Claims

Specification

Solutions

Use Cases

Quick Links

System for real-time intrusion detection of SQL injection web attacks

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

43 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links