Determining origins of queries for a database intrusion detection system
First Claim
1. A method of determining an origin of a database query, comprising:
- identifying query data in a network communication sent between a client and an application server;
- determining origin data describing an origin of the network communication sent between the client and the application server;
- storing the query data in correspondence with the origin data in a cache;
- identifying a portion of the database query derived from query data, the database query in a network communication between the application server and a database;
- searching the cache for a cache entry having query data matching the identified portion of the database query; and
- reporting the origin data corresponding to the matching query data.

Dependent claims: 2, 3, 4, 5.
Abstract
A database intrusion detection system (DIDS) monitors database queries to detect anomalous queries that might be symptomatic of a code injection attack on the database. A proxy server intercepts HTTP messages from clients that contain query data used to generate database queries. The proxy server extracts the query data from a message and determines origin data describing the origin of the message, such as the IP address of the client that sent the message. The proxy server stores the query data and origin data in a cache. Upon detecting an anomalous query, the DIDS extracts a portion of the query, such as the literals. The DIDS searches the cache to identify entries having query data that match the extracted portions of the query. The DIDS reports the origin data of the matching cache entries.
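The proxy-side cache and the DIDS lookup described in the abstract, as an added Python sketch that is not the patent's own code: the exact-literal lookup follows the abstract, while the containment fallback, its length floor and the bounded deque are our own assumptions, added because an injected parameter such as `bob' OR '1'='1` breaks the literal boundaries that an exact match relies on.

```python
import re
from collections import deque

# Constructed sample traffic (not from the patent): parameters the proxy saw in
# two HTTP requests, each with the client IP it recorded as origin data.
SAMPLE_REQUESTS = [
    {"client_ip": "203.0.113.7", "params": {"user": "alice", "page": "2"}},
    {"client_ip": "198.51.100.9", "params": {"user": "bob' OR '1'='1", "page": "3"}},
]

class OriginCache:
    """Proxy-side cache: every parameter value is stored with its request's origin."""
    def __init__(self, max_entries=10000):
        self._entries = deque(maxlen=max_entries)  # bounded; oldest entries evicted

    def record(self, request):
        for value in request["params"].values():
            self._entries.append((value, request["client_ip"]))

    def lookup_exact(self, literal):
        """Origins whose cached query data equals a literal taken from the query."""
        return {origin for value, origin in self._entries if value == literal}

    def lookup_contained(self, sql, min_len=4):
        """Origins whose cached value appears verbatim in the query text. This is
        our fallback for injected input that the literal tokenizer splits apart;
        the length floor stops short values such as '3' from matching anywhere."""
        hits = {}
        for value, origin in self._entries:
            if len(value) >= min_len and value in sql:
                hits.setdefault(value, set()).add(origin)
        return hits

SQL_LITERAL = re.compile(r"'((?:[^']|'')*)'")  # '' inside a literal is an escaped quote

def extract_literals(sql):
    """The portion of the database query the DIDS compares against the cache."""
    return [m.group(1).replace("''", "'") for m in SQL_LITERAL.finditer(sql)]

def report_origins(cache, anomalous_sql):
    """Map an anomalous query to {matched query data: origins}: exact literal
    matches first, containment fallback only when no literal matched."""
    found = {}
    for lit in extract_literals(anomalous_sql):
        origins = cache.lookup_exact(lit)
        if origins:
            found[lit] = origins
    return found or cache.lookup_contained(anomalous_sql)
```

Note that a short literal such as `'1'` is too common to identify a client on its own, which is why the fallback only considers cached values of at least `min_len` characters.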
16 Claims
6. A system for determining an origin of a database query, comprising:
- a proxy server configured to receive communications between clients and an application server, the proxy server comprising:
  - a processor; and
  - a computer-readable storage medium having processor-executable computer program instructions recorded thereon comprising:
    - a proxy server data extraction module configured to identify communications between clients and the application server for creating database queries, to extract portions of the communications for creating database queries, and to store the extracted portions in entries of a cache in correspondence with origin data describing origins of the identified communications; and
    - a cache lookup module configured to receive identified portions of database queries, to search the cache for matching entries having extracted portions matching the identified portions, and to output origin data corresponding to the matching entries;
- a database intrusion detection system (DIDS) configured to receive communications between the application server and a database, the DIDS comprising:
  - a processor; and
  - a computer-readable storage medium having processor-executable computer program instructions recorded thereon comprising:
    - a DIDS data extraction module configured to identify a portion of a database query derived from query data in a network communication between the application server and the database; and
    - a reporting module configured to provide the identified portion of the database query to the cache lookup module, to receive origin data of a matching entry in response, and to report the origin data.

Dependent claims: 7, 8, 9, 10.
11. A computer program product having a computer-readable storage medium having executable computer program instructions recorded thereon for determining an origin of a database query, the computer program instructions comprising:
- a first data extraction module configured to identify a network communication for creating a database query destined for an application server, to extract query data from the identified network communication destined for the application server, and to store the query data in a cache;
- an origin determination module configured to determine origin data describing an origin of the identified network communication destined for the application server and to store the origin data in the cache in correspondence with the extracted query data;
- a second data extraction module configured to identify a portion of a database query in a network communication from the application server and destined for a database;
- a cache lookup module configured to search the cache of query data and corresponding origin data for a cache entry having query data matching the identified portion of the database query; and
- a reporting module configured to report the origin data corresponding to the matching query data.

Dependent claims: 12, 13, 14, 15, 16.
Specification