Determining origins of queries for a database intrusion detection system

US 7,558,796 B1
Filed: 05/19/2005
Issued: 07/07/2009
Est. Priority Date: 05/19/2005
Status: Active Grant

First Claim

Patent Images

1. A method of determining an origin of a database query, comprising:

identifying query data in a network communication sent between a client and an application server;

determining origin data describing an origin of the network communication sent between the client and the application server;

storing the query data in correspondence with the origin data in a cache;

identifying a portion of the database query derived from query data, the database query in a network communication between the application server and a database;

searching the cache for a cache entry having query data matching the identified portion of the database query; and

reporting the origin data corresponding to the matching query data.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A database intrusion detection system (DIDS) monitors database queries to detect anomalous queries that might by symptomatic of a code injection attack on the database. A proxy server intercepts HTTP messages from clients that contain query data used to generate database queries. The proxy server extracts the query data from a message and determines origin data describing the origin of the message, such as the IP address of the client that sent the message. The proxy server stores the query and origin data in a cache. Upon detecting an anomalous query, the DIDS extracts a portion of the query, such as the literals. The DIDS searches the cache to identify entries having query data that match the extracted portions of the query. The DIDS reports the origin data of the matching cache entries.

107 Citations

View as Search Results

16 Claims

1. A method of determining an origin of a database query, comprising:
- identifying query data in a network communication sent between a client and an application server;
  
  determining origin data describing an origin of the network communication sent between the client and the application server;
  
  storing the query data in correspondence with the origin data in a cache;
  
  identifying a portion of the database query derived from query data, the database query in a network communication between the application server and a database;
  
  searching the cache for a cache entry having query data matching the identified portion of the database query; and
  
  reporting the origin data corresponding to the matching query data.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein identifying a portion of the database query derived from query data comprises:
    - identifying a literal in the database query.
  - 3. The method of claim 1, wherein identifying a portion of the database query derived from query data comprises:
    - identifying a portion of the database query containing a code injection.
  - 4. The method of claim 1, wherein the query data in the network communication sent between the client and the application server comprise form data sent via a hypertext transport protocol (HTTP) message.
  - 5. The method of claim 1, further comprising:
    - determining an identification of an end-user that generated the network communication sent between the client and the application server; and
      
      saving the identification of the end-user in the cache as the origin data.

6. A system for determining an origin of a database query, comprising:
- a proxy server configured to receive communications between clients and an application server, the proxy server comprising;
  
  a processor; and
  
  a computer-readable storage medium having processor-executable computer program instructions recorded thereon comprising;
  
  a proxy server data extraction module configured to identify communications between clients and the application server for creating database queries, to extract portions of the communications for creating database queries, and to store the extracted portions in entries of a cache in correspondence with origin data describing origins of the identified communications; and
  
  a cache lookup module configured to receive identified portions of database queries, to search the cache for matching entries having extracted portions matching the identified portions, and to output origin data corresponding to the matching entries;
  
  a database intrusion detection system (DIDS) configured to receive communications between the application server and a database, the DIDS comprising;
  
  a processor; and
  
  a computer-readable storage medium having processor-executable computer program instructions recorded thereon comprising;
  
  a DIDS data extraction module configured to identify a portion of a database query derived from query data in a network communication between the application server and the database; and
  
  a reporting module configured to provide the identified portion of the database query to the cache lookup module, to receive origin data of a matching entry in response, and to report the origin data.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The system of claim 6, wherein the DIDS data extraction module is configured to identify a literal in the database query.
  - 8. The system of claim 6, wherein the DIDS data extraction module is configured to identify a portion of the database query containing a code injection.
  - 9. The system of claim 6, wherein the extracted portions of the communications for creating database queries comprise form data sent via a hypertext transport protocol (HTTP).
  - 10. The system of claim 6, wherein the proxy server further comprisesan origin determination module configured to determine origin data describing origins of identified communications between clients and the application server for creating database queries and to store the origin data in the cache.

11. A computer program product having a computer-readable storage medium having executable computer program instructions recorded thereon for determining an origin of a database query, the computer program instructions comprising:
- a first data extraction module configured to identify a network communication for creating a database query destined for an application server, to extract query data from the identified network communication destined for the application server, and to store the query data in a cache;
  
  an origin determination module configured to determine origin data describing an origin of the identified network communication destined for the application server and to store the origin data in the cache in correspondence with the extracted query data;
  
  a second data extraction module configured to identify a portion of a database query in a network communication from the application server and destined for a database;
  
  a cache lookup module configured to search the cache of query data and corresponding origin data for a cache entry having query data matching the identified portion of the database query; and
  
  a reporting module configured to report the origin data corresponding to the matching query data.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The computer program product of claim 11, wherein the second data extraction module is configured to identify a literal in the database query and wherein the cache lookup module is configured to search the cache for a cache entry having query data matching the identified literal.
  - 13. The computer program product of claim 11, wherein the second data extraction module is configured to identify a portion of the database query containing a code injection and wherein the cache lookup module is configured to search the cache for a cache entry having query data matching the identified portion of the database query containing the code injection.
  - 14. The computer program product of claim 11, wherein the query data in the network communication destined for the application server comprise form data sent via a hypertext transport protocol (HTTP) message.
  - 15. The computer program product of claim 11, further comprising:
    - an origin determination module configured to observe a network communication destined for the application server including authentication credentials for an end-user of a client and to store the authentication credentials in a cache entry associated with a subsequent network communication destined for the application server from the client.
  - 16. The computer program product of claim 11, wherein the cache is configured to purge entries in the cache according to a caching policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Bromwich, Adam, Wilhelm, Jeffrey
Primary Examiner(s)
Wong; Leslie

Application Number

US11/133,498
Time in Patent Office

1,510 Days
Field of Search

707 3- 6, 707/10, 707/101, 707/104.1, 726/12, 726/23
US Class Current

1/1
CPC Class Codes

G06F 16/2358   Change logging, detection, ...

G06F 16/24   Querying

Y10S 707/99936   Pattern matching access

Determining origins of queries for a database intrusion detection system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

107 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

Determining origins of queries for a database intrusion detection system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

107 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others