Real-time training for a computer code intrusion detection system

US 7,568,229 B1
Filed: 07/01/2003
Issued: 07/28/2009
Est. Priority Date: 07/01/2003
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for training a database intrusion detection system in real time, said method comprising the steps of:

observing, in real time, commands that are accessing the database during a training phase;

establishing categories responsive to the observed commands;

grouping the commands into the categories;

performing a statistical analysis of the categories, the analysis comprising determining whether a predetermined threshold number of categories has been exceeded;

deriving from said commands, in real time, a set of acceptable commands; and

ending the training phase responsive to a determination that the predetermined threshold number of categories has been exceeded.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and computer-readable media for training a computer code intrusion detection system in real time. A method embodiment of the present invention comprises the steps of observing (22), in real time, commands (5) that are accessing the computer code (1); and deriving (23) from said commands (5), in real time, a set (6) of acceptable commands.

Citations

19 Claims

1. A computer-implemented method for training a database intrusion detection system in real time, said method comprising the steps of:
- observing, in real time, commands that are accessing the database during a training phase;
  
  establishing categories responsive to the observed commands;
  
  grouping the commands into the categories;
  
  performing a statistical analysis of the categories, the analysis comprising determining whether a predetermined threshold number of categories has been exceeded;
  
  deriving from said commands, in real time, a set of acceptable commands; and
  
  ending the training phase responsive to a determination that the predetermined threshold number of categories has been exceeded.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1 wherein the commands are SQL commands.
  - 3. The method of claim 1 wherein at least one observed command is selected from the group of commands consisting of a query, an add, a delete, and a modify.
  - 4. The method of claim 1 wherein the categories comprise at least one category selected from the group of categories consisting of:
    - canonicalized commands;
      
      dates and times at which commands access the computer code;
      
      logins of users that issue commands;
      
      identities of users that issue commands;
      
      departments of users that issue commands;
      
      applications that issue commands;
      
      IP addresses of issuing users;
      
      frequency of issuing commands by users;
      
      identities of users accessing a given field within the database;
      
      times of day that a given user accesses a given field within the database;
      
      fields accessed by commands;
      
      combinations of fields accessed by commands;
      
      tables within the database accessed by commands; and
      
      combinations of tables within the database accessed by commands.
  - 5. The method of claim 1 wherein:
    - the categories comprise canonicalized commands; and
      
      each category is a command stripped of literal field data.
  - 6. The method of claim 1 wherein the observing step comprises at least one of:
    - real-time auditing; and
      
      in-line interception.
  - 7. The method of claim 6 wherein the observing step comprises real-time auditing;
    - and at least one of the following is used to extract the commands for observation;
      
      an API that accesses the database;
      
      code injection;
      
      patching; and
      
      direct database integration.
  - 8. The method of claim 6 wherein the observing step comprises in-line interception;
    - and at least one of the following is interposed between senders of the commands and the database;
      
      a proxy;
      
      a firewall; and
      
      a sniffer.
  - 9. The method of claim 1 wherein:
    - during the deriving step, a suspicious activity is tracked; and
      
      subsequent to the deriving step, the suspicious activity is reported to a system administrator.
  - 10. The method of claim 1 further comprising, subsequent to the deriving step, an operational phase in which commands that are accessing the database are compared against the set of acceptable commands.
  - 11. The method of claim 10 wherein a command that is accessing the database during the operational phase that does not match a command in the set of acceptable commands is flagged as suspicious.
  - 12. The method of claim 11 wherein, when a command is flagged as suspicious, at least one of the following is performed:
    - an alert is sent to a system administrator;
      
      the command is not allowed to access the database;
      
      the command is allowed to access the database, but the access is limited;
      
      the command is augmented;
      
      a sender of the command is investigated.
  - 13. The method of claim 1, wherein:
    - the statistical analysis further determines whether a predetermined frequency threshold for establishing the categories has been exceeded; and
      
      the training phase ends responsive to a determination that the predetermined frequency threshold has been exceeded.
  - 14. The method of claim 1, further comprising:
    - determining whether a predetermined period of time for the training phase has elapsed; and
      
      ending the training phase responsive to a determination that the predetermined period of time has elapsed.

15. A computer-readable storage medium containing computer program instructions for training a database intrusion detection system in real time, said computer program instructions performing the steps of:
- observing, in real time, commands that are accessing the database during a training phase;
  
  establishing categories responsive to the observed commands;
  
  grouping the commands into the categories;
  
  performing a statistical analysis of the categories, the analysis comprising determining whether a predetermined threshold number of categories has been exceeded;
  
  deriving from said commands, in real time, a set of acceptable commands; and
  
  ending the training phase responsive to a determination that the predetermined threshold number of categories has been exceeded.
- View Dependent Claims (16, 17)
- - 16. The computer-readable storage medium of claim 15 wherein:
    - the categories comprise canonicalized commands; and
      
      each category is a command stripped of literal field data.
  - 17. The computer-readable storage medium of claim 16 further comprising, subsequent to the deriving step, an operational phase in which commands that are accessing the database are compared against the set of acceptable commands.

18. A computer-readable storage medium storing computer executable program code for training a database intrusion detection system in real time, the computer-executable code comprising:
- a training module adapted for observing, in real time, commands that are accessing the database during a training phase, establishing categories responsive to the observed commands, grouping the commands into the categories, performing a statistical analysis of the categories to determine whether a predetermined threshold number of categories has been exceeded, deriving from the commands, in real time, a set of acceptable commands, and ending the training phase responsive to a determination that the predetermined threshold number has been exceeded; and
  
  coupled to the set of acceptable commands, a comparison module for comparing the commands that access the database during an operational phase with the commands in the set of acceptable commands.
- View Dependent Claims (19)
- - 19. The computer-readable storage medium of claim 18, wherein:
    - the statistical analysis further determines whether a predetermined frequency threshold for establishing the categories has been exceeded; and
      
      the training phase ends responsive to a determination that the predetermined frequency threshold has been exceeded.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Nachenberg, Carey, Barajas, Frank
Primary Examiner(s)
Moise; Emmanuel L
Assistant Examiner(s)
Davis; Zachary A

Application Number

US10/612,198
Time in Patent Office

2,219 Days
Field of Search

726 22- 25, 707/1, 707/9, 707/10, 709/225, 709/229
US Class Current

726/23
CPC Class Codes

G06F 16/217   Database tuning G06F16/2282...

G06F 21/554   involving event detection a...

Y10S 707/99939   Privileged access

Real-time training for a computer code intrusion detection system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Real-time training for a computer code intrusion detection system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links