Effective aggregation and presentation of database intrusion incidents

US 7,774,361 B1
Filed: 07/08/2005
Issued: 08/10/2010
Est. Priority Date: 07/08/2005
Status: Active Grant

First Claim

Patent Images

1. A computer program product for aggregating and presenting a database intrusion incident, the computer program product comprising a computer-readable storage medium containing executable computer program code for:

receiving, from a database intrusion detection system, an anomalous database query requesting data from a database, the database intrusion detection system configured to separate acceptable database queries from anomalous database queries that are expected to have undesired effects on the database, wherein database queries are determined to be anomalous when the database queries differ from the acceptable database queries observed by the database intrusion detection system, the anomalous database query having at least one anomalous attribute;

identifying an anomaly type for the anomalous database query received, the anomaly type defining a category of anomalous database queries having similar anomalous attributes;

converting the anomalous database query into a characteristic representation, the characteristic representation describing the anomalous attribute of the anomalous database query in a generic form for grouping according to the anomaly type;

aggregating the anomalous database query and other anomalous database queries with substantially similar characteristic representations into a group of anomalous database queries to represent a single intrusion incident, wherein the other anomalous database queries are identified for aggregation into the group using an index generated based on the characteristic representation of the anomalous database query; and

generating a database intrusion incident report describing the group of anomalous database queries.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An incident managing module aggregates related database intrusion incidents and presents them in a manageable manner. A receiving module receives an anomalous query requesting data from a database and a type-identification module identifies anomaly type for the query received. A conversion module converts the anomalous query into a characteristic representation. In some embodiments, this is done by replacing literal field values in the query with representative values. In other embodiments, this is done by creating a tuple describing anomaly parameters for the anomalous query. In still other embodiments, the query is converted into a characteristic representation that distinguishes between injected and non-injected portions of the query. An aggregation module then aggregates into a group the anomalous queries with substantially similar characteristic representations according to anomaly type and a generation module generates a database intrusion incident report describing the group of anomalous queries.

Citations

29 Claims

1. A computer program product for aggregating and presenting a database intrusion incident, the computer program product comprising a computer-readable storage medium containing executable computer program code for:
- receiving, from a database intrusion detection system, an anomalous database query requesting data from a database, the database intrusion detection system configured to separate acceptable database queries from anomalous database queries that are expected to have undesired effects on the database, wherein database queries are determined to be anomalous when the database queries differ from the acceptable database queries observed by the database intrusion detection system, the anomalous database query having at least one anomalous attribute;
  
  identifying an anomaly type for the anomalous database query received, the anomaly type defining a category of anomalous database queries having similar anomalous attributes;
  
  converting the anomalous database query into a characteristic representation, the characteristic representation describing the anomalous attribute of the anomalous database query in a generic form for grouping according to the anomaly type;
  
  aggregating the anomalous database query and other anomalous database queries with substantially similar characteristic representations into a group of anomalous database queries to represent a single intrusion incident, wherein the other anomalous database queries are identified for aggregation into the group using an index generated based on the characteristic representation of the anomalous database query; and
  
  generating a database intrusion incident report describing the group of anomalous database queries.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computer program product of claim 1, wherein aggregating further comprises aggregating based on one or more aggregation constraints selected from a group consisting of:
    - query text, user name, query source IP address, or names of the specific parameters that were found to be anomalous.
  - 3. The computer program product of claim 1, wherein the anomaly type for the query received is selected from a group consisting of:
    - anomalous query text that has not been previously received, anomalous parameters but known query text that has been previously received, and anomalous code injected into known query text that has been previously received.
  - 4. The computer program product of claim 1, wherein converting further comprises converting the anomalous database query into the characteristic representation by replacing literal field values in the query with representative values in a canonical form.
  - 5. The computer program product of claim 1, wherein converting further comprises converting the anomalous database query into the characteristic representation by creating a tuple that describes anomaly parameters for the anomalous database query.
  - 6. The computer program product of claim 1, wherein the anomalous database query comprises injected code and non-injected code, and wherein converting further comprises converting the anomalous database query into a characteristic representation that distinguishes between injected and non-injected portions of the query.
  - 7. The computer program product of claim 1, wherein aggregating further comprises generating a hash of the characteristic representation for the anomalous database query and using the hash as the index to identify substantially similar anomalous database queries.
  - 8. The computer program product of claim 4, wherein aggregating further comprises aggregating the anomalous database query with the other anomalous database queries that have substantially similar canonicalized forms together into a group to represent a single intrusion incident.
  - 9. The computer program product of claim 5, wherein aggregating further comprises aggregating the anomalous database query with the other anomalous database queries that have substantially similar tuple field values in a same tuple field together into a group to represent a single intrusion incident.
  - 10. The computer program product of claim 6, wherein aggregating further comprises aggregating the anomalous database query with the other anomalous database queries by aggregating principally on the non-injected portion of the query.
  - 11. The computer program product of claim 1, further comprising a counter variable configured to determine how many instances of the anomalous database query were received.

12. A computer-implemented method for aggregating and presenting a database intrusion incident, the method comprising:
- using a computer processor configured to execute method steps, the steps comprising;
  
  receiving, from a database intrusion detection system, an anomalous database query requesting data from a database, the database intrusion detection system configured to separate acceptable database queries from anomalous database queries that are expected to have undesired effects on the database, wherein database queries are determined to be anomalous when the database queries differ from the acceptable database queries observed by the database intrusion detection system, the anomalous database query having at least one anomalous attribute;
  
  identifying an anomaly type for the query received, the anomaly type defining a category of anomalous database queries having similar anomalous attributes;
  
  converting the anomalous database query into a characteristic representation, the characteristic representation describing the anomalous attribute of the anomalous database query in a generic form for grouping according to the anomaly type;
  
  aggregating the anomalous database query and other anomalous database queries with substantially similar characteristic representations into a group of anomalous database queries to represent a single intrusion incident, wherein the other anomalous database queries are identified for aggregation into the group using an index generated based on the characteristic representation of the anomalous database query; and
  
  generating a database intrusion incident report describing the group of anomalous database queries.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The method of claim 12, wherein converting the anomalous database query into the characteristic representation further comprises replacing literal field values in the query with representative values in a canonical form.
  - 14. The method of claim 12, wherein converting the anomalous database query into the characteristic representation further comprises creating a tuple that describes anomaly parameters for the anomalous database query.
  - 15. The method of claim 12, wherein the anomalous query comprises injected code and non-injected code, and wherein converting the anomalous database query into the characteristic representation further comprises converting the anomalous database query into a characteristic representation that distinguishes between injected and non-injected portions of the query.
  - 16. The method of claim 12, further comprising:
    - generating a hash of the characteristic representation for the anomalous database query; and
      
      using the hash as the index to identify substantially similar anomalous database queries.
  - 17. The method of claim 12, wherein the anomaly type comprises anomalous query text.
  - 18. The method of claim 12, wherein the anomaly type comprises known query text with anomalous parameters.
  - 19. The method of claim 12, wherein the anomaly type comprises injected anomalous code.
  - 20. The method of claim 13, wherein aggregating further comprises aggregating the anomalous database query with the other anomalous database queries that have substantially similar canonicalized text.
  - 21. The method of claim 14, wherein aggregating further comprises aggregating the anomalous database query with the other anomalous database queries that have substantially similar tuple field values in the same tuple field.
  - 22. The method of claim 15, wherein aggregating further comprises aggregating the anomalous database query with the other anomalous database queries by aggregating principally on the non-injected portion of the query.

23. A computer system for a database intrusion system for aggregating and presenting a database intrusion incident, the computer system comprising:
- a computer-readable storage medium configured to store software modules comprising;
  
  a receiving module configured to receive, from a database intrusion detection system, an anomalous database query requesting data from a database, the database intrusion detection system configured to separate acceptable database queries from anomalous database queries that are expected to have undesired effects on the database, wherein database queries are determined to be anomalous when the database queries differ from the acceptable database queries observed by the database intrusion detection system, the anomalous database query having at least one anomalous attribute;
  
  a type-identification module configured to identify an anomaly type for the query received, the anomaly type defining a category of anomalous database queries having similar anomalous attributes;
  
  a conversion module configured to convert the anomalous database query into a characteristic representation, the characteristic representation describing the anomalous attribute of the anomalous database query in a generic form for grouping according to the anomaly type;
  
  an aggregation module configured to aggregate anomalous database queries the anomalous database query and other with substantially similar characteristic representations into a group of anomalous database queries to represent a single intrusion incident, wherein the other anomalous database queries are identified for aggregation into the group using an index generated based on the characteristic representation of the anomalous database query;
  
  a generation module configured to generate a database intrusion incident report describing the group of anomalous database queries; and
  
  a processor configured to execute the software modules stored by the computer-readable storage medium.
- View Dependent Claims (24, 25, 26, 27, 28, 29)
- - 24. The system of claim 23, wherein the conversion module is further configured to convert the anomalous database query into the characteristic representation by replacing literal field values in the query with representative values in a canonical form.
  - 25. The system of claim 23, wherein the conversion module is further configured to convert the anomalous database query into the characteristic representation by creating a tuple that describes anomaly parameters for the anomalous database query.
  - 26. The system of claim 23, wherein the anomalous database query comprises injected code and non-injected code, and wherein the conversion module is further configured to convert the anomalous database query into a characteristic representation that distinguishes between injected and non-injected portions of the query.
  - 27. The system of claim 25, wherein the tuple is added as an attribute to the incident generated, the tuple including a count to indicate how many times the tuple of parameters was seen.
  - 28. The system of claim 27, wherein a maximum threshold number of tuples is stored with the incident before subsequent tuples are discarded.
  - 29. The system of claim 23, wherein the aggregation module is further configured aggregate the anomalous database query based on query text and on user name.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Wawda, Abu, Sanders, Darren, Lee, On, Nachenberg, Carey, Bromwich, Adam
Primary Examiner(s)
Jalil; Neveen Abel
Assistant Examiner(s)
LIANG, VEI CHUNG

Application Number

US11/177,775
Time in Patent Office

1,859 Days
Field of Search

714/25, 714/48, 714/57, 714/701, 714/819, 726/22, 726/23, 726/25, 717/127, 380/1, 380/59
US Class Current

707/779
CPC Class Codes

G06F 16/217   Database tuning G06F16/2282...

G06F 21/552   involving long-term monitor...

H04L 63/1416   Event detection, e.g. attac...

Y10S 707/952   Malicious software

Effective aggregation and presentation of database intrusion incidents

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Effective aggregation and presentation of database intrusion incidents

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links