Effective aggregation and presentation of database intrusion incidents
First Claim
1. A computer program product for aggregating and presenting a database intrusion incident, the computer program product comprising a computer-readable storage medium containing executable computer program code for:
receiving, from a database intrusion detection system, an anomalous database query requesting data from a database, the database intrusion detection system configured to separate acceptable database queries from anomalous database queries that are expected to have undesired effects on the database, wherein database queries are determined to be anomalous when the database queries differ from the acceptable database queries observed by the database intrusion detection system, the anomalous database query having at least one anomalous attribute;
identifying an anomaly type for the anomalous database query received, the anomaly type defining a category of anomalous database queries having similar anomalous attributes;
converting the anomalous database query into a characteristic representation, the characteristic representation describing the anomalous attribute of the anomalous database query in a generic form for grouping according to the anomaly type;
aggregating the anomalous database query and other anomalous database queries with substantially similar characteristic representations into a group of anomalous database queries to represent a single intrusion incident, wherein the other anomalous database queries are identified for aggregation into the group using an index generated based on the characteristic representation of the anomalous database query; and
generating a database intrusion incident report describing the group of anomalous database queries.
Abstract
An incident managing module aggregates related database intrusion incidents and presents them in a manageable manner. A receiving module receives an anomalous query requesting data from a database, and a type-identification module identifies an anomaly type for the query received. A conversion module converts the anomalous query into a characteristic representation. In some embodiments, this is done by replacing literal field values in the query with representative values. In other embodiments, this is done by creating a tuple describing anomaly parameters for the anomalous query. In still other embodiments, the query is converted into a characteristic representation that distinguishes between injected and non-injected portions of the query. An aggregation module then aggregates into a group the anomalous queries with substantially similar characteristic representations according to anomaly type, and a generation module generates a database intrusion incident report describing the group of anomalous queries.
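The grouping pipeline the abstract describes, as an added illustration that is not code from the patent or its assignee: each anomalous query is converted into a characteristic representation by replacing literal field values with placeholders, an index key is derived from the (anomaly type, representation) tuple, and alerts sharing a key collapse into one reported incident. The sample alerts, their anomaly-type labels and the table and column names are constructed for the example.

```python
import hashlib
import re

# Constructed sample alerts, in the shape an intrusion detection system
# might emit them: the raw anomalous query plus the anomaly type it assigned.
SAMPLE_ALERTS = [
    {"ts": 1, "anomaly_type": "unexpected_structure",
     "query": "SELECT name FROM users WHERE id = 42 AND role = 'guest'"},
    {"ts": 2, "anomaly_type": "unexpected_structure",
     "query": "SELECT name FROM users WHERE id = 7 AND role = 'admin'"},
    {"ts": 3, "anomaly_type": "unexpected_structure",
     "query": "SELECT   name FROM users WHERE id=99 AND role='x'"},
    {"ts": 4, "anomaly_type": "unexpected_table",
     "query": "SELECT * FROM audit_log WHERE id = 1"},
]

_STR = re.compile(r"'(?:[^']|'')*'")      # single-quoted SQL string literal
_NUM = re.compile(r"\b\d+(?:\.\d+)?\b")   # integer or decimal literal
_WS = re.compile(r"\s+")

def characteristic_representation(query):
    """Replace literal field values with representative placeholders and
    canonicalise spacing, so queries that differ only in values collapse."""
    q = _STR.sub("'?'", query)          # strings first, so digits inside them vanish
    q = _NUM.sub("?", q)
    q = _WS.sub(" ", q).strip()
    q = re.sub(r"\s*=\s*", " = ", q)    # 'id=99' and 'id = 99' become identical
    return q

def index_key(anomaly_type, representation):
    """Index generated from the (anomaly type, representation) tuple."""
    raw = f"{anomaly_type}\x00{representation}".encode()
    return hashlib.sha256(raw).hexdigest()[:16]

def aggregate(alerts):
    """Group alerts that share an index key into a single incident each."""
    incidents = {}
    for a in alerts:
        rep = characteristic_representation(a["query"])
        key = index_key(a["anomaly_type"], rep)
        inc = incidents.setdefault(key, {
            "anomaly_type": a["anomaly_type"], "representation": rep,
            "count": 0, "first_seen": a["ts"], "last_seen": a["ts"],
            "sample": a["query"]})
        inc["count"] += 1
        inc["last_seen"] = max(inc["last_seen"], a["ts"])
    return incidents

def report(incidents):
    """One report line per incident, busiest first, instead of one per alert."""
    ordered = sorted(incidents.values(), key=lambda i: -i["count"])
    return [f"[{i['anomaly_type']}] x{i['count']} ({i['first_seen']}-{i['last_seen']}): "
            f"{i['representation']}" for i in ordered]
```

Running `report(aggregate(SAMPLE_ALERTS))` turns the four alerts into two incident lines; an analyst sees the normalised template and the hit count rather than every raw query.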
29 Claims
12. A computer-implemented method for aggregating and presenting a database intrusion incident, the method comprising:
using a computer processor configured to execute method steps, the steps comprising:
receiving, from a database intrusion detection system, an anomalous database query requesting data from a database, the database intrusion detection system configured to separate acceptable database queries from anomalous database queries that are expected to have undesired effects on the database, wherein database queries are determined to be anomalous when the database queries differ from the acceptable database queries observed by the database intrusion detection system, the anomalous database query having at least one anomalous attribute;
identifying an anomaly type for the query received, the anomaly type defining a category of anomalous database queries having similar anomalous attributes;
converting the anomalous database query into a characteristic representation, the characteristic representation describing the anomalous attribute of the anomalous database query in a generic form for grouping according to the anomaly type;
aggregating the anomalous database query and other anomalous database queries with substantially similar characteristic representations into a group of anomalous database queries to represent a single intrusion incident, wherein the other anomalous database queries are identified for aggregation into the group using an index generated based on the characteristic representation of the anomalous database query; and
generating a database intrusion incident report describing the group of anomalous database queries.
(Dependent claims 13, 14, 15, 16, 17, 18, 19, 20, 21, 22.)
23. A computer system for a database intrusion system for aggregating and presenting a database intrusion incident, the computer system comprising:
a computer-readable storage medium configured to store software modules comprising:
a receiving module configured to receive, from a database intrusion detection system, an anomalous database query requesting data from a database, the database intrusion detection system configured to separate acceptable database queries from anomalous database queries that are expected to have undesired effects on the database, wherein database queries are determined to be anomalous when the database queries differ from the acceptable database queries observed by the database intrusion detection system, the anomalous database query having at least one anomalous attribute;
a type-identification module configured to identify an anomaly type for the query received, the anomaly type defining a category of anomalous database queries having similar anomalous attributes;
a conversion module configured to convert the anomalous database query into a characteristic representation, the characteristic representation describing the anomalous attribute of the anomalous database query in a generic form for grouping according to the anomaly type;
an aggregation module configured to aggregate the anomalous database query and other anomalous database queries with substantially similar characteristic representations into a group of anomalous database queries to represent a single intrusion incident, wherein the other anomalous database queries are identified for aggregation into the group using an index generated based on the characteristic representation of the anomalous database query;
a generation module configured to generate a database intrusion incident report describing the group of anomalous database queries; and
a processor configured to execute the software modules stored by the computer-readable storage medium.
(Dependent claims 24, 25, 26, 27, 28, 29.)