Automatic training of a database intrusion detection system
Abstract
A database intrusion detection system (DIDS) automatically trains itself to account for changes to the database. The DIDS monitors upstream queries sent to the database and downstream data provided in response to the queries. The DIDS classifies an upstream query as legitimate or anomalous. If the query is anomalous, the DIDS determines whether the anomaly resulted from a change in the database by performing one or more tests. One test determines whether the query references new fields or tables. Another test determines the frequency at which the query is received, and/or whether the query is received from multiple sources. A third test determines whether the query accesses sensitive information. Together, the results of these tests describe whether the query should be classified as anomalous or legitimate.
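The decision flow in the abstract can be sketched as follows. This is an added example, not code from the patent: the regex-based template and label extraction, the thresholds, the class and function names, and the rule that all three tests must agree before the system retrains itself are assumptions made for illustration.

```python
import re
from collections import defaultdict

KEYWORDS = {"select", "from", "where", "and", "or", "join", "on",
            "insert", "into", "values", "update", "set"}

def template(sql):
    """Replace literals with '?' so queries differing only in values match."""
    sql = re.sub(r"'[^']*'", "?", sql.lower())
    return re.sub(r"\b\d+\b", "?", sql).strip()

def labels(sql):
    """Table and field names used by the query (SQL keywords excluded)."""
    return set(re.findall(r"[a-z_][a-z0-9_]*", template(sql))) - KEYWORDS

class DIDS:
    def __init__(self, training, sensitive, min_count=3, min_sources=2):
        self.templates = {template(q) for q in training}
        self.known = set().union(*(labels(q) for q in training))
        self.sensitive = set(sensitive)
        self.min_count, self.min_sources = min_count, min_sources
        self.seen = defaultdict(lambda: [0, set()])  # template -> [count, sources]

    def classify(self, sql, source):
        t = template(sql)
        if t in self.templates:                  # matches trained behaviour
            return "legitimate"
        stat = self.seen[t]
        stat[0] += 1
        stat[1].add(source)
        used = labels(sql)
        new_labels = used - self.known           # test 1: new fields or tables
        frequent = (stat[0] >= self.min_count    # test 2: frequency and sources
                    and len(stat[1]) >= self.min_sources)
        sensitive = bool(used & self.sensitive)  # test 3: sensitive data
        # Assumed combination: attribute the anomaly to a database change only
        # when all three tests agree, then learn the new template and labels.
        if new_labels and frequent and not sensitive:
            self.templates.add(t)
            self.known |= used
            return "legitimate"
        return "anomalous"

if __name__ == "__main__":
    # Constructed sample data: one trained query, one sensitive column.
    dids = DIDS(["SELECT name FROM customers WHERE id = 7"], {"card_number"})
    q = "SELECT name, loyalty_tier FROM customers WHERE id = 1"
    for src in ("app1", "app2", "app1", "app3"):
        print(src, dids.classify(q, src))
```

A query touching a sensitive label stays anomalous no matter how often or from how many sources it arrives, so repetition alone cannot train the detector into accepting it.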
25 Claims
1. A computer program product having a non-transitory computer-readable medium having executable computer program instructions recorded thereon for training a database intrusion detection system, the computer program instruction comprising instructions configured to:
- receiving a query requesting data from a database;
- determining whether the query is anomalous;
- if the query is not anomalous, classifying the query as legitimate;
- if the query is anomalous, determining whether the anomaly is due to a change in the database by determining whether a label used in the query is in a set of labels that are used by legitimate database queries; and
- if the anomaly is due to a change in the database, classifying the query as legitimate.
Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. A database intrusion detection system (DIDS) comprising:
- a computer processor adapted to execute computer program modules; and
- a non-transitory computer-readable storage medium storing executable computer program modules comprising:
  - a receiving module adapted to receive a query requesting data from a database;
  - a query analysis module adapted to determine whether the query is anomalous;
  - a change adaptation module adapted to determine whether an anomalous query is anomalous due to a change in the database by determining whether a label used in the query is in a set of labels that are used by legitimate database queries and, responsive to a positive determination, classify the query as legitimate.
Dependent claims: 10, 11, 12, 13, 14, 15, 16, 17
18. A method of training a database intrusion detection system, comprising:
- receiving a query requesting data from a database;
- determining whether the query is anomalous;
- if the query is not anomalous, classifying the query as legitimate;
- if the query is anomalous, determining whether the anomaly is due to a change in the database by determining whether a label used in the query is in a set of labels that are used by legitimate database queries; and
- if the anomaly is due to a change in the database, classifying the query as legitimate.
Dependent claims: 19, 20, 21, 22, 23, 24, 25
Specification