System and method for investigating a data operation performed on a database
Abstract
A system and method for investigating a database operation, using forensic analysis. When a database intrusion is detected or suspected, various forensic techniques are applied to trace the intruder's activity and to locate or identify the intruder. An SQL (Structured Query Language) cache may be searched for SQL statements that may comprise SQL injection attacks or that target a particular set of data (e.g., credit card numbers). A System Change Number (SCN) may be used to identify a particular transaction; Undo and/or Redo logs may be reviewed to find other operations performed by the intruder and to retrieve metadata regarding the intruder's session and transaction(s). A Flashback utility may be employed to replay the intruder's activity and/or to restore the integrity of the database. If available, an audit trail may also be examined.
52 Citations
30 Claims
1. A computer-implemented method of investigating a database operation, the method comprising:
- suspending database operations;
- searching an SQL (Structured Query Language) cache for an SQL injection attack;
- identifying a System Change Number (SCN) of an unauthorized database operation;
- from said SCN, identifying a transaction ID of a transaction comprising the unauthorized database operation; and
- searching one or more of a Redo log and an Undo log for:
  - information regarding the transaction; and
  - other operations performed as part of the transaction.
(Dependent claims: 2 to 16.)

17. A computer readable medium storing instructions that, when executed by a computer, cause the computer to perform a method of investigating a database operation, the method comprising:
- suspending database operations;
- searching an SQL (Structured Query Language) cache for an SQL injection attack;
- identifying a System Change Number (SCN) of an unauthorized database operation;
- from said SCN, identifying a transaction ID of a transaction comprising the unauthorized database operation; and
- searching one or more of a Redo log and an Undo log for:
  - information regarding the transaction; and
  - other operations performed as part of the transaction.

18. An apparatus for investigating a database operation, comprising:
- a relational database management system (RDBMS);
- an SQL (Structured Query Language) cache comprising SQL statements recently executed against the RDBMS;
- a Redo log facilitating the re-execution of RDBMS activity from a first timestamp to a later timestamp;
- an Undo log facilitating the undoing of RDBMS activity from a second timestamp to an earlier timestamp; and
- a Flashback utility configured to facilitate rapid restoration of contents of the RDBMS.
(Dependent claims: 19 to 30.)
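The investigative sequence of claim 1 (suspend, search the SQL cache, SCN to transaction ID, then Undo and Redo), written out as an added example in Oracle SQL; it is not the patent's own code. The patent names no vendor, so assuming an Oracle database is an assumption, as are the table APP.CARDS, the time window, the transaction ID and the redo file path.

```sql
-- Added example, not part of the patent. Assumes an Oracle RDBMS (V$SQL,
-- flashback query and LogMiner are Oracle features; the patent names no vendor).
-- The table APP.CARDS, the time window, the XID and the redo path are constructed.

-- Step 0: freeze ordinary sessions so cache and undo are not overwritten (DBA only).
ALTER SYSTEM QUIESCE RESTRICTED;

-- Step 1: search the SQL cache for injection fingerprints against the target table.
SELECT sql_id, parsing_schema_name, first_load_time, executions, sql_text
  FROM v$sql
 WHERE UPPER(sql_text) LIKE '%CARDS%'
   AND (   UPPER(sql_text) LIKE '%OR 1=1%'
        OR UPPER(sql_text) LIKE '%'' OR ''%'
        OR UPPER(sql_text) LIKE '%UNION%SELECT%'
        OR sql_text LIKE '%--%')
 ORDER BY first_load_time;

-- Step 2: SCN and transaction ID (XID) of each change to the table in the
-- suspect window, via a flashback version query on the table itself.
SELECT versions_startscn AS scn, versions_xid AS xid, versions_operation AS op, card_id
  FROM app.cards
       VERSIONS BETWEEN TIMESTAMP
           TO_TIMESTAMP('2024-01-15 02:00:00', 'YYYY-MM-DD HH24:MI:SS')
       AND TO_TIMESTAMP('2024-01-15 04:00:00', 'YYYY-MM-DD HH24:MI:SS')
 WHERE versions_operation IS NOT NULL
 ORDER BY versions_startscn;

-- Step 3: from the XID, every operation in that transaction from undo, with the
-- logon user and reversing SQL (needs ALTER DATABASE ADD SUPPLEMENTAL LOG DATA).
SELECT start_scn, commit_scn, logon_user, operation, table_name, undo_sql
  FROM flashback_transaction_query
 WHERE xid = HEXTORAW('0A0014009801000A')   -- constructed XID from step 2
 ORDER BY start_scn;

-- Step 4: mine the redo log for the same transaction; redo keeps session info
-- and forward SQL after undo has aged out of the undo tablespace.
BEGIN
  DBMS_LOGMNR.ADD_LOGFILE(logfilename => '/u01/oradata/redo01.log',
                          options     => DBMS_LOGMNR.NEW);
  DBMS_LOGMNR.START_LOGMNR(options => DBMS_LOGMNR.DICT_FROM_ONLINE_CATALOG);
END;
/
SELECT scn, username, session_info, operation, sql_redo, sql_undo
  FROM v$logmnr_contents
 WHERE xid = HEXTORAW('0A0014009801000A')
 ORDER BY scn;
EXEC DBMS_LOGMNR.END_LOGMNR;
ALTER SYSTEM UNQUIESCE;
```

Step 2 prints the XID beside each SCN, and that value is the literal substituted into steps 3 and 4. Run the script as a DBA in SQL*Plus, since `/` and `EXEC` are SQL*Plus commands.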
Specification