System and method for investigating a data operation performed on a database

US 20050289187A1
Filed: 06/29/2004
Published: 12/29/2005
Est. Priority Date: 06/29/2004
Status: Abandoned Application

First Claim

Patent Images

1. A computer-implemented method of investigating a database operation, the method comprising:

suspending database operations;

searching an SQL (Structured Query Language) cache for an SQL injection attack;

identifying a System Change Number (SCN) of an unauthorized database operation;

from said SCN, identifying a transaction ID of a transaction comprising the unauthorized database operation; and

searching one or more of a Redo log and an Undo log for;

information regarding the transaction; and

other operations performed as part of the transaction.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for investigating a database operation, using forensic analysis. When a database intrusion is detected or suspected, various forensic techniques are applied to trace the intruder'"'"'s activity and to locate or identify the intruder. An SQL (Structured Query Language) cache may be searched for SQL statements that may comprise SQL injection attacks or that target a particular set of data (e.g., credit card numbers). A System Change Number (SCN) may be used to identify a particular transaction; Undo and/or Redo logs may be reviewed to find other operations performed by the intruder, to retrieve metadata regarding the intruders session and transaction(s). A Flashback utility may be employed to replay the intruder'"'"'s activity and/or to restore the integrity of the database. If available, an audit trail may also be examined.

52 Citations

View as Search Results

30 Claims

1. A computer-implemented method of investigating a database operation, the method comprising:
- suspending database operations;
  
  searching an SQL (Structured Query Language) cache for an SQL injection attack;
  
  identifying a System Change Number (SCN) of an unauthorized database operation;
  
  from said SCN, identifying a transaction ID of a transaction comprising the unauthorized database operation; and
  
  searching one or more of a Redo log and an Undo log for;
  
  information regarding the transaction; and
  
  other operations performed as part of the transaction.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, further comprising:
    - applying a Flashback utility to replay the unauthorized database operation.
  - 3. The method of claim 1, further comprising:
    - applying a Flashback utility to restore the database.
  - 4. The method of claim 1, further comprising:
    - generating a hash on data stored in the database, to facilitate a determination as to whether the investigating of the database operation changed the data.
  - 5. The method of claim 1, wherein said searching one or more of a Redo log and an Undo log further comprises:
    - identifying a session ID during which the unauthorized database operation was performed.
  - 6. The method of claim 1, wherein said searching one or more of a Redo log and an Undo log further comprises:
    - identifying a communication connection during which the unauthorized database operation was performed.
  - 7. The method of claim 1, wherein said searching one or more of a Redo log and an Undo log further comprises:
    - identifying a user that performed the unauthorized database operation.
  - 8. The method of claim 1, wherein said searching one or more of a Redo log and an Undo log further comprises:
    - searching for a DML (Data Manipulation Language) command.
  - 9. The method of claim 1, further comprising:
    - searching an audit log to identify an intruder that performed the unauthorized database operation.
  - 10. The method of claim 1, further comprising:
    - searching an audit log to identify the SCN of the unauthorized database operation.
  - 11. The method of claim 1, further comprising:
    - searching an audit log to identify a database session during which the unauthorized database operation was performed.
  - 12. The method of claim 11, further comprising:
    - searching the audit log to identify other operations performed during the database session.
  - 13. The method of claim 1, further comprising:
    - searching an audit log to identify a computing device from which the unauthorized database operation was initiated.
  - 14. The method of claim 13, further comprising:
    - searching the audit log to identify a other operations performed from the computing device.
  - 15. The method of claim 1, wherein said searching an SQL cache comprises searching the cache for a Select statement comprising the string “
    - or”
      
      or “
      
      union”
      
      .
  - 16. The method of claim 1, wherein said searching an SQL cache comprises searching the cache for an Update statement comprising the string “
    - or”
      
      or “
      
      union”
      
      .

17. A computer readable medium storing instructions that, when executed by a computer, cause the computer to perform a method of investigating a database operation, the method comprising:
- suspending database operations;
  
  searching an SQL (Structured Query Language) cache for an SQL injection attack;
  
  identifying a System Change Number (SCN) of an unauthorized database operation;
  
  from said SCN, identifying a transaction ID of a transaction comprising the unauthorized database operation; and
  
  searching one or more of a Redo log and an Undo log for;
  
  information regarding the transaction; and
  
  other operations performed as part of the transaction.

18. An apparatus for investigating a database operation, comprising:
- a relational database management system (RDBMS);
  
  an SQL (Structured Query Language) cache comprising SQL statements recently executed against the RDBMS;
  
  a Redo log facilitating the re-execution of RDBMS activity from a first timestamp to a later timestamp;
  
  an Undo log facilitating the undoing of RDBMS activity from a second timestamp to an earlier timestamp; and
  
  a Flashback utility configured to facilitate rapid restoration of contents of the RDBMS.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 19. The apparatus of claim 18, wherein each operation on the RDBMS that alters contents of the RDBMS is assigned an SCN (System Change Number).
  - 20. The apparatus of claim 18, further comprising:
    - an audit trail of user activity relating to a server computer hosting the RDBMS.
  - 21. The apparatus of claim 18, further comprising:
    - means for searching the SQL cache for possible SQL injection attacks.
  - 22. The apparatus of claim 18, further comprising:
    - means for searching the Redo log or the Undo log for an unauthorized operation on the RDBMS.
  - 23. The apparatus of claim 22, wherein the unauthorized operation comprises an SQL injection attack.
  - 24. The apparatus of claim 18, further comprising:
    - means for searching the Redo log or the Undo log for information relating to an unauthorized operation on the RDBMS.
  - 25. The apparatus of claim 18, further comprising:
    - means for determining the SCN of an unauthorized operation on the RDBMS.
  - 26. The apparatus of claim 25, further comprising:
    - means for determining the transaction ID of the unauthorized operation.
  - 27. The apparatus of claim 26, further comprising:
    - means for identifying other operations performed under the transaction ID.
  - 28. The apparatus of claim 25, further comprising:
    - means for identifying a session during which the unauthorized operation was performed.
  - 29. The apparatus of claim 28, further comprising:
    - means for identifying other operations performed during the session.
  - 30. The apparatus of claim 25, further comprising:
    - means for identifying a communication connection during which the unauthorized operation was performed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Wong, Daniel Manhung, Edwards, Kristy Browder

Application Number

US10/879,466
Publication Number

US 20050289187A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/24 Querying

G06F 21/554 involving event detection a...

System and method for investigating a data operation performed on a database

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

52 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for investigating a data operation performed on a database

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links