Many web applications use structured query language (SQL) to query and update data in their database. In ordinary circumstances, inputs to web applications behave as they should and provide appropriate answers to a given request. However, attacks on web applications include injecting something (e.g., an SQL Injection (SQLi)) into an input of a web application that causes the database to perform outside its intended scope. In extreme cases, attacks can cause the entire database to be downloaded in small chunks, data to be deleted, or access controls to be broken.
To detect SQLi and other attacks, a number of different security architectures have been implemented previously. These are typically called web application firewalls (WAFs). WAFs come in mostly two types. The first type is a traditional router or firewall approach. This type sits in front of the web server looking for attack patterns. This first type could be implemented as a hardware solution on site or it could be implemented in the cloud at a third-party system. However, installation is complicated for the first type since it requires reworking the existing network architecture, which may not be desirable or feasible. In extreme cases, reworking the existing network architecture means physically moving computers and rewiring them. A system of the first type is also a single point of failure, which is a concern for operability. If the WAF, or the network the WAF is on, has problems, traffic to the website has problems as well. Also, the request is “inline”, which means that the request has to be completed in a timely manner to ensure that the system performs adequately; in other words, the WAF has a limited amount of time to allow or block the request. This time requirement limits the number and type of attacks that can be detected in real time. For example, because of the limited time for computation, the WAF may either block too many incoming requests, impacting web server performance for some legitimate users, or block too few requests, essentially only logging the traffic information and potentially letting some attacks through, which limits the effectiveness of the WAF.
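The inline time limit described above can be made concrete with a small simulation, added here as an example that is not part of the original text. The rule names, patterns, per-check costs and sample parameters are constructed assumptions, and the costs are simulated rather than measured.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    name: str
    cost_ms: float       # assumed per-request cost; simulated, not measured
    pattern: re.Pattern


# Constructed rule set, cheapest first. Names, patterns and costs are assumptions.
CHECKS = [
    Check("union-select", 0.3, re.compile(r"\bunion\s+select\b", re.I)),
    Check("stacked-write", 4.0, re.compile(r";\s*(delete|drop|update)\b", re.I)),
]

# Constructed sample parameters with ground truth (True = attack).
SAMPLES = [
    ("42", False),
    ("42 UNION SELECT name, pw FROM users", True),
    ("42; DELETE FROM orders", True),
]


def inspect(param, budget_ms, fail_open):
    """Return (verdict, reason) for one request parameter under a time budget."""
    spent = 0.0
    for check in CHECKS:
        if spent + check.cost_ms > budget_ms:
            # Budget exhausted with checks still pending: the inline WAF must guess.
            verdict = "allow" if fail_open else "block"
            return verdict, f"budget exhausted before {check.name}"
        spent += check.cost_ms
        if check.pattern.search(param):
            return "block", check.name
    return "allow", "all checks passed"


def score(budget_ms, fail_open):
    """Count legitimate requests blocked and attacks allowed for one configuration."""
    false_blocks = missed = 0
    for param, is_attack in SAMPLES:
        verdict, _ = inspect(param, budget_ms, fail_open)
        false_blocks += verdict == "block" and not is_attack
        missed += verdict == "allow" and is_attack
    return {"false_blocks": false_blocks, "missed_attacks": missed}


if __name__ == "__main__":
    for budget, fail_open in [(1.0, True), (1.0, False), (5.0, False)]:
        mode = "fail-open" if fail_open else "fail-closed"
        print(f"{budget} ms {mode}: {score(budget, fail_open)}")
```

With the 1 ms budget the expensive check never runs, so the fail-open configuration lets one attack through and the fail-closed configuration blocks the legitimate request; only the 5 ms budget classifies all three samples correctly.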
The second type inserts the attack detection system inside the web server itself. This has the benefit of not requiring the network to be re-architected or re-configured. However, the WAF system is often complex and many times larger than the web server itself, which can lead to limiting performance of the web server (e.g., using processor or memory resources) or crashing of the web server (e.g., in the event of a problem with the WAF).