1. Field of the Invention
The present invention relates generally to a method and system for tracking and analyzing changes in an application. More particularly, the invention relates to detecting modifications in an application that may be the result of malicious or unauthorized activity, including the creation of backdoors, Trojan horses, and viruses. The invention also provides a method of determining what objects may have been modified in unauthorized ways by developers, administrators, attackers, or end users.
2. Description of Related Art
Organizations have traditionally monitored their networks at the perimeter and at the operating system level to catch attacks. Unfortunately, in an ever-changing world, perimeter security has failed to provide adequate security. Modern networks are too complex to expect perimeter security to hold up. Organizations are forced to open up their networks to business partners and customers, making perimeter security obsolete.
Attackers have traditionally gone after network infrastructure, including such devices as routers, virtual private networks (VPNs), and firewalls. While it was unfortunate when an attacker was able to break into one of these pieces of network infrastructure, the damage caused was never particularly crippling to the workings of the organization because these devices did not contain critical business data. The worst-case scenario was that passwords would need to be reset, patches would need to be installed, and the hardware would need to be reset. Attackers have gradually become more sophisticated and have begun to direct their attention to a different target: the application.
One important aspect of security is being able to detect when an attack has been successful and when some unauthorized action is successful. A successful attacker will typically install backdoors, Trojan horses, viruses, or other malware into an application in order to gather additional data or provide further access to the application. This type of malicious activity can be detected by monitoring critical components of the application and watching for changes to components that should not necessarily change. For instance, when a system stored procedure in a database is modified, the administrator or security officer for the database should be made aware that a modification to a critical system object has occurred. The administrator or security officer should then be able to review the change and roll it back if it is not authorized.
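The monitoring described above, sketched as an added example that is not part of the original text: it records a hashed baseline of a database's code objects and reports what was added, removed, or modified afterwards. It assumes SQLite views and triggers as stand-ins for stored procedures (SQLite has none); the function names and the sample schema are constructed for illustration.

```python
import hashlib
import sqlite3

def snapshot(conn):
    """Map (type, name) -> SHA-256 of each code object's definition text."""
    rows = conn.execute(
        "SELECT type, name, sql FROM sqlite_master "
        "WHERE type IN ('view', 'trigger') AND sql IS NOT NULL"
    )
    return {(t, n): hashlib.sha256(s.encode()).hexdigest() for t, n, s in rows}

def diff_snapshots(baseline, current):
    """Report objects added, removed, or modified since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        # Any textual difference counts, including whitespace-only edits.
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }

def demo():
    """Build a constructed schema, take a baseline, change it, and diff."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE accounts(id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER);
        CREATE TABLE audit_log(account_id INTEGER, old_balance INTEGER);
        CREATE VIEW v_accounts AS SELECT id, owner FROM accounts;
        CREATE TRIGGER trg_audit AFTER UPDATE ON accounts
        BEGIN
            INSERT INTO audit_log VALUES (OLD.id, OLD.balance);
        END;
    """)
    baseline = snapshot(conn)  # taken while the objects are known-good

    # Constructed changes made after the baseline: one object redefined,
    # one dropped, one newly created.
    conn.executescript("""
        DROP VIEW v_accounts;
        CREATE VIEW v_accounts AS SELECT id, owner, balance FROM accounts;
        DROP TRIGGER trg_audit;
        CREATE VIEW v_balances AS SELECT id, balance FROM accounts;
    """)
    return diff_snapshots(baseline, snapshot(conn))

if __name__ == "__main__":
    for kind, objects in demo().items():
        print(kind, objects)
```

Each reported object is a candidate for the review and rollback step; keeping the baseline outside the monitored database prevents whoever changed the object from also rewriting the record of its known-good state.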