The accessibility and convenience of the Internet rapidly changed the way people access information. The World Wide Web (“WWW”), usually referred to as “the web”, is the most popular means for retrieving information on the Internet. The web gives users access to practically an infinite number of resources, such as interlinked hypertext documents accessed by, for example, a hyper text transfer protocol (HTTP) from servers located around the world.
Enterprises and organizations expose their business information and functionality on the web through software applications, usually referred to as “web applications”. The web applications use the Internet technologies and infrastructures. A typical web application uses a backend database to store application data. The backend database is accessed through some proprietary network protocol carrying Structured Query Language commands.
The web applications provide great opportunities for an organization. However, at the same time these applications are vulnerable to attack from malicious, irresponsible, or criminally minded individuals. In the related art, an effective protection of web applications is achieved by means of application level security systems. Such systems prevent attacks by restricting the network level access to the web applications, based on the applications' attributes. Specifically, the security systems constantly monitor requests received at interfaces and application components, gather application requests from these interfaces, correlate the application requests, and match them against predetermined application profiles. These profiles include attributes that determine the normal behavior of the protected application. If one or more application requests do not match the application profile, an irregular event is generated, and then an alert indicating a potential attack is produced.
Typically, web applications use a backend database and a single application account to access the database. Consequently, any web oriented or database oriented security mechanism is not able to correctly establish the web application context (e.g., a URL, a sessionID, or a UserID) in which a request to the database is made. There are numerous consequences to this inability. First, regulatory requirements demand that any access to sensitive information in the database must be attributed to a single actual user. Complying with these regulations is impossible given separate web and database security mechanisms. This should not be viewed as merely a regulatory burden. The ability to correlate any database access with a specific user is crucial for pinpointing an attacker either in real-time or during forensic analysis. Moreover, the number of false alarms issued on SQL injection attacks by such systems is relatively high. As for another example, the security systems cannot provide information about users who made changes to the database.