The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section.
Intrusion detection systems are software components used to detect anomalous behavior or misuse of resources in a network and its elements. Currently available intrusion detection systems provide various auditing, monitoring, alerting, and reporting features. However, these systems are passive: they detect anomalous behavior or security breaches but generally do nothing in real time to prevent such behavior or breaches from occurring.
Currently available intrusion detection systems form an integral part of information security solutions for large enterprises. These systems are generally deployed at the network/packet level to detect intrusions by outside attackers. However, most security breaches and resource misuse in large enterprises are now committed by enterprise personnel who have at least some legitimate access to the enterprise computer network. Currently available intrusion detection systems are ineffective at, and are generally not suitable for, detecting subtle attacks or anomalous behavior initiated by enterprise personnel from within the enterprise network.
One of the most sensitive areas of an enterprise network is the enterprise database system, because it stores and manages information of crucial importance to the enterprise. Enterprise database systems are increasingly Internet-enabled, because Internet connectivity allows greater sharing of information, which in turn raises enterprise productivity. However, Internet-enabling database systems has repeatedly led to information security breaches, because the Internet is the source from which numerous security attacks and exploits have been launched.
For example, one information security vulnerability that surfaced recently is a simple buffer overflow in a widely used database server program. This vulnerability was exploited by the SQL Slammer worm, which compromised database servers at several financial institutions before database administrators could apply corrective measures. The episode also highlighted that lapses in software applications and middle tiers built on top of database systems leave the information stored in a database vulnerable: while database systems are designed to deny unauthorized access to stored information, they generally provide no further protection once an attacker has obtained access by acquiring a valid username/password combination.
Zero-day exploits target the window of time between when a vulnerability is discovered and when a patch for it is released. Generally, very few security systems provide support for preventing zero-day exploits. More specifically, no database system currently provides support for preventing zero-day exploits where the database system itself, as opposed to a security system or a middle-tier security application residing outside the database system, provides the support. The support currently provided at the database system level is for detection only, and it is passive, since all provided measures are taken after an attack has occurred. Thus, database systems currently do not provide support for real-time prevention of zero-day exploits.
One available non-real-time approach to preventing zero-day exploits at the database system level is to examine each Structured Query Language (SQL) statement before it enters the database engine in order to determine its validity. For example, after a database vulnerability is announced and until a patch for it is released, system administrators may examine the SQL statements directed at their databases to ensure that none are malicious. This approach may not prevent all attacks, because system administrators may not be familiar with the database structure and may be unable to distinguish a malicious statement from a legitimate one. Moreover, manual examination is practically impossible in high-end database systems that service a heavy SQL statement load and must provide fast response times. Furthermore, this approach may not prevent every form of attack, because a SQL statement may be recursive, may access multiple tables, or may seek access to system-wide information, so that the system administrator cannot determine whether the statement is malicious just by looking at the statement itself.
Another available non-real-time approach to preventing zero-day exploits at the database system level involves generating and inspecting database security logs and audit records. For example, after a database vulnerability is announced and until a patch for it is released, a human security expert may have to go through the database system logs and audit records and periodically mine the audit trails to confirm that no intrusion has occurred. This approach depends entirely on the skill and expertise of the human expert. Furthermore, while it does provide intrusion detection, it cannot prevent attacks as they occur.
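The following Python example is added here to make the two approaches above concrete; it is not part of this disclosure and does not describe any particular database product. It automates the first approach (screening each SQL statement before it reaches the engine for the cases a human reviewer struggles with: system catalog access, many tables, recursion, stacked statements, and tautological predicates) and the second approach (mining an audit trail after the fact), sharing one object-name extraction helper. The policy constants, the list of system objects, the per-user baselines, and the audit records are constructed for illustration, and the regular-expression table extraction is an approximation of what an in-engine gate would obtain from its own parser.

```python
from __future__ import annotations
import re

# Hypothetical policy for this example: catalog objects that an ordinary
# application account has no legitimate reason to read.
SYSTEM_OBJECTS = {
    "sys.tables", "sys.columns", "sys.syslogins",
    "information_schema.tables", "information_schema.columns",
    "pg_catalog.pg_shadow", "mysql.user",
}
MAX_TABLES = 3  # assumed per-statement limit for the application in question

# Object names after FROM/JOIN/INTO/UPDATE. A regular expression is an
# approximation; a gate inside the engine would use the engine's parser.
_TABLE_REF = re.compile(r"\b(?:from|join|into|update)\s+([A-Za-z_][\w.]*)", re.I)
_STACKED = re.compile(r";\s*[A-Za-z]")                  # a second statement after ';'
_RECURSIVE = re.compile(r"\bwith\s+recursive\b", re.I)
_TAUTOLOGY = re.compile(r"\bor\s+('?\w+'?)\s*=\s*\1(?!\w)", re.I)  # OR 1=1, OR 'a'='a'


def referenced_tables(sql: str) -> set[str]:
    """Lower-cased names of the objects a statement reads or writes."""
    return {name.lower() for name in _TABLE_REF.findall(sql)}


def screen_statement(sql: str) -> list[str]:
    """Pre-execution check, run before the statement reaches the engine.

    Returns the policy violations found; an empty list means the statement
    may proceed. Each check corresponds to one of the cases the text says a
    human reviewer cannot resolve by looking at the statement alone.
    """
    reasons = []
    tables = referenced_tables(sql)
    system_hits = sorted(tables & SYSTEM_OBJECTS)
    if system_hits:
        reasons.append("system object access: " + ", ".join(system_hits))
    if len(tables) > MAX_TABLES:
        reasons.append(f"{len(tables)} tables referenced (limit {MAX_TABLES})")
    if _RECURSIVE.search(sql):
        reasons.append("recursive query")
    if _STACKED.search(sql):
        reasons.append("stacked statements")
    if _TAUTOLOGY.search(sql):
        reasons.append("tautology in predicate")
    return reasons


def mine_audit(records: list[dict], baseline: dict[str, set[str]]) -> list[str]:
    """Post-execution review of audit records of the form {"user": ..., "sql": ...}.

    Flags (a) statements the real-time screen would have blocked and
    (b) users touching objects outside their historical baseline. This is
    detection only: every statement examined here has already executed.
    """
    findings = []
    for index, record in enumerate(records):
        user, sql = record["user"], record["sql"]
        for reason in screen_statement(sql):
            findings.append(f"#{index} {user}: {reason}")
        novel = referenced_tables(sql) - baseline.get(user, set())
        if novel:
            findings.append(f"#{index} {user}: first access to " + ", ".join(sorted(novel)))
    return findings


# Constructed sample audit trail and per-user baselines (not real data).
SAMPLE_AUDIT = [
    {"user": "app_svc", "sql": "SELECT id, total FROM orders WHERE customer_id = 42"},
    {"user": "app_svc", "sql": "SELECT o.id FROM orders o JOIN customers c ON c.id = o.customer_id"},
    {"user": "app_svc", "sql": "SELECT name FROM sys.syslogins"},
    {"user": "report_ro", "sql": "SELECT 1 FROM orders WHERE id = 1 OR 1=1; DROP TABLE audit_log"},
]
BASELINE = {"app_svc": {"orders", "customers"}, "report_ro": {"sales_summary"}}

if __name__ == "__main__":
    # Real-time gate: what each statement would get before execution.
    for record in SAMPLE_AUDIT:
        verdict = screen_statement(record["sql"]) or ["allow"]
        print(f"{record['user']:10} {verdict}")
    # Post-hoc audit mining over the same trail.
    print("\n".join(mine_audit(SAMPLE_AUDIT, BASELINE)))
```

Run against the constructed trail, the gate allows the first two statements and rejects the catalog read and the stacked, tautological statement, while the audit pass additionally reports that `report_ro` touched `orders` for the first time. The two functions illustrate the distinction the text draws: `screen_statement` can refuse a statement before it executes, whereas `mine_audit` can only report what has already happened.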
Based on the foregoing, there is clearly a need for techniques for real-time prevention of security exploits in database systems. Also needed are intrusion prevention techniques that are effective in detecting and preventing a wide variety of attacks and that overcome the shortcomings of the approaches described above.