Abstract: One or more computer processors determine a runtime feature set for a first container, wherein the runtime feature set includes aggregated temporally collocated container behavior. The one or more computer processors cluster the first container with one or more peer containers or peer pods based on a shared container purpose, similar container behaviors, and similar container file structure. The one or more computer processors determine an additional runtime feature set for each peer container. The one or more computer processors calculate a variance between the first container and each peer container. The one or more computer processors, responsive to the calculated variance exceeding a variance threshold, identify the first container as anomalous.

Abstract: Context information of a handshake between a source entity and a target entity is obtained at a security proxy. The context information is transmitted from the security proxy to a key manager. The key manager maintains a first private key of the security proxy. A first handshake message is received from the key manager. The first handshake message is generated at least based on the context information and signed with the first private key. The first handshake message is then transmitted to the target entity.

Abstract: A method, a computer program product, and a system for implementing a dynamic virtual database honeypot. The method includes relaying a query request received from a database client to a database and receiving, from the database, a response relating to the query request. The method also includes determining the query request is an attack on the database based on session information relating to the database and the database client, generating a honey token based on information contained within the response, generating an alternate response formatted in a same format as the response and containing artificial information that masks the information contained within the response. The method further includes inserting the honey token into the alternate response and transmitting the alternate response to the database client.

Abstract: An example operation may include one or more of receiving a set of structured query language (SQL) queries from one or more software applications, generating a set of SQL syntax trees that correspond to the set of SQL queries, identifying a unique subset of SQL syntax trees among the generated set of SQL syntax trees based on previously obtained SQL syntax trees, and transmitting the unique subset of SQL syntax trees to a computing system.

Abstract: One or more computer processors determine a runtime feature set for a first container, wherein the runtime feature set includes aggregated temporally collocated container behavior. The one or more computer processors cluster the first container with one or more peer containers or peer pods based on a shared container purpose, similar container behaviors, and similar container file structure. The one or more computer processors determine an additional runtime feature set for each peer container. The one or more computer processors calculate a variance between the first container and each peer container. The one or more computer processors, responsive to the calculated variance exceeding a variance threshold, identify the first container as anomalous.

Abstract: A database protection system (DPS) mitigates injection attacks. DPS receives an unrestricted database query, extract a syntax tree, and evaluates whether it recognizes the query. To this end, DPS applies a hash function over the extracted syntax tree, and then determines whether the resulting hash has been seen by DPS before. If so, DPS retrieves a previously-generated prepared statement associated with the syntax tree, and that prepared statement is then forward to the database server in lieu of sending the original query. If the syntax tree is not recognized, DPS creates a new prepared statement, generates a hash of the syntax tree, and stores the hash and the new prepared statement, and forwards the new prepared statement. The prepared statements are configured based on the native wire protocol used by the database server, and DPS includes additional functionality by which it can learn the semantics of this protocol if necessary.

Abstract: A method, a computer program product, and a system for implementing a dynamic virtual database honeypot. The method includes relaying a query request received from a database client to a database and receiving, from the database, a response relating to the query request. The method also includes determining the query request is an attack on the database based on session information relating to the database and the database client, generating a honey token based on information contained within the response, generating an alternate response formatted in a same format as the response and containing artificial information that masks the information contained within the response. The method further includes inserting the honey token into the alternate response and transmitting the alternate response to the database client.

Abstract: A database protection system (DPS) mitigates injection attacks. DPS receives an unrestricted database query, extract a syntax tree, and evaluates whether it recognizes the query. To this end, DPS applies a hash function over the extracted syntax tree, and then determines whether the resulting hash has been seen by DPS before. If so, DPS retrieves a previously-generated prepared statement associated with the syntax tree, and that prepared statement is then forward to the database server in lieu of sending the original query. If the syntax tree is not recognized, DPS creates a new prepared statement, generates a hash of the syntax tree, and stores the hash and the new prepared statement, and forwards the new prepared statement. The prepared statements are configured based on the native wire protocol used by the database server, and DPS includes additional functionality by which it can learn the semantics of this protocol if necessary.

Abstract: An example operation may include one or more of receiving a set of structured query language (SQL) queries from one or more software applications, generating a set of SQL syntax trees that correspond to the set of SQL queries, identifying a unique subset of SQL syntax trees among the generated set of SQL syntax trees based on previously obtained SQL syntax trees, and transmitting the unique subset of SQL syntax trees to a computing system.

Abstract: Context information of a handshake between a source entity and a target entity is obtained at a security proxy. The context information is transmitted from the security proxy to a key manager. The key manager maintains a first private key of the security proxy. A first handshake message is received from the key manager. The first handshake message is generated at least based on the context information and signed with the first private key. The first handshake message is then transmitted to the target entity.

Abstract: An example operation may include one or more of receiving a set of structured query language (SQL) queries from one or more software applications, generating a set of SQL syntax trees that correspond to the set of SQL queries, identifying a unique subset of SQL syntax trees among the generated set of SQL syntax trees based on previously obtained SQL syntax trees, and transmitting the unique subset of SQL syntax trees to a computing system.

Abstract: A source code analysis tool is augmented to support rule-based analysis of code to attempt to identify certain lexical information indicative of hard-coded secret (e.g., password) support in the code. The tool takes the source code as input, parses the content with a lexical analyzer based on language grammar, and processes the resulting data through preferably a pair of rule-based engines. Preferably, one engine is configured to identify variables explicitly intended to be used as a hard-coded secret, and the other engine is configured to identify data strings that could potentially support such a secret. The outputs of these rules engines are consolidated and evaluated to identify a likelihood that the code under examination includes support for a hard-coded secret. The result is then provided to the developer for further action to address any potential security vulnerability identified by the analysis.

Abstract: Embodiments provide a computer implemented method in a data processing comprising a processor and a memory including instructions, which are executed by the processor to cause the processor to implement the method of terminating a connection between a database server and a database client through an enforcement point, the method including: continuously monitoring, by the enforcement point, information related to a connection to a database, and parsing one or more queries; continuously comparing, by the enforcement point, the information with a predefined plurality of rules, and checking whether there is a rule violation; if there is a rule violation, assembling, by the enforcement point, a termination packet including an error message indicative of the rule violation; sending, by the enforcement point, the termination packet to the database client; and terminating, by the enforcement point, a connection between the enforcement point and the database client.

Abstract: A network-based appliance includes a mechanism to set-up and selectively use an “out-of-band” encryption channel. The mechanism comprises a packet parser, and a packet dispatcher, and it is integrated with an existing network layer stack that typically is not visible to host applications. In lieu of simply encrypting all data it receives, the mechanism instead analyzes one or more attributes, e.g., protocol type, application type, current encryption strength, content payload, etc., associated with a packet transmission to determine whether further encryption is required. The evaluation may include a deep packet inspection (DPI) when the information at the network layer (e.g., IP address, port number, etc.) is not sufficient to determine if the payload in the packet needs to be further encrypted. Based on the result of the analysis, packets are dispatched to the encryption channel as and when necessary.

Abstract: Embodiments can provide a computer implemented method in a data processing system comprising a processor and a memory comprising instructions, which are executed by the processor to cause the processor to implement a system for network protection, the method comprising determining, by the processor, if an incoming connection comprising one or more packets has a false latency larger than a trigger latency; determining, by the processor, if an attack is currently in progress; and if the attack is in progress, injecting, by the processor, at least one of the one or more packets of the incoming connection or one or more packets of an outgoing connection with a false latency.

Abstract: A network-based appliance includes a mechanism to set-up and selectively use an “out-of-band” encryption channel. The mechanism comprises a packet parser, and a packet dispatcher, and it is integrated with an existing network layer stack that typically is not visible to host applications. In lieu of simply encrypting all data it receives, the mechanism instead analyzes one or more attributes, e.g., protocol type, application type, current encryption strength, content payload, etc., associated with a packet transmission to determine whether further encryption is required. The evaluation may include a deep packet inspection (DPI) when the information at the network layer (e.g., IP address, port number, etc.) is not sufficient to determine if the payload in the packet needs to be further encrypted. Based on the result of the analysis, packets are dispatched to the encryption channel as and when necessary.

Abstract: An example operation may include one or more of receiving a set of structured query language (SQL) queries from one or more software applications, generating a set of SQL syntax trees that correspond to the set of SQL queries, identifying a unique subset of SQL syntax trees among the generated set of SQL syntax trees based on previously obtained SQL syntax trees, and transmitting the unique subset of SQL syntax trees to a computing system.

Abstract: A source code analysis tool is augmented to support rule-based analysis of code to attempt to identify certain lexical information indicative of hard-coded secret (e.g., password) support in the code. The tool takes the source code as input, parses the content with a lexical analyzer based on language grammar, and processes the resulting data through preferably a pair of rule-based engines. Preferably, one engine is configured to identify variables explicitly intended to be used as a hard-coded secret, and the other engine is configured to identify data strings that could potentially support such a secret. The outputs of these rules engines are consolidated and evaluated to identify a likelihood that the code under examination includes support for a hard-coded secret. The result is then provided to the developer for further action to address any potential security vulnerability identified by the analysis.

Abstract: Embodiments provide a computer implemented method in a data processing comprising a processor and a memory including instructions, which are executed by the processor to cause the processor to implement the method of terminating a connection between a database server and a database client through an enforcement point, the method including: continuously monitoring, by the enforcement point, information related to a connection to a database, and parsing one or more queries; continuously comparing, by the enforcement point, the information with a predefined plurality of rules, and checking whether there is a rule violation; if there is a rule violation, assembling, by the enforcement point, a termination packet including an error message indicative of the rule violation; sending, by the enforcement point, the termination packet to the database client; and terminating, by the enforcement point, a connection between the enforcement point and the database client.

Abstract: A method, computer system, and a computer program product for verification and authentication in a microservice framework is provided. The present invention may include configuring a container within a microservice framework. The present invention may also include receiving a generated salt file. The present invention may then include injecting the salt file into the container. The present invention may further include hashing the container image and the salt file.