Patents by Inventor Galia Diamant

Galia Diamant has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11947694
    Abstract: A method, a computer program product, and a system for implementing a dynamic virtual database honeypot. The method includes relaying a query request received from a database client to a database and receiving, from the database, a response relating to the query request. The method also includes determining the query request is an attack on the database based on session information relating to the database and the database client, generating a honey token based on information contained within the response, generating an alternate response formatted in a same format as the response and containing artificial information that masks the information contained within the response. The method further includes inserting the honey token into the alternate response and transmitting the alternate response to the database client.
    Type: Grant
    Filed: June 29, 2021
    Date of Patent: April 2, 2024
    Assignee: International Business Machines Corporation
    Inventors: Galia Diamant, Richard Ory Jerrell, Chun-Shuo Lin, Wei-Hsiang Hsiung, Cheng-Ta Lee, Wei-Jie Liau
  • Patent number: 11847122
    Abstract: An example operation may include one or more of receiving a set of structured query language (SQL) queries from one or more software applications, generating a set of SQL syntax trees that correspond to the set of SQL queries, identifying a unique subset of SQL syntax trees among the generated set of SQL syntax trees based on previously obtained SQL syntax trees, and transmitting the unique subset of SQL syntax trees to a computing system.
    Type: Grant
    Filed: April 1, 2022
    Date of Patent: December 19, 2023
    Assignee: International Business Machines Corporation
    Inventors: Cheng-Ta Lee, Chun-Shuo Lin, Galia Diamant, Richard Ory Jerrell, Leonid Rodniansky
  • Patent number: 11562095
    Abstract: A database protection system (DPS) mitigates injection attacks. DPS receives an unrestricted database query, extracts a syntax tree, and evaluates whether it recognizes the query. To this end, DPS applies a hash function over the extracted syntax tree, and then determines whether the resulting hash has been seen by DPS before. If so, DPS retrieves a previously-generated prepared statement associated with the syntax tree, and that prepared statement is then forwarded to the database server in lieu of sending the original query. If the syntax tree is not recognized, DPS creates a new prepared statement, generates a hash of the syntax tree, and stores the hash and the new prepared statement, and forwards the new prepared statement. The prepared statements are configured based on the native wire protocol used by the database server, and DPS includes additional functionality by which it can learn the semantics of this protocol if necessary.
    Type: Grant
    Filed: January 28, 2021
    Date of Patent: January 24, 2023
    Assignee: International Business Machines Corporation
    Inventors: Galia Diamant, Leonid Rodniansky, Cheng-Ta Lee, Chun-Shuo Lin, Richard Ory Jerrell
  • Publication number: 20220414245
    Abstract: A method, a computer program product, and a system for implementing a dynamic virtual database honeypot. The method includes relaying a query request received from a database client to a database and receiving, from the database, a response relating to the query request. The method also includes determining the query request is an attack on the database based on session information relating to the database and the database client, generating a honey token based on information contained within the response, generating an alternate response formatted in a same format as the response and containing artificial information that masks the information contained within the response. The method further includes inserting the honey token into the alternate response and transmitting the alternate response to the database client.
    Type: Application
    Filed: June 29, 2021
    Publication date: December 29, 2022
    Inventors: Galia Diamant, Richard Ory Jerrell, Chun-Shuo Lin, Wei-Hsiang Hsiung, Cheng-Ta Lee, Wei-Jie Liau
  • Patent number: 11502855
    Abstract: A method includes retrieving a server certificate from a server in response to a request from a client to negotiate a connection between the client and the server and generating a new server public key and a new client public key in response to the request. The method also includes generating a new server certificate using information in the server certificate. The method further includes signing the new server certificate to produce a new signed server certificate, communicating the new signed server certificate, which includes the new server public key, to the client, and generating a new client certificate using information in a client certificate received from the client. The method also includes signing the new client certificate to produce a new signed client certificate and communicating the new signed client certificate, which includes the new client public key, to the server to establish the connection.
    Type: Grant
    Filed: August 26, 2021
    Date of Patent: November 15, 2022
    Assignee: International Business Machines Corporation
    Inventors: Richard Ory Jerrell, Mae Rockar, Galia Diamant
  • Publication number: 20220237314
    Abstract: A database protection system (DPS) mitigates injection attacks. DPS receives an unrestricted database query, extracts a syntax tree, and evaluates whether it recognizes the query. To this end, DPS applies a hash function over the extracted syntax tree, and then determines whether the resulting hash has been seen by DPS before. If so, DPS retrieves a previously-generated prepared statement associated with the syntax tree, and that prepared statement is then forwarded to the database server in lieu of sending the original query. If the syntax tree is not recognized, DPS creates a new prepared statement, generates a hash of the syntax tree, and stores the hash and the new prepared statement, and forwards the new prepared statement. The prepared statements are configured based on the native wire protocol used by the database server, and DPS includes additional functionality by which it can learn the semantics of this protocol if necessary.
    Type: Application
    Filed: January 28, 2021
    Publication date: July 28, 2022
    Applicant: International Business Machines Corporation
    Inventors: Galia Diamant, Leonid Rodniansky, Cheng-Ta Lee, Chun-Shuo Lin, Richard Ory Jerrell
  • Publication number: 20220222259
    Abstract: An example operation may include one or more of receiving a set of structured query language (SQL) queries from one or more software applications, generating a set of SQL syntax trees that correspond to the set of SQL queries, identifying a unique subset of SQL syntax trees among the generated set of SQL syntax trees based on previously obtained SQL syntax trees, and transmitting the unique subset of SQL syntax trees to a computing system.
    Type: Application
    Filed: April 1, 2022
    Publication date: July 14, 2022
    Inventors: Cheng-Ta Lee, Chun-Shuo Lin, Galia Diamant, Richard Ory Jerrell, Leonid Rodniansky
  • Patent number: 11334569
    Abstract: An example operation may include one or more of receiving a set of structured query language (SQL) queries from one or more software applications, generating a set of SQL syntax trees that correspond to the set of SQL queries, identifying a unique subset of SQL syntax trees among the generated set of SQL syntax trees based on previously obtained SQL syntax trees, and transmitting the unique subset of SQL syntax trees to a computing system.
    Type: Grant
    Filed: January 21, 2020
    Date of Patent: May 17, 2022
    Assignee: International Business Machines Corporation
    Inventors: Cheng-Ta Lee, Chun-Shuo Lin, Galia Diamant, Richard Ory Jerrell, Leonid Rodniansky
  • Patent number: 11283880
    Abstract: Embodiments provide a computer implemented method in a data processing system comprising a processor and a memory including instructions, which are executed by the processor to cause the processor to implement the method of terminating a connection between a database server and a database client through an enforcement point, the method including: continuously monitoring, by the enforcement point, information related to a connection to a database, and parsing one or more queries; continuously comparing, by the enforcement point, the information with a predefined plurality of rules, and checking whether there is a rule violation; if there is a rule violation, assembling, by the enforcement point, a termination packet including an error message indicative of the rule violation; sending, by the enforcement point, the termination packet to the database client; and terminating, by the enforcement point, a connection between the enforcement point and the database client.
    Type: Grant
    Filed: April 15, 2019
    Date of Patent: March 22, 2022
    Assignee: International Business Machines Corporation
    Inventors: Galia Diamant, Richard O. Jerrell, Chun-Shuo Lin, Cheng-Ta Lee
  • Patent number: 11228607
    Abstract: A network protection system (NPS) is augmented to provide additional functionality—preferably within the SSL/TLS connection at the OSI presentation layer—to enable efficient management and handling of security-violating client connections. When the NPS determines to suspend a suspect application client connection, the NPS modifies the request (the TLS encrypted packet) at a random offset to include a random byte value. When the modified request is then received at the server, a TLS decryption error occurs. In response, the server drops the request gracefully and, in particular, a termination response is returned from the server to the NPS, which then passes the termination response back to the requesting client.
    Type: Grant
    Filed: November 9, 2019
    Date of Patent: January 18, 2022
    Assignee: International Business Machines Corporation
    Inventors: Leonid Rodniansky, Viktor Ginzburg, Richard Ory Jerrell, Galia Diamant
  • Publication number: 20210224281
    Abstract: An example operation may include one or more of receiving a set of structured query language (SQL) queries from one or more software applications, generating a set of SQL syntax trees that correspond to the set of SQL queries, identifying a unique subset of SQL syntax trees among the generated set of SQL syntax trees based on previously obtained SQL syntax trees, and transmitting the unique subset of SQL syntax trees to a computing system.
    Type: Application
    Filed: January 21, 2020
    Publication date: July 22, 2021
    Inventors: Cheng-Ta Lee, Chun-Shuo Lin, Galia Diamant, Richard Ory Jerrell, Leonid Rodniansky
  • Publication number: 20210144160
    Abstract: A network protection system (NPS) is augmented to provide additional functionality—preferably within the SSL/TLS connection at the OSI presentation layer—to enable efficient management and handling of security-violating client connections. When the NPS determines to suspend a suspect application client connection, the NPS modifies the request (the TLS encrypted packet) at a random offset to include a random byte value. When the modified request is then received at the server, a TLS decryption error occurs. In response, the server drops the request gracefully and, in particular, a termination response is returned from the server to the NPS, which then passes the termination response back to the requesting client.
    Type: Application
    Filed: November 9, 2019
    Publication date: May 13, 2021
    Applicant: International Business Machines Corporation
    Inventors: Leonid Rodniansky, Viktor Ginzburg, Richard Ory Jerrell, Galia Diamant
  • Publication number: 20200329107
    Abstract: Embodiments provide a computer implemented method in a data processing system comprising a processor and a memory including instructions, which are executed by the processor to cause the processor to implement the method of terminating a connection between a database server and a database client through an enforcement point, the method including: continuously monitoring, by the enforcement point, information related to a connection to a database, and parsing one or more queries; continuously comparing, by the enforcement point, the information with a predefined plurality of rules, and checking whether there is a rule violation; if there is a rule violation, assembling, by the enforcement point, a termination packet including an error message indicative of the rule violation; sending, by the enforcement point, the termination packet to the database client; and terminating, by the enforcement point, a connection between the enforcement point and the database client.
    Type: Application
    Filed: April 15, 2019
    Publication date: October 15, 2020
    Inventors: Galia Diamant, Richard O. Jerrell, Chun-Shuo Lin, Cheng-Ta Lee
  • Patent number: 10742657
    Abstract: Embodiments can provide a computer implemented method in a data processing system including a processor and a memory having instructions, which are executed by the processor to cause the processor to implement the method for accessing a shared resource. The method includes the following steps: identifying a process having elevated privileges as a background process; providing an authorized user list including at least one user identification number; providing a communication endpoint connectable to a user or a program; receiving a user identification number of the user or the program through the communication endpoint; checking whether the user identification number is in the authorized user list. If the user identification number is in the list, a file descriptor associated with the shared resource is provided; and the file descriptor is transferred to the user or the program through the communication endpoint.
    Type: Grant
    Filed: July 11, 2018
    Date of Patent: August 11, 2020
    Assignee: International Business Machines Corporation
    Inventors: Richard O. Jerrell, Paul Spencer, Galia Diamant
  • Publication number: 20200021592
    Abstract: Embodiments can provide a computer implemented method in a data processing system including a processor and a memory having instructions, which are executed by the processor to cause the processor to implement the method for accessing a shared resource. The method includes the following steps: identifying a process having elevated privileges as a background process; providing an authorized user list including at least one user identification number; providing a communication endpoint connectable to a user or a program; receiving a user identification number of the user or the program through the communication endpoint; checking whether the user identification number is in the authorized user list. If the user identification number is in the list, a file descriptor associated with the shared resource is provided; and the file descriptor is transferred to the user or the program through the communication endpoint.
    Type: Application
    Filed: July 11, 2018
    Publication date: January 16, 2020
    Inventors: Richard O. Jerrell, Paul Spencer, Galia Diamant
  • Patent number: 9069628
    Abstract: The techniques herein provide for “time-shifting” of intercepted system calls to enable a one-to-many (1:n) or a many-to-one (n:1) mapping of intercepted-to-real system calls. Any action that needs to be applied on the logical boundaries of the data (instead of the physical boundaries) presented upon system call interception spools (buffers) the data before taking the action and then unspools the result when finished. The action may be quite varied, e.g., examining the data, redacting the data, changing the data, restricting the data, processing the data, and updating the data, among others. The technique may be implemented in a database access control system.
    Type: Grant
    Filed: April 10, 2013
    Date of Patent: June 30, 2015
    Assignee: International Business Machines Corporation
    Inventors: Richard Ory Jerrell, Ury Segal, Galia Diamant
  • Publication number: 20140310727
    Abstract: The techniques herein provide for “time-shifting” of intercepted system calls to enable a one-to-many (1:n) or a many-to-one (n:1) mapping of intercepted-to-real system calls. Any action that needs to be applied on the logical boundaries of the data (instead of the physical boundaries) presented upon system call interception spools (buffers) the data before taking the action and then unspools the result when finished. The action may be quite varied, e.g., examining the data, redacting the data, changing the data, restricting the data, processing the data, and updating the data, among others. The technique may be implemented in a database access control system.
    Type: Application
    Filed: April 10, 2013
    Publication date: October 16, 2014
    Applicant: International Business Machines Corporation
    Inventors: Richard Ory Jerrell, Ury Segal, Galia Diamant