Abstract: Embodiments are disclosed for a method for identifying large database transactions. The method includes generating a token marker sequence of a database transaction. The token marker sequence includes multiple token markers. The token markers include a token of the database transaction and a position corresponding to the token. The method further includes sorting the token markers based on a probability that the token occurs in a stream of database transactions. Additionally, the method includes reducing a size of the token marker sequence based on a predetermined threshold.

Abstract: A security system that monitors requests to a protected resource is configured to determine that a syntactically-invalid language statement in a request is one that should be treated as a “security high risk” statement (SHRS) because it has a probability of containing sensitive data. A machine language that defines the structure and syntax of the language statements used by a client-server application may have multiple SHRSs. SHRSs are identified in advance by syntactical analysis of the language statements that comprise the machine language. The security system stores (or can otherwise obtain) a representation of each of the set of these high risk statements. In response to detecting that a request has a syntactically-invalid language statement, the system determines whether the invalid language statement has a measure of similarity sufficiently close to any of statement in the SHRS set. Upon a positive determination, an appropriate security action is taken to ensure sensitive data is not exposed.

Abstract: A mechanism is provided for monitoring and controlling data access. Responsive to intercepting a response from a server to a request for information from a client device, a security system agent applies pattern matching using a predefined set of sensitive data pattern rules to identify at least one sensitive data access included in the response. Responsive to identifying at least one sensitive data access matching one or more of the predefined set of sensitive data pattern rules, the security system agent modifies that the request from the client by marking the at least one sensitive data access as sensitive thereby forming a modified request. The security system agent sends the modified request to the security system thereby causing the security system to process the modified request without access the sensitive data associated with the at least one marked sensitive data access.

Abstract: A database protection system (DPS) detects anomalies in real time without reliance on discrete security rules, instead relying on a machine learning-based approach. In particular, a Bayesian machine learning model is trained on a set of database protocol metadata (DPM) that the system collects during its runtime operation. Typically, a set of DPM parameters is protocol-specific. The approach herein presumes that DPM parameters are not independent, and that their conditional dependencies (as observed from the database connections) can be leveraged for anomaly detection. To that end, the machine learning model is trained to detect dominant (repeating) patterns of connection DPM parameters. Once trained, the model is then instantiated in the DPS and used to facilitate anomaly detection by identifying connections that do not conform to these patterns, i.e. that represent unusual connection DPM parameters.

Abstract: A mechanism is provided for monitoring and controlling data access. Responsive to intercepting a response from a server to a request for information from a client device, a security system agent applies pattern matching using a predefined set of sensitive data pattern rules to identify at least one sensitive data access included in the response. Responsive to identifying at least one sensitive data access matching one or more of the predefined set of sensitive data pattern rules, the security system agent modifies that the request from the client by marking the at least one sensitive data access as sensitive thereby forming a modified request. The security system agent sends the modified request to the security system thereby causing the security system to process the modified request without access the sensitive data associated with the at least one marked sensitive data access.

Abstract: A database protection system (DPS) detects anomalies in real time without reliance on discrete security rules, instead relying on a machine learning-based approach. In particular, a Bayesian machine learning model is trained on a set of database protocol metadata (DPM) that the system collects during its runtime operation. Typically, a set of DPM parameters is protocol-specific. The approach herein presumes that DPM parameters are not independent, and that their conditional dependencies (as observed from the database connections) can be leveraged for anomaly detection. To that end, the machine learning model is trained to detect dominant (repeating) patterns of connection DPM parameters. Once trained, the model is then instantiated in the DPS and used to facilitate anomaly detection by identifying connections that do not conform to these patterns, i.e. that represent unusual connection DPM parameters.

Abstract: Embodiments are disclosed for a method for identifying large database transactions. The method includes generating a token marker sequence of a database transaction. The token marker sequence includes multiple token markers. The token markers include a token of the database transaction and a position corresponding to the token. The method further includes sorting the token markers based on a probability that the token occurs in a stream of database transactions. Additionally, the method includes reducing a size of the token marker sequence based on a predetermined threshold.

Abstract: A security system that monitors requests to a protected resource is configured to determine that a syntactically-invalid language statement in a request is one that should be treated as a “security high risk” statement (SHRS) because it has a probability of containing sensitive data. A machine language that defines the structure and syntax of the language statements used by a client-server application may have multiple SHRSs. SHRSs are identified in advance by syntactical analysis of the language statements that comprise the machine language. The security system stores (or can otherwise obtain) a representation of each of the set of these high risk statements. In response to detecting that a request has a syntactically-invalid language statement, the system determines whether the invalid language statement has a measure of similarity sufficiently close to any of statement in the SHRS set. Upon a positive determination, an appropriate security action is taken to ensure sensitive data is not exposed.