Abstract: An approach is disclosed for processing one or more HTTP requests and responses, by a protection solution, where a version of the plurality of HTTP requests and responses is at least version 2. When an HTTP settings request is detected in the one or more HTTP requests, by the protection solution, a protected dynamic dictionary is allocated in a protected memory area and an allocation of an application dynamic dictionary in application space in an HTTP server is prevented. When an HTTP header request is detected in the one or more HTTP requests, fields of the HTTP header are decompressed into the protected dynamic dictionary, the HTTP header request is updated to form an updated header request based on content in the protected dynamic dictionary, and the updated header request is sent to the HTTP server.

Abstract: Techniques for identifying outlier application connections for computer security are described. These techniques include identifying one or more connections between a client application and one or more services, over a communication network, and determining to switch from an outlier connection learning phase to an outlier connection detection phase based on the identified or more connections, including determining, in real-time and based on a confidence level and a number of previously analyzed connections, to switch to the outlier connection detection phase. The techniques further include determining, based on the switch to the outlier connection detection phase, that a first connection of the identified one or more connections is an outlier connection, and acting to reduce a security risk relating to the first connection.

Abstract: Embodiments are disclosed for a method for identifying large database transactions. The method includes generating a token marker sequence of a database transaction. The token marker sequence includes multiple token markers. The token markers include a token of the database transaction and a position corresponding to the token. The method further includes sorting the token markers based on a probability that the token occurs in a stream of database transactions. Additionally, the method includes reducing a size of the token marker sequence based on a predetermined threshold.

Abstract: A mechanism is provided for monitoring and controlling data access. Responsive to intercepting a response from a server to a request for information from a client device, a security system agent applies pattern matching using a predefined set of sensitive data pattern rules to identify at least one sensitive data access included in the response. Responsive to identifying at least one sensitive data access matching one or more of the predefined set of sensitive data pattern rules, the security system agent modifies that the request from the client by marking the at least one sensitive data access as sensitive thereby forming a modified request. The security system agent sends the modified request to the security system thereby causing the security system to process the modified request without access the sensitive data associated with the at least one marked sensitive data access.

Abstract: A database protection system (DPS) detects anomalies in real time without reliance on discrete security rules, instead relying on a machine learning-based approach. In particular, a Bayesian machine learning model is trained on a set of database protocol metadata (DPM) that the system collects during its runtime operation. Typically, a set of DPM parameters is protocol-specific. The approach herein presumes that DPM parameters are not independent, and that their conditional dependencies (as observed from the database connections) can be leveraged for anomaly detection. To that end, the machine learning model is trained to detect dominant (repeating) patterns of connection DPM parameters. Once trained, the model is then instantiated in the DPS and used to facilitate anomaly detection by identifying connections that do not conform to these patterns, i.e. that represent unusual connection DPM parameters.

Abstract: A mechanism is provided for monitoring and controlling data access. Responsive to intercepting a response from a server to a request for information from a client device, a security system agent applies pattern matching using a predefined set of sensitive data pattern rules to identify at least one sensitive data access included in the response. Responsive to identifying at least one sensitive data access matching one or more of the predefined set of sensitive data pattern rules, the security system agent modifies that the request from the client by marking the at least one sensitive data access as sensitive thereby forming a modified request. The security system agent sends the modified request to the security system thereby causing the security system to process the modified request without access the sensitive data associated with the at least one marked sensitive data access.

Abstract: A database protection system (DPS) is configured to dynamically-optimize security rule validation throughput based on evaluating resource consumption data collected from prior validations. In particular, the DPS analyzes collected resource consumption information and determines which security rules in a set should then be active. To this end, the DPS is configured with multiple security rules engines (SREs), and each is configured to evaluate the same set of security rules. When an SRE applies a validation (to a request or response flow), an associated collector collects and analyzes associated resource consumption data. This data is provided to an optimizer, which receives similar resource consumption data from other SREs. Based on the resource consumption data collected from the SRE collector(s), the optimizer dynamically optimizes security rules validation in real-time, e.g., by dynamically switching on or off given security rule(s) in the set of security rules at given one(s) of the SREs.

Abstract: A network protection system (NPS) is augmented to determine and apply security information for a host on a network. The NPS is configured to monitor the host. In response to an occurrence, e.g., the host requesting a network host address, the NPS dynamically determines the security information and encodes it in a portion of the IP address that is assigned. The particular portion of the IP address that is configured for the security information is identified according to variable-length subnet masking (VLSM) notation and, in particular, by including an additional host identifier subdivision that identifies the portion that carries the relevant security data. The security information (e.g., a rank) is encoded in a bitmask. An IP address that has been extended in this manner is then provided on the network, where it is readily-evaluated by other applications and systems that recover the security information by simply applying the bitmask to the IP address.

Abstract: A database protection system (DPS) detects anomalies in real time without reliance on discrete security rules, instead relying on a machine learning-based approach. In particular, a Bayesian machine learning model is trained on a set of database protocol metadata (DPM) that the system collects during its runtime operation. Typically, a set of DPM parameters is protocol-specific. The approach herein presumes that DPM parameters are not independent, and that their conditional dependencies (as observed from the database connections) can be leveraged for anomaly detection. To that end, the machine learning model is trained to detect dominant (repeating) patterns of connection DPM parameters. Once trained, the model is then instantiated in the DPS and used to facilitate anomaly detection by identifying connections that do not conform to these patterns, i.e. that represent unusual connection DPM parameters.

Abstract: A database protection system (DPS) is augmented to enable efficient handling of security-violating database client connections. To this end, when the DPS determines to suspend a suspect database client connection several actions are taken. The DPS drops the request and sends a database protocol-specific message to the database server; upon receiving an acknowledgment, the DPS closes the associated transport layer connection mechanism The DPS then initiates an interaction with the client, preferably an exchange of periodic messages (e.g., keep-alive messages) configured to maintain the client in a suspended state. While in this state, the client does not detect any problem with the application or the connection and thus does not try to reconnect to the database server. The DPS then performs an additional assessment/investigation of the violation even as the connection remains open, but suspended. Further action is then taken depending on the results of this evaluation.

Abstract: Embodiments are disclosed for a method for identifying large database transactions. The method includes generating a token marker sequence of a database transaction. The token marker sequence includes multiple token markers. The token markers include a token of the database transaction and a position corresponding to the token. The method further includes sorting the token markers based on a probability that the token occurs in a stream of database transactions. Additionally, the method includes reducing a size of the token marker sequence based on a predetermined threshold.

Abstract: A network protection system (NPS) is augmented to determine and apply security information for a host on a network. The NPS is configured to monitor the host. In response to an occurrence, e.g., the host requesting a network host address, the NPS dynamically determines the security information and encodes it in a portion of the IP address that is assigned. The particular portion of the IP address that is configured for the security information is identified according to variable-length subnet masking (VLSM) notation and, in particular, by including an additional host identifier subdivision that identifies the portion that carries the relevant security data. The security information (e.g., a rank) is encoded in a bitmask. An IP address that has been extended in this manner is then provided on the network, where it is readily-evaluated by other applications and systems that recover the security information by simply applying the bitmask to the IP address.

Abstract: A database protection system (DPS) is configured to dynamically-optimize security rule validation throughput based on evaluating resource consumption data collected from prior validations. In particular, the DPS analyzes collected resource consumption information and determines which security rules in a set should then be active. To this end, the DPS is configured with multiple security rules engines (SREs), and each is configured to evaluate the same set of security rules. When an SRE applies a validation (to a request or response flow), an associated collector collects and analyzes associated resource consumption data. This data is provided to an optimizer, which receives similar resource consumption data from other SREs. Based on the resource consumption data collected from the SRE collector(s), the optimizer dynamically optimizes security rules validation in real-time, e.g., by dynamically switching on or off given security rule(s) in the set of security rules at given one(s) of the SREs.

Abstract: A database protection system (DPS) is augmented to enable efficient handling of security-violating database client connections. To this end, when the DPS determines to suspend a suspect database client connection several actions are taken. The DPS drops the request and sends a database protocol-specific message to the database server; upon receiving an acknowledgment, the DPS closes the associated transport layer connection mechanism The DPS then initiates an interaction with the client, preferably an exchange of periodic messages (e.g., keep-alive messages) configured to maintain the client in a suspended state. While in this state, the client does not detect any problem with the application or the connection and thus does not try to reconnect to the database server. The DPS then performs an additional assessment/investigation of the violation even as the connection remains open, but suspended. Further action is then taken depending on the results of this evaluation.

Abstract: An application server environment that uses connection pooling is augmented to include a database access control system having a database firewall. When the database firewall detects a security violation with respect to a request received via a pooled connection, the firewall skips over (i.e. do not forward) the violating request and instead creates an artificial error database protocol packet corresponding to the application request. The database firewall then sends the error database protocol packet as a response back to the application, using the pool connection. The application receives the database error as a response to the security violating request, and it responds by releasing the connection of the policy violation database user. By releasing the pool connection is this manner, the performance of other applications (or other clients) using the connection pool is not impacted. Preferably, the error packets include no sensitive information.

Abstract: An application server environment that uses connection pooling is augmented to include a database access control system having a database firewall. When the database firewall detects a security violation with respect to a request received via a pooled connection, the firewall skips over (i.e. do not forward) the violating request and instead creates an artificial error database protocol packet corresponding to the application request. The database firewall then sends the error database protocol packet as a response back to the application, using the pool connection. The application receives the database error as a response to the security violating request, and it responds by releasing the connection of the policy violation database user. By releasing the pool connection is this manner, the performance of other applications (or other clients) using the connection pool is not impacted. Preferably, the error packets include no sensitive information.

Abstract: A database access control system is augmented to provide additional functionality to enable an external security device (e.g., an EDSM) to fully and accurately assess a database query against one or more security policies even when the EDSM is overloaded. To this end, a pair of channels is established between the ISA and the ESM, wherein the channel pair includes a first channel that is expected to have relatively low packet rate, and a second channel that is expected to have a relatively high packet rate. Packets representing initial session information (i.e., user information sent at the beginning of a user session) are directed to the first channel, whereas packets received following session establishment are directed to the second channel, because the latter are likely to be present during a potential overload scenario.

Abstract: A database access control system is augmented to provide additional functionality to enable an external security device (e.g., an EDSM) to fully and accurately assess a database query against one or more security policies even when the EDSM is overloaded. To this end, a pair of channels is established between the ISA and the ESM, wherein the channel pair includes a first channel that is expected to have relatively low packet rate, and a second channel that is expected to have a relatively high packet rate. Internally, the ISA is configured to direct certain packets to the first channel, and to direct other packets to the second channel. Packets representing initial session information (i.e., user information sent at the beginning of a user session) are directed to the first channel, whereas packets received following session establishment are directed to the second channel, because the latter are likely to be present during a potential overload scenario.