UK company Secerno has devised an innovative way to
detect when a database is being attacked using the SQL (Structured
Query Language) injection hacking technique.
The databases at the heart of internet applications are
vulnerable to this relatively straightforward type of attack, which
is difficult to detect and block because it uses carefully crafted
standard SQL commands.
The technique used by Secerno to determine whether database
queries are valid was discovered by company founder and chief
technology officer Steve Moyle while he was researching his PhD in
computer learning at Oxford University.
By combining research in computational linguistics with work in
symbolic machine learning, Moyle's company has developed an
appliance that performs application-level protocol intrusion
detection.
The product uses computational linguistics to "understand" SQL
queries and symbolic machine learning to associate by example what
is valid and what is abnormal behaviour.
There are two parts to the product. A configuration tool works
by understanding normal usage of the database and assessing
database logs, which are presented to the IT administrators using a
graphical tool.
Database queries are then categorised into a hierarchical list.
The administrator is able to scan the list to allow, flag a
warning, or prevent categories of database query.
When the database application is run, the second part of the
product, an appliance, blocks unauthorised database queries as
abnormal behaviour.
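As an added illustration, not Secerno's own code (the appliance's internals are not described beyond the outline above), here is a simplified Python sketch of the two phases: a learning phase that reduces logged queries to their structural "shape", groups the shapes into a list for the administrator to mark allow, warn or block, and an enforcement phase that treats any shape not on the list as abnormal. The tokeniser, the placeholder scheme and the sample log are all assumptions made for the example.

```python
import re

# Tokeniser: string literal, numeric literal, word, or one punctuation char.
TOKEN_RE = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b|\w+|\S")
NUMBER_RE = re.compile(r"\d+(?:\.\d+)?")

def query_shape(sql: str) -> str:
    """Reduce a statement to its structure: literals become placeholders,
    keywords and identifiers are lower-cased, whitespace is normalised."""
    out = []
    for tok in TOKEN_RE.findall(sql):
        if tok.startswith("'"):
            out.append("?s")          # any string literal
        elif NUMBER_RE.fullmatch(tok):
            out.append("?n")          # any numeric literal
        else:
            out.append(tok.lower())
    return " ".join(out)

class QueryPolicy:
    """Allow/warn/block decisions keyed on query shape (hypothetical design)."""
    def __init__(self):
        self.rules = {}               # shape -> "allow" | "warn" | "block"

    def learn(self, log_lines):
        # Learning phase: every shape seen in normal traffic defaults to allow.
        for sql in log_lines:
            self.rules.setdefault(query_shape(sql), "allow")

    def hierarchy(self):
        # Group learned shapes by statement type for administrator review.
        tree = {}
        for shape in self.rules:
            tree.setdefault(shape.split()[0], []).append(shape)
        return tree

    def set_rule(self, shape, action):
        self.rules[shape] = action

    def decide(self, sql):
        # Enforcement phase: an unknown shape is abnormal and is blocked.
        return self.rules.get(query_shape(sql), "block")

# Constructed sample of normal application traffic (not real retailer logs).
TRAINING_LOG = [
    "SELECT title, price FROM dvds WHERE id = 42",
    "SELECT title, price FROM dvds WHERE id = 7",
    "SELECT id FROM customers WHERE email = 'ann@example.com'",
    "INSERT INTO orders (customer_id, dvd_id) VALUES (3, 42)",
    "SELECT COUNT(*) FROM legacy_stock",
]

policy = QueryPolicy()
policy.learn(TRAINING_LOG)
# Administrator decides the legacy query should only raise a warning.
policy.set_rule(query_shape("SELECT COUNT(*) FROM legacy_stock"), "warn")
```

A query whose literals change but whose structure matches a learned shape is allowed, while a tautology appended to a string literal changes the shape and is blocked, which is why this approach rarely stops valid queries.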
The company worked with online DVD retailer DVD.co.uk to help
develop the product. Using the retailer's database application,
Secerno monitored normal database activity.
To test whether the appliance could stop real attacks, Secerno
hired security consultancy NGS Software to run a series of mock
attacks on the database application.
Along with tracking unusual activity, Moyle said, "We can check
if older database functions are still being used by the
application," which he said would allow a database to lock down the
server so that only functions required by the application are
activated.
ICI chief security officer Paul Simmonds, who first looked at
the product nine months ago, said the information it produced was
"very useful". Simmonds said he believed the approach taken by
Secerno would also reduce the chance of valid queries being
stopped.
The Secerno appliance is due to be released in late
September.