Systems and methods for improving accuracy in recognizing and neutralizing injection attacks in computer services

Abstract

Systems and methods for analyzing SQL queries for constraint violations for injection attacks. Tokenizing a SQL query generates a token stream. A parse tree is constructed by iterating over lexical nodes of the token stream. The parse tree is compared to a SQL schema and access configuration for a database in order to analyze the SQL query for constraint violations. Evaluation flaws are also detected. A step-wise, bottom-up approach is employed to walk through the parse tree to detect types and to ascertain from those types whether the condition for SQL execution is static or dynamic. SQL request security engine logic refers to predetermined protective action data and takes the particular type of action specified by the predetermined protective action data. Security is further enhanced by limiting service of requests to requests of one or more specific, accepted data types. Each request is parsed into individual data elements, each an associated key-value pair. If the key is any data element of the request matches a predetermined allowed key, detection and neutralization of any injection attack in the associated value data of the data element is bypassed. A number of patterns that match information to be obscured in logs are established and any matching information is replaced with obscured data. When recording information to the logs, any data whose key is a predetermined masked key is replaced with obscured data.