Runtime detection of database protocol metadata anomalies in database client connections

Assignee

• International Business Machines Corporation · US

Inventors

• Leonid Rodniansky · Brookline, US
• Shay Harel · Marlborough, US
• Tania Butovsky · Needham, US
• Peter Maniatis · Clinton, US

Key dates

Classification

• Technology area (CPC H)Electricity
• CPC primaryH04L63/20
• WIPO fieldComputer technology
• WIPO sectorElectrical engineering

Abstract

A database protection system (DPS) detects anomalies in real time without reliance on discrete security rules, instead relying on a machine learning-based approach. In particular, a Bayesian machine learning model is trained on a set of database protocol metadata (DPM) that the system collects during its runtime operation. Typically, a set of DPM parameters is protocol-specific. The approach herein presumes that DPM parameters are not independent, and that their conditional dependencies (as observed from the database connections) can be leveraged for anomaly detection. To that end, the machine learning model is trained to detect dominant (repeating) patterns of connection DPM parameters. Once trained, the model is then instantiated in the DPS and used to facilitate anomaly detection by identifying connections that do not conform to these patterns, i.e. that represent unusual connection DPM parameters.