US 12,189,786 B2
Method and system for data flow monitoring to identify application security vulnerabilities and to detect and prevent attacks
Andreas Berger, Linz (AT); and Christian Schwarzbauer, Linz (AT)
Assigned to Dynatrace LLC, Waltham, MA (US)
Filed by Dynatrace LLC, Waltham, MA (US)
Filed on Dec. 14, 2023, as Appl. No. 18/539,660.
Application 18/539,660 is a continuation of application No. 17/481,737, filed on Sep. 22, 2021, granted, now 11,886,599.
Claims priority of provisional application 63/084,759, filed on Sep. 29, 2020.
Prior Publication US 2024/0160748 A1, May 16, 2024
This patent is subject to a terminal disclaimer.
Int. Cl. G06F 21/57 (2013.01); G06F 21/55 (2013.01); G06F 21/56 (2013.01)
CPC G06F 21/577 (2013.01) [G06F 21/552 (2013.01); G06F 21/566 (2013.01)] 17 Claims
OG exemplary drawing
 
1. A computer-implemented method for identifying a security vulnerability in an application executing on a host computing device in a distributed computing environment, comprising:
registering, by a source sensor, input data in a security status repository on the host computing device, where the input data is received from a source external to the host computing device and the source sensor is instrumented in a request handling method of the application;
detecting, by a modification tracking sensor, the execution of a modification operation that creates modified data which contains a portion of the input data, where the modification tracking sensor is instrumented in the modification operation;
logging, by the modification tracking sensor, the detected modification operation in the security status repository, where logging the modification operation includes creating an entry for the modification operation in the security status repository, where the entry includes the modified data and data for location of the portion of the input data within the modified data;
logging, by a sink sensor, a sink call made by the application in the security status repository, where the logging of the sink call is in response to execution of the sink call and the execution of the sink call uses at least a portion of the modified data;
determining, by an agent, whether parameter values for the sink call include the modified data containing the portion of input data using data in the security status repository;
in response to a determination that parameter values for the sink call include the modified data containing the portion of the input data, performing an analysis of the portion of the modified data containing the portion input data to determine whether the portion of the input data contains malicious data; where performing the analysis includes using the data for the location of the portion of the input data within the modified data to select data to be analyzed and the agent is deployed in an execution environment shared with the application; and
in response of a determination that the portion of input data contains malicious data, reporting, by the agent, an identified attack.