| CPC G06F 21/6218 (2013.01) [G06F 21/566 (2013.01); G06N 20/00 (2019.01); G06F 2221/034 (2013.01)] | 20 Claims |

1. A method for detecting malicious database access, the method comprising:
receiving, at a processor, a request including a query and referencing a database;
identifying, via the processor, at least one request attribute from a plurality of request attributes associated with the request, the plurality of request attributes including a representation of at least one of: a user from which the request originated, a time of submission of the request, a location from which the request was transmitted, an internet protocol (IP) address associated with the request, or a dataset referenced by the request;
identifying a query result based on the request and during a first time period;
analyzing the at least one request attribute during the first time period, using a self-learning machine learning algorithm, to identify an anomaly score for anomaly detection;
in response to the anomaly score exceeding a first threshold from a plurality of predefined thresholds, sending, via the processor and during a second time period, a signal representing a quarantine request;
in response to the anomaly score being between the first threshold and a second threshold from the plurality of predefined thresholds, sending, via the processor and during a second time period, a signal representing a notification, and sending a signal representing the query result; and
in response to the anomaly score being below the second threshold from the plurality of predefined thresholds, sending a signal representing a notification that the request is allowed without sending a signal representing content from the database referenced by the query.
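The claimed procedure end to end (request attributes, a self-learning anomaly score, and the three-way policy of the last three clauses) as an added example that is not part of the patent; the per-user frequency scorer, the threshold values, the action labels and the sample traffic are assumptions constructed for illustration, not the patent's own algorithm.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample thresholds; the claim only requires a first threshold above a second.
FIRST_THRESHOLD, SECOND_THRESHOLD = 0.7, 0.3
# Actions for the claim's three branches, top to bottom.
QUARANTINE, NOTIFY_AND_RETURN, ALLOWED_NOTIFY_ONLY = (
    "quarantine", "notify_and_return_result", "allowed_notification_only")
ATTRS = ("hour", "location", "ip", "dataset")  # request attributes named in the claim

class SelfLearningScorer:
    """Per-user value-frequency model; an assumed stand-in for the claim's self-learning ML."""
    def __init__(self):
        self.total = defaultdict(int)                        # user -> requests seen
        self.counts = defaultdict(lambda: defaultdict(int))  # (user, attr) -> value -> count

    def score(self, req):
        user, n = req["user"], self.total[req["user"]]
        if n == 0:
            return 1.0  # no history for this user: every attribute is novel
        # mean rarity of the request's attribute values for this user; 1.0 if never seen
        return mean(1 - self.counts[(user, a)][req[a]] / n for a in ATTRS)
    def observe(self, req):  # learn from the request after it has been scored
        self.total[req["user"]] += 1
        for a in ATTRS:
            self.counts[(req["user"], a)][req[a]] += 1

def decide(score):
    """Three-way policy from the two predefined thresholds."""
    if score >= FIRST_THRESHOLD:
        return QUARANTINE
    return NOTIFY_AND_RETURN if score >= SECOND_THRESHOLD else ALLOWED_NOTIFY_ONLY

def handle(model, req):  # score, decide, then let the model learn from the request
    action = decide(model.score(req))
    model.observe(req)
    return action

def run_demo():
    """Constructed traffic: three benign requests as history, then three probes."""
    model = SelfLearningScorer()
    base = {"user": "alice", "location": "NYC", "ip": "10.0.0.5"}
    for hour, ds in ((10, "orders"), (11, "orders"), (10, "customers")):
        model.observe({**base, "hour": hour, "dataset": ds})
    probes = [{**base, "hour": 10, "dataset": "orders"},    # matches history
              {**base, "hour": 10, "dataset": "salaries"},  # one unusual attribute
              {"user": "alice", "hour": 3, "location": "Sofia",
               "ip": "203.0.113.7", "dataset": "salaries"}]  # everything unusual
    return [handle(model, p) for p in probes]
```

Because the model learns from every request it scores, the order of traffic changes later scores; the demo runs the probes in a fixed order so the three outcomes map onto the claim's three branches.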