Dynamic comparative analysis method and apparatus for detecting and preventing code injection and other network attacks

摘要

A security appliance includes a vulnerable testbed that simulates at least one known vulnerability, and a secure testbed that simulates not having that vulnerability. A testbed monitor monitors run-time behavior of the vulnerable testbed and the secure testbed, obtaining at least one run-time behavior parameter. A comparative evaluator module compares the run-time behavior parameters with respect to the received client request to determine if it is legitimate or illegitimate. The security appliance outputs its determination with a message and/or by forwarding client requests deemed legitimate and dropping client requests deemed illegitimate. The determination can be based, on differences in the run-time behavior parameters. Illegitimate requests can be cached for later matching. The requests can be database data requests, XML formatted requests, operating system requests and/or other types of requests that would be differentially handled by a vulnerable server and a secure server.