
v14.7 Database Activity Monitoring User Guide


Contents

Glossary . . . 3


Glossary
Action Interface Types

An action interface defines an action type and the part of its configuration that is user-configurable. Action
interfaces can only be created by Administrators. The administrator fixes part of the configuration, which is then no
longer editable by the user; the user fills in the remaining parameters. For example, the administrator sets up an
email action and its contents, and the user supplies the recipients' addresses.

Each action interface is based on a predefined action type, which defines what the action does. One of these types is
OsCommand, which runs an operating-system command and so allows a wide variety of actions; this is also why the
ability to create such interfaces is limited to Administrators.

Adaptive Learning

SecureSphere has the ability to build the Dynamic Profile based on the process of seeing network traffic and learning
the valid and legal use of the application. The process of seeing traffic and learning the legitimate use of the
application is called "adaptive learning". See also "Dynamic Profiling".

ADC

Imperva's Application Defense Center (ADC) comprises security experts, conducting ongoing research based on
multiple data sources. These include:

• Internal research of database implementations to discover security vulnerabilities (for example, several
vulnerabilities discovered by the ADC have been acknowledged and patched by Oracle)
• Security vulnerabilities discovered by the industry
• Patches released by vendors
• Security best practices developed for databases, including consultation with industry standards bodies

ADC Content Update

The Application Defense Center (ADC), part of the MX management server, allows you to update and view signatures
with their attributes and documentation, review pre-configured dictionaries, and define new dictionaries.
Additionally, the ADC allows you to configure and update policies, assessment tests, table groups, and so on. The
ability to Import objects enables continuous content updates to SecureSphere, supplied by the ADC. ADC packages
include:

• Security Policies
• Assessment tests
• Additional predefined reports

ADC Insight Services

Imperva's ADC offers a range of services to ensure the most up-to-date protection and adherence to best practices.
These include:

• Signature Updates
• Alert Profiles
• Audit Profiles


• Reports - generated using the reporting framework available to all users, these reports cover specific themes,
such as: regulation related reports (SOX, HIPAA, PCI, and so on), or enterprise applications (Oracle EBS, and so
on).

Alert

An alert collects multiple events that share common characteristics (such as violation type, user and so on) into a
single record. See also "Event" and "Violation".

The MX Management server aggregates detailed security alert information from multiple gateways and presents them
in a single consolidated view. Alerts are organized according to the type of violation (firewall, signature, profile,
correlated, and so on) and contain detailed forensic information ranging from IP address to session ID. Advanced
sorting and filtering technologies accelerate forensic investigation efforts.

Alert Aggregation

The SecureSphere system prevents alert storms (thousands of different warnings about what are essentially multiple
occurrences of the same thing) by aggregating similar alerts into a single alert.

Alert Reports

Reports based on alerts as the data source. See also "Report", "Alert".

Anomaly Detection

Behavior-based anomaly detection compares a profile of all allowed application behavior to actual traffic. Any
deviation from the profile is flagged as a potential attack. It is commonly referred to as a positive security model
because it seeks only to identify all "known good" behaviors and assumes that everything else is bad. Behavior
anomaly detection has the potential to detect attacks of all kinds – including "unknown" attacks on custom code. See
also "Dynamic Profiling".

Appliance

The hardware and operating system that comprise a manageable device.

Application Awareness

The ability to analyze network traffic in the application context. For example, the Dynamic Profile is part of
SecureSphere's application awareness. See also "Dynamic Profile".

Application Behavioral Layer

See also "Application Layer".

Application Defense Center

See ADC.

Application Group


A group of applications, which facilitates the management of profiles and policies. You can work with application
groups as either logical representations of the protected domain or physical representations of sites.

Applications from different sites or server groups using different services can be grouped together to enable
management according to the organizational structure. Administrative actions can be performed on these groups, for
example:

• Managing the application profile and structure
• Applying security policies
• Monitoring and reporting

Application Level

Analysis performed after the SecureSphere Gateway has connected the network traffic to a specific web application or
database application. The analysis is therefore application-specific; for example, it decides whether a transaction is
permitted by the application's dynamic profile. See also "Application", "DB Application", "Web Application", "DB
Profile", "Web Profile".

Application Protocol

See also "Protocol".

Application Security

Security functionality aimed at protecting against attacks that target application and protocol elements. See also
"Protocol", "Application", "Web Application", "DB Application", "Dynamic Profile".

Application Signature

Signatures enforced on the application level. See also "Signatures", "Application Level".

APU

See also "Automatic Profile Update".

APU rule

A rule that tells SecureSphere when to apply APU, that is, when to update the profile.

Assessment

See also "DB Assessment".

Assessment Report

A SecureSphere report relating to the result of an assessment. See also "Report", "Assessment".

Assessment Test


A test run against a database server to check whether it is configured securely.

Attack

An attempt to subvert or bypass a system's security. Attacks may be passive or active. Active attacks attempt to alter
or destroy data. Passive attacks try to intercept or read data without changing it. See also: brute-force attack, Denial
of Service, hijacking, password attacks, password sniffing.

Attack Signatures

A signature identifying a specific attack. See also "Signature".

Attributes

Attributes are characteristics assigned to all files and directories. Attributes include: read-only, archive, hidden, or
system.

Audit

See also "Auditing".

Audit analysis

The process of analyzing the SecureSphere audit data, either by running reports on the audit data or by querying it
through an audit view. See also "Audit View", "Auditing".

Audit Archive

The SecureSphere gateways reserve a large portion of their disk space for storing audit data. Because the volume of
audit data can be enormous and it may need to be retained for long periods, the data must be offloaded periodically
from SecureSphere's local disks; archiving needs differ from one organization to the next depending on its auditing
requirements.

If the pre-allocated storage area fills up, SecureSphere writes new event logs over the oldest ones in local audit
storage, so audit records that were never archived are lost. Archiving extends your ability to retain this data for
long-term reference on media outside the SecureSphere system.

The archive process copies data from the SecureSphere system to a specified storage site as CSV files, which can then
be consumed by other event correlation systems that accept CSV input.

Audit Policy

A policy that defines which database traffic should be audited. The policy has a match criteria based on correlation.
See also "Match Criteria", "Policy", "Correlation".

Audit View

Indexing of the DB audit data according to fields specified by the SecureSphere user. Applying this indexing to the
audit data makes it possible to query the data by those fields. For example, if a view is defined on data that contains
the "Source IP" field, all audit data for a specific source IP can be retrieved. See also "Audit Data", "Audit Policy".

Auditing

See also "Database Auditing".

Automatic Profile Update

The ability of SecureSphere to detect that an application has changed and update the profile automatically based on
this detection.

Background Scanning

Background scanning is a feature in some anti-virus software to automatically scan files and documents as they are
created, opened, closed, or executed.

Bayesian Filter

A Bayesian filter is a program that uses Bayesian logic (also called Bayesian analysis) to evaluate the header and
content of an incoming email message to determine the probability that it constitutes spam.

Black List

A list of objects that are marked as forbidden/negative/dangerous.

Bridge Mode

A deployment mode of the SecureSphere gateway in which it acts as a transparent bridge on the network. The appliance
can be added to or removed from the network with no change to the network's configuration and definitions.

Brute Force

Brute force attacks use exhaustive trial and error methods in order to find legitimate authentication credentials.

Brute-force Attack

A brute-force attack is an attack in which each possible key or password is attempted until the correct one is found.
See also: attack.

Cookie

A part of the HTTP protocol: a small piece of data that a web server sends to a browser, which the browser stores on
the user's computer and returns with later requests to that site. Cookies often carry session identifiers or other
personal information.

Cookie Poisoning Attack

Cookie poisoning attacks modify the contents of a cookie in order to bypass security mechanisms. Using cookie
poisoning, an attacker can obtain unauthorized information about another user and impersonate that user. See also
"Cookie".


Correlated Attack

An attack built from more than one element.

Correlation

Applying a match criteria that consists of several diverse match elements, for example "Target Table is employees and
time of day is between 10:00 and 17:00".

Correlation Policy

A policy containing a correlation rule. See also "Policy", "Correlation Rule".

Correlation Rule

A rule that applies some action based on a correlation. See also "Correlation".

Cross-Site Scripting

Cross-site scripting ('XSS'; in older material sometimes 'CSS', which is easily confused with Cascading Style Sheets)
is an attack that takes advantage of a web site vulnerability in which the site displays content that includes
un-sanitized user-provided data. For example, an attacker might place a hyperlink with an embedded malicious script
into an online discussion forum. The purpose of the malicious script is to attack other forum users who happen to
follow the hyperlink; for example, it could copy the users' cookies and send them to the attacker.

Data Definition Language

Data Definition Language (DDL) is the subset of SQL statements, used either interactively or from within program
source code, that define databases and their components (for example CREATE, ALTER and DROP).

Data Enrichment

The process of assigning customized attributes to events taking place in the network, for example extracting an SQL
literal from a query or a field from HTTP traffic, then attaching this information to an event.

Data Monitoring Gateway

See SecureSphere Data Monitoring Gateway.

Data Scope

The data type and specification to be used for a report. An example of a data scope is "alerts from the last 3 days".

Data Security Gateway

See SecureSphere Data Security Gateway.

Database Agent

See SecureSphere Database Agent.


Database Assessment

See also "DB Assessment".

Database Auditing

Database auditing allows you to save database queries for audit purposes. For each database server group you can
define an unlimited number of audit rules. The audit process runs in parallel with the mechanism that generates
alerts, meaning that it sees all the queries, not just those generating alerts.
Bear in mind that the amount of information stored for auditing could be immense, which could affect system
performance if prudent filtering is not employed. See also "Audit Policy".

Database Profile

The dynamic profile representing access of a DB application. See also "Dynamic Profiling", "DB application". The
database profile contains all the tables of a DB application, and the way these tables are accessed - including allowed
queries and users for these tables, as well as allowed operations on these tables.

DB Application

This term is specific for SecureSphere. It describes a collection of one or more pairs of database and schema. This
collection describes a part of the database in charge of a specific function that the SecureSphere User would like to
secure using SecureSphere.

DB Assessment

Part of the SecureSphere functionality. DB assessment is done by connecting to the target database, and performing a
collection of assessment tests on it in order to evaluate if the DB server is configured in a secure way. The result of a
DB assessment is a report indicating the result of each assessment test that was performed on the DB server. See also
"Assessment Test", "Direct Access Information", "DB Server".

DB Audit

See also "auditing".

DB Profile

Abbreviation of "database profile". See also "Database Profile".

DB Server

A server that runs a database, and the database is accessed from the network by users and applications.

DB Service

A service that describes communications to DB applications. See also "DB Application".

Default Policy


Every new object is assigned the relevant default policies. For example, the default firewall and network signatures
are automatically applied to a new server group.

Deployment Guide

The two deployment guides (WAF and DxG) provide information to assist the SecureSphere administrator in the
configuration and management of the initial stages of a SecureSphere deployment. See also "SecureSphere user",
"SecureSphere system".

Deployment Topology

The network configuration into which the SecureSphere gateway is deployed. This term usually refers to "Inline Mode"
and "Sniffing Mode". See also "SecureSphere System", "SecureSphere gateway", "Inline mode", "Sniffing mode".

Derived Rights

Rights that are granted to a user through the granting of roles or permissions.

Dictionary

A filter on the signature database, for example, a dictionary that includes all highly accurate, medium severity
signatures for IIS 5 and 6. SecureSphere includes a set of predefined dictionaries.

Direct Access Information

Information that enables logging in to a server, namely a username and password for that server. It is used to log in
to the remote server and perform an assessment on it. See also "Assessment".

DmG

Acronym for "Data Monitoring Gateway". See also "Data Monitoring Gateway".

DsG

Acronym for "Data Security Gateway". See also "Data Security Gateway".

DxG

DxG denotes DsG and DmG.

Dynamic Profiling™

Dynamic Profiling automatically examines live application and database traffic to create a comprehensive model
(profile) of the structure and dynamics of the application and database. Valid application and database changes are
automatically recognized and incorporated into the profile over time.

Dynamic Protect Mode

Once SecureSphere has finished building the Dynamic Profile, it starts protecting the application based on that
profile by switching the profile to Protect Mode.
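The learn-then-protect cycle described under Anomaly Detection, Dynamic Profiling and Dynamic Protect Mode, as an added example that is not part of this guide or of SecureSphere's code. It assumes a simplified profile made of the components named in the glossary (tables, users and operations), a constructed stream of events, and a hypothetical APU rule: a deviation seen from at least three distinct source IPs is treated as a legitimate application change and merged into the profile.

```python
"""Positive security model: learn a DB profile from traffic, then enforce it.

Added illustration, not SecureSphere code. Profile components (tables, users,
operations) follow the glossary; the event format, the sample events and the
APU rule threshold are constructed assumptions.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DbEvent:
    db_user: str
    operation: str      # SELECT, INSERT, UPDATE, DELETE, ...
    table: str
    source_ip: str


@dataclass
class DbProfile:
    """Per table: the users and operations observed during learning."""
    tables: dict = field(default_factory=dict)

    def learn(self, ev: DbEvent) -> None:
        entry = self.tables.setdefault(ev.table, {"users": set(), "operations": set()})
        entry["users"].add(ev.db_user)
        entry["operations"].add(ev.operation.upper())

    def check(self, ev: DbEvent) -> list[str]:
        """Profile violations for one event; an empty list means 'known good'."""
        entry = self.tables.get(ev.table)
        if entry is None:
            return ["unknown-table"]          # table never seen in learning
        violations = []
        if ev.db_user not in entry["users"]:
            violations.append("unknown-user")
        if ev.operation.upper() not in entry["operations"]:
            violations.append("unknown-operation")
        return violations


def build_profile(learning_events: list[DbEvent]) -> DbProfile:
    """Adaptive learning phase: everything seen is assumed legitimate."""
    profile = DbProfile()
    for ev in learning_events:
        profile.learn(ev)
    return profile


def run_protect(profile: DbProfile, events: list[DbEvent], apu_min_sources: int = 3):
    """Protect mode. Returns (violations, apu_updates).

    The APU rule here is an assumption: a deviation repeated from
    apu_min_sources distinct source IPs is treated as a legitimate application
    change and merged into the profile. Choose the threshold with care; a rule
    that is too lax lets an attacker with a few hosts 'teach' the profile.
    """
    violations: list[tuple[DbEvent, list[str]]] = []
    apu_updates: list[tuple[str, str, str]] = []
    sources_per_deviation: dict[tuple, set] = defaultdict(set)
    for ev in events:
        found = profile.check(ev)
        if not found:
            continue
        key = (ev.table, ev.db_user, ev.operation.upper())
        sources_per_deviation[key].add(ev.source_ip)
        if len(sources_per_deviation[key]) >= apu_min_sources:
            profile.learn(ev)                 # APU: accept as application change
            apu_updates.append(key)
        else:
            violations.append((ev, found))
    return violations, apu_updates


# Constructed sample traffic (not real data).
LEARNING_EVENTS = [
    DbEvent("app_user", "SELECT", "employees", "10.0.0.5"),
    DbEvent("app_user", "UPDATE", "employees", "10.0.0.5"),
    DbEvent("app_user", "SELECT", "salaries", "10.0.0.6"),
    DbEvent("report_user", "SELECT", "salaries", "10.0.0.7"),
]
PROTECT_EVENTS = [
    DbEvent("app_user", "select", "employees", "10.0.0.5"),     # allowed
    DbEvent("dba1", "SELECT", "salaries", "10.0.0.99"),         # unknown user
    DbEvent("app_user", "DELETE", "salaries", "10.0.0.5"),      # unknown operation
    DbEvent("app_user", "SELECT", "departments", "10.0.0.5"),   # unknown table, 1st source
    DbEvent("app_user", "SELECT", "departments", "10.0.0.6"),   # unknown table, 2nd source
    DbEvent("app_user", "SELECT", "departments", "10.0.0.7"),   # 3rd source: APU merges it
    DbEvent("app_user", "SELECT", "departments", "10.0.0.8"),   # now allowed
]

if __name__ == "__main__":
    prof = build_profile(LEARNING_EVENTS)
    viols, updates = run_protect(prof, PROTECT_EVENTS)
    for ev, reasons in viols:
        print(f"VIOLATION {reasons} {ev}")
    print("APU updates:", updates)
```

The profile is a whitelist, so anything not seen during learning is a violation, which is why the learning window must cover only traffic you trust; the APU threshold is the knob that trades false positives after an application change against the risk of an attacker teaching the profile.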


Event

A kind of record issued by the SecureSphere gateway describing an incident that has security implications such as
viruses or unauthorized access.

Fail Close(d)

A mode of the SecureSphere gateway where, if the gateway stops functioning (for example because of a power outage),
the appliance passes no traffic, so the protected domain is not exposed to attacks, at the cost of connectivity.

Fail Open

A mode of the SecureSphere gateway where, if the gateway stops functioning (for example because of a power outage),
the appliance keeps passing traffic, so connectivity to the protected domain is not interrupted; traffic passing in
this state is not inspected.

False Negative

A failure to identify a violation.

False Positive

An erroneous identification of an event as a violation when it is in fact not a violation.

Filtered Dictionary

A signature dictionary with a filtering condition applied to it, for example a dictionary of web-related signatures
filtered to only those relevant to IIS web servers.

Followed Action

An action taken by SecureSphere after a specified event is detected.

Gateway Group

A collection of SecureSphere gateway objects defined in the MX Server as a group. SecureSphere gateways are grouped
when all members of the group protect the same server group.

Gateway Management Screen

A screen in the SecureSphere administration interface on the MX server where SecureSphere gateways can be added or
removed. The screen displays the status of each SecureSphere gateway (uptime, CPU consumption and so on). See also
"MX Server", "SecureSphere Gateway", "SecureSphere administration interface".

Global Object

The SecureSphere environment is hierarchical. Most objects in the system can be grouped, and then referenced as
global objects from policies, configuration, and so on.

Global Object Examples: Table groups, Stored procedures, Signatures and dictionaries.


The granularity supplied by SecureSphere requires that many of the system’s components be approachable from
anywhere in the system, i.e., global.

GW group

See also "Gateway group".

Host

An individual computer, sometimes used to mean a computer on which specific software is physically located or
which provides a specific service.

Implementation Life Cycle

The product implementation life cycle is a series of ongoing refinements divided into four phases (identify risks, set
policies & controls, monitor and protect, measure). The iterations through the cycle are driven by the changing
environment and reflected in SecureSphere's dynamic learning capabilities, as well as various feedback that the
system provides to the administrators and auditors.

When the system has acquired sufficient data, the learned behaviors are automatically enforced, and events are
generated for any occurrence that does not follow the learned behavior. Periodically, users need to verify that the
learned behaviors are in fact the desired ones. Users can view these events and refine the actions to be taken for
them.

Inline Mode

One of the deployment modes of the SecureSphere gateway. In this mode SecureSphere acts as a firewall device on the
network, serving as one of the devices that process traffic on its way to the data center. This mode is usually used
when the SecureSphere gateway is required to block malicious or unauthorized network access to the data center.

Kick and Disable

After applying "kick user", disabling future logins of the same user. See also "Kick User".

Kick User

Terminate a session of a SecureSphere user who is using the administrative interface of the MX server. See also
"SecureSphere User", "Administrative Interface", "MX Server".

Known Attacks

The term "known attack" usually refers to attacks that target previously published vulnerabilities in commercial or
open source application software such as IIS, Apache, Oracle and so on. Hundreds of vulnerabilities in such software
are found and made public (www.cert.org and so on) each year, and attackers use this information to construct attacks.
Examples of such attacks include Code Red, Nimda and Spida.

License Summary

The page in the SecureSphere administrative interface that indicates the status of the SecureSphere software license.


Match Criteria

A collection of rules and conditions, with relationships between them, that trigger a specific action once matched. An
example of a match criteria is: Source IP is 1.1.1.1 and the target URL is www.imperva.com.
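A match criteria evaluated as a correlation of several match elements, followed by the alert aggregation described under Alert and Alert Aggregation, as an added example that is not part of this guide or of SecureSphere's code. The match elements, the two policies and the sample audit events are constructed; the first policy is the glossary's own Correlation example (target table is employees and time of day is between 10:00 and 17:00), the second is an assumed blocking policy on DELETE against salaries from outside an application subnet.

```python
"""Correlated match criteria over audit events, with alert aggregation.

Added illustration, not SecureSphere code. The match elements, the two
policies and the sample events are constructed assumptions.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    source_ip: str
    db_user: str
    operation: str
    table: str


# Match elements: each returns a predicate over one event.
def target_table(name: str):
    return lambda ev: ev.table.lower() == name.lower()


def time_of_day_between(start_hour: int, end_hour: int):
    return lambda ev: start_hour <= ev.ts.hour < end_hour


def operation_in(*ops: str):
    allowed = {o.upper() for o in ops}
    return lambda ev: ev.operation.upper() in allowed


def source_ip_not_in(network: str):
    net = ipaddress.ip_network(network)
    return lambda ev: ipaddress.ip_address(ev.source_ip) not in net


@dataclass
class Policy:
    name: str
    match_all: tuple          # correlation: every element must match (AND)
    action: str               # "alert" or "block"


@dataclass
class Alert:
    policy: str
    db_user: str
    action: str
    count: int = 0
    first_seen: datetime | None = None
    last_seen: datetime | None = None
    source_ips: set = field(default_factory=set)


def evaluate(policies: list[Policy], events: list[AuditEvent]) -> list[tuple[Policy, AuditEvent]]:
    """Return one violation per (policy, event) pair whose match criteria is met."""
    return [(pol, ev) for ev in events for pol in policies
            if all(elem(ev) for elem in pol.match_all)]


def aggregate(violations) -> list[Alert]:
    """Alert aggregation: fold violations with the same (policy, user) into one alert."""
    alerts: dict[tuple[str, str], Alert] = {}
    for pol, ev in violations:
        key = (pol.name, ev.db_user)
        a = alerts.setdefault(key, Alert(pol.name, ev.db_user, pol.action))
        a.count += 1
        a.first_seen = ev.ts if a.first_seen is None else min(a.first_seen, ev.ts)
        a.last_seen = ev.ts if a.last_seen is None else max(a.last_seen, ev.ts)
        a.source_ips.add(ev.source_ip)
    return list(alerts.values())


POLICIES = [
    Policy("employees during business hours",
           (target_table("employees"), time_of_day_between(10, 17)), "alert"),
    Policy("delete on salaries from outside app subnet",
           (target_table("salaries"), operation_in("DELETE"), source_ip_not_in("10.0.0.0/24")), "block"),
]


def at(hour: int, minute: int) -> datetime:
    return datetime(2024, 5, 1, hour, minute)


# Constructed sample audit events (not real data).
EVENTS = [
    AuditEvent(at(11, 0), "10.0.0.5", "app_user", "SELECT", "employees"),
    AuditEvent(at(11, 5), "10.0.0.5", "app_user", "SELECT", "employees"),
    AuditEvent(at(18, 0), "10.0.0.5", "app_user", "SELECT", "employees"),     # outside 10:00-17:00
    AuditEvent(at(11, 10), "192.168.1.20", "dba1", "DELETE", "salaries"),
    AuditEvent(at(11, 12), "192.168.1.20", "dba1", "DELETE", "salaries"),
    AuditEvent(at(11, 13), "10.0.0.9", "dba1", "DELETE", "salaries"),         # inside app subnet
    AuditEvent(at(11, 20), "10.0.0.6", "report_user", "SELECT", "employees"),
]

if __name__ == "__main__":
    for alert in aggregate(evaluate(POLICIES, EVENTS)):
        print(alert)
```

Seven events produce five violations but only three alerts, because aggregation keys on policy and user; the alert keeps the count, the time span and the set of source IPs so the forensic detail is not lost when the storm is collapsed.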

Monitoring

The SecureSphere Monitoring tab collects and displays the system’s recorded activity, including the following
information:

• Dashboard: Constantly updated, easy to understand snapshot views of the gateways, server groups, system’s
load, connections per second, latest alerts, attack reports, and system events.
• Alerts: Detailed information on every alert.
• System Events: The SecureSphere Management Server log comprises information on each change to the
product configuration, and important system events.
• DB Audit – on-the-fly view
• View archived audit data

Monitoring Audit Events

Audit results can be viewed using the SecureSphere® GUI. The audit rule configuration lets you define up to 5 different
audit views, each comprising between 1 and 4 aggregation keys (selected from: source IP address, database
username, source OS username/hostname, destination table name, source applications, database operation, and
exception occurred).
The SecureSphere system provides a data management mechanism for effective management and analysis of the
audit results (potentially immense quantities of data). For greatest efficiency, events are stored sequentially in a flat
file as they occur, and indexed to an index file according to the preconfigured aggregation keys. Audit views are then
generated based on a combination of the flat file and index file.
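The storage layout described above (records appended sequentially to a flat file, an index keyed by the aggregation keys, audit views built from the two), as an added example that is not part of this guide or of SecureSphere's code. It assumes a JSON-lines flat file, a constructed record format and constructed sample records; the 1-to-4-keys-per-view limit and the aggregation key names are taken from the entry above.

```python
"""Flat-file audit store with a per-key index, and audit views built on both.

Added illustration, not SecureSphere code. The JSON-lines format, the record
fields and the sample records are constructed assumptions.
"""
from __future__ import annotations
import json
import os
import tempfile
from collections import defaultdict

# Aggregation keys a view may use (a subset of those listed in the guide).
AGGREGATION_KEYS = ("source_ip", "db_user", "table", "operation", "exception")
MAX_VIEW_KEYS = 4       # the guide allows 1 to 4 keys per view


class AuditStore:
    def __init__(self, path: str):
        self.path = path
        open(self.path, "ab").close()            # create if missing
        self.index: dict[str, dict] = {}
        self.rebuild_index()

    def append(self, record: dict) -> int:
        """Append one record to the flat file; return its byte offset."""
        line = json.dumps(record, sort_keys=True).encode("utf-8") + b"\n"
        with open(self.path, "ab") as f:
            f.seek(0, os.SEEK_END)
            offset = f.tell()
            f.write(line)
        self._index_record(record, offset)
        return offset

    def _index_record(self, record: dict, offset: int) -> None:
        for key in AGGREGATION_KEYS:
            self.index[key][record[key]].append(offset)

    def rebuild_index(self) -> None:
        """Re-derive the index from the flat file (the file is the source of truth)."""
        self.index = {k: defaultdict(list) for k in AGGREGATION_KEYS}
        with open(self.path, "rb") as f:
            offset = 0
            for line in f:
                self._index_record(json.loads(line), offset)
                offset += len(line)

    def _read(self, offset: int) -> dict:
        with open(self.path, "rb") as f:
            f.seek(offset)
            return json.loads(f.readline())

    def view(self, **filters) -> list[dict]:
        """Audit view: intersect the offset lists per key, then read only those records."""
        if not 1 <= len(filters) <= MAX_VIEW_KEYS:
            raise ValueError(f"a view uses between 1 and {MAX_VIEW_KEYS} aggregation keys")
        unknown = set(filters) - set(AGGREGATION_KEYS)
        if unknown:
            raise ValueError(f"not aggregation keys: {sorted(unknown)}")
        offsets = None
        for key, value in filters.items():
            hits = set(self.index[key].get(value, []))
            offsets = hits if offsets is None else offsets & hits
        return [self._read(o) for o in sorted(offsets)]


def demo_store() -> AuditStore:
    """Build a store in a temp directory and load constructed sample records."""
    store = AuditStore(os.path.join(tempfile.mkdtemp(), "audit.jsonl"))
    samples = [
        {"source_ip": "10.0.0.5", "db_user": "app_user", "table": "employees", "operation": "SELECT", "exception": False},
        {"source_ip": "10.0.0.5", "db_user": "app_user", "table": "employees", "operation": "UPDATE", "exception": False},
        {"source_ip": "10.0.0.7", "db_user": "report_user", "table": "salaries", "operation": "SELECT", "exception": False},
        {"source_ip": "192.168.1.20", "db_user": "dba1", "table": "salaries", "operation": "DELETE", "exception": True},
    ]
    for rec in samples:
        store.append(rec)
    return store


if __name__ == "__main__":
    s = demo_store()
    for row in s.view(source_ip="10.0.0.5"):
        print(row)
```

The index only stores offsets, so a view touches just the records it needs rather than scanning the whole file; since the flat file is the source of truth, the index can be thrown away and rebuilt, which is also what makes the flat file the thing to archive.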

MX Appliance

The SecureSphere appliance that has the MX server in it. See also "MX Server", "SecureSphere Appliance".

MX Management Server

See also "MX Server".

MX Server

This is the component in the SecureSphere system that performs the management function. This includes:

1. Dispatching the security policy to the SecureSphere gateways
2. Getting the status of the gateway appliances
3. Getting alerts and system events from the gateways
4. Receiving configuration changes: when the SecureSphere administrator configures the SecureSphere system, changes
policies and so on, this is done through the MX server, which then dispatches the configuration changes to the
SecureSphere gateways
5. Presenting alerts and system events: when a SecureSphere user wants to view security alerts or system events, the
MX server displays the alerts and system events collected from all of the gateways


Network Security Layer

The functional part of the SecureSphere Security Engine that analyzes traffic at the network level and issues
violations for network-related attacks, such as malformed IP packets. This is the initial analysis of the traffic,
performed before the service-level and application-level analysis. See also "Network Level", "Service Level",
"Application Level".

Parameter Tampering

Attack that is based on HTTP parameters manipulation. Parameter tampering is a simple attack targeting the
application business logic. This attack takes advantage of the fact that many programmers rely on hidden or fixed
fields (such as a hidden tag in a form or a parameter in a URL) as the only security measure for certain operations.
Attackers can easily modify these parameters to bypass the security mechanisms that rely on them.

PCI

A compliance standard created and maintained by the payment card brands (such as Visa) that mandates securing
cardholder data (i.e. credit card information) in merchants' web sites and data centers. See also "Compliance".

Peer-to-peer (P2P) networking

Peer-to-peer (P2P) networking is a distributed system of file sharing where any PC on the network can see any other
PC on the network. Users access each others’ hard drives to download files. This type of file sharing is valuable, but it
brings up copyright issues for music, movies, and other shared media files. Users are also vulnerable to viruses,
Trojans, and spyware hiding in files. See also: Trojan horse, spyware.

Permissions Tab

The screen in the SecureSphere administration interface where the operations each SecureSphere User may perform
are defined. See also "SecureSphere administration interface", "SecureSphere User".

Policy

A set of one or more rules related to a functional area in the system. A policy may contain a match criteria. A policy
may contain instructions on how to handle one or more violations - examples of such instructions would be if an alert
should be issued and if a user should be blocked by the SecureSphere gateway. See also "Violation", "Match Criteria".

Predefined Correlation Policies

A collection of correlation policies that are built in to SecureSphere and provide out-of-the-box protections against
certain attacks.

Privileged Operation

Privileged operations are special, highly sensitive operations on a database such as database creation and deletion,
user creation and so on. They can be defined as any operation other than basic data manipulation (i.e. update, select,
insert and delete), whether performed directly on the database or via regular stored procedures.
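The distinction drawn above, basic DML versus everything else, as an added example that is not part of this guide or of SecureSphere's code: a small statement classifier that an audit policy could use to record only privileged operations. The keyword-to-class table, the handling of stored procedure calls and the sample statements are constructed assumptions; a production classifier would use a real SQL parser for each database dialect. The point of the comment-prefixed samples is that a naive prefix check on the raw text misses them.

```python
"""Classify SQL statements as basic DML vs privileged operations.

Added illustration, not SecureSphere code. The keyword table, the procedure
call handling and the sample statements are constructed assumptions.
"""
from __future__ import annotations
import re

BASIC_DML = {"SELECT", "INSERT", "UPDATE", "DELETE"}

# Two-word prefixes first, so CREATE USER is not reported as plain DDL.
PRIVILEGED_PREFIXES = [
    (("CREATE", "USER"), "user-management"),
    (("ALTER", "USER"), "user-management"),
    (("DROP", "USER"), "user-management"),
    (("CREATE", "DATABASE"), "database-management"),
    (("DROP", "DATABASE"), "database-management"),
    (("GRANT",), "privilege-management"),
    (("REVOKE",), "privilege-management"),
    (("CREATE",), "ddl"),
    (("ALTER",), "ddl"),
    (("DROP",), "ddl"),
    (("TRUNCATE",), "ddl"),
]
PROCEDURE_CALLS = {"EXEC", "EXECUTE", "CALL"}

_COMMENTS = re.compile(r"/\*.*?\*/|--[^\n]*", re.S)
_WORD = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def leading_keywords(sql: str, n: int = 2) -> tuple[str, ...]:
    """First n identifiers after stripping comments, folded to upper case."""
    stripped = _COMMENTS.sub(" ", sql)
    return tuple(w.upper() for w in _WORD.findall(stripped)[:n])


def classify(sql: str) -> tuple[str, str]:
    """Return (category, detail): ('dml', verb), ('privileged', class),
    ('procedure-call', verb) or ('other', first word)."""
    words = leading_keywords(sql)
    if not words:
        return ("other", "")
    for prefix, cls in PRIVILEGED_PREFIXES:
        if words[:len(prefix)] == prefix:
            return ("privileged", cls)
    if words[0] in BASIC_DML:
        return ("dml", words[0])
    if words[0] in PROCEDURE_CALLS:
        # A stored procedure may wrap a privileged operation; the statement
        # text alone cannot tell, so the call is surfaced for the policy.
        return ("procedure-call", words[0])
    return ("other", words[0])


def should_audit(sql: str) -> bool:
    """Audit policy: record privileged operations and procedure calls, not plain DML."""
    return classify(sql)[0] in {"privileged", "procedure-call"}


# Constructed samples, including comment-prefixed statements.
SAMPLES = [
    "select * from employees where id = 7",
    "/* routine */ DROP TABLE audit_log",
    "-- maintenance\nGRANT DBA TO eve",
    "create user eve identified by 'x'",
    "EXEC sp_addsrvrolemember 'eve', 'sysadmin'",
    "WITH t AS (SELECT 1) SELECT * FROM t",
]

if __name__ == "__main__":
    for stmt in SAMPLES:
        print(classify(stmt), should_audit(stmt), repr(stmt))
```

The last sample shows the limit of a first-keyword classifier: a CTE is ordinary DML but lands in "other", which is the conservative side of the error for an audit policy; the opposite error, a privileged statement hidden behind a comment or a procedure call, is the one the classifier is written to avoid.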

Profile Components


The entities that comprise the Dynamic profile. For example for DB profile the profile components will be tables,
operations, users and queries. See also "Dynamic Profile", "DB Profile".

Profile Violation

A violation issued as a result of traffic that contradicts the information in the dynamic profile. See also "Dynamic
Profile", "Violation".

Protected Network

Server groups (SGs) comprise all the servers that the SecureSphere® system protects. The server group is a basic
reference unit, corresponding to a server or a cluster of servers (i.e., the system does not protect individual IP
addresses). A server group is defined as a layer 3 (IP) entity.

Protocol

A standard defining how a client and a server communicate with each other. A protocol defines a set of messages
passed between them, states and message order.

Protocol Violation

A violation issued by the SecureSphere Gateway when the protocol exchange between client and server is malformed or
does not conform to expected usage. See also "Protocol", "SecureSphere Gateway", "Violation".

Protocol Violation Policies

SecureSphere® protocol compliance checks ensure that HTTP and SQL protocols meet RFC and expected usage
requirements. By ensuring that the HTTP and SQL protocols meets guidelines, protocol compliance prevents attacks
on both known and unknown vulnerabilities in commercial web and DB server implementations.
Imperva has conducted comprehensive research and collected a group of protocol violations that usually indicate
attack attempts. You can enable or disable each of these violations for each group of protected servers.
Protocol violation policies are relevant to both HTTP (web servers) and SQL databases.

Raw Data

The data as extracted from the network traffic.

Redirect

A redirect is an action used by some viruses to point a command to a different location. Often this different location is
the address of the virus and not the original file or application.

Regulatory Compliance

See also "Compliance".

Remote Agent

In SecureSphere this usually refers to the DB Agent. See also "DB Agent".


Rename

A rename is an action by which a user or program assigns a new name to a file. Viruses may rename program files and
take the name of the file so that running the program inadvertently runs the virus. Anti-virus programs may rename
infected files, making them unusable until they are manually cleaned or deleted.

Reverse Proxy

A web proxy that protects one or more web servers. All HTTP connections are opened to the reverse proxy. Once the
reverse proxy validates the connection from the client it opens a separate connection to the server and serves the
client connection.

Reverse Proxy Mode

A deployment mode of the SecureSphere gateway in which it acts as a reverse proxy. See also "Reverse Proxy".

Rogue Program

A rogue program is a term the media uses to denote any program intended to damage programs or data, or to breach
a system's security. It includes Trojan horse programs, logic bombs, and viruses.

Scuba

Scuba is the name of an Imperva tool that assesses the security configuration of databases.

SecureSphere

SecureSphere is the name of the product line dealt with in this glossary. This product contains and delivers the overall
security solutions for security and compliance of data-centers both in the database and in the web functional areas.
The SecureSphere product line includes the SecureSphere WAF for web and the SecureSphere DxG for database
security and compliance.

SecureSphere Administration Interface

A central component of the MX server that allows SecureSphere users to connect to the MX Server and perform
SecureSphere's management functions. The communication is web-based: the SecureSphere user works in a web browser,
and a web server on the MX server receives the requests and performs the appropriate management functions. See also
"SecureSphere User", "MX Server".

SecureSphere Appliance

The appliance that runs the SecureSphere software. The SecureSphere appliance is the hardware unit purchased by
the Imperva customer in order to use the SecureSphere product line.

SecureSphere Data Monitoring Gateway

This is one of the products in the SecureSphere product line. It has a similar function to the DsG, except that it does
not block traffic; it is generally used to monitor access to the database rather than to block unauthorized access.
This product includes the SecureSphere WAF capability. The product is deployed in Sniffing Mode (see also "DsG",
"Sniffing Mode").


SecureSphere Data Security Gateway

This is one of the products in the SecureSphere product line. It secures databases by inspecting database
transactions, blocking attacks and malicious traffic, and blocking and alerting on unauthorized access to the
database, and it includes various reporting capabilities used for compliance. This product includes the SecureSphere
WAF capability. The product is deployed in Inline Mode (see also "DsG", "Inline Mode").

SecureSphere Database Agent

A software component of the SecureSphere system that is installed on the customer's database server, monitors
database traffic and sends it to the SecureSphere gateway for further analysis. It is used when there is access to the
database server that the SecureSphere gateway cannot monitor directly (for example, when the DBA logs into the
database server over an encrypted channel that is not exposed to the SecureSphere gateway).

SecureSphere DB Agent

See also "SecureSphere Database Agent".

SecureSphere Gateway

This is the component in the SecureSphere system that inspects and analyzes network traffic to the database servers
and web servers. It detects malicious traffic and blocks it, and also reports to the management server (see MX server)
on both attacks and legitimate traffic for further analysis and compliance.

SecureSphere Management Server

See MX Server.

SecureSphere Security Engine

The SecureSphere security engine is the sum of the overall capabilities of the SecureSphere gateways to analyze
traffic and apply various security functions on it, such as blocking, alerting, and auditing (See also "Audit",
"SecureSphere Gateway").

SecureSphere Signature Database

A large collection of signatures that is managed and developed by Imperva's ADC. It is used to identify, alert on and
block viruses, worms and other attacks (See also "ADC", "Worm", "Virus", "Signature Policy").

SecureSphere System

The collection of components that make up SecureSphere. The SecureSphere system is made up of a management
server (see MX Server) and one or more SecureSphere gateways (see SecureSphere gateway).

SecureSphere User

The person who manages the SecureSphere product when it is deployed in the customer environment. This person
performs the management function by operating the SecureSphere system. SecureSphere Users are divided into
"Administrator Users", who are privileged users with full access to all of the management functions, and users who are
not "Administrator Users". These users have only partial privileges and perform a more limited or specific management
function.

Security Policy

A security policy is a SecureSphere policy that defines security conditions and SecureSphere's reaction to
these conditions (such as blocking a user). See also "Policy".

Server Group

A collection of servers that run identical web applications or DB applications on similar services. See also "Web
Application", "DB Application", "Service".

Service

A service is an object that is part of the SecureSphere MX Server. It describes how the application communicates with
the world and thus gives the SecureSphere gateway the information required to track the traffic that goes to
the application and understand it, so that the Security Engine can be applied to it. Examples of information in the
Service are encryption settings, language-oriented information and ports. See also "Port", "Application", "Security
Engine".

Service Level

Analysis that is done once the SecureSphere Gateway analyses the protocol entity related to the network traffic. An
example of service level enforcement is the validity of protocol messages. See also "Protocol".

Session

See also "Web Session"

See also "SecureSphere Signature Database"

Signature Detection

Detection of attacks based on signature match. See also "Signature", "ADC".

Signature Policy

A policy indicating what needs to be done when a signature violation is issued by the SecureSphere gateway. See also
"Violation", "Signature", "SecureSphere gateway".

Signatures

Signatures are text strings that match known server vulnerabilities and attack patterns. The SecureSphere® system
maintains a list of over 2500 signatures based on the Snort database and Imperva’s Application Defense Center (ADC).
The Imperva signature database also comprises signatures hand-crafted by the ADC to detect sophisticated
application-level attacks. See also "Snort", "ADC", "Regular Expression".

Signing Policy


The set of instructions indicating if specific information that is exported by SecureSphere should be digitally signed,
and with which key.

Simulation mode

A mode of the SecureSphere gateway where attacks are detected and alerts are issued, but traffic is never dropped.
This mode is used in order to verify that SecureSphere does not generate false positives.
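The following is an added example (not Imperva code) that models how the "Signatures", "Signature Policy", "Violation" and "Simulation mode" entries fit together: regex signatures are matched against a statement, the signature policy decides the action per signature, and simulation mode downgrades every block to an alert. The signature names, regexes and action names are constructed for illustration only.

```python
import re
from dataclasses import dataclass

# Constructed sample signatures (regular expressions over SQL text);
# not Imperva's signature database.
SIGNATURES = {
    "sql-comment-terminator": re.compile(r"--\s*$"),
    "union-select": re.compile(r"\bunion\b.*\bselect\b", re.I),
    "stacked-drop": re.compile(r";\s*drop\s+table\b", re.I),
}

# A signature policy maps each signature to the action taken when the
# gateway raises a signature violation. Action names are assumed.
POLICY = {
    "sql-comment-terminator": "alert",
    "union-select": "block",
    "stacked-drop": "block",
}


@dataclass
class Violation:
    signature: str
    action: str
    statement: str


def inspect(statement, policy=POLICY, simulation=False):
    """Return the violations a statement raises under the given policy.

    In simulation mode the gateway still detects and alerts but never
    drops traffic, so a 'block' action is downgraded to 'alert'."""
    violations = []
    for name, pattern in SIGNATURES.items():
        if pattern.search(statement):
            action = policy.get(name, "alert")
            if simulation and action == "block":
                action = "alert"
            violations.append(Violation(name, action, statement))
    return violations


def decide(statement, **kw):
    """'drop' if any violation blocks, else 'pass' (alerts are still logged)."""
    blocked = any(v.action == "block" for v in inspect(statement, **kw))
    return "drop" if blocked else "pass"
```

Running the same statement with `simulation=True` is how a policy can be validated for false positives before blocking is switched on.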

Site

An object on the MX Server that represents a geographic entity comprising any number of server groups (the virtual
entities protected by SecureSphere®). Every server group belongs to exactly one site (a default site exists after
installation). This object is very useful for administration purposes.
See also "MX Server", "Server Group".

Site Hierarchy

SecureSphere objects that describe the structure of the protected domain. They describe the server groups, services
and applications that are in the protected domain and the relations between them. See also "Protected Domain",
"Web Application", "DB Application".

Sniffer

A sniffer is a software program that monitors network traffic. Hackers use sniffers to capture data transmitted over a
network.

Sniffing

Sniffing happens when traffic that traverses between two network devices is copied to a third device for analysis
purposes. The device performing the sniffing is passive, i.e., it does not take an active part in the communication.

Sniffing Mode

One of the deployment modes of SecureSphere gateway. In this mode the SecureSphere gateway acts as a sniffing
device on the network. The gateway analyzes the sniffed traffic and thus performs a monitoring function (See also
"Sniffing", "DmG", "SecureSphere gateway").

Snort

A public database of signatures (not maintained by Imperva). See also "Signatures", "Imperva".
Snort is a free software network intrusion detection and prevention system capable of performing packet logging and
real-time traffic analysis, on IP networks. Snort was written by Martin Roesch but is now owned and developed by
Sourcefire, of which Roesch is the founder and current CTO.

SOAP

Simple Object Access Protocol. A protocol that describes a model for packing XML enquiries and responses.

SOAP Action


SecureSphere® automatically identifies URLs comprising XML and SOAP content. For each SOAP/XML URL,
SecureSphere presents all the SOAP actions that have been learned for this URL. If the URL does not include any SOAP
actions but does contain XML, SecureSphere shows this as the Default SOAP action. When the URL is switched to
protect mode, SecureSphere invokes the Unauthorized SOAP Action violation whenever someone attempts to access
the URL with an unauthorized SOAP action. See also "SOAP".

SOX (Sarbanes-Oxley)

A compliance standard: an act passed by the US Congress to protect investors from the possibility of fraudulent
accounting activities by corporations. According to SOX, both management and the external auditor are responsible
for performing assessments and having controls for the appropriate functioning of the corporation. See also
"Compliance".

SQL Injection

SQL injection is an attack that is used to take advantage of non-validated input vulnerabilities to pass SQL commands
through a Web application for execution by a backend database. Attackers take advantage of the fact that
programmers often chain together SQL commands with user-provided parameters, and can therefore embed SQL
commands inside these parameters. The result is that the attacker can execute arbitrary SQL queries and/or
commands on the backend database server through the Web application.
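As an added example (not code from the guide), the vulnerable pattern described above beside its hardened form: the first login check chains SQL text with user-provided parameters, the second passes them as bound parameters so the driver never parses them as SQL. The in-memory SQLite table and its rows are constructed sample data.

```python
import sqlite3


def make_db():
    """Constructed sample database: two users in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, name, pw):
    """Non-validated input concatenated into the SQL text.

    Quote characters in the parameters change the structure of the
    statement, so the database executes whatever the caller embedded."""
    query = ("SELECT name FROM users WHERE name = '%s' AND pw = '%s'"
             % (name, pw))
    return sorted(row[0] for row in conn.execute(query))


def login_parameterized(conn, name, pw):
    """Same check with bound parameters.

    The SQL command is fixed at compile time and the values travel as
    data, so they can never be interpreted as SQL commands."""
    query = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return sorted(row[0] for row in conn.execute(query, (name, pw)))


if __name__ == "__main__":
    db = make_db()
    injected = "x' OR '1'='1"      # constructed malformed password value
    print("vulnerable   :", login_vulnerable(db, "alice", injected))
    print("parameterized:", login_parameterized(db, "alice", injected))
```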

Stored Procedures

Stored procedures are scripts or code stored in the database that, when called by name from outside the database, perform
operations on the data stored in the database. See also "DB Server".

String

A string is a consecutive series of letters, numbers, and other characters. "afsH(*&@~" is a string; so is "The Mad
Hatter." Anti-virus applications often use specific strings, called virus signatures, to detect viruses. See also: signature.

Susceptible Directory

Susceptible Directories are directories on a web server that are prone to attacks by web worms.

System Boot Record

See: Boot record.

System Event

One of the message types that is issued by SecureSphere. It has an informative nature and deals with the internal
state of the system. Examples of system events are changes to objects in the SecureSphere system that are made by
administrators as part of the configuration process, and messages dealing with the CPU consumption
of the SecureSphere appliances.

System Objects

Objects that are created as an integral part of a database. For example, database schemas, tables, columns, or keys.


Table and Operations List

The tables and operations list is simply a learned list of all the tables and the operations performed on them. This list
is part of the DB Profile. See also "DB Profile".

Timestamp

The timestamp is the time of creation or last modification recorded on a file or another object. Users can usually find
the timestamp in the Properties section of a file.

TOM

TOM stands for Top of Memory. It is a design limitation at the 640kb mark on most PCs. Often the boot record does not
completely reach top of memory, thus leaving empty space. Boot-sector infectors often try to conceal themselves by
hiding around the top of memory. Checking the top of memory value for changes can help detect a virus, though there
are also non-viral reasons this value changes.

Transparent Inspection

Imperva’s Transparent Inspection technology delivers multi-gigabit performance, sub-millisecond latency, and
options for high availability that meet the requirements of the most demanding application and database
environments. Transparent Inspection enables SecureSphere to inspect network traffic at the highest level of security
while having a minimal effect on performance, and it is very easy to deploy.

Triggered Event

A triggered event is an action built into a virus that is set off by a specific condition. Examples include a message
displayed on a specific date or reformatting a hard drive after the 10th execution of a program.

Unauthorized Database User

Access to the database by a user that is not included in the DB Profile. See also "DB Profile".
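An added example (not Imperva code) that ties the "Table and Operations List" and "Unauthorized Database User" entries to the DB Profile: a profile is learned from observed traffic, then later records are checked against it. The audit records are constructed as (database user, operation, table) tuples, and the second violation name is assumed for illustration.

```python
from collections import defaultdict

# Constructed sample audit records seen during the learning phase;
# not output of a real SecureSphere gateway.
LEARNING_TRAFFIC = [
    ("app_svc", "SELECT", "orders"),
    ("app_svc", "INSERT", "orders"),
    ("app_svc", "SELECT", "customers"),
    ("report_ro", "SELECT", "orders"),
]


def learn_profile(records):
    """Adaptive learning: build the DB profile from observed traffic.

    The profile holds the set of database users seen and, per table,
    the operations performed on it (the table and operations list)."""
    profile = {"users": set(), "tables": defaultdict(set)}
    for user, op, table in records:
        profile["users"].add(user)
        profile["tables"][table].add(op)
    return profile


def check(profile, record):
    """Return the violation names a record raises once the profile is enforced."""
    user, op, table = record
    violations = []
    if user not in profile["users"]:
        violations.append("Unauthorized Database User")
    # Assumed name for an operation or table absent from the learned list.
    if op not in profile["tables"].get(table, set()):
        violations.append("Unknown Table Operation")
    return violations


if __name__ == "__main__":
    prof = learn_profile(LEARNING_TRAFFIC)
    for rec in [("app_svc", "SELECT", "orders"), ("dba_x", "DROP", "customers")]:
        print(rec, "->", check(prof, rec) or "ok")
```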

Unauthorized SOAP Action

A SOAP Action that is not included in the web profile. See also "Web Profile".

Has the following form: \\server\resource-pathname\subfolder\filename.

Unidirectional Tunnel

The SecureSphere DB agent captures all the database traffic throughout the monitoring process, and dispatches every
packet to a chosen SecureSphere gateway via a unidirectional tunnel. The agent only uses this tunnel to send these
audit records to a remote SecureSphere database gateway - not to listen to traffic from the gateway. The gateway
inspects these records just like regular traffic passing through it. However, due to the remote nature of the DB agent
(i.e., the traffic is not monitored in real time), SecureSphere does not block/terminate suspicious activity (using TCP
reset) detected in the traffic sent by the agent.

Unknown Attacks


The term "unknown attack", when used in the context of application security, generally refers to attacks that target
previously undocumented vulnerabilities in custom developed enterprise Web application code. Based on over 250
private and public sector penetration tests, Imperva's Application Defense Center has concluded that 92% of Web
applications are vulnerable to targeted attacks on internally developed code.

URL Rewrite Group

URL Rewrite Container - The collection of URL rewrite rules to be applied on a web service (Reverse Proxy mode only).

User Enrichment

The process of enriching event data with information about users from an outside source, for example Active
Directory.

User Mapping

The process of mapping between Active Directory users and database users.

Violation

In SecureSphere, a violation is a situation where the analysis of the network traffic indicates that the traffic is illegal
or not as would be expected under normal conditions.

WAF

Acronym for Web Application Firewall. See also "Web Application Firewall".

Warm Boot

Warm booting is restarting a computer without first turning off the power. Using CTL+ALT+DEL or the reset button on
many computers can warm boot a machine. See also: cold boot, reset.

Web Application

A web application is an application that runs on a web server and is accessed from the internet using the HTTP
protocol (web). Several web applications can run on a single web server. Each application is identified by a specific
HTTP header, the "host" header. In SecureSphere, a web application is identified by the HTTP "host" header
on a specific web server.

Web Application Firewall

The WAF protects web applications (malicious activity detection and prevention, overall application monitoring,
reporting). It offers unified protection against application logic attacks, worms and platform attacks, and network
attacks. It uses an automated security policy: dynamic profiling models the application's structure and dynamics and
adapts when the application changes. See also "FireWall".

Web Profile


The dynamic profile representing access of a web application. See also "Dynamic Profiling" and "web application".
The web profile contains all the URLs of a web application, and the way these URLs are accessed, including
parameters and HTTP methods.

XSS

See also "Cross-Site Scripting"

SSL Strip

SSL Strip is an attack that basically does not involve the target application. Here is how it works:

• A victim uses a browser to access an application by manually typing the application’s address in the browser’s
address bar (e.g. www.mybank.com).
• The browser’s default behavior is to use the HTTP protocol to carry this initial request (and in fact most users who
bother to type a scheme at all would type http://www.mybank.com).
• The attacker has already launched a DNS related attack that makes the victim’s computer send the
request to an attacker controlled server rather than to the real server.
• Since the request is an HTTP request and not an SSL request, the attacker can launch a man-in-the-middle
attack without making the browser aware of it (if the connection were an SSL connection, a browser warning
would have popped up).
• From that moment on the attacker has complete control over the session and can either use this merely for
credential theft (much like very simple phishing attacks) or control the entire session between the victim and
the target application.
• It has nothing to do with signatures; the victim does not necessarily interact with the target application during
the attack, nor does the attacker.
