| I'm not the best expert at this, but I followed a couple of security courses, so I do have some understanding. From my understanding: it is a monitoring system that detects malicious activity. How do they do this? Attackers need to find weaknesses. Where these weaknesses are is a pretty well-known topic. Database calls and I/O processing are weaknesses because if you can manipulate that you have a system compromise. Rendering pages is a weakness because of cross-site scripting issues or cross-site request forgery issues. (Duckduckgo is your friend if I am speaking in an ancient magic language ;-) ) An attacker needs to do some crazy stuff in order to exploit these weaknesses. In a lot of cases you can detect divergent behavior. For example, Let's say that an attacker successfully performs an SQL injection in the username. Then upon processing by the server, it executes an SQL command. This means that the server needs to execute a child process via a system call (system calls are an API exposed by the operating system to do stuff like file I/O or spawning processes and underly all of the I/O functions in any framework that you use). So what you could do is monitor these system calls and do a check on where they come from (you could do many more complicated things, I'm making this up as I write this, e.g. see [1]). Since this system call has to go through the monitoring, you could detect that this is coming from an HTTP login request, for which database writes are not allowed. On that moment you could halt execution. I am not saying that this is what they are doing, but upon reading it. It seems this is kind of what they are doing. Here is a paper on it. It might seem daunting, but it isn't since the paper describes the architecture [1]. The implementation might be more daunting depending on. your familiarity with C. [1] https://www.cs.vu.nl/~giuffrida/papers/dsn-2016.pdf |