A database intrusion detection system (DIDS) monitors database queries to
detect anomalous queries that might by symptomatic of a code injection
attack on the database. A proxy server intercepts HTTP messages from
clients that contain query data used to generate database queries. The
proxy server extracts the query data from a message and determines origin
data describing the origin of the message, such as the IP address of the
client that sent the message. The proxy server stores the query and
origin data in a cache. Upon detecting an anomalous query, the DIDS
extracts a portion of the query, such as the literals. The DIDS searches
the cache to identify entries having query data that match the extracted
portions of the query. The DIDS reports the origin data of the matching
cache entries.