Any developer or security engineer would agree when I say this: injection attacks never start loudly.
They slip in through everyday moments like a login box, a search bar, an API call that looks harmless. One tiny input field, and suddenly a database is doing something no one asked it to do. Logs look clean and dashboards stay green. But the application’s behavior quietly drifts into territory that doesn’t feel right.
That’s the gap US11736499B2 tries to close. Instead of scanning for suspicious keywords or signatures, it learns what normal looks like inside an application. Then it catches anything that behaves differently, whether that’s SQL, NoSQL, OS commands, JSON payloads, or LDAP queries.
This technology has already made its way into a case in the Eastern District of Texas, underscoring how significant it has become.
Using the Global Patent Search tool, we examined where this invention fits within the broader shift toward behavior-based exploit detection.
What US11736499B2 Patent Is Actually Solving
To understand US11736499B2, it helps to picture what really happens inside an application the moment it receives external input. A user clicks a button, submits a form, or hits an API endpoint, and the application runs a function that accepts that free-form data.
Most of the time, the function executes exactly the way the developers intended. But when an attacker slips in malicious code like a command, a query, or a payload, the execution path quietly changes.
The patent focuses on spotting that shift. Instead of trying to guess what malicious input looks like, it builds a model of legitimate behavior immediately after an execution function is invoked. Then it compares the real behavior to that model. If the application starts making unusual calls, accessing unexpected files, or building queries that don’t fit the normal pattern, the system flags it.
To avoid false alarms, it also checks whether the unusual behavior came from functions that actually accept external input, which is often where injection attacks hide.
In simple terms, the patent teaches the system to understand this is how the app behaves when things are fine so it can immediately recognize this isn’t fine.
The Core Capabilities That Make US11736499B2 Work
Here’s the breakdown of the core capabilities that make this patent actually effective in real-world environments.
1. Builds a model of normal execution behavior: Instead of scanning every request for suspicious strings, the system learns how the application usually behaves right after it receives external input. This baseline becomes the reference point for spotting anything unusual.
2. Detects when behavior quietly deviates: If a user input leads the application down a different execution path, spawns unexpected processes, constructs unfamiliar queries, or touches files it normally wouldn’t, the system immediately notices the drift.
3. Validates the source of the anomaly: The system checks whether the deviation actually came from a function that accepts user input, a crucial step that reduces noise and avoids false positives.
4. Works across multiple injection types: Whether the exploit is SQL, NoSQL, OS command, JSON, XPath, or LDAP-based, the system detects it by analyzing the behavior that follows, not the input itself.
5. Uses call graphs, ASTs, and parse trees for deeper insight: Behind the scenes, the system builds structured representations of the code’s execution flow. These models help it spot injected logic that doesn’t belong in the legitimate sequence.
Together, these features give the system a clear sense of what normal looks like, making it far easier to spot when an injection exploit tries to push the application into unfamiliar territory.
You see a similar pattern in multi-step verification systems where even small shifts in how credentials are exchanged can reveal early signs of abnormal behavior.
How Earlier Patents Shaped the Path to US11736499B2
Before understanding where US11736499B2 stands today, it helps to look back at the ideas that came before it. Injection exploits aren’t new, and neither are the attempts to detect or contain them.
Using the Global Patent Search tool, we traced the earlier filings that tackled pieces of the same problem. When placed side by side, these patents show how the field gradually moved toward behavior-based exploit detection, ultimately setting the stage for the approach in US11736499B2.
Let’s have a look at some of them:
1. US2009049547A1
US2009049547A1 was filed in 2007 by a team trying to deal with one of the most common web attacks at the time: SQL injection.
Back then, security tools mostly depended on signature lists. If a request contained a familiar pattern like 1=1 or certain special characters, the system flagged it. The problem was that attackers kept changing their techniques. As soon as a new trick appeared, signature-based tools had no idea what to look for.
This patent tried something smarter. Instead of hunting for dangerous characters, it learned what normal web requests and database queries usually looked like. It studied how long parameters typically were, which characters they contained, and how these inputs translated into SQL activity. When a request behaved differently from the usual pattern, the system treated it as a possible attack.
That idea connects neatly to US11736499B2. Both inventions believe that behavior gives away an attack more reliably than keywords. The difference is in how far they go. This older patent focuses on unusual parameter values and odd SQL queries, while US11736499B2 digs deeper into the execution flow itself and looks at how an application behaves after the input is processed.
The Bigger Picture
The patent represents an early move toward behavior-based detection. It shows how the industry was starting to realize that SQL injections cannot be caught only by scanning text. By learning the normal rhythm of an application and its database, the patent helped set the stage for more advanced systems that watch execution, not just inputs.
Behavior-based approaches also appear in network DoS defense systems, which monitor execution paths that drift away from the normal traffic rhythm.
2. CN107222494A
CN107222494A was filed in 2017 by Shanghai Red Array Mdt Infotech Ltd., trying to solve a problem most security engineers were already frustrated with. Traditional SQL injection defenses depended almost entirely on blacklists. If the input contained certain characters or known patterns, the system blocked it. The problem was that attackers kept inventing new variations. Every time a new SQL injection trick showed up, these systems failed because they only knew how to detect yesterday’s attacks.
The patent approached the issue from a different angle. Instead of guessing what an attack might look like, it marked every SQL keyword in the outgoing query with a unique tag before any user input was added. When the user’s parameters were later merged into the SQL statement, the system checked whether every keyword still carried the original tag. If it found a keyword that appeared without the expected tag, it knew the input contained injected SQL and blocked it.
This approach matters for US11736499B2 because both inventions try to address the same blind spot in older solutions. They look beyond signature lists and attempt to validate the integrity of what the application actually executes. CN107222494A focuses on tagging SQL keywords to ensure the query stays unaltered, while US11736499B2 goes deeper by modeling the application’s behavior itself rather than analyzing the query structure.
The Bigger Picture
The patent reflects an interesting shift in SQL injection defense. It shows how developers began focusing on validating the structure of the final query instead of scanning user input alone. By tagging SQL keywords and verifying them before execution, the invention introduced a simple but effective safeguard against unknown injection patterns.
If you want to see how secure communication works at the network level, our analysis of US7233664B2 explains how dynamic key updates and synchronized authentication help protect wireless nodes from insider threats and unauthorized access.
3. CN109324985A
CN109324985A, filed in 2018 by China Network Information Security, looks to solve a growing problem in SQL injection detection. Older systems depended heavily on hand-written rules, blacklists and developer-defined patterns. These worked for known attacks, but once something new appeared, the system simply could not recognize it. As attackers began automating their tools, rule-based detection quickly fell behind.
It rethinks the entire approach by using machine learning instead of fixed signatures. Rather than relying on background knowledge of the database or the application, the system studies real user inputs and learns which ones resemble normal behavior. When a request looks unusual, the model flags it and assigns a threat level. Because the system generates a dynamic whitelist based on actual traffic patterns, it adapts to each environment instead of depending on predefined rules.
This matters for US11736499B2 because both filings move away from rigid pattern matching. CN109324985A focuses on learning input characteristics automatically, while US11736499B2 takes the next step by learning the behavior of the application after the input is processed. One watches what the user submits. The other watches what the application does in response.
The Bigger Picture
This patent marks an early shift toward adaptive, machine-learning-based defense. It shows how security teams began accepting that static rules cannot keep up with modern attack methods. By learning input patterns automatically and adjusting to the environment, the idea paved the way for richer behavioral models.
4. CN102833270A
CN102833270A was published in 2012, at a time when most SQL injection defenses were still built on regular expressions. Security tools tried to catch attacks by matching certain characters or known patterns. The problem was obvious. There were too many attack variations, and regular expressions could never cover them all. The moment a new injection pattern appeared, these systems had no way to recognize it. If you kept adding more expressions, the false positives went up, and system performance went down.
CN102833270A approached the problem very differently. Instead of scanning for suspicious strings, it broke each incoming request into structured components and applied lexical analysis, grammar analysis, and semantic analysis. By building an SQL syntax tree from the user’s input, it checked whether the final structure still made sense according to the SQL language rules. If the syntax tree could only be built by including harmful operations, or if the input produced SQL code that violated the expected structure, the system treated it as a likely injection attempt.
This is relevant to US11736499B2 because both filings move away from surface-level input checks and focus on understanding what the application is actually executing. CN102833270A evaluates the shape and meaning of the SQL being formed, while US11736499B2 models the execution behavior itself. One examines the structure of the query. The other examines the path the application follows when processing it.
The Bigger Picture
This patent shows how the industry began shifting from static pattern matching to deeper structural analysis. By using lexical processing, SQL grammar rules, and semantic checks, it provided a more intelligent way to distinguish real SQL code from injected fragments. It offered better accuracy, fewer false alarms, and clearer insight into the attacker’s intent.
You can have a look at US7249262B2 to know how browser-level execution tracking often uses the same idea by tracing how a command moves through an execution path instead of only validating the raw input.
5. CN108521392A
CN108521392A was published in 2018, when security teams were struggling with a different challenge. They could often detect SQL injection attempts, but they could not easily tell which attacks had actually succeeded. Most tools only looked at the request going into the server. They never checked the response coming back out. As a result, defenders had no visibility into whether the attacker managed to steal data or not.
The patent takes a more practical and investigative approach. Instead of looking at just one side of the conversation, it analyzes traffic in both directions. First, it uses layered regular expressions to capture anything that resembles SQL injection behaviour. Then it compares the suspicious request with the response from the server. If the response contains the same patterns that appeared in the request, the system concludes that the injection actually worked and leaked data. Once the attack is confirmed, the method extracts the stolen information to help security teams understand what was exposed.
CN108521392A naturally connects to US11736499B2 because both inventions aim to overcome shallow pattern matching. CN108521392A focuses on matching the attacker’s request with the server’s response to determine if the attack succeeded. US11736499B2 goes further by analyzing the application’s internal execution behaviour.
The Bigger Picture
This patent shows a shift toward understanding the real impact of an attack instead of just detecting suspicious inputs. By examining both request and response traffic, it gives a more accurate picture of what actually happened. It not only identifies the attack but also reveals what data was leaked.
Systems built for secure mobile verification follow a comparable principle by monitoring how user inputs influence the final transaction flow rather than relying only on static filters. You can explore our article on US10032156B2 to know more about the mobile verification system.
A Quick Look at How These Patents Compare
When you place these patents next to each other, the bigger pattern becomes obvious. Every inventor was trying to catch SQL injection, but each one approached the threat from a different angle.
Some relied on tags, others trusted machine learning, and some focused entirely on traffic behaviour. By lining them up, you can see what each idea solved, what it missed, and how US11736499B2 pushes the field forward.
| Patent | Core Approach | What It Detects Well | How It Compares to US11736499B2 |
| US2009049547A1 | Learns normal SQL behavior and flags unusual patterns | Great for catching unknown and zero-day SQL injections | Shares the idea of baseline learning, but US11736499B2 models full execution behavior instead of just SQL traffic |
| CN107222494A | Tags SQL keywords and checks whether injected input breaks expected structure | Strong at identifying structural manipulation in SQL statements | More rule-driven, while US11736499B2 adapts to varied execution flows |
| CN109324985A | Machine learning classifier for risky SQL input | Adapts well to new or evolving patterns | US11736499B2 avoids training data dependency through execution-flow modeling |
| CN102833270A | Builds SQL syntax trees and analyzes semantics | Detects deeper, grammar-based SQL manipulations | US11736499B2 identifies anomalies earlier during function execution rather than at query level |
| CN108521392A | Inspects both request and response traffic to confirm attack success | Useful for confirming data leakage after an exploit | US11736499B2 focuses on stopping exploits during execution, before leakage occurs |
Seeing the Bigger Security Story with GPS
Each patent you’ve just explored tackles SQL or command injection from a different angle. Some lean on anomaly detection, some tag SQL keywords, some build syntax trees, and others analyze both request and response traffic. When you stitch them together, you begin to see how the entire field has evolved.
That’s exactly what the Global Patent Search tool helps you do. Instead of looking at these inventions in isolation, GPS lets you follow how ideas build on each other and how newer solutions like US11736499B2 push the boundary further.
Here are 5 simple steps to use GPS:
- Start with the patent number and instantly see related inventions on the technology. For US11736499B2, the surfaced patents could be related to SQL detection, anomaly scoring, OS-level monitoring, or traffic analysis.
- View short, meaningful snippets that highlight how each idea improved on earlier weaknesses.
- Jump into full documents when you want deeper technical context.
- Spot patterns across different domains, like intrusion detection, behavior modeling, and machine learning.
- Understand how approaches matured from keyword filtering to full execution-flow monitoring.
With GPS, you’re not just searching patents, you’re following the story of how injection-attack defense became smarter, faster, and more adaptive.
Explore more such patents and try to tool today!
Disclaimer: The information provided in this article is for informational purposes only and should not be considered legal advice. The related patent references mentioned are preliminary results from the Global Patent Search tool and do not guarantee legal significance. For a comprehensive related patent analysis, we recommend conducting a detailed search using GPS or consulting a patent attorney.
Frequently Asked Questions
1. What exactly is an injection exploit?
An injection exploit happens when an attacker sneaks malicious commands or queries into a system through user input fields. Instead of treating the input as data, the system mistakenly treats it as executable code, allowing the attacker to run commands or change queries.
2. Why are injection attacks still so common?
Most applications rely heavily on external input. Any field that accepts user data like search boxes, forms, API calls, URL parameters, can become an entry point if validation is weak. Attackers only need a browser and some crafted inputs to find vulnerabilities.
3. What is an execution function?
An execution function is any application-level function that receives external values and uses them to build or run commands. Examples include SQL query builders, shell command executors, JSON parsers, or script evaluators. Because these functions interact closely with interpreters, they become natural targets for attackers who want to influence program behavior through carefully shaped input.
4. What role do dynamic call graphs play?
Dynamic call graphs map the sequence of function calls triggered by a request. In normal operation, these patterns remain consistent. When an attacker injects malicious content, the execution flow often branches into unexpected paths, introduces new nodes, or triggers functions that shouldn’t be accessed.
