Restricted replication for protection of replicated databases

US 10,043,026 B1
Filed: 11/09/2015
Issued: 08/07/2018
Est. Priority Date: 11/09/2015
Status: Active Grant

First Claim

Patent Images

1. An apparatus for providing protection for a plurality of data servers configured to provide data replication for a database, the apparatus comprising at least one processing circuit configured to:

receive records indicating respective modifications performed on a first version of the database stored in a first data server of the plurality of data servers; and

for at least one of the records;

determine a first risk level of the modification indicated by the record based on a first set of factors indicated in a security profile and deviation of the first set of factors from one or more baselines for data transactions, the first set of factors being indicative of anomalous data access activity and including a plurality of factors selected from the group consisting of;

size of data transactions, frequency of data transactions, historical pattern of data transactions, and authentication metrics of a user initiating the data transaction, and combinations thereof;

perform the modification indicated by the record on a second version of the database, stored in a second data server of the plurality of data servers, in response to the first risk level being less than a first threshold level indicated in the security profile; and

prevent the modification indicated by the record from being performed on the second version of the database in response to the first risk level being greater than or equal to the first threshold level.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Apparatuses and methods are disclosed for protection of data servers configured for data replication of a database. An example apparatus includes a processing circuit configured to receive records indicating respective modifications performed on a first version of the database stored in a first data server of the plurality of data servers. The processing circuit determines a risk level of a modification indicated by a record based on a set of factors indicated in a security profile, the set of factors being indicative of anomalous data access activity. The processing circuit performs the modification in a second data server, in response to the risk level being less than a threshold level indicated in the security profile. The processing circuit prevents the modification indicated by the record from being performed in the second data server in response to the risk level being greater than or equal to the threshold level.

Citations

20 Claims

1. An apparatus for providing protection for a plurality of data servers configured to provide data replication for a database, the apparatus comprising at least one processing circuit configured to:
- receive records indicating respective modifications performed on a first version of the database stored in a first data server of the plurality of data servers; and
  
  for at least one of the records;
  
  determine a first risk level of the modification indicated by the record based on a first set of factors indicated in a security profile and deviation of the first set of factors from one or more baselines for data transactions, the first set of factors being indicative of anomalous data access activity and including a plurality of factors selected from the group consisting of;
  
  size of data transactions, frequency of data transactions, historical pattern of data transactions, and authentication metrics of a user initiating the data transaction, and combinations thereof;
  
  perform the modification indicated by the record on a second version of the database, stored in a second data server of the plurality of data servers, in response to the first risk level being less than a first threshold level indicated in the security profile; and
  
  prevent the modification indicated by the record from being performed on the second version of the database in response to the first risk level being greater than or equal to the first threshold level.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The apparatus of claim 1, wherein the at least one processing circuit is further configured and arranged to:
    - determine a second risk level of the modification indicated by the record based upon a second set of factors indicated in the security profile;
      
      perform the modification indicated by the record on a third version of the database stored in a third data server of the plurality of data servers in response to the second risk level being less than a second threshold level indicated in the security profile; and
      
      prevent the modification indicated by the record from being performed on the third version of the database in response to the second risk level being greater than or equal to the second threshold level, wherein the second threshold level is different than the first threshold level.
  - 3. The apparatus of claim 2, wherein the at least one processing circuit is communicatively coupled to each of the plurality of data servers via a data network, wherein the modification is prevented from the first or second version of the database responsive to a weighted sum of quantized values of the respective set of factors exceeding the first or second threshold level.
  - 4. The apparatus of claim 2, wherein the at least one processing circuit includes a first processing circuit in the second data server and a second processing circuit in the third data server, wherein the first and second threshold levels are different levels and which are specified in the security profile.
  - 5. The apparatus of claim 2, wherein the at least one processing circuit is further configured and arranged to:
    - store the records indicating respective modifications; and
      
      prevent performance of the modification indicated by the record on the second version of the database stored in the second data server until the record has been stored for a first length of time specified for the second data server in the security profile, wherein the first and second set of factors are different from one other.
  - 6. The apparatus of claim 5, wherein the at least one processing circuit is further configured and arranged to prevent performance of the modification indicated by the record on the third version of the database stored in the third data server until the record has been stored for a second length of time specified for the third data server in the security profile.
  - 7. The apparatus of claim 6, wherein the at least one processing circuit is further configured and arranged to, in response to determining that the modification indicated by the record is indicative of anomalous data access activity:
    - determine a subset of the plurality of data servers that have not performed the modification;
      
      select a data server in the subset of the plurality of data servers that is the most up-to-date;
      
      undo the modification in one or more of the plurality of data servers based on data stored in the selected data server; and
      
      take the first data server offline in response to the first risk level being greater than or equal to the first threshold level.
  - 8. The apparatus of claim 2, wherein the at least one processing circuit is configured and arranged to determine at least one of the first and second risk levels based on deviations of the modification indicated by the record from a historic profile.
  - 9. The apparatus of claim 1, wherein the at least one processing circuit is further configured to provide, to an authorized user, a notification in response to the risk level being greater than or equal to the first threshold level.
  - 10. The apparatus of claim 1, further comprising the plurality of data servers, wherein the at least one processing circuit further configured to adjust the set of factors over time responsive to false positives and false negatives.

11. A method for providing protection for a plurality of data servers configured to provide data replication for a database, the method comprising using at least one processing circuit communicatively coupled to the plurality of data servers:
- receiving records indicating respective modifications performed on a first version of the database stored in a first data server of the plurality of data servers; and
  
  for at least one of the records;
  
  determining a first risk level of the modification indicated by the record based on a first set of factors indicated in a security profile, the first set of factors being indicative of anomalous data access activity;
  
  performing the modification indicated by the record on a second version of the database, stored in a second data server of the plurality of data servers, in response to the first risk level being less than a first threshold level indicated in the security profile; and
  
  preventing the modification indicated by the record from being performed on the second version of the database in response to the first risk level being greater than or equal to the first threshold level.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, wherein the first set of factors and include a plurality of factors selected from the group consisting of:
    - size of data transactions, frequency of data transactions, historical pattern of data transactions, and authentication metrics of a user initiating the data transaction, and combinations thereof, the method further comprising;
      
      determining a second risk level of the modification indicated by the record based upon a second set of factors indicated in the security profile;
      
      performing the modification indicated by the record on a third version of the database stored in a third data server of the plurality of data servers in response to the second risk level being less than a second threshold level indicated in the security profile; and
      
      preventing the modification indicated by the record from being performed on the third version of the database in response to the second risk level being greater than or equal to the second threshold level.
  - 13. The method of claim 12, wherein the at least one processing circuit includes a first processing circuit in the second data server and a second processing circuit in the third data server.
  - 14. The method of claim 12, further comprising:
    - storing the records indicating respective modifications; and
      
      preventing performance of the modification indicated by the record on the second version of the database stored in the second data server until the record has been stored for a first length of time specified for the second data server in the security profile.
  - 15. The method of claim 14, further comprising preventing performance of the modification indicated by the record on the third version of the database stored in the third data server until the record has been stored for a second length of time specified for the third data server in the security profile.
  - 16. The method of claim 15, further comprising in response to determining that the modification indicated by the record is indicative of anomalous data access activity:
    - determining a subset of the plurality of data servers that have not performed the modification;
      
      selecting a data server in the subset of the plurality of data servers that is the most up-to-date; and
      
      undoing the modification in one or more of the plurality of data servers based on data stored in the selected data server.
  - 17. The method of claim 16, redirecting one or more end-users to the selected data server.
  - 18. The method of claim 12, further comprising determining at least one of the first and second risk levels based on deviations of the modification indicated by the record from a historic profile.
  - 19. The method of claim 11, further comprising providing, to an authorized user, a first notification in response to the risk level being greater than or equal to the first threshold level.
  - 20. The method of claim 11, wherein the determining of the first risk level includes determining whether the modification matches a signature included in the security profile, the signature being indicative of an unintended deletion.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
8X8, Inc.
Original Assignee
8X8, Inc.
Inventors
Salour, Mehdi, Rengarajan, Raghu
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Chao, Michael W

Application Number

US14/936,365
Time in Patent Office

1,002 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/1458   Management of the backup or...

G06F 11/1461   Backup scheduling policy

G06F 11/1658   Data re-synchronization of ...

G06F 11/2097   maintaining the standby con...

G06F 16/1844   Management specifically ada...

G06F 16/2365   Ensuring data consistency a...

G06F 16/27   Replication, distribution o...

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/568   eliminating virus, restorin...

G06F 2201/81   Threshold

G06F 2201/84   Using snapshots, i.e. a log...

G06F 2201/87   Monitoring of transactions

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 67/306   User profiles

Restricted replication for protection of replicated databases

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Restricted replication for protection of replicated databases

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links