Directing audited data traffic to specific repositories

US 10,110,637 B2
Filed: 10/22/2017
Issued: 10/23/2018
Est. Priority Date: 12/08/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for auditing data traffic, the computer-implemented method comprising:

monitoring data traffic on a network and collecting data access elements of the data traffic;

comparing the collected data access elements to security rules;

sending an audit data collection to a repository in response to one or more compared data access elements of a data access matching a condition of one of the security rules, wherein the one of the security rules having the condition designates the audit data collection and the repository;

applying, in response to the matching the condition, a tag to the data traffic of the data access and discontinuing, responsive to applying the tag, the comparing of the collected data access elements to the corresponding one of the security rules having the matching condition, wherein the tag indicates the repository and the data traffic includes at least one of a connection and session; and

sending, in response to the tag in the tagged data traffic, the audit data collection to the repository indicated by the tag for the data access, wherein the computer-implemented method continues sending audit data for future data accesses that are in the tagged data traffic without the comparing to the corresponding one of the security rules again.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Data traffic is monitored on a network with data access elements thereof collected and compared to security rules. An audit data collection is sent to a repository responsive to data access elements matching a condition of the security rules, where security rules having the condition designate the audit data collection and repository. A tag to data traffic is applied responsive to the matching condition. Comparing of collected data access elements to the corresponding security rules having the matching condition is discontinued responsive to applying the tag. The tag indicates a repository and the data traffic includes a connection and session. An audit data collection is sent to the repository indicated by the tag for a data access responsive to the tag in the tagged data traffic. The method continues sending audit data for future data accesses in the tagged data traffic without comparing to the corresponding security rules again.

Citations

20 Claims

1. A computer-implemented method for auditing data traffic, the computer-implemented method comprising:
- monitoring data traffic on a network and collecting data access elements of the data traffic;
  
  comparing the collected data access elements to security rules;
  
  sending an audit data collection to a repository in response to one or more compared data access elements of a data access matching a condition of one of the security rules, wherein the one of the security rules having the condition designates the audit data collection and the repository;
  
  applying, in response to the matching the condition, a tag to the data traffic of the data access and discontinuing, responsive to applying the tag, the comparing of the collected data access elements to the corresponding one of the security rules having the matching condition, wherein the tag indicates the repository and the data traffic includes at least one of a connection and session; and
  
  sending, in response to the tag in the tagged data traffic, the audit data collection to the repository indicated by the tag for the data access, wherein the computer-implemented method continues sending audit data for future data accesses that are in the tagged data traffic without the comparing to the corresponding one of the security rules again.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein sending the audit data collection to the repository in response to the one or more data access elements of the data access matching the condition of one of the security rules includes:
    - sending a first audit data collection to a first repository in response to one or more data access elements of a first data access matching a first condition of one of the security rules, wherein the one of the security rules having the first condition designates the first audit data collection and the first repository;
      
      sending a second audit data collection to a second repository in response to one or more data access elements of a second data access matching a second condition of one of the security rules, wherein the one of the security rules having the second condition designates the second audit data collection and the second repository.
  - 3. The method of claim 2, wherein the one or more data access elements for the first condition indicate a less suspicious data access than the one or more data access elements for the second condition and wherein the first repository has a lower audit priority than the second repository, wherein in the sending of the first audit data collection to the first repository, the first audit data collection is for a less suspicious data access and is sent to a lower audit priority repository and in the sending of the second audit data collection to the second repository, the second audit data collection is for a more suspicious data access and is sent to a higher audit priority repository.
  - 4. The method of claim 2, wherein the one or more data access elements for the first condition define a first data identity and the one or more data access elements for the second condition define a second data identity, wherein in the sending of the first audit data collection to the first repository, the first audit data collection is for a data access matching the first data identity and in the sending of the second audit data collection to the second repository, the second audit data collection is for a data access matching the second data identity.
  - 5. The method of claim 4, wherein the first data identity and the second data identity include an identity of one or more of a table, field, database name, database type, text string, XML pattern or SOL pattern.
  - 6. The method of claim 4, wherein the first data identity is for data having a sensitivity level and the second data identity is for data having a higher data sensitivity level than the sensitivity level, wherein in the sending of the first audit data collection to the first repository, the first audit data collection is for a less sensitive data access and in the sending of the second audit data collection to the second repository, the second audit data collection is for a more sensitive data access.
  - 7. The method of claim 2, wherein a first data access element for the first condition defines an amount of data accessed and a second data access element for the second condition defines a larger amount of data accessed, wherein in the sending of the first audit data collection to the first repository, the first audit data collection is for a smaller data access and in the sending of the second audit data collection to the second repository, the second audit data collection is for a larger data access.

8. A system comprising:
- at least one hardware computing processor; and
  
  a non-transitory computer-readable storage media connected to the at least one hardware computing processor, wherein the non-transitory computer-readable storage media has stored thereon a data traffic auditing program for controlling the at least one hardware computing processor, and wherein the at least one hardware computing processor is operative with the data traffic auditing program to execute for;
  
  monitoring data traffic on a network and collecting data access elements of the data traffic;
  
  comparing the collected data access elements to security rules;
  
  sending an audit data collection to a repository in response to one or more compared data access elements of a data access matching a condition of one of the security rules, wherein the one of the security rules having the condition designates the audit data collection and the repository;
  
  applying, in response to the matching the condition, a tag to the data traffic of the data access and discontinuing, responsive to applying the tag, the comparing of the collected data access elements to the corresponding one of the security rules having the matching condition, wherein the tag indicates the repository and the data traffic includes at least one of a connection and session; and
  
  sending, in response to the tag in the tagged data traffic, the audit data collection to the repository indicated by the tag for the data access, wherein the system continues sending audit data for future data accesses that are in the tagged data traffic without the comparing to the corresponding one of the security rules again.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein sending the audit data collection to the repository in response to the one or more data access elements of the data access matching the condition of one of the security rules includes:
    - sending a first audit data collection to a first repository in response to one or more data access elements of a first data access matching a first condition of one of the security rules, wherein the one of the security rules having the first condition designates the first audit data collection and the first repository;
      
      sending a second audit data collection to a second repository in response to one or more data access elements of a second data access matching a second condition of one of the security rules, wherein the one of the security rules having the second condition designates the second audit data collection and the second repository.
  - 10. The system of claim 9, wherein the one or more data access elements for the first condition indicate a less suspicious data access than the one or more data access elements for the second condition and wherein the first repository has a lower audit priority than the second repository, wherein in the sending of the first audit data collection to the first repository, the first audit data collection is for a less suspicious data access and is sent to a lower audit priority repository and in the sending of the second audit data collection to the second repository, the second audit data collection is for a more suspicious data access and is sent to a higher audit priority repository.
  - 11. The system claim 9, wherein the one or more data access elements for the first condition define a first data identity and the one or more data access elements for the second condition define a second data identity, wherein in the sending of the first audit data collection to the first repository, the first audit data collection is for a data access matching the first data identity and in the sending of the second audit data collection to the second repository, the second audit data collection is for a data access matching the second data identity.
  - 12. The system of claim 11, wherein the first data identity and the second data identity include an identity of one or more of a table, field, database name, database type, text string, XML pattern or SOL pattern.
  - 13. The system of claim 11, wherein the first data identity is for data having a sensitivity level and the second data identity is for data having a higher data sensitivity level than the sensitivity level, wherein in the sending of the first audit data collection to the first repository, the first audit data collection is for a less sensitive data access and in the sending of the second audit data collection to the second repository, the second audit data collection is for a more sensitive data access.
  - 14. The system of claim 9, wherein a first data access element for the first condition defines an amount of data accessed and a second data access element for the second condition defines a larger amount of data accessed, wherein in the sending of the first audit data collection to the first repository, the first audit data collection is for a smaller data access and in the sending of the second audit data collection to the second repository, the second audit data collection is for a larger data access.

15. A non-transitory computer program product for auditing data traffic, the non-transitory computer program product comprising:
- a non-transitory computer-readable storage medium; and
  
  computer-readable program code embodied in the non-transitory computer-readable storage medium, wherein the computer-readable program code is configured to cause at least one computing processor to;
  
  monitoring data traffic on a network and collecting data access elements of the data traffic;
  
  comparing the collected data access elements to security rules;
  
  sending an audit data collection to a repository in response to one or more compared data access elements of a data access matching a condition of one of the security rules, wherein the one of the security rules having the condition designates the audit data collection and the repository;
  
  applying, in response to the matching the condition, a tag to the data traffic of the data access and discontinuing, responsive to applying the tag, the comparing of the collected data access elements to the corresponding one of the security rules having the matching condition, wherein the tag indicates the repository and the data traffic includes at least one of a connection and session; and
  
  sending, in response to the tag in the tagged data traffic, the audit data collection to the repository indicated by the tag for the data access, wherein the computer-readable program code is further configured to cause the at least one computing processor to sending audit data for future data accesses that are in the tagged data traffic without the comparing to the corresponding one of the security rules again.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer program product of claim 15, wherein sending the audit data collection to the repository in response to the one or more data access elements of the data access matching the condition of one of the security rules includes:
    - sending a first audit data collection to a first repository in response to one or more data access elements of a first data access matching a first condition of one of the security rules, wherein the one of the security rules having the first condition designates the first audit data collection and the first repository;
      
      sending a second audit data collection to a second repository in response to one or more data access elements of a second data access matching a second condition of one of the security rules, wherein the one of the security rules having the second condition designates the second audit data collection and the second repository.
  - 17. The non-transitory computer program product of claim 16, wherein the one or more data access elements for the first condition indicate a less suspicious data access than the one or more data access elements for the second condition and wherein the first repository has a lower audit priority than the second repository, wherein in the sending of the first audit data collection to the first repository, the first audit data collection is for a less suspicious data access and is sent to a lower audit priority repository and in the sending of the second audit data collection to the second repository, the second audit data collection is for a more suspicious data access and is sent to a higher audit priority repository.
  - 18. The non-transitory computer program product of claim 16, wherein the one or more data access elements for the first condition define a first data identity and the one or more data access elements for the second condition define a second data identity, wherein in the sending of the first audit data collection to the first repository, the first audit data collection is for a data access matching the first data identity and in the sending of the second audit data collection to the second repository, the second audit data collection is for a data access matching the second data identity.
  - 19. The non-transitory computer program product of claim 18, wherein the first data identity and the second data identity include an identity of one or more of a table, field, database name, database type, text string, XML pattern or SOL pattern.
  - 20. The non-transitory computer program product of claim 18, wherein the first data identity is for data having a sensitivity level and the second data identity is for data having a higher data sensitivity level than the sensitivity level, wherein in the sending of the first audit data collection to the first repository, the first audit data collection is for a less sensitive data access and in the sending of the second audit data collection to the second repository, the second audit data collection is for a more sensitive data access.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Foley, Sean C., Segal, Ury, Shan, Shidong
Primary Examiner(s)
Lwin, Maung T

Application Number

US15/790,027
Publication Number

US 20180063196A1
Time in Patent Office

366 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 43/08   Monitoring or testing based...

H04L 63/105   Multiple levels of security

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/20   for managing network securi...

Directing audited data traffic to specific repositories

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Directing audited data traffic to specific repositories

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links