Immutable logging of access requests to distributed file systems

US 10,114,970 B2
Filed: 08/11/2017
Issued: 10/30/2018
Est. Priority Date: 06/02/2015
Status: Active Grant

First Claim

Patent Images

1. A tangible, non-transitory, machine-readable medium storing instructions that when executed by one or more processors effectuate operations comprising:

receiving, with one or more processors, a request to access a distributed data store, wherein;

the request is a request to read from or write to a unit of content pertaining to a workload application;

the distributed data store stores a plurality of units of content that are each distributed among multiple computing entities hosting different subsets of data of the distributed data store;

each computing entity among the multiple computing entities corresponds to a different host at a different user-space instance of one or more different computing devices; and

each unit of content requires information from a plurality of computing entities to read the respective unit of content;

when writing each unit of content, different portions of information required to access the respective unit of content are written to different ones of the multiple computing entities such that no single one of the multiple computing entities stores all of the information required to access the respective unit of content;

causing, with one or more processors of a computing device configured to participate in combining the information from the plurality of computing entities to access units of content, logging of the request in an entry in a tamper-evident log, wherein the tamper-evident log defines one or more sequences of cryptographic hash values based on earlier logged entries;

storing, with one or more processors, the tamper-evident log in memory;

determining, with one or more processors, whether the tamper-evident log evinces tampering of log entries based on consistency of at least one of the sequences of cryptographic hash values with at least some entries in the tamper-evident log;

determining, with one or more processors, a risk metric based on other access requests documented in the tamper-evident log and the request;

storing, with one or more processors, the risk metric in memory;

determining, with one or more processors, that the risk metric satisfies a threshold; and

in response to the determination, disabling, with one or more processors, a user account associated with the request, wherein disabling a user account associated with the request comprises disabling the user account during an active session in which the user account is authenticated in real time with the determination, wherein;

the tamper-evident log comprises a blockchain having cryptographic hash pointers between sequential blocks of the blockchain and Merkle trees within blocks of the blockchain, the cryptographic hash pointers being based on a cryptographic hash function that implements a Merkle-Damgå

rd hash function;

determining an authoritative entry among a distributed set of instances of the blockchain does not require a proof-of-work from computing devices implementing each of the set of instances;

a given entry in the tamper-evident log comprises;

an identifier of a user account having credentials by which authorization to perform a corresponding database access operation is requested; and

a timestamp of the corresponding database access operation; and

the given entry further specifies a database application program interface command by which the corresponding access operation is expressed.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided is a process including: receiving a request to access a distributed data store, wherein the distributed data store stores a plurality of units of content that are each distributed among multiple computing entities hosting different subsets of data of the distributed data store; and causing, with one or more processors of a computing device configured to participate in combining the information from the plurality of computing entities to access units of content, logging of the request in an entry in a tamper-evident log.

26 Citations

View as Search Results

22 Claims

1. A tangible, non-transitory, machine-readable medium storing instructions that when executed by one or more processors effectuate operations comprising:
- receiving, with one or more processors, a request to access a distributed data store, wherein;
  
  the request is a request to read from or write to a unit of content pertaining to a workload application;
  
  the distributed data store stores a plurality of units of content that are each distributed among multiple computing entities hosting different subsets of data of the distributed data store;
  
  each computing entity among the multiple computing entities corresponds to a different host at a different user-space instance of one or more different computing devices; and
  
  each unit of content requires information from a plurality of computing entities to read the respective unit of content;
  
  when writing each unit of content, different portions of information required to access the respective unit of content are written to different ones of the multiple computing entities such that no single one of the multiple computing entities stores all of the information required to access the respective unit of content;
  
  causing, with one or more processors of a computing device configured to participate in combining the information from the plurality of computing entities to access units of content, logging of the request in an entry in a tamper-evident log, wherein the tamper-evident log defines one or more sequences of cryptographic hash values based on earlier logged entries;
  
  storing, with one or more processors, the tamper-evident log in memory;
  
  determining, with one or more processors, whether the tamper-evident log evinces tampering of log entries based on consistency of at least one of the sequences of cryptographic hash values with at least some entries in the tamper-evident log;
  
  determining, with one or more processors, a risk metric based on other access requests documented in the tamper-evident log and the request;
  
  storing, with one or more processors, the risk metric in memory;
  
  determining, with one or more processors, that the risk metric satisfies a threshold; and
  
  in response to the determination, disabling, with one or more processors, a user account associated with the request, wherein disabling a user account associated with the request comprises disabling the user account during an active session in which the user account is authenticated in real time with the determination, wherein;
  
  the tamper-evident log comprises a blockchain having cryptographic hash pointers between sequential blocks of the blockchain and Merkle trees within blocks of the blockchain, the cryptographic hash pointers being based on a cryptographic hash function that implements a Merkle-Damgå
  
  rd hash function;
  
  determining an authoritative entry among a distributed set of instances of the blockchain does not require a proof-of-work from computing devices implementing each of the set of instances;
  
  a given entry in the tamper-evident log comprises;
  
  an identifier of a user account having credentials by which authorization to perform a corresponding database access operation is requested; and
  
  a timestamp of the corresponding database access operation; and
  
  the given entry further specifies a database application program interface command by which the corresponding access operation is expressed.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The medium of claim 1, the operations comprising:
    - determining that the risk metric satisfies a threshold; and
      
      in response to the determination, delaying subsequent responses to subsequent access requests.
  - 3. The medium of claim 1, the operations comprising:
    - determining that the risk metric satisfies a threshold; and
      
      in response to the determination, blocking subsequent responses to access requests.
  - 4. The medium of claim 1, the operations comprising:
    - receiving another request to access the distributed data store;
      
      selecting computing entities among the plurality of entities that store a given of unit of content to which the another access request pertains;
      
      requesting different portions of information from the given unit of content from the selected computing entities; and
      
      combining the different portions of information to re-form the given unit of content.
  - 5. The medium of claim 4, wherein:
    - the multiple computing entities are different computing devices on a plurality of different subnetworks each separated from the Internet by a different firewall; and
      
      different portions of the information pertain to different segments of a unit of content or to a cyphertext of an encrypted form of the unit of content and an encryption key by which the cyphertext is decryptable.
  - 6. The medium of claim 1, wherein:
    - the tamper-evident log stores both information by which units of content are accessed and logged access requests.
  - 7. The medium of claim 1, wherein:
    - logging the request in the entry comprises logging a cryptographic hash value based on a record describing a time of the accesses request, a user account associated with the access request, and an access request command.
  - 8. The medium of claim 7, wherein the record is stored in the tamper-evident log in association with the cryptographic hash value.
  - 9. The medium of claim 7, wherein the record is not stored in the tamper evident log and is stored in a different data repository from the tamper-evident log in association with a pointer to the cryptographic hash value based on the record.
  - 10. The medium of claim 1, the operations comprising:
    - training a machine learning algorithm on historical entries documented in the tamper-evident log; and
      
      determining that a subsequent access request is anomalous based on the trained machine learning algorithm.
  - 11. The medium of claim 1, the operations comprising:
    - steps for logging access requests in a tamper-evident log;
      
      steps for analyzing a tamper-evident log; and
      
      steps for storing data in a directed acyclic graph having edges specified by cryptographic hash pointers.

12. A method, comprising:
- receiving, with one or more processors, a request to access a distributed data store, wherein;
  
  the request is a request to read from or write to a unit of content pertaining to a workload application;
  
  the distributed data store stores a plurality of units of content that are each distributed among multiple computing entities hosting different subsets of data of the distributed data store;
  
  each computing entity among the multiple computing entities corresponds to a different host at a different user-space instance of one or more different computing devices; and
  
  each unit of content requires information from a plurality of computing entities to read the respective unit of content;
  
  when writing each unit of content, different portions of information required to access the respective unit of content are written to different ones of the multiple computing entities such that no single one of the multiple computing entities stores all of the information required to access the respective unit of content;
  
  causing, with one or more processors of a computing device configured to participate in combining the information from the plurality of computing entities to access units of content, logging of the request in an entry in a tamper-evident log, wherein the tamper-evident log defines one or more sequences of cryptographic hash values based on earlier logged entries;
  
  storing, with one or more processors, the tamper-evident log in memory;
  
  determining, with one or more processors, whether the tamper-evident log evinces tampering of log entries based on consistency of at least one of the sequences of cryptographic hash values with at least some entries in the tamper-evident log;
  
  determining, with one or more processors, a risk metric based on other access requests documented in the tamper-evident log and the request;
  
  storing, with one or more processors, the risk metric in memory;
  
  determining, with one or more processors, that the risk metric satisfies a threshold; and
  
  in response to the determination, disabling, with one or more processors, a user account associated with the request, wherein disabling a user account associated with the request comprises disabling the user account during an active session in which the user account is authenticated in real time with the determination, wherein;
  
  the tamper-evident log comprises a blockchain having cryptographic hash pointers between sequential blocks of the blockchain and Merkle trees within blocks of the blockchain, the cryptographic hash pointers being based on a cryptographic hash function that implements a Merkle-Damgå
  
  rd hash function;
  
  determining an authoritative entry among a distributed set of instances of the blockchain does not require a proof-of-work from computing devices implementing each of the set of instances;
  
  a given entry in the tamper-evident log comprises;
  
  an identifier of a user account having credentials by which authorization to perform a corresponding database access operation is requested; and
  
  a timestamp of the corresponding database access operation; and
  
  the given entry further specifies a database application program interface command by which the corresponding access operation is expressed.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The method of claim 12, comprising:
    - determining that the risk metric satisfies a threshold; and
      
      in response to the determination, delaying subsequent responses to subsequent access requests.
  - 14. The method of claim 12, comprising:
    - determining that the risk metric satisfies a threshold; and
      
      in response to the determination, blocking subsequent responses to access requests.
  - 15. The method of claim 12, comprising:
    - receiving another request to access the distributed data store;
      
      selecting computing entities among the plurality of entities that store a given of unit of content to which the another access request pertains;
      
      requesting different portions of information from the given unit of content from the selected computing entities; and
      
      combining the different portions of information to re-form the given unit of content.
  - 16. The method of claim 15, wherein:
    - the multiple computing entities are different computing devices on a plurality of different subnetworks each separated from the Internet by a different firewall; and
      
      different portions of the information pertain to different segments of a unit of content or to a cyphertext of an encrypted form of the unit of content and an encryption key by which the cyphertext is decryptable.
  - 17. The method of claim 12, wherein:
    - the tamper-evident log stores both information by which units of content are accessed and logged access requests.
  - 18. The method of claim 12, wherein:
    - logging the request in the entry comprises logging a cryptographic hash value based on a record describing a time of the accesses request, a user account associated with the access request, and an access request command.
  - 19. The method of claim 18, wherein the record is stored in the tamper-evident log in association with the cryptographic hash value.
  - 20. The method of claim 18, wherein the record is not stored in the tamper evident log and is stored in a different data repository from the tamper-evident log in association with a pointer to the cryptographic hash value based on the record.
  - 21. The method of claim 12, comprising:
    - training a machine learning algorithm on historical entries documented in the tamper-evident log; and
      
      determining that a subsequent access request is anomalous based on the trained machine learning algorithm.
  - 22. The method of claim 12, comprising:
    - steps for logging access requests in a tamper-evident log;
      
      steps for analyzing a tamper-evident log; and
      
      steps for storing data in a directed acyclic graph having edges specified by cryptographic hash pointers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Altr Solutions, Inc.
Original Assignee
Altr Solutions, Inc.
Inventors
Goldfarb, Scott Nathaniel, Beecham, James Douglas, Struttmann, Christopher Edward
Primary Examiner(s)
Srivastava, Vivek
Assistant Examiner(s)
Raza, Muhammad

Application Number

US15/675,510
Publication Number

US 20170364700A1
Time in Patent Office

445 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 21/64   Protecting data integrity, ...

H04L 9/0637   Modes of operation, e.g. ci...

H04L 9/0643   Hash functions, e.g. MD5, S...

H04L 9/3239   involving non-keyed hash fu...

H04L 9/3247   involving digital signatures

Immutable logging of access requests to distributed file systems

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

26 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Immutable logging of access requests to distributed file systems

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links