Delayed replication for protection of replicated databases

US 10,440,039 B1
Filed: 06/26/2018
Issued: 10/08/2019
Est. Priority Date: 11/09/2015
Status: Active Grant

First Claim

Patent Images

1. An apparatus for providing protection for a plurality of data servers configured to provide data replication for a database, the apparatus comprising:

at least one processing circuit, including a programmed computer, configured to;

receive a record that specifies a possibly malicious modification performed on a first version of the database stored on a first data server of the plurality of data servers;

delay replication of the modification indicated by the record in at least a second data server of the plurality of data servers for a length of time specified for the second data server in a security profile, wherein the length of time is set at least in part in response or relative to receipt of the record that specifies a possibly malicious modification;

during the length of time in which replication is delayed, determine a probability that the modification indicated by the record is malicious based on respective quantizations of a first set of factors indicated in a security profile, the respective quantizations collectively exceeding a threshold level which is indicative of anomalous data access activity; and

prevent replication of the modification indicated by the record on a second version of the database stored in the second data server in response to the threshold level being exceeded.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Apparatuses and methods are disclosed for protection of data servers configured for data replication of a database. As an example, one apparatus includes at least one processing circuit configured to receive records indicating respective modifications performed on a first version of the database stored in a first data server of the plurality of data servers. The at least one processing circuit is configured to delay replication of the modification in one or more additional servers in the plurality of data servers for a respective length of time specified for the servers in a security profile. While delaying replication of the modification, the processing circuit determines a probability that the modification is malicious based on a first set of factors indicated in a security profile. If the probability is greater than a threshold specified in the security profile, the processing circuit prevents the modification from being performed.

Citations

20 Claims

1. An apparatus for providing protection for a plurality of data servers configured to provide data replication for a database, the apparatus comprising:
- at least one processing circuit, including a programmed computer, configured to;
  
  receive a record that specifies a possibly malicious modification performed on a first version of the database stored on a first data server of the plurality of data servers;
  
  delay replication of the modification indicated by the record in at least a second data server of the plurality of data servers for a length of time specified for the second data server in a security profile, wherein the length of time is set at least in part in response or relative to receipt of the record that specifies a possibly malicious modification;
  
  during the length of time in which replication is delayed, determine a probability that the modification indicated by the record is malicious based on respective quantizations of a first set of factors indicated in a security profile, the respective quantizations collectively exceeding a threshold level which is indicative of anomalous data access activity; and
  
  prevent replication of the modification indicated by the record on a second version of the database stored in the second data server in response to the threshold level being exceeded.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The apparatus of claim 1, wherein the at least one processing circuit is further configured to delay replication of the modification indicated by the record in a third data server of the plurality of data servers for a length of time specified for the third data server in the security profile, wherein the length of time specified for the third data server is greater than the length of time specified for the second data server.
  - 3. The apparatus of claim 1, wherein the at least one processing circuit is configured to assess whether the respective quantizations collectively exceed the threshold level by summing values corresponding to the quantizations, wherein the first and second data servers are configured to provide data replication that includes data replication for the modification unless prevented by the at least one processing circuit in response to the threshold level being exceeded.
  - 4. The apparatus of claim 1, wherein the at least one processing circuit is further configured to assess whether the respective quantizations collectively exceed the threshold level by comparing a representation of the respective quantizations to the threshold level.
  - 5. The apparatus of claim 1, wherein the at least one processing circuit is configured and arranged tostore records indicating respective modifications performed on the first version of the database;
    - andin response to one of the records being stored for a second length of time specified for a third data server in the security profile, perform one of the modifications on a third version of the database stored in the third data server.
  - 6. The apparatus of claim 1, wherein the at least one processing circuit is further configured and arranged to:
    - determine a risk level of the modification indicated by the record based upon the first set of factors indicated in a security profile, the first set of factors being indicative of anomalous data access activity;
      
      perform the modification indicated by the record on the second version of the database in response to the risk level being less than the threshold level; and
      
      prevent the modification indicated by the record from being performed on the second version of the database in response to the risk level being greater than or equal to the first threshold level.
  - 7. The apparatus of claim 6, wherein:
    - the first set of factors in the security profile includes a historic profile for the modifications; and
      
      the at least one processing circuit is further configured to determine the risk level based on deviations from the historic profile.
  - 8. The apparatus of claim 1, wherein the at least one processing circuit is further configured and arranged to:
    - determine a risk level of the modification indicated by the record based upon a second version of the first set of factors indicated in the security profile;
      
      perform the modification indicated by the record on a third version of the database stored in a third data server of the plurality of data servers in response to the risk level being less than a second threshold level indicated in the security profile; and
      
      prevent the modification indicated by the record from being performed on the third version of the database in response to the risk level being greater than or equal to the second threshold level.
  - 9. The apparatus of claim 1, wherein the at least one processing circuit is further configured to provide, to an authorized user, a notification in response to preventing the modification from being performed.
  - 10. The apparatus of claim 1, wherein the respective quantizations correspond to weighting assigned to the respective ones of the first set of factors.

11. A method for providing protection for a plurality of data servers configured to provide data replication for a database, the method performed by a processing circuit including a CPU and comprising:
- receiving a record that specifies a possibly malicious modification performed on a first version of the database stored on a first data server of the plurality of data servers;
  
  delaying replication of the modification indicated by the record in at least a second data server of the plurality of data servers for a length of time specified for the second data server in a security profile, wherein the length of time is set at least in part in response or relative to receipt of the record that specifies a possibly malicious modification;
  
  during the length of time in which replication is delayed, determining a probability that the modification indicated by the record is malicious based on respective quantizations of a first set of factors indicated in a security profile, the respective quantizations collectively exceeding a threshold level which is indicative of anomalous data access activity; and
  
  preventing replication of the modification indicated by the record on a second version of the database stored in the second data server in response to the probability exceeding a threshold level specified in the security profile.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, wherein the processing circuit operates to delay replication of the modification indicated by the record in one server of the plurality of data servers for a length of time which is specified for the one server in the security profile relative to a length of time specified for another of the plurality of data servers.
  - 13. The method of claim 11, wherein the processing circuit operates to assess whether the respective quantizations collectively exceed the threshold level by summing values corresponding to the quantizations, wherein the first and second data servers are configured to provide data replication that includes data replication for the modification unless prevented by the processing circuit in response to the threshold level being exceeded.
  - 14. The method of claim 11, wherein the processing circuit operates to assess whether the respective quantizations collectively exceed the threshold level by comparing a representation of the respective quantizations to the threshold level.
  - 15. The method of claim 11, wherein the processing circuit operates tostore records indicating respective modifications performed on the first version of the database;
    - andin response to one of the records being stored for a second length of time specified for a third data server in the security profile, perform the modification indicated by the record on a third version of the database stored in the third data server.
  - 16. The method of claim 11, wherein the processing circuit operates to:
    - determine a risk level of the modification indicated by the record based upon the first set of factors indicated in a security profile, the first set of factors being indicative of anomalous data access activity;
      
      perform the modification indicated by the record on the second version of the database in response to the risk level being less than the threshold level as indicated in the security profile; and
      
      prevent the modification indicated by the record from being performed on the second version of the database in response to the risk level being greater than or equal to the threshold level.
  - 17. The method of claim 11, wherein the processing circuit operates to:
    - determine a risk level of the modification indicated by the record based upon a second version of the set of factors indicated in the security profile;
      
      perform the modification indicated by the record on a third version of the database stored in a third data server of the plurality of data servers in response to the risk level being less than another threshold level indicated in the security profile; and
      
      prevent the modification indicated by the record from being performed on the third version of the database in response to the risk level being greater than or equal to the other threshold level.
  - 18. The method of claim 11, wherein the processing circuit operates to provide, to an authorized user, a notification in response to preventing the modification from being performed.
  - 19. The method of claim 11, wherein:
    - the first set of factors in the security profile includes a historic profile associated with the modification; and
      
      the processing circuit further operates to determine the risk level based on deviations from the historic profile.
  - 20. The method of claim 11, wherein the respective quantizations correspond to weighting assigned to the respective ones of the first set of factors.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
8X8, Inc.
Original Assignee
8X8, Inc.
Inventors
Salour, Mehdi, Rengarajan, Raghu
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Chao, Michael W

Application Number

US16/018,971
Time in Patent Office

469 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 11/1461   Backup scheduling policy

G06F 11/2094   Redundant storage or storag...

G06F 11/2097   maintaining the standby con...

G06F 16/27   Replication, distribution o...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/568   eliminating virus, restorin...

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

G06F 2201/80   Database-specific techniques

G06F 2201/84   Using snapshots, i.e. a log...

G06F 3/0646   Horizontal data movement in...

H04L 63/102   Entity profiles

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

H04L 67/1095   Replication or mirroring of...

Delayed replication for protection of replicated databases

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Delayed replication for protection of replicated databases

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links