Multi-layer system for privacy enforcement and monitoring of suspicious data access behavior
Abstract
A method for controlling data access in a data-at-rest system includes executing a link intrusion prevention analysis between multiple layers of the data-at-rest system, introducing a privacy policy at enforcement points that span multiple system layers, and dynamically altering the privacy policy.
15 Claims
1. A method for controlling access to data in a database, the method comprising:
receiving a request for data residing in one or more data files within a file layer stored in a memory of a hardware database processing system;
determining, by an application layer stored in the memory of the hardware database processing system, whether the received request comprises an unauthorized application layer access attempt using a policy enforcement server communicatively coupled to the application layer, the policy enforcement server configured to determine that the received request is unauthorized by querying an intrusion detection point to determine whether a threshold number of violation attempts has been reached, wherein the threshold number of violation attempts is based on a sensitivity of the requested one or more data files, and wherein the intrusion detection point tracks violation attempts by incrementing a value representative of the tracked violation attempts by a first amount in response to a successful attempt to access the requested data, and by incrementing the value representative of the tracked violation attempts by a second amount greater than the first amount in response to a failed attempt to access the requested data;
in response to determining that the received request is not an unauthorized application layer access attempt, forwarding the received request from the application layer stored in the memory of the hardware database processing system to a table layer stored in the memory of the hardware database processing system;
determining, by the table layer stored in the memory of the hardware database processing system, whether the received request comprises an unauthorized table layer access attempt using the policy enforcement server, the policy enforcement server communicatively coupled to the table layer; and
in response to determining that the received request is not an unauthorized table layer access attempt, granting access to the requested data.
Dependent claims: 2, 3, 4, 5
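A minimal model of the control flow recited in claim 1, added here as an illustration and not taken from the patent: a weighted violation score per user, a sensitivity-dependent threshold, and an application-layer check followed by a table-layer check. The weights, thresholds, per-layer allow-lists, the choice to consult the intrusion detection point at both layers, and all names are assumptions.

```python
from dataclasses import dataclass, field

# Assumed numbers: the claim only requires FAILED_WEIGHT > SUCCESS_WEIGHT and
# a threshold that depends on the sensitivity of the requested data.
SUCCESS_WEIGHT, FAILED_WEIGHT = 1, 5
THRESHOLDS = {"low": 50, "high": 10}


@dataclass
class IntrusionDetectionPoint:
    """Tracks one weighted violation score per user."""
    scores: dict = field(default_factory=dict)

    def record(self, user, succeeded):
        weight = SUCCESS_WEIGHT if succeeded else FAILED_WEIGHT
        self.scores[user] = self.scores.get(user, 0) + weight

    def threshold_reached(self, user, sensitivity):
        return self.scores.get(user, 0) >= THRESHOLDS[sensitivity]


@dataclass
class PolicyEnforcementServer:
    """Shared by both layers; the per-layer allow-lists are an assumption."""
    idp: IntrusionDetectionPoint
    allowed: dict  # layer name -> set of (user, table) pairs

    def authorized(self, layer, user, table, sensitivity):
        if self.idp.threshold_reached(user, sensitivity):
            return False
        return (user, table) in self.allowed[layer]


def handle_request(pes, user, table, sensitivity):
    """Application layer first, then table layer; grant only if both pass."""
    for layer in ("application", "table"):
        if not pes.authorized(layer, user, table, sensitivity):
            pes.idp.record(user, succeeded=False)
            return f"denied at {layer} layer"
    pes.idp.record(user, succeeded=True)
    return "granted"


def demo():
    # Constructed policy: bob may reach "patients" through the application
    # layer but holds no table-layer grant for it.
    pes = PolicyEnforcementServer(IntrusionDetectionPoint(), {
        "application": {("bob", "orders"), ("bob", "patients")},
        "table": {("bob", "orders")},
    })
    results = [handle_request(pes, "bob", "patients", "high") for _ in range(3)]
    results.append(handle_request(pes, "bob", "orders", "low"))
    return results, pes.idp.scores["bob"]
```

Two table-layer failures push the score to the high-sensitivity threshold, so the third request is stopped at the application layer, while the same user can still read low-sensitivity data because its threshold is higher.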
6. A non-transitory computer-readable storage medium containing computer-executable instructions for controlling access to data in a database, the instructions configured to, when executed, cause a hardware database processing system to perform steps comprising:
receiving a request for data residing in one or more data files within a file layer stored in a memory of the hardware database processing system;
determining, by an application layer stored in the memory of a hardware database processing system, whether the received request comprises an unauthorized application layer access attempt using a policy enforcement server communicatively coupled to the application layer, the policy enforcement server configured to determine that the received request is unauthorized by querying an intrusion detection point to determine whether a threshold number of violation attempts has been reached, wherein the threshold number of violation attempts is based on a sensitivity of the requested one or more data files, and wherein the intrusion detection point tracks violation attempts by incrementing a value representative of the tracked violation attempts by a first amount in response to a successful attempt to access the requested data, and by incrementing the value representative of the tracked violation attempts by a second amount greater than the first amount in response to a failed attempt to access the requested data;
in response to determining that the received request is not an unauthorized application layer access attempt, forwarding the received request from the application layer stored in the memory of the hardware database processing system to a table layer stored in the memory of the hardware database processing system;
determining, by the table layer stored in the memory of the hardware database processing system, whether the received request comprises an unauthorized table layer access attempt using the policy enforcement server, the policy enforcement server communicatively coupled to the table layer; and
in response to determining that the received request is not an unauthorized table layer access attempt, granting access to the requested data.
Dependent claims: 7, 8, 9, 10
11. A hardware database processing system for controlling access to data in a database, the system comprising:
a non-transitory computer-readable storage medium containing executable instructions configured to, when executed, perform steps comprising;
receiving a request for data residing in one or more data files within a file layer stored in a memory of the hardware database processing system;
determining, by an application layer stored in the memory of the hardware database processing system, whether the received request comprises an unauthorized application layer access attempt using a policy enforcement server communicatively coupled to the application layer, the policy enforcement server configured to determine that the received request is unauthorized by querying an intrusion detection point to determine whether a threshold number of violation attempts has been reached, wherein the threshold number of violation attempts is based on a sensitivity of the requested one or more data files, and wherein the intrusion detection point tracks violation attempts by incrementing a value representative of the tracked violation attempts by a first amount in response to a successful attempt to access the requested data, and by incrementing the value representative of the tracked violation attempts by a second amount greater than the first amount in response to a failed attempt to access the requested data;
in response to determining that the received request is not an unauthorized application layer access attempt, forwarding the received request from the application layer stored in the memory of the hardware database processing system to a table layer stored in the memory of the hardware database processing system;
determining, by the table layer stored in the memory of the hardware database processing system, whether the received request comprises an unauthorized table layer access attempt using the policy enforcement server, the policy enforcement server communicatively coupled to the table layer; and
in response to determining that the received request is not an unauthorized table layer access attempt, granting access to the requested data; and
a hardware processor configured to execute the instructions.
Dependent claims: 12, 13, 14, 15
Specification