Multi-layer system for privacy enforcement and monitoring of suspicious data access behavior

US 10,552,622 B2
Filed: 12/09/2014
Issued: 02/04/2020
Est. Priority Date: 02/18/2005
Status: Active Grant

First Claim

Patent Images

1. A method for controlling access to data in a database, the method comprising:

receiving a request for data residing in one or more data files within a file layer stored in a memory of a hardware database processing system;

determining, by an application layer stored in the memory of the hardware database processing system, whether the received request comprises an unauthorized application layer access attempt using a policy enforcement server communicatively coupled to the application layer, the policy enforcement server configured to determine that the received request is unauthorized by querying an intrusion detection point to determine whether a threshold number of violation attempts has been reached, wherein the threshold number of violation attempts is based on a sensitivity of the requested one or more data files, and wherein the intrusion detection point tracks violation attempts by incrementing a value representative of the tracked violation attempts by a first amount in response to a successful attempt to access the requested data, and by incrementing the value representative of the tracked violation attempts by a second amount greater than the first amount in response to a failed attempt to access the requested data;

in response to determining that the received request is not an unauthorized application layer access attempt, forwarding the received request from the application layer stored in the memory of the hardware database processing system to a table layer stored in the memory of the hardware database processing system;

determining, by the table layer stored in the memory of the hardware database processing system, whether the received request comprises an unauthorized table layer access attempt using the policy enforcement server, the policy enforcement server communicatively coupled to the table layer; and

in response to determining that the received request is not an unauthorized table layer access attempt, granting access to the requested data.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for controlling data access in a data-at-rest system includes executing a link intrusion prevention analysis between multiple layers of the data-at-rest system, introducing a privacy policy at enforcement points that span multiple system layers, and dynamically altering the privacy policy.

Citations

15 Claims

1. A method for controlling access to data in a database, the method comprising:
- receiving a request for data residing in one or more data files within a file layer stored in a memory of a hardware database processing system;
  
  determining, by an application layer stored in the memory of the hardware database processing system, whether the received request comprises an unauthorized application layer access attempt using a policy enforcement server communicatively coupled to the application layer, the policy enforcement server configured to determine that the received request is unauthorized by querying an intrusion detection point to determine whether a threshold number of violation attempts has been reached, wherein the threshold number of violation attempts is based on a sensitivity of the requested one or more data files, and wherein the intrusion detection point tracks violation attempts by incrementing a value representative of the tracked violation attempts by a first amount in response to a successful attempt to access the requested data, and by incrementing the value representative of the tracked violation attempts by a second amount greater than the first amount in response to a failed attempt to access the requested data;
  
  in response to determining that the received request is not an unauthorized application layer access attempt, forwarding the received request from the application layer stored in the memory of the hardware database processing system to a table layer stored in the memory of the hardware database processing system;
  
  determining, by the table layer stored in the memory of the hardware database processing system, whether the received request comprises an unauthorized table layer access attempt using the policy enforcement server, the policy enforcement server communicatively coupled to the table layer; and
  
  in response to determining that the received request is not an unauthorized table layer access attempt, granting access to the requested data.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the request for data is received from a user associated with an access history, and wherein determining whether the received request comprises an unauthorized application layer access attempt comprises:
    - determining a user role associated with the user, the user role corresponding to a first access criterion associated with the application layer; and
      
      comparing the user'"'"'s access history to the first access criterion to determine whether the received request comprises an unauthorized application layer access attempt.
  - 3. The method of claim 2, wherein the user role further corresponds to a second access criterion associated with the table layer, and wherein determining whether the received request comprises an unauthorized table layer access attempt comprises:
    - comparing the user'"'"'s access history to the second access criterion to determine whether the received request comprises an unauthorized table layer access attempt.
  - 4. The method of claim 3, wherein the first and second access criteria each comprise at least one of:
    - session authorization information, session authentication information, session encryption information, password integrity information, software integrity information, application data integrity information, database metadata integrity information, security software integrity information, time of day information, and signature rules information.
  - 5. The method of claim 1, further comprising modifying a protection of data at one or more of the application layer or the table layer based on determining that the received request comprises an unauthorized application layer access attempt or an unauthorized table layer access attempt.

6. A non-transitory computer-readable storage medium containing computer-executable instructions for controlling access to data in a database, the instructions configured to, when executed, cause a hardware database processing system to perform steps comprising:
- receiving a request for data residing in one or more data files within a file layer stored in a memory of the hardware database processing system;
  
  determining, by an application layer stored in the memory of a hardware database processing system, whether the received request comprises an unauthorized application layer access attempt using a policy enforcement server communicatively coupled to the application layer, the policy enforcement server configured to determine that the received request is unauthorized by querying an intrusion detection point to determine whether a threshold number of violation attempts has been reached, wherein the threshold number of violation attempts is based on a sensitivity of the requested one or more data files, and wherein the intrusion detection point tracks violation attempts by incrementing a value representative of the tracked violation attempts by a first amount in response to a successful attempt to access the requested data, and by incrementing the value representative of the tracked violation attempts by a second amount greater than the first amount in response to a failed attempt to access the requested data;
  
  in response to determining that the received request is not an unauthorized application layer access attempt, forwarding the received request from the application layer stored in the memory of the hardware database processing system to a table layer stored in the memory of the hardware database processing system;
  
  determining, by the table layer stored in the memory of the hardware database processing system, whether the received request comprises an unauthorized table layer access attempt using the policy enforcement server, the policy enforcement server communicatively coupled to the table layer; and
  
  in response to determining that the received request is not an unauthorized table layer access attempt, granting access to the requested data.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The computer-readable storage medium of claim 6, wherein the request for data is received from a user associated with an access history, and wherein determining whether the received request comprises an unauthorized application layer access attempt comprises:
    - determining a user role associated with the user, the user role corresponding to a first access criterion associated with the application layer; and
      
      comparing the user'"'"'s access history to the first access criterion to determine whether the received request comprises an unauthorized application layer access attempt.
  - 8. The computer-readable storage medium of claim 7, wherein the user role further corresponds to a second access criterion associated with the table layer, and wherein determining whether the received request comprises an unauthorized table layer access attempt comprises:
    - comparing the user'"'"'s access history to the second access criterion to determine whether the received request comprises an unauthorized table layer access attempt.
  - 9. The computer-readable storage medium of claim 8, wherein the first and second access criteria each comprise at least one of:
    - session authorization information, session authentication information, session encryption information, password integrity information, software integrity information, application data integrity information, database metadata integrity information, security software integrity information, time of day information, and signature rules information.
  - 10. The computer-readable storage medium of claim 6, further comprising modifying a protection of data at one or more of the application layer or the table layer based on determining that the received request comprises an unauthorized application layer access attempt or an unauthorized table layer access attempt.

11. A hardware database processing system for controlling access to data in a database, the system comprising:
- a non-transitory computer-readable storage medium containing executable instructions configured to, when executed, perform steps comprising;
  
  receiving a request for data residing in one or more data files within a file layer stored in a memory of the hardware database processing system;
  
  determining, by an application layer stored in the memory of the hardware database processing system, whether the received request comprises an unauthorized application layer access attempt using a policy enforcement server communicatively coupled to the application layer, the policy enforcement server configured to determine that the received request is unauthorized by querying an intrusion detection point to determine whether a threshold number of violation attempts has been reached, wherein the threshold number of violation attempts is based on a sensitivity of the requested one or more data files, and wherein the intrusion detection point tracks violation attempts by incrementing a value representative of the tracked violation attempts by a first amount in response to a successful attempt to access the requested data, and by incrementing the value representative of the tracked violation attempts by a second amount greater than the first amount in response to a failed attempt to access the requested data;
  
  in response to determining that the received request is not an unauthorized application layer access attempt, forwarding the received request from the application layer stored in the memory of the hardware database processing system to a table layer stored in the memory of the hardware database processing system;
  
  determining, by the table layer stored in the memory of the hardware database processing system, whether the received request comprises an unauthorized table layer access attempt using the policy enforcement server, the policy enforcement server communicatively coupled to the table layer; and
  
  in response to determining that the received request is not an unauthorized table layer access attempt, granting access to the requested data; and
  
  a hardware processor configured to execute the instructions.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The system of claim 11, wherein the request for data is received from a user associated with an access history, and wherein determining whether the received request comprises an unauthorized application layer access attempt comprises:
    - determining a user role associated with the user, the user role corresponding to a first access criterion associated with the application layer; and
      
      comparing the user'"'"'s access history to the first access criterion to determine whether the received request comprises an unauthorized application layer access attempt.
  - 13. The system of claim 12, wherein the user role further corresponds to a second access criterion associated with the table layer, and wherein determining whether the received request comprises an unauthorized table layer access attempt comprises:
    - comparing the user'"'"'s access history to the second access criterion to determine whether the received request comprises an unauthorized table layer access attempt.
  - 14. The system of claim 13, wherein the first and second access criteria each comprise at least one of:
    - session authorization information, session authentication information, session encryption information, password integrity information, software integrity information, application data integrity information, database metadata integrity information, security software integrity information, time of day information, and signature rules information.
  - 15. The system of claim 11, further comprising modifying a protection of data at one or more of the application layer or the table layer based on determining that the received request comprises an unauthorized application layer access attempt or an unauthorized table layer access attempt.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Protegrity US Holding LLC
Original Assignee
Protegrity Corporation
Inventors
Mattsson, Ulf
Primary Examiner(s)
Naghdali, Khalil

Application Number

US14/564,103
Publication Number

US 20150096049A1
Time in Patent Office

1,883 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/60   Protecting data

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

G06F 21/6245   Protecting personal data, e...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/1433   Vulnerability analysis

Multi-layer system for privacy enforcement and monitoring of suspicious data access behavior

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-layer system for privacy enforcement and monitoring of suspicious data access behavior

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links