Resource-free prioritizing in high availability external security systems

US 10,614,237 B2
Filed: 11/10/2017
Issued: 04/07/2020
Est. Priority Date: 11/10/2017
Status: Active Grant

First Claim

Patent Images

1. A method operative in a database access control system wherein database requests directed from a client to a database server are intercepted by an agent and directed to an external security device for validation against a security policy, comprising:

configuring first and second channels between the agent and the external security device;

providing, via the first channel, session user information received from the client;

providing, via the second channel, session requests received from the client after establishment of a session associated with the session user information; and

prioritizing processing of packets received over the first channel in lieu of packets received over the second channel when the external security device is operating in an overloaded state.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A database access control system is augmented to provide additional functionality to enable an external security device (e.g., an EDSM) to fully and accurately assess a database query against one or more security policies even when the EDSM is overloaded. To this end, a pair of channels is established between the ISA and the ESM, wherein the channel pair includes a first channel that is expected to have relatively low packet rate, and a second channel that is expected to have a relatively high packet rate. Packets representing initial session information (i.e., user information sent at the beginning of a user session) are directed to the first channel, whereas packets received following session establishment are directed to the second channel, because the latter are likely to be present during a potential overload scenario.

14 Citations

19 Claims

1. A method operative in a database access control system wherein database requests directed from a client to a database server are intercepted by an agent and directed to an external security device for validation against a security policy, comprising:
- configuring first and second channels between the agent and the external security device;
  
  providing, via the first channel, session user information received from the client;
  
  providing, via the second channel, session requests received from the client after establishment of a session associated with the session user information; and
  
  prioritizing processing of packets received over the first channel in lieu of packets received over the second channel when the external security device is operating in an overloaded state.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method as described in claim 1 wherein the first and second channels are logical channels.
  - 3. The method as described in claim 2 wherein the first channel is a high priority, low rate logical channel, and the second channel is a relatively lower priority, high rate logical channel.
  - 4. The method as described in claim 1 wherein a data packet comprising the session user information or a session request is provided over the respective first and second channels by marking the data packet.
  - 5. The method as described in claim 1 wherein a configurable number of data packets comprising the session user information are prioritized for transmission over the first channel to the external security device.
  - 6. The method as described in claim 1 further including establishing a first queue in the external security device that receives and stores the session user information, and establishing a second queue in the external security device that receives and stores the session requests.

7. Apparatus for use in a database access control system wherein database requests directed from a client to a database server are intercepted by an agent and directed to an external security device for validation against a security policy, comprising:
- a processor;
  
  computer memory holding computer program instructions executed by the processor, the computer program instructions comprising program code configured to;
  
  establish first and second channels between the agent and the external security device;
  
  provide, via the first channel, session user information received from the client;
  
  provide, via the second channel, session requests received from the client after establishment of a session associated with the session user information; and
  
  prioritize processing of packets received over the first channel in lieu of packets received over the second channel when the external security device is operating in an overloaded state.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The apparatus as described in claim 7 wherein the first and second channels are logical channels.
  - 9. The apparatus as described in claim 8 wherein the first channel is a high priority, low rate logical channel, and the second channel is a relatively lower priority, high rate logical channel.
  - 10. The apparatus as described in claim 7 wherein a data packet comprising the session user information or a session request is provided over the respective first and second channels by marking the data packet.
  - 11. The apparatus as described in claim 7 wherein a configurable number of data packets comprising the session user information are prioritized for transmission over the first channel to the external security device.
  - 12. The apparatus as described in claim 7 wherein the computer program instructions are further configured to establish and maintain in the external security device a first queue that receives and stores the session user information, and a second queue that receives and stores the session requests.

13. A computer program product, comprising:
- a non-transitory computer readable medium; and
  
  computer program instructions held in the non-transitory computer readable medium in association with a database access control system wherein database requests directed by a client to a database server are intercepted by an agent and directed to an external security device for validation against a security policy, the computer program instructions executable by a processor and comprising program code configured to;
  
  establish first and second channels between the agent and the external security device;
  
  provide, via the first channel, session user information received from the client;
  
  provide, via the second channel, session requests received from the client after establishment of a session associated with the session user information; and
  
  prioritize processing of packets received over the first channel in lieu of packets received over the second channel when the external security device is operating in an overloaded state.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computer program product as described in claim 13 wherein the first and second channels are logical channels.
  - 15. The computer program product as described in claim 14 wherein the first channel is a high priority, low rate logical channel, and the second channel is a relatively lower priority, high rate logical channel.
  - 16. The computer program product as described in claim 13 wherein a data packet comprising the session user information or a session request is provided over the respective first and second channels by marking the data packet.
  - 17. The computer program product as described in claim 13 wherein a configurable number of data packets comprising the session user information are prioritized for transmission over the first channel to the external security device.
  - 18. The computer program product as described in claim 13 wherein the computer program instructions are further configured to establish and maintain in the external security device a first queue that receives and stores the session user information, and a second queue that receives and stores the session requests.

19. A database access control system operated in association with a database client application, and a database server, comprising:
- an agent executed in hardware and configured to intercept a database protocol packet stream as the database client application directs requests to the database server; and
  
  a security mechanism executed in hardware and configured to receive a database protocol packet that has been forwarded by the agent for validation;
  
  wherein for a configurable number of packets in the intercepted database protocol packet stream that include session user information associated with initiation of a new session, the agent marks each such database protocol packet and outputs the database protocol packet as marked;
  
  wherein following processing of the configurable number of packets in the database protocol stream, outputting from the agent one or more follow-on data packets in the database protocol stream;
  
  wherein the security mechanism prioritizes processing of any marked database protocol packet over a database protocol packet that is not so marked.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Rodniansky, Leonid, Langman, Vladislav, Butovsky, Tania
Primary Examiner(s)
Do, Khang

Application Number

US15/808,963
Publication Number

US 20190147180A1
Time in Patent Office

879 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/90335   Query processing

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/105   Multiple levels of security

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

Resource-free prioritizing in high availability external security systems

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

14 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Resource-free prioritizing in high availability external security systems

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others