Evaluating security of data access statements

US 10,693,877 B2
Filed: 07/23/2014
Issued: 06/23/2020
Est. Priority Date: 03/27/2013
Status: Active Grant

First Claim

Patent Images

1. A method for evaluating data access statements with respect to database security, comprising:

evaluating criticality of two or more Structured Query Language (SQL) statements, each statement from a different session of two or more sessions accessing, from a first computing system, a database implemented on a data server;

generating, on the data server, a critical item set from the two or more sessions, each element in the critical item set indicating one or more SQL statements in a session of the two or more sessions;

extracting at least one association rule from the critical item set, each of the at least one association rule indicating a sequence of SQL statements in a session of the two or more sessions;

calculating criticality of each of the at least one association rule;

evaluating a session based upon a criticality of the at least one association rule;

terminating, by the data server, the session based upon a result of the evaluating the session based upon the criticality;

ranking, by the data server, at least two association rules by the criticality of each of the at least two association rules; and

specifying, the data server, a security policy corresponding to each of the at least two association rules according to the ranking.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are provided for evaluating the security of data access statements. Specifically, in one embodiment of the claimed subject matter there is provided a technique for evaluating the security of data access statements, comprising: evaluating the criticality of multiple SQL statements contained in multiple sessions accessing a database; generating a critical item set from the multiple sessions, each element in the critical item set indicating one or more SQL statements contained in a session; extracting at least one association rule from the critical item set, each of the at least association rule indicating a sequence of SQL statements contained in a session; and calculating the criticality of each of the at least one association rule.

Citations

9 Claims

1. A method for evaluating data access statements with respect to database security, comprising:
- evaluating criticality of two or more Structured Query Language (SQL) statements, each statement from a different session of two or more sessions accessing, from a first computing system, a database implemented on a data server;
  
  generating, on the data server, a critical item set from the two or more sessions, each element in the critical item set indicating one or more SQL statements in a session of the two or more sessions;
  
  extracting at least one association rule from the critical item set, each of the at least one association rule indicating a sequence of SQL statements in a session of the two or more sessions;
  
  calculating criticality of each of the at least one association rule;
  
  evaluating a session based upon a criticality of the at least one association rule;
  
  terminating, by the data server, the session based upon a result of the evaluating the session based upon the criticality;
  
  ranking, by the data server, at least two association rules by the criticality of each of the at least two association rules; and
  
  specifying, the data server, a security policy corresponding to each of the at least two association rules according to the ranking.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method according to claim 1, wherein the generating a critical item set from the multiple sessions comprises:
    - filtering at least a portion of sessions out of the multiple sessions based on the criticality of the multiple SQL statements; and
      
      generating a critical item set from the at least a portion of sessions.
  - 3. The method according to claim 2, wherein the filtering at least a portion of sessions out of the multiple sessions based on the criticality of the multiple SQL statements comprises, in response to the criticality, of each SQL statement contained in a session of the multiple sessions, having met a first threshold, deleting the session from the multiple sessions to form the at least a portion of sessions.
  - 4. The method according to claim 1, wherein the generating a critical item set from the multiple sessions comprises:
    - generating a critical 1-item set of the at least a portion of sessions, wherein each element in the critical 1-item set comprises one SQL statement;
      
      in at least one round, in response to a critical (n−
      
      1)-item set of the at least a portion of sessions being non-null, generating a critical n-item set of the at least a portion of sessions, wherein n≥
      
      2 and each element in the critical n-item set comprises n SQL statements that are arranged in order.
  - 5. The method according to claim 4, further comprising in the at least one round, deleting an element from the critical n-item set in response to any of:
    - the support of the element being zero, and the criticality of the element being zero.
  - 6. The method according to claim 4, wherein the extracting at least one association rule from the critical item set comprises:
    - with respect to each element in the critical item set, taking the last SQL statement contained in the element as a consequent;
      
      taking other SQL statements in the element as antecedents; and
      
      using a formula (antecedent->
      
      consequent) to represent one of the multiple association rules.
  - 7. The method according to claim 1, wherein the calculating the criticality of each of the at least one association rule comprises, with respect to each association rule, calculating the criticality of the association rule based on criticality of an antecedent and criticality of a consequent in the association rule, and on a relationship between the antecedent and the consequent.
  - 8. The method according to claim 1, wherein the ranking the at least one association rule by the criticality of each of the at least one association rule comprises:
    - in response to the criticality of two of the at least one association rule being equal, with respect to each of the two association rules, calculating the confidence of the association rule based on the support of the association rule and the support of an antecedent in the association rule; and
      
      ranking the two association rules by the confidence of the two association rules.
  - 9. The method according to claim 1, further comprising:
    - in response to receipt of a current session accessing the database system, searching in the at least one association rule for an association rule matching the current session; and
      
      processing the current session based on a security policy corresponding to the matching association rule.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Feng, Hao, Sun, Sheng Yan
Primary Examiner(s)
Sholeman, Abu S

Application Number

US14/338,359
Publication Number

US 20140337916A1
Time in Patent Office

2,162 Days
Field of Search

726 1, 726 20, 726 22, 726 24
US Class Current
CPC Class Codes

G06F 16/24   Querying

G06F 21/577   Assessing vulnerabilities a...

H04L 63/10   for controlling access to d...

H04L 63/14   for detecting or protecting...

Evaluating security of data access statements

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

Evaluating security of data access statements

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links