Database user behavior monitor system and method
First Claim

1. A method for monitoring a database, comprising:
- collecting user behavior data that indicates how one or more users use the database;
- processing and storing the data as historical data;
- analyzing the historical data to determine behavior patterns;
- receiving a new set of data that indicates how one or more users have used the database;
- performing a comparison between the new set of data and the behavior pattern;
- determining, based on the comparison, whether the new set of data satisfies a set of criteria;
- if the new set of data satisfies the set of criteria, then determining that the new set of data represents anomalous activity; and
- responding to the determination by performing a targeted operation.
Abstract
Embodiments of the present invention provide techniques for monitoring a database system for anomalous activity. User behavior information relative to a subject database being monitored may be automatically collected, analyzed and compared with one or more policies to detect anomalous activity. Embodiments collect user behavior data regarding the subject database from a variety of sources, including an audit trail and dynamic views, in cooperation with the database management system of the database. Embodiments employ one or more of statistics-based intrusion detection (SBID) and rule-based intrusion detection (RBID) to detect anomalous database activity. If suspicious database accesses that deviate from the normal usage pattern are detected, a targeted operation, such as alerting the responsible security officers, generating reports, sending email alerts or the like, is performed.
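The following is an added illustration, not code from the patent or its assignee, of the pipeline the abstract and claim 1 describe: historical audit records are analyzed into per-user behavior patterns, each new record is compared against its user's pattern under statistics-based criteria (SBID: a z-score on rows touched, plus first-seen tables, statement types and hours) and rule-based criteria (RBID: destructive statements on tables designated sensitive), and a record that satisfies any criterion is reported as anomalous by a targeted operation (here, building an alert). The audit records, the `AuditRecord` field layout, the `SENSITIVE_TABLES` list and the z-score threshold of 3 are all constructed assumptions for the example; a real collector would read them from the DBMS audit trail or dynamic views.

```python
"""Added example: statistics-based (SBID) and rule-based (RBID) anomaly checks
over constructed database audit records. Not part of the patent text."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class AuditRecord:
    user: str
    hour: int        # hour of day the statement ran (0-23)
    action: str      # SELECT, UPDATE, DELETE, ...
    table: str
    rows: int        # rows touched by the statement


# Constructed historical audit trail (assumption: the collector already
# normalized audit-trail rows into this shape).
HISTORICAL = [
    AuditRecord("alice", 9, "SELECT", "orders", 120),
    AuditRecord("alice", 10, "SELECT", "orders", 95),
    AuditRecord("alice", 11, "SELECT", "customers", 40),
    AuditRecord("alice", 14, "SELECT", "orders", 110),
    AuditRecord("alice", 15, "UPDATE", "orders", 3),
    AuditRecord("bob", 8, "SELECT", "inventory", 500),
    AuditRecord("bob", 12, "SELECT", "inventory", 480),
    AuditRecord("bob", 16, "SELECT", "inventory", 520),
]

# Rule-based criteria (RBID): fire regardless of the user's history.
SENSITIVE_TABLES = {"customers"}          # assumption: designated by policy
DESTRUCTIVE = {"DELETE", "DROP", "TRUNCATE"}


def build_profiles(records):
    """Analyze historical data into a behavior pattern per user."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r.user].append(r)
    profiles = {}
    for user, recs in by_user.items():
        rows = [r.rows for r in recs]
        profiles[user] = {
            "tables": {r.table for r in recs},
            "actions": {r.action for r in recs},
            "hours": {r.hour for r in recs},
            "rows_mean": mean(rows),
            "rows_std": pstdev(rows),   # population std dev of rows touched
        }
    return profiles


def evaluate(record, profiles, z_threshold=3.0):
    """Compare one new record with its user's pattern; return the criteria it satisfies."""
    reasons = []
    p = profiles.get(record.user)
    if p is None:
        # No baseline at all is itself worth surfacing rather than silently passing.
        reasons.append("no historical profile for user")
        return reasons
    if record.table not in p["tables"]:
        reasons.append(f"first access to table {record.table}")
    if record.action not in p["actions"]:
        reasons.append(f"first use of {record.action}")
    if record.hour not in p["hours"]:
        reasons.append(f"unusual hour {record.hour:02d}:00")
    if p["rows_std"] > 0:
        z = (record.rows - p["rows_mean"]) / p["rows_std"]
        if z > z_threshold:
            reasons.append(f"row count z-score {z:.1f} exceeds {z_threshold}")
    elif record.rows > p["rows_mean"]:
        # Zero historical spread: any increase is a deviation from the pattern.
        reasons.append("row count above constant historical level")
    if record.action in DESTRUCTIVE and record.table in SENSITIVE_TABLES:
        reasons.append(f"rule: {record.action} on sensitive table {record.table}")
    return reasons


def monitor(new_records, profiles):
    """Determine which new records are anomalous and perform the targeted
    operation, here: build an alert per anomalous record."""
    alerts = []
    for r in new_records:
        reasons = evaluate(r, profiles)
        if reasons:
            alerts.append({"user": r.user, "action": r.action,
                           "table": r.table, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    profiles = build_profiles(HISTORICAL)
    new_set = [
        AuditRecord("bob", 12, "SELECT", "inventory", 510),   # routine
        AuditRecord("alice", 3, "SELECT", "orders", 5000),    # off-hours bulk read
        AuditRecord("bob", 12, "DELETE", "customers", 1),     # rule violation
    ]
    for alert in monitor(new_set, profiles):
        print(alert)
```

The per-user profile deliberately mixes all statement types into one row-count distribution; in practice a baseline keyed by (user, action, table) gives a tighter pattern and fewer false positives, at the cost of needing more history before each key has a usable spread.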
Citations
30 Claims
1. A method for monitoring a database, comprising:
- collecting user behavior data that indicates how one or more users use the database;
- processing and storing the data as historical data;
- analyzing the historical data to determine behavior patterns;
- receiving a new set of data that indicates how one or more users have used the database;
- performing a comparison between the new set of data and the behavior pattern;
- determining, based on the comparison, whether the new set of data satisfies a set of criteria;
- if the new set of data satisfies the set of criteria, then determining that the new set of data represents anomalous activity; and
- responding to the determination by performing a targeted operation.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
15. A computer-readable medium carrying one or more sequences of instructions for reverting to a recovery configuration in response to device faults, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- collecting user behavior data that indicates how one or more users use the database;
- processing and storing the data as historical data;
- analyzing the historical data to determine behavior patterns;
- receiving a new set of data that indicates how one or more users have used the database;
- performing a comparison between the new set of data and the behavior pattern;
- determining, based on the comparison, whether the new set of data satisfies a set of criteria;
- if the new set of data satisfies the set of criteria, then determining that the new set of data represents anomalous activity; and
- responding to the determination by performing a targeted operation.

Dependent claims: 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28
29. An apparatus, comprising:
- means for collecting user behavior data that indicates how one or more users use the database;
- means for processing and storing the data as historical data;
- means for analyzing the historical data to determine behavior patterns;
- means for receiving a new set of data that indicates how one or more users have used the database;
- means for performing a comparison between the new set of data and the behavior pattern;
- means for determining, based on the comparison, whether the new set of data satisfies a set of criteria;
- means for determining that the new set of data represents anomalous activity, if the new set of data satisfies the set of criteria; and
- means for responding to the determination by performing a targeted operation.
30. An apparatus, comprising:
- a data collector for collecting user behavior data that indicates how one or more users use the database and processing and storing the data as historical data; and receiving a new set of data that indicates how one or more users have used the database;
- a data analyzer for analyzing the historical data to determine behavior patterns; and
- an anomaly detector for performing a comparison between the new set of data and the behavior pattern; determining, based on the comparison, whether the new set of data satisfies a set of criteria; determining that the new set of data represents anomalous activity if the new set of data satisfies the set of criteria; and responding to the determination by performing a targeted operation.