Network Intrusion Blocking Security Overlay
Abstract
A database security overlay that identifies each network and local access gateway to a database, and monitors each access path from the identified gateways to analyze each connection to the database and block any connections determined to transport unauthorized or undesirable content. Access gateways that establish connections are identifiable by interprocess communication (IPC) mechanisms employed in accessing the database. An evaluator monitors access attempts, while a tapping mechanism on IPC mechanisms that provide the connections captures access attempts from the access gateways. The tapping mechanism intercepts and forwards access attempts to the evaluator to centralize and focus DB paths amid multiple local and external connections on the DB server. A lightweight check for each local access quickly determines if the access attempt warrants further scrutiny.
24 Claims
1. A method of scrutinizing database connections comprising:
- receiving a transaction requesting to access a database, the transaction received on a connection, the connection being between the database and an access portal;
- identifying, via a lightweight check, a set of connection attributes corresponding to the database connection, the watch status indicative of a level of scrutiny to be applied to the connection;
- selectively transmitting, based on the connection attributes being indicative of a need to analyze the connection, the received transaction to an evaluator, the evaluator operable to apply a set of access rules for determining a verdict specifying whether the transaction is a suspect transaction indicative of undesirable access, selectively transmitting further comprising:
- computing the verdict at the evaluator by applying the set of access rules to the transaction, the remote node distinct from a server operable to access the database and having separate computing resources; and
- receiving the verdict, the verdict indicative of a responsive action based on applying the set of access rules to the transaction;
- computing, from the connection attributes, the responsive action if the connection attributes do not indicate analyzing the transaction at the evaluator; and
- applying the responsive action to the transaction.

Dependent claims: 2 to 19.

20. A data security appliance for monitoring database connections comprising:
- an evaluator having a memory, a processor, a network interface, and a coupling to a database server performing database access requests via the database connections;
- the coupling responsive to an IPC intercept on the database server for receiving a transaction requesting to access a database, the transaction received on a connection, the connection being between the database and an access portal;
- the IPC intercept providing the transaction to a scrutinizer for identifying, via a lightweight check, a set of connection attributes of the database connection, the connection attributes indicative of a level of scrutiny to be applied to the connection, the lightweight check performed by fetching a predetermined label corresponding to the connection;
- the scrutinizer selectively transmitting, based on the connection attributes being indicative of a need to analyze the connection, the received transaction to the coupled evaluator, the evaluator having a set of access rules for determining a verdict specifying whether the transaction is a suspect transaction indicative of undesirable access;
- the evaluator invoking the coupling for sending the verdict to the scrutinizer, the verdict indicative of a responsive action based on applying the set of access rules to the transaction; and
- the scrutinizer responsive to the verdict for applying the responsive action to the transaction, the responsive action indicating at least one of: permitting the transaction the transaction; or modifying the set of access rules to apply to subsequent transactions.

Dependent claims: 21 to 23.

24. A computer program product having a computer readable storage medium operable to store computer program logic embodied in computer program code encoded as a set of processor based instructions thereon, that, when executed by the processor cause the computer to perform steps for scrutinizing database connections comprising:
- computer program code for receiving a transaction requesting to access a database, the transaction received on a connection, the connection being between the database and an access portal;
- computer program code for identifying, via a lightweight check, a set of connection attributes corresponding to the database connection, the watch status indicative of a level of scrutiny to be applied to the connection, the lightweight check performed by fetching a predetermined label corresponding to the connection;
- computer program code for selectively transmitting, based on the connection attributes being indicative of a need to analyze the connection, the received transaction to an evaluator, the evaluator operable to apply a set of access rules for determining a verdict specifying whether the transaction is a suspect transaction indicative of undesirable access;
- computer program code for receiving the verdict, the verdict indicative of a responsive action based on applying the set of access rules to the transaction; and
- computer program code for applying the responsive action to the transaction.
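The split the claims describe, a cheap label lookup at the IPC intercept on the database server and a separate evaluator that applies access rules and can tighten them for later transactions, as an added example that is not code from the patent or its assignee. The connection labels, the two access rules, the table name and the connection identifiers are constructed here, and "block" is assumed as the blocking action the abstract describes.

```python
from dataclasses import dataclass, field

@dataclass
class Transaction:
    conn_id: str   # the connection / IPC path that carried the request
    sql: str

@dataclass
class Verdict:
    action: str    # "permit", "block" or "modify_rules"
    reason: str = ""
    new_rules: list = field(default_factory=list)

# Lightweight check input: a predetermined label per connection (constructed values).
# "watch" forwards the transaction to the evaluator; other labels are decided locally.
CONNECTION_LABELS = {"ipc:unix:/tmp/app.sock": "trusted", "tcp:10.0.0.5:51234": "watch"}

def rule_block_ddl(tx):
    if tx.sql.lstrip().upper().startswith(("DROP ", "ALTER ")):
        return Verdict("block", "DDL not allowed on watched connections")

def rule_fence_sensitive_table(tx):
    # Touching the sensitive table tightens the rules for that connection's later traffic.
    if "card_numbers" in tx.sql.lower():
        fence = lambda t, c=tx.conn_id: Verdict("block", f"{c} fenced") if t.conn_id == c else None
        return Verdict("modify_rules", "sensitive table touched", [fence])

class Evaluator:
    """Applies the access rules; in the claims this runs on a node separate from the DB server."""
    def __init__(self, rules):
        self.rules = list(rules)
    def evaluate(self, tx):
        for rule in self.rules:
            verdict = rule(tx)
            if verdict is not None:
                return verdict
        return Verdict("permit", "no rule matched")

class Scrutinizer:
    """Sits at the IPC intercept on the DB server and performs only the cheap check."""
    def __init__(self, labels, evaluator):
        self.labels, self.evaluator = labels, evaluator
    def handle(self, tx):
        label = self.labels.get(tx.conn_id, "unknown")      # the lightweight check
        if label == "watch":
            verdict = self.evaluator.evaluate(tx)
            if verdict.action == "modify_rules":            # takes effect for later transactions
                self.evaluator.rules = verdict.new_rules + self.evaluator.rules
            return verdict
        if label == "trusted":                              # decided from attributes alone
            return Verdict("permit", "trusted label; evaluator not consulted")
        return Verdict("block", f"no label for {tx.conn_id}")
```

A trusted connection never reaches the evaluator, an unlabelled one is blocked locally, and a watched connection that touches the sensitive table is fenced for every subsequent transaction.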