Network Intrusion Blocking Security Overlay

US 20090271453A1
Filed: 04/25/2008
Published: 10/29/2009
Est. Priority Date: 04/25/2008
Status: Active Grant

First Claim

Patent Images

1. A method of scrutinizing database connections comprising:

receiving a transaction requesting to access a database, the transaction received on a connection, the connection being between the database and an access portal;

identifying, via a lightweight check, a set of connection attributes corresponding to the database connection, the watch status indicative of a level of scrutiny to be applied to the connection;

selectively transmitting, based on the connection attributes being indicative of a need to analyze the connection, the received transaction to an evaluator, the evaluator operable to apply a set of access rules for determining a verdict specifying whether the transaction is a suspect transaction indicative of undesirable access selectively transmitting further comprising;

computing the verdict at the evaluator by applying the set of access rules to the transaction, the remote node distinct from a server operable to access the database and having separate computing resources; and

receiving the verdict, the verdict indicative of a responsive action based on applying the set of access rules to the transaction;

computing, from the connection attributes, the responsive action if the connection attributes do not indicate analyzing the transaction at the evaluator; and

applying the responsive action to the transaction.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A database security overlay that identifies each network and local access gateway to a database, and monitors each access path from the identified gateways to analyze each connection to the database and block any connections determined to transport unauthorized or undesirable content. Access gateways that establish connections are identifiable by interprocess communication (IPC) mechanisms employed in accessing the database. An evaluator monitors access attempts, while a tapping mechanism on IPC mechanisms that provide the connections captures access attempts from the access gateways. The tapping mechanism intercepts and forwards access attempts to the evaluator to centralize and focus DB paths amid multiple local and external connections on the DB server. A lightweight check for each local access quickly determines if the access attempt warrants further scrutiny.

28 Citations

View as Search Results

24 Claims

1. A method of scrutinizing database connections comprising:
- receiving a transaction requesting to access a database, the transaction received on a connection, the connection being between the database and an access portal;
  
  identifying, via a lightweight check, a set of connection attributes corresponding to the database connection, the watch status indicative of a level of scrutiny to be applied to the connection;
  
  selectively transmitting, based on the connection attributes being indicative of a need to analyze the connection, the received transaction to an evaluator, the evaluator operable to apply a set of access rules for determining a verdict specifying whether the transaction is a suspect transaction indicative of undesirable access selectively transmitting further comprising;
  
  computing the verdict at the evaluator by applying the set of access rules to the transaction, the remote node distinct from a server operable to access the database and having separate computing resources; and
  
  receiving the verdict, the verdict indicative of a responsive action based on applying the set of access rules to the transaction;
  
  computing, from the connection attributes, the responsive action if the connection attributes do not indicate analyzing the transaction at the evaluator; and
  
  applying the responsive action to the transaction.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1 wherein the connection attributes are indicative of the responsive action, further comprising:
    - computing, from the connection attributes for the connection, the responsive action;
      
      applying the computed responsive action to the transaction; and
      
      selectively allowing the transaction to proceed, based on the computed responsive action, independently of an exchange with the evaluator.
  - 3. The method of claim 1 wherein the lightweight check further comprises a first stage screening of a set connection attributes of the transaction, and determining a verdict comprises a second stage, the first stage occurring via a common access point on the server.
  - 4. The method of claim 1 further comprising:
    - generating a lightweight table, the lightweight table responsive to the lightweight check, generating including;
      
      receiving a connection request for connecting to the database; and
      
      identifying the connection attributes of the connection request, the connection attributes further defining an origin and a user from which the connection request was received, the origin indicative of a user access device and an interprocess transport medium, the connection attributes including a watch status corresponding to the transaction, the watch status indicating whether to transmit the transactions on the connection to be analyzed by the evaluator.
  - 5. The method of claim 2 wherein determining the connection attributes include a watch status, the watch status indicative of whether to invoke the second stage for the connection.
  - 6. The method of claim 2 further comprising:
    - defining, for the connection, a redaction indicator as a connection attribute;
      
      identifying, from the intercepted transaction, a portion of data for redaction;
      
      applying an indication of the redaction and a redaction format corresponding to the portion of data;
      
      analyzing the intercepted data including the portion of data for redaction;
      
      redacting, from a database response to the intercepted transaction, the portion of data according to the redaction format.
  - 7. The method of claim 2 wherein the connection attributes in the lightweight table further include a delay indicator, the delay indicator causing delaying a response to a client until the responsive action is received, wherein identifying further comprises:
    - fetching the delay indicator corresponding to the connection; and
      
      restricting the transaction until the responsive action is received.
  - 8. The method of claim 2 wherein receiving the connection request further comprises:
    - receiving a communication from the user access device;
      
      identifying the communication as a database connection request;
      
      generating an entry in the lightweight table corresponding to the connection request;
      
      storing an identity of the interprocess transport medium from which the connection request emanated; and
      
      storing the connection attributes indicative of a need to evaluate transactions transmitted on the connection.
  - 9. The method of claim 4 wherein generating the lightweight table further comprisesestablishing a common access point for the transactions;
    - watching the common access point for an attempt to connect to the database;
      
      gathering parameters concerning the connection request; and
      
      matching the gathered parameters to the set of rules.
  - 10. The method of claim 9 wherein establishing the common access point further comprises:
    - identifying a plurality of interprocess transport mediums through which database connections may be established;
      
      establishing, for each of the identified communication mechanisms, tap points from which to intercept communications directed to the database; and
      
      intercepting connection requests from each of the identified interprocess transport mediums; and
      
      sending the intercepted connection requests to the common access point for classifying the connection via a connection entry and watch status in the lightweight table.
  - 11. The method of claim 2 wherein the responsive action received from the evaluator is indicative of a termination of the connection, the termination resulting from the verdict evaluating the transaction as an undesirable communication.
  - 12. The method of claim 2 wherein the responsive action from the evaluator is indicative of permitting the transaction to proceed and logging the transaction at the evaluator.
  - 13. The method of claim 2 wherein the connection attributes in the lightweight table further include a priority buffer, the priority buffer causing a delay of a transaction requesting access to the database for permitting higher priority requests to proceed, further comprising:
    - receiving the request for database access;
      
      fetching the priority buffer value corresponding to the connection; and
      
      delaying the request for a duration corresponding to the priority buffer value.
  - 14. The method of claim 1 wherein the received transaction further includes a set of portions, each portion contained in a packet, further comprising:
    - receiving a series of packets, the packets collectively defining the transaction received on a watched connection;
      
      transmitting the received packets to the evaluator for aggregating the packets as a single transaction;
      
      identifying a response transaction corresponding to the received transaction, the response transaction received on the watched connection; and
      
      instructing the evaluator to commence analyzing the transaction by applying the set of rules to the received transaction.
  - 15. The method of claim 14 wherein analyzing the connection further comprises:
    - receiving a request transaction, the request transaction triggering the response transaction by the database;
      
      permitting each of the portions of the request transaction to transmit to the database;
      
      identifying a first portion of the corresponding response transaction; and
      
      informing the evaluator that the request transaction is complete and to begin evaluating the received transaction.
  - 16. The method of claim 3 where the lightweight check avoids impeding database access by consuming less the 4% of CPU resources for performing fetching of the connection attributes.
  - 17. The method of claim 11 further comprising, following termination of a connection based on a responsive action, causing the server to perform a rollback of the received transaction causing the termination to restore the database to a state immediately prior to the received transaction.
  - 18. The method of claim 2 further comprising performing the lightweight check comprises fetching a predetermined label corresponding to the connection, the predetermined label based on comparing the connection attributes to the transactions on the connection.
  - 19. The method of claim 2 wherein the responsive action is indicative of at least one of a treatment for the transaction and a state change modifying the rules indicating whether to allow subsequent transactions on the connection to proceed.

20. A data security appliance for monitoring database connections comprising:
- an evaluator having a memory, a processor, a network interface, and a coupling to a database server performing database access requests via the database connections;
  
  the coupling responsive to an IPC intercept on the database server for receiving a transaction requesting to access a database, the transaction received on a connection, the connection being between the database and an access portal;
  
  the IPC intercept providing the transaction to a scrutinizer for identifying, via a lightweight check, a set of connection attributes of the database connection, the connection attributes indicative of a level of scrutiny to be applied to the connection, the lightweight check performed by fetching a predetermined label corresponding to the connection;
  
  the scrutinizer selectively transmitting, based on the connection attributes being indicative of a need to analyze the connection, the received transaction to the coupled evaluator, the evaluator having a set of access rules for determining a verdict specifying whether the transaction is a suspect transaction indicative of undesirable access;
  
  the evaluator invoking the coupling for sending the verdict to the scrutinizer, the verdict indicative of a responsive action based on applying the set of access rules to the transaction; and
  
  the scrutinizer responsive to the verdict for applying the responsive action to the transaction, the responsive action indicating at least one of;
  
  permitting the transaction the transaction;
  
  ormodifying the set of access rules to apply to subsequent transactions.
- View Dependent Claims (21, 22, 23)
- - 21. The appliance of claim 20 wherein the scrutinizer coupled to the evaluator further comprises:
    - a lightweight table, the lightweight table responsive to the lightweight check, wherein the scrutinizer;
      
      receives a connection request for connecting to the database;
      
      identifies the connection attributes of the connection, the connection attributes further defining an origin and a user from which the connection request was received, the origin indicative of a user access device and an interprocess transport medium for identifying successive transactions on the connection; and
      
      determines, for the connection, the connection attributes, the connection attributes including at least one of a watch status, a delay indicator, a redaction indicator or a priority buffer corresponding to the connection.
  - 22. The appliance of claim 21 wherein the scrutinizer:
    - identifies a plurality of interprocess transport mediums through which database connections may be established;
      
      establishes, for each of the identified communication mechanisms, tap points from which to intercept communications directed to the database; and
      
      intercepts connection requests from each of the identified interprocess transport mediums; and
      
      sends the intercepted connection requests to the common access point for classifying the connection via a connection entry and watch status in the lightweight table.
  - 23. The method of claim 22 wherein the evaluator is coupled to the scrutinizer for receiving each of a plurality of transactions directed to the database server, the scrutinizer further identifying each interprocess transport medium employed for database access.

24. A computer program product having a computer readable storage medium operable to store computer program logic embodied in computer program code encoded as a set of processor based instructions thereon, that, when executed by the processor cause the computer to perform steps for scrutinizing database connections comprising:
- computer program code for receiving a transaction requesting to access a database, the transaction received on a connection, the connection being between the database and an access portal;
  
  computer program code for identifying, via a lightweight check, a set of connection attributes corresponding to the database connection, the watch status indicative of a level of scrutiny to be applied to the connection, the lightweight check performed by fetching a predetermined label corresponding to the connection;
  
  computer program code for selectively transmitting, based on the connection attributes being indicative of a need to analyze the connection, the received transaction to an evaluator, the evaluator operable to apply a set of access rules for determining a verdict specifying whether the transaction is a suspect transaction indicative of undesirable access;
  
  computer program code for receiving the verdict, the verdict indicative of a responsive action based on applying the set of access rules to the transaction; and
  
  computer program code for applying the responsive action to the transaction.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Ben-Natan, Ron

Granted Patent

US 8,261,326 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0263 Rule management

H04L 63/20 for managing network securi...

Network Intrusion Blocking Security Overlay

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

28 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Network Intrusion Blocking Security Overlay

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links