Proactive Information Security Management

US 20090300002A1
Filed: 05/26/2009
Published: 12/03/2009
Est. Priority Date: 05/28/2008
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for controlling access to sensitive information, the method comprising:

maintaining access constraint data that can be used to control access to said sensitive information, wherein said access constraint data comprises match pattern data and apply pattern data;

receiving a semantic query from a querier requesting access to said sensitive information;

based on said match pattern data, determining whether said semantic query should be constrained according to said apply pattern data;

where said semantic query should be constrained according to said apply pattern data, rewriting said semantic query according to said apply pattern data to produce a rewritten query;

executing said rewritten query against a database that contains said sensitive information; and

returning any results of executing said rewritten query.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for proactive information security management is described. In one embodiment, for example, a computer-implemented method for controlling access to sensitive information, the method comprising: maintaining access constraint data that can be used to control access to the sensitive information, wherein the access constraint data includes match pattern data and apply pattern data; receiving a semantic query from a querier requesting access to the sensitive information; based on the match pattern data, determining whether the semantic query should be constrained according to the apply pattern data; where said semantic query should be constrained according to the apply pattern data, rewriting the semantic query according to the apply pattern data to produce a rewritten query; executing the rewritten query against a database that contains the sensitive information; and returning any results of executing the rewritten query.

115 Citations

27 Claims

1. A computer-implemented method for controlling access to sensitive information, the method comprising:
- maintaining access constraint data that can be used to control access to said sensitive information, wherein said access constraint data comprises match pattern data and apply pattern data;
  
  receiving a semantic query from a querier requesting access to said sensitive information;
  
  based on said match pattern data, determining whether said semantic query should be constrained according to said apply pattern data;
  
  where said semantic query should be constrained according to said apply pattern data, rewriting said semantic query according to said apply pattern data to produce a rewritten query;
  
  executing said rewritten query against a database that contains said sensitive information; and
  
  returning any results of executing said rewritten query.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The computer-implemented method of claim 1, wherein said rewritten query is a semantic query.
  - 3. The computer-implemented method of claim 1, wherein said database contains semantic data that represents a semantic model of said sensitive information.
  - 4. The computer-implemented method of claim 1, wherein said rewritten query is a Structured Query Language (SQL) query.
  - 5. The computer-implemented method of claim 1, wherein said database is a relational database that contains said sensitive information.
  - 6. The computer-implemented method of claim 1, wherein said match pattern data and said apply pattern data each represent a basic graph pattern.
  - 7. The computer-implemented method of claim 1, wherein said semantic query is a SPARQL Protocol and RDF Query Language (SPARQL) query.
  - 8. The computer-implemented method of claim 1, wherein said access constraint data further comprises policy metadata, said policy metadata comprising a set of one or more schema semantic statements, and wherein the method further comprises:
    - using said set of one or more schema semantic statements to determine, based on said match pattern data, whether said semantic query should be constrained according to said apply pattern data.
  - 9. The computer-implemented method of claim 1, further comprising:
    - maintaining session data that specifies an attribute of the querier and a value for said attribute;
      
      wherein said apply pattern data references said attribute; and
      
      wherein the step of rewriting said semantic query according to said apply pattern data to produce a rewritten query further comprises rewriting said semantic query to incorporate the value for said attribute.
  - 10. The computer-implemented method of claim 1, wherein said rewritten query is a semantic query, the method further comprising:
    - maintaining semantic mapping data that indicates how to map said rewritten query to a native access mechanism associated with said database; and
      
      mapping said rewritten query to said native access mechanism.
  - 11. The computer-implemented method of claim 1, wherein said database is a relational database and said rewritten query is a Structured Query Language (SQL) query, the method further comprising:
    - maintaining semantic mapping data that indicates how to map said semantic query and said apply pattern data to said rewritten query;
      
      wherein the step of rewriting said semantic query according to said apply pattern data to produce a rewritten query is based on said semantic mapping data;
  - 12. The computer-implemented method of claim 1, further comprising:
    - where said semantic query should not be constrained according to said apply pattern data,executing said semantic query against a database that contains said sensitive information; and
      
      returning any results of executing said semantic query.
  - 13. The computer-implemented method of claim 1, further comprising:
    - maintaining session data that specifies an attribute associated a state of the database system and a value for said attribute;
      
      wherein said apply pattern data references said attribute; and
      
      wherein the step of rewriting said semantic query according to said apply pattern data to produce a rewritten query further comprises rewriting said semantic query to incorporate the value for said attribute.
  - 14. A computer-readable storage medium having computer-executable instructions for performing the method of claim 1.

15. A system for controlling access to sensitive information, the system comprising:
- a processor;
  
  a memory coupled to the processor; and
  
  logic encoded in one or more computer readable media for;
  
  maintaining access constraint data that can be used to control access to said sensitive information, wherein said access constraint data comprises match pattern data and apply pattern data;
  
  receiving a semantic query from a querier requesting said sensitive information;
  
  determining, based on said match pattern data, whether said semantic query should be constrained according to said apply pattern data;
  
  where said semantic query should be constrained according to said apply pattern data,rewriting said semantic query according to said apply pattern data to produce a rewritten query;
  
  executing said rewritten query against a database that contains said sensitive information; and
  
  returning any results of executing said rewritten query.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 16. The system of claim 15, wherein said rewritten query is a semantic query.
  - 17. The system of claim 15, wherein said database contains semantic data that represents a semantic model of said sensitive information.
  - 18. The system of claim 15, wherein said rewritten query is a Structured Query Language (SQL) query.
  - 19. The system of claim 15, wherein said database is a relational database that contains said sensitive information.
  - 20. The system of claim 15, wherein said match pattern data and said apply pattern data each represent a basic graph pattern.
  - 21. The system of claim 15, wherein said semantic query is a SPARQL Protocol and RDF Query Language (SPARQL) query.
  - 22. The system of claim 15, wherein said access constraint data further comprises policy metadata, said policy metadata comprising a set of one or more schema semantic statements, and wherein the system further comprises:
    - logic for using said set of one or more schema semantic statements to determine, based on said match pattern data, whether said semantic query should be constrained according to said apply pattern data.
  - 23. The system of claim 15, further comprising:
    - logic for maintaining session data that specifies an attribute of the querier and a value for said attribute;
      
      wherein said apply pattern data references said attribute; and
      
      wherein the logic for rewriting said semantic query according to said apply pattern data to produce a rewritten query further comprises logic for rewriting said semantic query to incorporate the value for said attribute.
  - 24. The system of claim 15, wherein said rewritten query is a semantic query, the system further comprising:
    - logic for maintaining semantic mapping data that indicates how to map said rewritten query to a native access mechanism associated with said database; and
      
      logic for mapping said rewritten query to said native access mechanism.
  - 25. The system of claim 15, wherein said database is a relational database and said rewritten query is a Structured Query Language (SQL) query, the system further comprising:
    - logic for maintaining semantic mapping data that indicates how to map said semantic query and said apply pattern data to said rewritten query;
      
      wherein the logic for rewriting said semantic query according to said apply pattern data to produce a rewritten query further comprises logic for rewriting said semantic query based on said semantic mapping data;
  - 26. The system of claim 15, further comprising:
    - logic operable where said semantic query should not be constrained according to said apply pattern data for,executing said semantic query against a database that contains said sensitive information; and
      
      returning any results of executing said semantic query.
  - 27. The system of claim 15, further comprising:
    - logic for maintaining session data that specifies an attribute associated a state of the system and a value for said attribute;
      
      wherein said apply pattern data references said attribute; and
      
      wherein the logic for rewriting said semantic query according to said apply pattern data to produce a rewritten query further comprises logic for rewriting said semantic query to incorporate the value for said attribute.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Thomas, John S., Mekrez, Idriss, Topper, Matt, Yalamanchi, Aravind

Granted Patent

US 8,285,748 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/2457   with adaptation to user needs

G06F 16/9535   Search customisation based ...

G06F 21/6227   where protection concerns t...

Proactive Information Security Management

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

115 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Proactive Information Security Management

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

115 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links