System and methods for selective local database access restriction

US 20100131512A1
Filed: 08/02/2005
Published: 05/27/2010
Est. Priority Date: 08/02/2005
Status: Active Grant

First Claim

Patent Images

1. A method of providing nonintrusive database security comprising:

identifying a plurality of access mediums operable to provide local access to a database via access attempts from a user, the identified access mediums including local access mediums emanating from the local server, the local server in direct communication with the database;

enumerating, for each of the identified access mediums, an access control mechanism operable to limit access attempts via the access medium, identifying further comprising identifying access mediums for all access permutations on a particular local server; and

enumerating comprising collectively covering all access permutations through which access attempts emanate on the particular local server;

identifying local access attempts to the database via the enumerated access mediums, the local access attempts employing a local client for database access, the local client defined by a local process independent of a disposition of an initiating user query device, the local access mediums including access mediums undetectable by remote parsing or stream based interrogation of an incoming network connection;

applying, to each of the identified access mediums, the enumerated access control mechanism, each of the enumerated access control mechanisms applicable to a subset of the identified access mediums; and

restricting the identified local access attempt, restricting further comprising performing at least one of preventing the access attempt and reporting the access attempt for further analysis.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A nonintrusive database access monitoring mechanism employs a hybrid approach that disallows, or blocks, the access mediums which are not feasible to intercept or analyze, as well as intercepting and analyzing access mediums for which interception and interrogation is available. Accordingly, various configurations provide the hybrid coverage approach to identifying access mediums, and either block or intercept the access attempts. In this manner, access mediums, such as interprocess communication (IPC) system calls, which may be efficiently intercepted and analyzed are captured and substantively processed, while other access mediums that are excessively burdensome or intrusive to capture are unselectively blocked from any communication, avoiding the need to analyze such access attempts.

125 Citations

View as Search Results

40 Claims

1. A method of providing nonintrusive database security comprising:
- identifying a plurality of access mediums operable to provide local access to a database via access attempts from a user, the identified access mediums including local access mediums emanating from the local server, the local server in direct communication with the database;
  
  enumerating, for each of the identified access mediums, an access control mechanism operable to limit access attempts via the access medium, identifying further comprising identifying access mediums for all access permutations on a particular local server; and
  
  enumerating comprising collectively covering all access permutations through which access attempts emanate on the particular local server;
  
  identifying local access attempts to the database via the enumerated access mediums, the local access attempts employing a local client for database access, the local client defined by a local process independent of a disposition of an initiating user query device, the local access mediums including access mediums undetectable by remote parsing or stream based interrogation of an incoming network connection;
  
  applying, to each of the identified access mediums, the enumerated access control mechanism, each of the enumerated access control mechanisms applicable to a subset of the identified access mediums; and
  
  restricting the identified local access attempt, restricting further comprising performing at least one of preventing the access attempt and reporting the access attempt for further analysis.
- View Dependent Claims (2, 3, 4, 5, 6, 31, 32, 34, 35, 36, 37, 38, 39, 40)
- - 2. The method of claim 1 wherein enumerating further comprises:
    - determining if the access medium is responsive to an interceptor operable to retrieve and analyze access attempts made via the access medium.
  - 3. The method of claim 2 wherein applying further comprises:
    - intercepting, if the access medium is responsive to the interceptor, the access attempt for selective access analysis; and
      
      preventing, If the access medium is not responsive to the interceptor, access attempts via the enumerated access medium.
  - 4. The method of claim 3 wherein identifying further comprises:
    - identifying access mediums which are not interceptable; and
      
      preventing access via the particular access medium for each of the access mediums which are not interceptable.
  - 5. The method of claim 1 wherein applying further comprises eliminating a potential threat from each of the enumerated access mediums by at least one of:
    - intercepting the access attempts made via the enumerated access medium; and
      
      preventing usage of the enumerated access medium.
  - 6. The method of claim 1 wherein applying the enumerated access control mechanism to the access attempts further comprises:
    - collecting access attempts and either blocking or enumerating the access attempts; and
      
      transmitting the collected access attempts to a collector.
  - 31. The method of claim 1 wherein the identified access mediums include local access mediums and remote access mediums, the local access mediums defined by interprocess communication mechanisms that initiate and terminate on the particular local server.
  - 32. The method of claim 1 wherein the local access mediums define a virtual or physical path to the local server, the local server accessing interprocess communication mechanisms employed by the operating system for local access to the database.
  - 34. The method of claim 1 wherein the local access attempts invoke an access medium defined by an IPC mechanism on the local server, the local access attempt initiated by a proximate user, the proximate user achieving access via a local device such that the local device circumvents a perimeter security approach.
  - 35. The method of claim 1 wherein the access mediums include at least one of shared memory, sockets, Unix pipes, file handles, Windows LPC and Named pipes.
  - 36. The method of claim 1 wherein the local accesses are intercepted by interceding in the access path define by an access medium from the local processes.
  - 37. The method of claim 36 wherein the local accesses are undetectable by remote parsing or stream based interrogation of an incoming network connection.
  - 38. The method of claim 1 wherein identifying the plurality of access mediums further comprises defining a hybrid coverage approach which either blocks or intercepts access attempts, the hybrid coverage performing, for the identified access mediums, at least one of:
    - capturing and processing access mediums which may be intercepted; and
      
      unselectively blocking access mediums which cannot be intercepted, such that a need for capture and analysis is avoided.
  - 39. The method of claim 38 further comprising, if an access medium is determined non-interceptable, blocking disallowed access mediums for which scrutinized access is not attainable.
  - 40. The method of claim 39 wherein enumerating the access mediums further comprises storing an access matrix denoting each access medium as interceptable and non interceptable, and intercepting or terminating affected processes.

7. (canceled)

8. (canceled)

9. A method for preventing unauthorized access to a database comprising:
- identifying a plurality of access mediums to a protected database, the identified access mediums including local access mediums emanating from the local server, the local server in direct communication with the database;
  
  enumerating access mediums responsive to an interrogative process, the interrogative process operable to intercept access attempts via the enumerated access mediums;
  
  generating an access medium repository indicative of, for each of the enumerated access mediums, those which the interrogative process is operable to intercept and analyze access attempts via the respective access medium, wherein the access mediums are local access mediums emanating from a local server in direct communication with the database, the local access mediums defined by interprocess communication mechanisms emanating and terminating on the local server such that the local access mediums include access mediums undetectable by remote parsing or stream based interrogation of an incoming network connection; and
  
  blocking access from access mediums nonresponsive to an interrogative process by prohibiting activity via the nonresponsive access mediums.
- View Dependent Claims (11, 12, 13, 15, 16, 18, 19)
- - 11. The method of claim 9 further comprising:
    - identifying local access attempts to the via the enumerated access mediums repository; and
      
      intercepting the local access attempt, wherein intercepting further comprises performing at least one of preventing the access attempt and reporting the access attempt for further analysis.
  - 12. The method of claim 11 further comprising:
    - intercepting access attempts to the database to selectively allow the access attempts;
      
      reporting the intercepted access attempts to an analyzer; and
      
      analyzing the access attempts to determine whether to allow the access attempt.
  - 13. The method of claim 11 wherein the local access medium further comprises at least one of shared memory and a file structure.
  - 15. The method of claim 13 further comprising:
    - identifying file handles in use for accessing a file structured device;
      
      computing multiple processes accessing the same identified handle; and
      
      terminating processes sharing the same file handle as the database.
  - 16. The method of claim 13 further comprising:
    - identifying access mediums corresponding to shared memory segments in use;
      
      computing processes employing the same shared memory segment as the database; and
      
      terminating the computed process employing the same shared memory segment as the database.
  - 18. The method of claim 13 further comprising modifying a library path operable for accessing an access method to the database by inserting an interceptor process in the library path operable to receive and analyze access attempts via the access method.
  - 19. The method of claim 11 further comprising:
    - identifying a set of database login attempts for a particular period;
      
      gathering reported logins collected from a particular access medium; and
      
      comparing the identified database login attempts with the gathered logins to identify discrepancies indicative of potentially suspect login attempts.

10. (canceled)

14. (canceled)

17. (canceled)

20. A method of tracking database access comprising:
- enumerating access mediums providing local access to a database via a local server, the enumerated access mediums including local access mediums emanating from the local server, the local server in direct communication with the database;
  
  determining, for each of the enumerated access mediums, whether access attempts are interceptable for each particular access medium, determining further comprising identifying access mediums for all access permutations on a particular local server; and
  
  enumerating comprising collectively covering all access permutations through which access attempts emanate on the local server;
  
  identifying local access attempts to the database via the enumerated access mediums, the local access attempts occurring via interprocess communication mechanisms emanating and terminating on the local server the local access mediums including access mediums undetectable by remote parsing or stream based interrogation of an incoming network connection;
  
  collecting, for each of the interceptable access attempts, the access attempt; and
  
  preventing access for each of the access mediums which are not interceptable, preventing further comprising performing at least one of preventing the access attempt and reporting the access attempt for further analysis.

21. A server for monitoring database access comprising:
- a processor;
  
  a memory coupled to the processor;
  
  a first process for intercepting database access attempts;
  
  a second process for preventing database access attempts, the first process and the second process executable in the memory by the processor;
  
  an enumeration of available access mediums, each of the enumerated access mediums responsive to at least one of the first process and the second process, further comprising access mediums for all access permutations on a particular local server; and
  
  the enumeration collectively covering all access permutations through which access attempts emanate on the particular local server, the enumerated access mediums including local access mediums emanating from the local server, the local server in direct communication with the database; and
  
  an access controller for identifying local access attempts via the local access mediums and employing the enumeration to determine applicability of the first and second process, and further for invoking at least one of the first and second processes for scrutinizing the local access attempt, the local access attempts occurring via interprocess communication mechanisms emanating and terminating on the local server, the access controller further restricting the identified access attempt, restricting further comprising performing at least one of preventing the local access attempt and reporting the local access attempt for further analysis, the local access mediums including access mediums undetectable by remote parsing or stream based interrogation of an incoming network connection.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The server of claim 21 wherein the enumeration is an access matrix adapted to indicate if he access medium is responsive to the first process, the first process further operable to retrieve and analyze access attempts made via the access medium.
  - 23. The server of claim 22 wherein the first and second processes are responsive to the access controller for:
    - intercepting, if the access medium is responsive to the first process, the access attempt for selective access analysis; and
      
      preventing, if the access medium is not responsive to the first process, access attempts via the enumerated access medium.
  - 24. The server of claim 23 wherein the access controller:
    - identifies access mediums which are not interceptable; and
      
      prevents access via the particular access medium for each of the access mediums which are not interceptable.
  - 25. The server of claim 21 wherein the access controller eliminates a potential threat from each of the enumerated access mediums by at least one of:
    - intercepting the access attempts made via the enumerated access medium; and
      
      preventing usage of the enumerated access medium.

26. A computer program product having a computer readable storage medium operable to store computer program logic embodied in computer program code encoded thereon that, when executed by a processor, cause the computer to perform a method for providing local database security, the method comprising:
- identifying a plurality of access mediums operable to provide local access to a database via access attempts from a user, the identified access mediums including local access mediums emanating from the local server, the local server in direct communication with a database;
  
  enumerating, for each of the identified access mediums, an access control mechanism operable to limit access attempts via the access medium, identifying further comprising identifying access mediums for all access permutations on a particular local server; and
  
  enumerating comprising collectively covering all access permutations through which access attempts emanate on the local server, the local access mediums including access mediums undetectable by remote parsing or stream based interrogation of an incoming network connection;
  
  identifying local access attempts to the database via the enumerated access mediums, the local access attempts occurring via interprocess communication mechanisms emanating and terminating on the local server;
  
  applying, to each of the identified access mediums, the enumerated access control mechanism, each of the enumerated access control mechanisms applicable to a subset of the identified access mediums, applying the enumerated access control mechanism to the access attempts further including;
  
  collecting access attempts and either blocking or recording the access attempts; and
  
  transmitting the recorded access attempts to a collector operable to analyze the collected access attempts.

27. (canceled)

28. (canceled)

29. A method of providing nonintrusive database security comprising:
- identifying a plurality of access mediums operable to provide local access to a database via access attempts from a user, the identified access mediums including local access mediums emanating from the local server, the local server in direct communication with the database;
  
  enumerating, for each of the identified access mediums, an access control mechanism operable to limit access attempts via the access medium, each access medium having a corresponding prevention measure;
  
  generating, from a configuration file, an access matrix having an entry for each of a combination of operating systems and local access mediums, the access matrix indicating the prevention measure to be invoked for each combination, the local access mediums defined by interprocess communication mechanisms emanating and terminating on the local server, the local access mediums including access mediums undetectable by remote parsing or stream based interrogation of an incoming network connection;
  
  indexing the access matrix based on the local access medium and the operating system; and
  
  applying, to each of the identified access mediums, the enumerated access control mechanism, each of the enumerated access control mechanisms applicable to a subset of the identified access mediums.

30. (canceled)

33. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Ben-Natan, Ron, Tarandach, Izar

Granted Patent

US 7,970,788 B2
Time in Patent Office

Days
Field of Search
US Class Current

707/741
CPC Class Codes

G06F 16/217   Database tuning G06F16/2282...

G06F 21/6227   where protection concerns t...

G06F 21/6236   between heterogeneous systems

System and methods for selective local database access restriction

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

125 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

System and methods for selective local database access restriction

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

125 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links