Identifying attribute propagation for multi-tier processing

US 20100132024A1
Filed: 12/20/2006
Published: 05/27/2010
Est. Priority Date: 12/20/2006
Status: Active Grant

First Claim

Patent Images

1. A method for propagating attributes comprising:

receiving a request to perform a processing operation, the request including an attribute indicative of an initiator of the request;

determining a processing unit associated with the request, the processing unit operable to service the request;

identifying a processing operation performed by the determined processing unit for satisfying the request;

matching the processing operation to the request by identifying a processing unit common to the request and the processing operation, the common processing unit identified by intercepting a system call to receive the request and a system call to perform the processing operation; and

mapping the common processing unit associated with the request to the processing operation being performed to service the request.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A multi-tier attribute tracking mechanism provides the ability to identify the end user credentials and other client information and attributes and assign them to database requests in an application server architecture. Disclosed configurations identify the processing unit, or thread, assigned by the operating system to service the incoming request from the user at the application tier. A matching of users to threads allows successive thread activity to be mapped back to the initiating user. Conventional interception of database access attempts at the application level (so called “server taps,” or staps) identified only the database user (the account in the database) and associated connection as the responsible user. By intercepting, or “tapping” the access request at the operating system level (using so-called kernel taps, or “ktaps”), the mechanism matches which application requests map to which database requests. With this matching, the database requests can be tagged with the user credentials which are known through the application request.

68 Citations

View as Search Results

28 Claims

1. A method for propagating attributes comprising:
- receiving a request to perform a processing operation, the request including an attribute indicative of an initiator of the request;
  
  determining a processing unit associated with the request, the processing unit operable to service the request;
  
  identifying a processing operation performed by the determined processing unit for satisfying the request;
  
  matching the processing operation to the request by identifying a processing unit common to the request and the processing operation, the common processing unit identified by intercepting a system call to receive the request and a system call to perform the processing operation; and
  
  mapping the common processing unit associated with the request to the processing operation being performed to service the request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1 wherein the request corresponds to an attribute indicative of a responsible user and the processing operation includes a database call to access a database for satisfying the request.
  - 3. The method of claim 2 wherein the attribute is a user identifier, further comprising receiving a user credential indicative of the operator corresponding to the user identifier.
  - 4. The method of claim 1 wherein mapping further comprises:
    - identifying an attribute of the request;
      
      storing an association of the attribute and the common processing unit; and
      
      detecting a successive application function performed by the common processing unit as corresponding to the identified attribute.
  - 5. The method of claim 4 wherein receiving the request and performing the processing operation occur on different application tiers, further comprising performing the processing operation on a tier in which the attribute is unavailable via propagation to the tier performing the processing operation.
  - 6. The method of claim 4 wherein the request further comprises an inbound request including at least one of a connection request or a data request, the inbound request directed to a predetermined set of connections through which requests are channeled.
  - 7. The method of claim 4 wherein the system call is an outbound call to an outbound IPC portal operative to perform application functions on behalf of the identified attribute.
  - 8. The method of claim 7 wherein identifying the outbound call further comprises:
    - intercepting an invocation to a system routine for accessing the outbound IPC portal; and
      
      matching the processing unit performing the outbound IPC portal access with the processing unit servicing the inbound request to perform application functions.
  - 9. The method of claim 1 wherein receiving the request further comprises intercepting invocations to a system routine for instantiating the processing unit, the processing unit operable to perform a read via an interface resource to which the request is directed, receiving further comprising scrutinizing requests for at least one of a connection request and a query request.
  - 10. The method of claim 7 wherein intercepting the outbound IPC portal access further comprises:
    - watching write operations to a port associated with the database, the port accessible via a socket responsive to the processing unit; and
      
      identifying a user identifier corresponding to the processing unit, the processing unit further comprising a thread assigned by the operating system for servicing the inbound request.
  - 11. The method of claim 10 wherein receiving the request further comprises:
    - listening to a set of ports designated as the interface resources operable for database access and to a set of ports designated as the interface resources operable for application requests;
      
      intercepting a connection request to a socket bound to one of the ports in the set of ports designated as the interface resources operable for application requests as issued on behalf of a user;
      
      computing a thread instantiated as the processing unit for servicing the connection request, the thread operable to service successive data access requests emanating from the same user; and
      
      intercepting successive data access requests by watching socket writes to ports associated with the database made by the instantiated thread.
  - 12. The method of claim 11 wherein the connection request includes a credential indicative of the user, further comprising:
    - retrieving user identification information from the credential;
      
      identifying a session token corresponding to the user identification;
      
      identifying successive data access requests corresponding to the session token; and
      
      mapping the identified successive data access requests to the user via the session token.
  - 13. The method of claim 6 wherein following intercepting an inbound connection request and identifying corresponding outgoing database requests, the corresponding outgoing database calls are performed by the same thread as the inbound request.
  - 14. The method of claim 13 further comprising:
    - identifying incoming IPC mechanisms through which application requests emanate from a user;
      
      identifying outgoing IPC mechanisms through which the database requests to the database are made; and
      
      identifying the IPC mechanism includes identifying a port against which a socket read was executed.

15. An encoded set of processor based instructions for performing a method of user identification via attribute propagation comprising:
- receiving, from a user, a request to perform an application function;
  
  extracting an attribute from the request;
  
  intercepting an inbound system call to service the request by an interprocess communication (IPC) portal;
  
  determining, from the intercepted system call, a processing unit assigned to service the request;
  
  watching operations performed by the assigned processing unit to capture database access attempts by the assigned processing unit;
  
  intercepting an outbound system call to access the database by the assigned processing unit;
  
  mapping the processing unit to the extracted attribute in the inbound system call;
  
  associating the attribute to the access made by the assigned processing unit; and
  
  logging the association of the database access request to the mapped attribute.
- View Dependent Claims (16, 17)
- - 16. The method of claim 15 wherein watching further comprises:
    - establishing a front end responsive to system calls, andfiltering system calls by identifying calls made to access IPC portals associated with the database made by a watched processing unit; and
      
      computing the processing unit assigned in response to the system calls.
  - 17. The method of claim 16 wherein intercepting the inbound system call to an IPC portal further comprises:
    - identifying a port employed by the requests to access the application;
      
      identifying a request to bind a socket to the identified port; and
      
      receiving connection requests on behalf of a user directed to the identified port.

18. A data security device for tracking database access attempts comprising:
- a monitor operable to receive an application request to perform an application function, the application request including an attribute;
  
  a thread table operable to determine a processing unit associated with the application request, the processing unit operable to service the application request;
  
  an interface to an interception layer operable to identify a database call performed by the determined processing unit for satisfying the application request via database access; and
  
  a mapper operable to map the attribute to the database calls caused when servicing the request by identifying a processing unit common to the application request and database call, the common processing unit identified by intercepting a system call to receive the request and a system call to send the database call, the correlator further operable to employ the thread table to map the common processing unit with the attribute included in the application request.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25)
- - 19. The device of claim 18 wherein the application request further comprises an inbound request including at least one of a connection request or a data request, the inbound request directed to a predetermined set of interface resources through which database access attempts are channeled.
  - 20. The device of claim 19 wherein the database call is an outbound database call to an outbound IPC portal operative to access data in the database on behalf of a user corresponding to the attribute included in the application request.
  - 21. The device of claim 20 wherein the interface for identifying the database call is further operable to:
    - intercept an invocation to a system routine for accessing the outbound IPC portal; and
      
      match the processing unit performing the outbound IPC portal access with the processing unit performing the inbound application request.
  - 22. The device of claim 21 wherein the database monitor is operable to receive the application request by intercepting invocations to a system routine for instantiating the processing unit, the processing unit operable to perform a read via the interface resource to which the request is directed, receiving further comprising scrutinizing the application requests for at least one of a connection request and a query request.
  - 23. The device of claim 21 wherein the interface to the interception layer is further operable to:
    - watch write operations to a port associated with the database, the port accessible via a socket responsive to the processing unit, wherein the database monitor is operable to identify a user identifier corresponding to the processing unit, the processing unit further comprising a thread assigned by the operating system for servicing the inbound request.
  - 24. The device of claim 20 wherein the database monitor application is further operable to:
    - listen to a set of ports designated as the interface resources operable for database access;
      
      listen to a set of ports designated as the interface resources operable for application requests;
      
      intercept a connection request to a socket, the socket bound to one of the ports in the set of ports designated as the interface resources operable for application requests, issued on behalf of a user;
      
      compute a thread instantiated as the processing unit for servicing the connection request, the thread operable to service successive data access requests emanating from the same user; and
      
      intercept successive data access requests by watching socket writes to ports associated with the database made by the instantiated thread.
  - 25. The device of claim 21 wherein the connection request includes a credential indicative of the user, further comprising:
    - retrieving user identification information from the credential;
      
      identifying a session token corresponding to the user identification;
      
      identifying successive data access requests corresponding to the session token;
      
      mapping the identified successive data access requests to the user via the session token, such that following intercepting an inbound connection request and identifying corresponding outgoing database requests, the corresponding outgoing database calls are performed by the same thread as the inbound request; and
      
      logging the data access requests correlated with the mapped user.

26. A computer program product having a computer readable medium operable to store computer program logic embodied in computer program code encoded thereon for tracking database access comprising:
- computer program code for receiving a request to access a database, the request including a user identifier;
  
  computer program code for determining a computing unit associated with the request, the computing unit operable to service the request;
  
  computer program code for identifying a database call performed by the determined computing unit for satisfying the request via database access; and
  
  computer program code for correlating the computing unit with the user identifier to identify the user responsible for the database access.
- View Dependent Claims (27, 28)
- - 27. The computer program product of claim 26 wherein the same processing unit handles the inbound request and outbound call.
  - 28. The computer program product of claim 27 further comprising logging the access correlated with the responsible user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Segal, Ury, Ben-Natan, Ron

Granted Patent

US 8,141,100 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/9
CPC Class Codes

G06F 2209/542 Intercept

G06F 9/545 where tasks reside in diffe...

Identifying attribute propagation for multi-tier processing

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

68 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Identifying attribute propagation for multi-tier processing

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

68 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links