MONITORING AND REPORTING OF DATA ACCESS BEHAVIOR OF AUTHORIZED DATABASE USERS

US 20110321175A1
Filed: 12/06/2010
Published: 12/29/2011
Est. Priority Date: 06/23/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of monitoring user activity in a database system, the method comprising:

recording data access events associated with a user accessing data maintained by the database system, resulting in recorded events;

comparing characteristics of the recorded events for a designated period of time to corresponding characteristics of a nominal event activity profile for the designated period of time; and

initiating a course of action when the characteristics of the recorded events diverge from the nominal event activity profile.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented system and method of monitoring data access activity of a user of a system is presented here. The method maintains a respective score for each of a plurality of monitored data access events, resulting in a set of scores for the user. The method continues by monitoring behavior of the user to detect occurrences of the monitored data access events, and updating the set of scores in response to detected occurrences of the monitored data access events. The method initiates an appropriate course of action when the updated set of scores is indicative of unauthorized, suspicious, or illegitimate data access activity.

107 Citations

View as Search Results

20 Claims

1. A computer-implemented method of monitoring user activity in a database system, the method comprising:
- recording data access events associated with a user accessing data maintained by the database system, resulting in recorded events;
  
  comparing characteristics of the recorded events for a designated period of time to corresponding characteristics of a nominal event activity profile for the designated period of time; and
  
  initiating a course of action when the characteristics of the recorded events diverge from the nominal event activity profile.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein:
    - the database system comprises a multi-tenant customer relationship management (CRM) system; and
      
      the user is an authenticated user of the multi-tenant CRM system.
  - 3. The method of claim 1, further comprising deriving the nominal event activity profile from historical data access behavior of the user.
  - 4. The method of claim 1, further comprising deriving the nominal event activity profile from collective historical data access behavior of a peer group of the user.
  - 5. The method of claim 1, further comprising dynamically updating the nominal event activity profile in response to ongoing data access behavior of the user.
  - 6. The method of claim 1, further comprising:
    - maintaining a respective score for each of a plurality of monitored data access events, resulting in a set of scores for the user; and
      
      in response to each recorded event, adjusting the set of scores to obtain an updated set of scores for the user, wherein comparing characteristics of the recorded events comprises comparing the updated set of scores to a scoring profile assigned to the user.
  - 7. The method of claim 1, further comprising:
    - maintaining a respective score for each of a plurality of monitored data access events, resulting in a set of scores for the user; and
      
      in response to each recorded event, adjusting the set of scores to obtain an updated set of scores for the user, wherein comparing characteristics of the recorded events comprises comparing the updated set of scores to a scoring profile assigned to a peer group of the user.

8. A computer-implemented method of monitoring data access activity of a user of a system, the method comprising:
- maintaining a respective score for each of a plurality of monitored data access events, resulting in a set of scores for the user;
  
  monitoring behavior of the user to detect occurrences of the monitored data access events;
  
  updating the set of scores in response to detected occurrences of the monitored data access events, resulting in an updated set of scores; and
  
  initiating a course of action when the updated set of scores is indicative of unauthorized data access activity.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 9. The method of claim 8, further comprising recording the detected occurrences of the monitored data access events, along with application data linked with the detected occurrences of the monitored data access events.
  - 10. The method of claim 8, further comprising comparing the updated set of scores to a nominal event activity profile associated with the user, wherein initiating the course of action is performed when the updated set of scores diverges from the nominal event activity profile by at least a threshold amount.
  - 11. The method of claim 10, further comprising deriving the nominal event activity profile from historical data access behavior of the user.
  - 12. The method of claim 8, further comprising resetting the updated set of scores in accordance with a predetermined schedule.
  - 13. The method of claim 12, wherein resetting the updated set of scores comprises initializing the respective score for each of the plurality of monitored data access events on a daily basis.
  - 14. The method of claim 8, wherein the course of action comprises an action selected from the group consisting of:
    - generating a security alert;
      
      sending a warning message to a supervisor of the user;
      
      limiting data access rights of the user;
      
      implementing enhanced security measures for the user;
      
      logging the user out of the system;
      
      notifying the human resources department; and
      
      printing a report.
  - 15. The method of claim 8, wherein initiating the course of action is performed when the updated set of scores includes at least one individual score that exceeds a respective threshold score.
  - 16. The method of claim 8, wherein initiating the course of action is performed when an overall score derived from the updated set of scores exceeds a respective threshold score.
  - 17. The method of claim 8, wherein the monitored data access events comprise events selected from the group consisting of:
    - viewing a record;
      
      exporting a record;
      
      deleting a record;
      
      printing a record;
      
      emailing a record;
      
      preparing a list of records; and
      
      downloading a record.

18. A database system comprising:
- a database to store data accessible by a user;
  
  a data access monitor operatively associated with the database, wherein the monitor checks activity of the user associated with access to the database;
  
  a scoring engine operatively associated with the data access monitor, wherein the scoring engine maintains a set of scores for a plurality of monitored data access events;
  
  a decision engine operatively associated with the scoring engine, wherein the decision engine compares the set of scores to a nominal event activity profile for the user; and
  
  a response initiator operatively associated with the decision engine, wherein the response initiator initiates at least one security measure when the decision engine determines that the set of scores is indicative of unauthorized data access activity.
- View Dependent Claims (19, 20)
- - 19. The database system of claim 18, wherein the nominal event activity profile is derived from historical data access behavior of the user.
  - 20. The database system of claim 18, wherein the response initiator initiates at least one security measure when characteristics of the set of scores diverge from corresponding characteristics of the nominal event activity profile by at least a threshold amount.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Slater, Steve

Granted Patent

US 8,566,956 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/28
CPC Class Codes

G06F 21/552 involving long-term monitor...

H04L 63/1416 Event detection, e.g. attac...

MONITORING AND REPORTING OF DATA ACCESS BEHAVIOR OF AUTHORIZED DATABASE USERS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

107 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

MONITORING AND REPORTING OF DATA ACCESS BEHAVIOR OF AUTHORIZED DATABASE USERS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

107 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links