Identity Propagation through Application Layers Using Contextual Mapping and Planted Values

US 20130151542A1
Filed: 02/07/2013
Published: 06/13/2013
Est. Priority Date: 12/08/2010
Status: Active Grant

First Claim

Patent Images

1. A method, in a data processing system, for propagating source identification information from an application front-end system in an application layer to a data layer inspection system associated with a back-end system, comprising:

receiving, at the data layer inspection system, an incoming user request from a gateway system, in the application layer, associated with the application front-end system;

receiving, at the data layer inspection system, one or more outgoing statements targeting the back-end system and being generated by the application front-end system based on the received incoming user request;

accessing, by the data layer inspection system, a mapping data structure based on the one or more outgoing statements to thereby correlate the one or more outgoing statements with the incoming user request;

retrieving, by the data layer inspection system, source identification information associated with the incoming user request based on the correlation of the one or more outgoing statements with the incoming user request; and

performing, by the data layer inspection system, a data layer inspection operation based on the source identification information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Mechanisms are provided for propagating source identification information from an application front-end system in an application layer to a data layer inspection system associated with a back-end system. An incoming user request is received, at the data layer inspection system, from a gateway system associated with the application front-end system. One or more outgoing statements targeting a back-end system are received at the data layer inspection system. The data layer inspection system accesses a mapping data structure based on the one or more outgoing statements to thereby correlate the one or more outgoing statements with the incoming user request. The data layer inspection system retrieves source identification information associated with the incoming user request based on the correlation of the one or more outgoing statements with the incoming user request. The data layer inspection system performs a data layer inspection operation based on the source identification information.

Citations

11 Claims

1. A method, in a data processing system, for propagating source identification information from an application front-end system in an application layer to a data layer inspection system associated with a back-end system, comprising:
- receiving, at the data layer inspection system, an incoming user request from a gateway system, in the application layer, associated with the application front-end system;
  
  receiving, at the data layer inspection system, one or more outgoing statements targeting the back-end system and being generated by the application front-end system based on the received incoming user request;
  
  accessing, by the data layer inspection system, a mapping data structure based on the one or more outgoing statements to thereby correlate the one or more outgoing statements with the incoming user request;
  
  retrieving, by the data layer inspection system, source identification information associated with the incoming user request based on the correlation of the one or more outgoing statements with the incoming user request; and
  
  performing, by the data layer inspection system, a data layer inspection operation based on the source identification information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the mapping data structure maps a pattern of one or more outgoing statements to a type or pattern of one or more incoming user requests.
  - 3. The method of claim 2, wherein accessing the mapping data structure comprises performing a lookup of an entry in the mapping data structure that has a pattern of outgoing statements that matches a pattern of the received one or more outgoing statements.
  - 4. The method of claim 3, wherein accessing the mapping data structure further comprises:
    - retrieving a type or pattern of one or more incoming user requests specified in the entry; and
      
      identifying received one or more incoming user requests having a same type or pattern as the type or pattern specified in the entry.
  - 5. The method of claim 4, wherein retrieving source identification information comprises retrieving the source identification information based on connection information associated with the received one or more incoming user requests having a same type or pattern as the type or pattern specified in the entry.
  - 6. The method of claim 1, further comprising:
    - creating the mapping data structure, wherein the mapping data structure is created by;
      
      processing a plurality of test incoming user requests; and
      
      recording, in entries of the mapping data structure, for each test incoming user request in the plurality of test incoming user requests, a pattern of outgoing statements generated by the front-end application system targeting the back-end system.
  - 7. The method of claim 6, wherein processing the plurality of test incoming user requests comprises, for each test incoming user request:
    - parsing the test incoming user request to identify at least one application value in the test incoming user request;
      
      replacing the at least one application value in the test incoming user request with a uniquely identifiable value to generate a modified test incoming user request;
      
      processing the modified test incoming user request through the application front-end system; and
      
      monitoring outgoing statements generated by the application front-end system for the uniquely identifiable value.
  - 8. The method of claim 7, wherein outgoing statements having the uniquely identifiable value are added to an entry in the mapping data structure corresponding to the test incoming user request, and wherein a series of outgoing statements stored in the entry corresponding to the test incoming user request constitute a pattern of outgoing statements.
  - 9. The method of claim 1, wherein the data layer inspection operation is a data layer audit operation that generates an audit log of accesses to the back-end system, and wherein the audit log comprises the source identification information.
  - 10. The method of claim 1, wherein:
    - the back-end system is a database system,the incoming user request is a hypertext transport protocol (HTTP) request targeting the application front-end system, andthe outgoing statements are Structured Query Language (SQL) statements generated by the application front-end system based on the HTTP request.

11-25. -25. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Ben-Natan, Ron, Rodniansky, Leonid

Granted Patent

US 8,589,422 B2
Time in Patent Office

Days
Field of Search
US Class Current

707/755
CPC Class Codes

G06F 11/3664   Environments for testing or...

G06F 11/3672   Test management

G06F 16/13   File access structures, e.g...

G06F 16/245   Query processing

G06F 16/86   Mapping to a database

G06F 40/205   Parsing

H04L 67/01   Protocols

H04L 67/02   based on web technology, e....

H04L 69/22   Parsing or analysis of headers

H04L 69/28   Timers or timing mechanisms...

H04L 69/32   Architecture of open system...

H04L 69/324   in the data link layer [OSI...

H04L 69/329   in the application layer [O...

Identity Propagation through Application Layers Using Contextual Mapping and Planted Values

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Identity Propagation through Application Layers Using Contextual Mapping and Planted Values

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links