Multi-Layer System for Privacy Enforcement and Monitoring of Suspicious Data Access Behavior

US 20130174215A1
Filed: 02/26/2013
Published: 07/04/2013
Est. Priority Date: 02/18/2005
Status: Active Grant

First Claim

Patent Images

1. A method for controlling data access in a database, the method comprising:

receiving a request for data at an application layer of a database, the database comprising the application layer and a file layer, and the requested data residing in one or more data files stored at the file layer;

responsive to the received data request, performing a first intrusion detection analysis at the database application layer to determine whether the received data request comprises an application layer intrusion;

responsive to a determination that the received data request does not comprise an application layer intrusion, performing a second intrusion detection analysis at the database file layer to determine whether the received data request comprises a file layer intrusion; and

granting access to the requested data in response to a determination that the received data request does not comprise a file layer intrusion.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for controlling data access in a data-at-rest system includes executing a link intrusion prevention analysis between multiple layers of the data-at-rest system, introducing a privacy policy at enforcement points that span multiple system layers, and dynamically altering the privacy policy.

Citations

17 Claims

1. A method for controlling data access in a database, the method comprising:
- receiving a request for data at an application layer of a database, the database comprising the application layer and a file layer, and the requested data residing in one or more data files stored at the file layer;
  
  responsive to the received data request, performing a first intrusion detection analysis at the database application layer to determine whether the received data request comprises an application layer intrusion;
  
  responsive to a determination that the received data request does not comprise an application layer intrusion, performing a second intrusion detection analysis at the database file layer to determine whether the received data request comprises a file layer intrusion; and
  
  granting access to the requested data in response to a determination that the received data request does not comprise a file layer intrusion.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising dynamically adjusting a privacy policy at the database application layer or file layer.
  - 3. The method of claim 2, further comprising modifying the protection of data at the database application layer or file layer.
  - 4. The method of claim 3, wherein modifying the protection of data is performed based on a result of the intrusion detection analysis at the database application layer or file layer.
  - 5. The method of claim 2, wherein the privacy policy comprises an access control policy or cryptographic information.
  - 6. The method of claim 1, wherein the database further comprises a table layer, and further comprising performing a third intrusion detection analysis at the database table layer to determine whether the received data request comprises a database layer intrusion.

7. A non-transitory computer-readable storage medium containing instructions for causing a computer to perform the method comprising:
- receiving a request for data at an application layer of a database, the database comprising the application layer and a file layer, and the requested data residing in one or more data files stored at the file layer;
  
  responsive to the received data request, performing a first executing a link intrusion prevention detection analysis between at the database application layer to determine whether the received data request comprises an application layer intrusion;
  
  multiple layers of the data-at-rest system, during an attempt to access data in the data-at rest system;
  
  responsive to a determination that the received data request does not comprise an application layer intrusion, performing a second intrusion detection analysis at the database file layer to determine whether the received data request comprises a file layer intrusion introducing a privacy policy at enforcement points that span multiple system layers; and
  
  granting access to the requested data in response to a determination that the received data request does not comprise a file layer intrusion dynamically altering the privacy policy.

8. A method for controlling access to a database system, the method comprising:
- receiving a query at the application layer of a database from a user, the query directed to data residing in one or more data files stored at a file layer of the database, the user associated with an access history;
  
  determining a user role matching the user, the user role associated with a first access criterion at the application layer and a second access criterion at the file layer;
  
  comparing, at the application layer, the user'"'"'s access history to the first access criterion to determine whether the query comprises an application layer intrusion;
  
  responsive to a determination that the query does not comprise an application layer intrusion, comparing, at the file layer, the user'"'"'s access history to the second access criterion to determine whether the query comprises a file layer intrusion; and
  
  allowing the query in response to a determination that the query does not comprise a file layer intrusion.
- View Dependent Claims (9, 10)
- - 9. The method of claim 8, wherein the first and second access criteria comprise at least one of:
    - session authorization, session authentication, session encryption, password integrity, software integrity, application data integrity, database metadata integrity, security software integrity, time of day, and signature rules.
  - 10. The method of claim 8, further comprising:
    - responsive to a determination that the query comprises an application layer intrusion or a file layer intrusion, performing one or more of the following actions;
      
      blocking the query, alerting a system administrator and allowing the query, and allowing the query.

11. A non-transitory computer-readable storage medium containing instructions for causing a computer to perform the method comprising:
- receiving a query at the application layer of a database from a user, the query directed to data residing in one or more data files stored at a file layer of the database, the user associated with an access history;
  
  determining a user role matching the user, the user role associated with a first access criterion at the application layer and a second access criterion at the file layer;
  
  comparing, at the application layer, the user'"'"'s access history to the first access criterion to determine whether the query comprises an application layer intrusion;
  
  responsive to a determination that the query does not comprise an application layer intrusion, comparing, at the file layer, the user'"'"'s access history to the second access criterion to determine whether the query comprises a file layer intrusion; and
  
  allowing the query in response to a determination that the query does not comprise a file layer intrusion.

12. A method for accessing data, the method comprising:
- receiving a first request from a user for accessing data at an application layer of a database, the requested data residing in one or more data files stored at a file layer of the database, the user having an access history, the access history including a counter indicating a level of data accesses;
  
  responsive to the first request, comparing the counter to a first threshold at the application layer to determine whether the counter exceeds the first threshold thereby indicating an application layer intrusion; and
  
  responsive to a determination that the first request does not comprise an application layer intrusion;
  
  transmitting a second request to the file layer for the requested data, the second request being based on the first request and including the counter;
  
  comparing the counter to a second threshold at the file layer to determine whether the counter exceeds the second threshold thereby indicating a file layer intrusion; and
  
  granting the user access to the requested data in response to a determination that the second request dose not comprise a file layer intrusion.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The method of claim 12, wherein the counter represents a volume of data the user has accessed in a given time period.
  - 14. The method of claim 12, wherein the counter comprises a scorecard indicating a number of times the user has requested the data in a given time period.
  - 15. The method of claim 12, further comprising:
    - determining that the counter exceeds a third threshold at the file layer but does not exceed the second threshold; and
      
      alerting a system administrator responsive to the counter exceeding the third threshold but not the second threshold.
  - 16. The method of claim 12, further comprising:
    - responsive to a determination that the second request comprises a file layer intrusion at the file layer, denying the first request.

17. A system comprising:
- a non-transitory computer-readable storage medium containing instructions for causing a computer to perform the method comprising;
  
  receiving a first request from a user for accessing data at an application layer of a database, the requested data residing in one or more data files stored at a file layer of the database, the user having an access history, the access history including a counter indicating a level of data accesses;
  
  responsive to the first request, comparing the counter to a first threshold at the application layer to determine whether the counter exceeds the first threshold thereby indicating an application layer intrusion; and
  
  responsive to a determination that the first request does not comprise an application layer intrusion;
  
  transmitting a second request to the file layer for the requested data, the second request being based on the first request and including the counter;
  
  comparing the counter to a second threshold at the file layer to determine whether the counter exceeds the second threshold thereby indicating a file layer intrusion; and
  
  granting the user access to the requested data in response to a determination that the second request dose not comprise a file layer intrusion.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Protegrity US Holding LLC
Original Assignee
Ulf Mattsson
Inventors
Mattsson, Ulf

Granted Patent

US 8,701,191 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/60   Protecting data

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

G06F 21/6245   Protecting personal data, e...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/1433   Vulnerability analysis

Multi-Layer System for Privacy Enforcement and Monitoring of Suspicious Data Access Behavior

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-Layer System for Privacy Enforcement and Monitoring of Suspicious Data Access Behavior

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links