Multi-Layer System for Privacy Enforcement and Monitoring of Suspicious Data Access Behavior
Abstract
A method for controlling data access in a data-at-rest system includes executing a link intrusion prevention analysis between multiple layers of the data-at-rest system, introducing a privacy policy at enforcement points that span multiple system layers, and dynamically altering the privacy policy.
17 Claims
1. A method for controlling data access in a database, the method comprising:
receiving a request for data at an application layer of a database, the database comprising the application layer and a file layer, and the requested data residing in one or more data files stored at the file layer;
responsive to the received data request, performing a first intrusion detection analysis at the database application layer to determine whether the received data request comprises an application layer intrusion;
responsive to a determination that the received data request does not comprise an application layer intrusion, performing a second intrusion detection analysis at the database file layer to determine whether the received data request comprises a file layer intrusion; and
granting access to the requested data in response to a determination that the received data request does not comprise a file layer intrusion.
Dependent claims: 2, 3, 4, 5, 6
7. A non-transitory computer-readable storage medium containing instructions for causing a computer to perform the method comprising:
receiving a request for data at an application layer of a database, the database comprising the application layer and a file layer, and the requested data residing in one or more data files stored at the file layer;
responsive to the received data request, performing a first intrusion detection analysis at the database application layer to determine whether the received data request comprises an application layer intrusion;
responsive to a determination that the received data request does not comprise an application layer intrusion, performing a second intrusion detection analysis at the database file layer to determine whether the received data request comprises a file layer intrusion; and
granting access to the requested data in response to a determination that the received data request does not comprise a file layer intrusion.
8. A method for controlling access to a database system, the method comprising:
receiving a query at the application layer of a database from a user, the query directed to data residing in one or more data files stored at a file layer of the database, the user associated with an access history;
determining a user role matching the user, the user role associated with a first access criterion at the application layer and a second access criterion at the file layer;
comparing, at the application layer, the user's access history to the first access criterion to determine whether the query comprises an application layer intrusion;
responsive to a determination that the query does not comprise an application layer intrusion, comparing, at the file layer, the user's access history to the second access criterion to determine whether the query comprises a file layer intrusion; and
allowing the query in response to a determination that the query does not comprise a file layer intrusion.
Dependent claims: 9, 10
11. A non-transitory computer-readable storage medium containing instructions for causing a computer to perform the method comprising:
receiving a query at the application layer of a database from a user, the query directed to data residing in one or more data files stored at a file layer of the database, the user associated with an access history;
determining a user role matching the user, the user role associated with a first access criterion at the application layer and a second access criterion at the file layer;
comparing, at the application layer, the user's access history to the first access criterion to determine whether the query comprises an application layer intrusion;
responsive to a determination that the query does not comprise an application layer intrusion, comparing, at the file layer, the user's access history to the second access criterion to determine whether the query comprises a file layer intrusion; and
allowing the query in response to a determination that the query does not comprise a file layer intrusion.
12. A method for accessing data, the method comprising:
receiving a first request from a user for accessing data at an application layer of a database, the requested data residing in one or more data files stored at a file layer of the database, the user having an access history, the access history including a counter indicating a level of data accesses;
responsive to the first request, comparing the counter to a first threshold at the application layer to determine whether the counter exceeds the first threshold thereby indicating an application layer intrusion; and
responsive to a determination that the first request does not comprise an application layer intrusion:
transmitting a second request to the file layer for the requested data, the second request being based on the first request and including the counter;
comparing the counter to a second threshold at the file layer to determine whether the counter exceeds the second threshold thereby indicating a file layer intrusion; and
granting the user access to the requested data in response to a determination that the second request does not comprise a file layer intrusion.
Dependent claims: 13, 14, 15, 16
17. A system comprising:
a non-transitory computer-readable storage medium containing instructions for causing a computer to perform the method comprising:
receiving a first request from a user for accessing data at an application layer of a database, the requested data residing in one or more data files stored at a file layer of the database, the user having an access history, the access history including a counter indicating a level of data accesses;
responsive to the first request, comparing the counter to a first threshold at the application layer to determine whether the counter exceeds the first threshold thereby indicating an application layer intrusion; and
responsive to a determination that the first request does not comprise an application layer intrusion:
transmitting a second request to the file layer for the requested data, the second request being based on the first request and including the counter;
comparing the counter to a second threshold at the file layer to determine whether the counter exceeds the second threshold thereby indicating a file layer intrusion; and
granting the user access to the requested data in response to a determination that the second request does not comprise a file layer intrusion.
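
The flow recited in claims 8 and 12, as an added Python example that is not taken from the patent: a user's role supplies one threshold per layer, the application layer checks the access counter first, and the file layer re-checks the forwarded counter against its own threshold before releasing the file. The class names, role table, threshold values, sample file and the rule that the counter increments on each granted read are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Role:
    app_threshold: int    # first threshold, checked at the application layer
    file_threshold: int   # second threshold, checked at the file layer

class FileLayer:
    """Holds the data files and makes its own decision on every request."""
    def __init__(self, files):
        self.files = files

    def read(self, name, counter, threshold):
        # The second request carries the counter, so the file layer does
        # not have to trust the application layer's verdict.
        if counter > threshold:
            return None
        return self.files[name]

class ApplicationLayer:
    def __init__(self, file_layer, roles, user_roles):
        self.file_layer = file_layer
        self.roles = roles
        self.user_roles = user_roles
        self.counters = {}  # access history: user -> counter

    def request(self, user, name):
        role = self.roles[self.user_roles[user]]
        counter = self.counters.get(user, 0)
        if counter > role.app_threshold:
            return ("denied:application", None)
        data = self.file_layer.read(name, counter, role.file_threshold)
        if data is None:
            return ("denied:file", None)
        self.counters[user] = counter + 1  # assumption: count granted reads
        return ("granted", data)

def demo():
    # Constructed sample data: one file, two hypothetical roles and users.
    files = FileLayer({"patients.dat": b"constructed sample record"})
    roles = {"clerk": Role(2, 10), "batch": Role(10, 1)}
    app = ApplicationLayer(files, roles, {"alice": "clerk", "svc": "batch"})
    return {u: [app.request(u, "patients.dat")[0] for _ in range(5)]
            for u in ("alice", "svc")}

if __name__ == "__main__":
    for user, decisions in demo().items():
        print(user, decisions)
```

The second user shows why the file-layer check is not redundant: its requests stay under the application-layer threshold and are still stopped by the stricter file-layer threshold.
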
Specification