SPACE-TIME SEPARATED AND JOINTLY EVOLVING RELATIONSHIP-BASED NETWORK ACCESS AND DATA PROTECTION SYSTEM
First Claim
1. A system for determining whether user access to data stored in a database is authorized, comprising:
computer-executable software code stored on at least one non-transitory data storage device for accepting a request by a user to access the data stored in the database;
means for identifying a sequence of servers to participate in authenticating the access of the data by the user;
means for generating a sequence of passwords;
computer-executable software code stored on at least one non-transitory data storage device for checking, at each one of the servers, a corresponding one of the passwords;
means for determining that the user is permitted to access the data if all the servers accept the corresponding password; and
means for varying the passwords over time.
1 Assignment; 0 Petitions
Abstract
A network security system that employs space-time separated and jointly-evolving relationships to provide fast network access control, efficient real-time forensics capabilities, and enhanced protection for at-rest data in the event of a network breach. The network security system allows, in part, functionality by which the system accepts a request by a user to access the data stored in the database, identifies a sequence of security agents to participate in authenticating and protecting the access of the data by the user, generates a sequence of pseudorandom IDs and space-time varying credentials, checks at each one of the security agents a corresponding one of the credentials, determines that the user is permitted to access the data using access control logs if all the security agents accept the corresponding credentials, and varies the credentials based on a space-time relationship.
160 Citations
Claims (30)
1. A system for determining whether user access to data stored in a database is authorized, comprising:
computer-executable software code stored on at least one non-transitory data storage device for accepting a request by a user to access the data stored in the database;
means for identifying a sequence of servers to participate in authenticating the access of the data by the user;
means for generating a sequence of passwords;
computer-executable software code stored on at least one non-transitory data storage device for checking, at each one of the servers, a corresponding one of the passwords;
means for determining that the user is permitted to access the data if all the servers accept the corresponding password; and
means for varying the passwords over time.
(Dependent claims 2 through 14 are not reproduced here.)

15. A method for determining whether user access to data stored in a database is authorized, comprising:
accepting a request by a user to access the data stored in the database;
identifying a sequence of servers to participate in authenticating the access of the data by the user;
generating a sequence of passwords;
checking, at each one of the servers, a corresponding one of the passwords;
determining that the user is permitted to access the data if all the servers accept the corresponding password; and
varying the passwords over time.
(Dependent claims 16 through 28 are not reproduced here.)

29. A server for authenticating user access to data stored in a database, comprising:
computer-executable software code stored on at least one non-transitory data storage device for accepting a request by a user to access the data stored in the database;
identifying one or more subsequent servers to participate in authenticating the access of the data by the user;
analyzing a one-time password among a plurality of one-time passwords; and
passing a client security ticket to at least one of the one or more subsequent servers; and
passing a network security ticket to at least one of the one or more subsequent servers.

30. A server for authenticating user access to data stored in a database, comprising:
computer-executable software code stored on at least one non-transitory data storage device for receiving a client security ticket;
comparing the client security ticket against a time varying access control list;
determining whether an attack has occurred based on the comparison of the client security ticket against the time varying access control list;
generating a network security ticket;
identifying one or more subsequent servers to participate in authenticating the access of the data by the user; and
passing the network security ticket to at least one of the subsequent servers.
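To make the mechanism of claims 1 and 15 concrete, the following is an added Python example; it is not code from the patent or from any product and does not model the ticket passing of claims 29 and 30. It builds a pool of authentication servers, derives a request-specific ordered sequence of servers, generates one password per server from a secret shared between the client and that server plus a time epoch (HMAC-SHA256 is my choice of derivation; the claims do not specify one), and grants access only when every server in the sequence accepts its own password. The 30-second epoch, the server names, the secrets, the request id and the timestamp are all constructed for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Seconds per password epoch. Assumption for this example; the claims only
# say the passwords vary over time.
EPOCH_SECONDS = 30


def epoch_for(now_seconds: int) -> int:
    """Map wall-clock seconds to the epoch counter that drives password change."""
    return now_seconds // EPOCH_SECONDS


def derive_password(secret: bytes, server_id: str, epoch: int) -> str:
    """Server-specific, time-varying password: HMAC-SHA256 over (server id, epoch).

    The client and the one server holding `secret` can both compute it, so
    nothing static crosses the network and a captured value stops verifying
    once the epoch ends.
    """
    msg = f"{server_id}|{epoch}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:20]


@dataclass(frozen=True)
class AuthServer:
    server_id: str
    secret: bytes

    def check(self, password: str, epoch: int) -> bool:
        """Accept only the password bound to this server and this epoch."""
        expected = derive_password(self.secret, self.server_id, epoch)
        return hmac.compare_digest(expected, password)


def choose_sequence(servers: dict, request_id: str, length: int) -> list:
    """Pick the ordered subset of servers that will vet this request.

    The order comes from hashing the request id with a counter, so the path
    differs per request but is reproducible by anyone who knows the pool.
    """
    ids = sorted(servers)
    if length > len(ids):
        raise ValueError("sequence longer than server pool")
    chosen, counter = [], 0
    while len(chosen) < length:
        digest = hashlib.sha256(f"{request_id}|{counter}".encode()).digest()
        sid = ids[digest[0] % len(ids)]
        if sid not in chosen:
            chosen.append(sid)
        counter += 1
    return chosen


def client_passwords(secrets_by_server: dict, sequence: list, epoch: int) -> list:
    """Client side: one password per server in the sequence, for this epoch."""
    return [derive_password(secrets_by_server[sid], sid, epoch) for sid in sequence]


def authorize(servers: dict, sequence: list, passwords: list, epoch: int) -> bool:
    """Grant access only if every server in the sequence accepts its password."""
    if len(sequence) != len(passwords):
        return False
    return all(servers[sid].check(pw, epoch) for sid, pw in zip(sequence, passwords))


def demo() -> dict:
    """Constructed scenario: four servers, a three-hop sequence, one request."""
    secrets_by_server = {  # constructed demo secrets, not real key material
        "auth-A": b"demo-secret-A", "auth-B": b"demo-secret-B",
        "auth-C": b"demo-secret-C", "auth-D": b"demo-secret-D",
    }
    servers = {sid: AuthServer(sid, sec) for sid, sec in secrets_by_server.items()}
    request_id = "req-0001"                   # constructed request id
    sequence = choose_sequence(servers, request_id, 3)

    now = epoch_for(1_700_000_000)            # constructed timestamp
    pws = client_passwords(secrets_by_server, sequence, now)
    return {
        "sequence_length": len(sequence),
        "granted": authorize(servers, sequence, pws, now),
        # Same passwords presented one epoch later: rejected (time variation).
        "replayed_next_epoch": authorize(servers, sequence, pws, now + 1),
        # Passwords shuffled relative to the sequence: each is bound to one server.
        "wrong_order": authorize(servers, sequence, pws[::-1], now),
        # One password altered: the corresponding server rejects, so the chain fails.
        "tampered": authorize(servers, sequence, pws[:-1] + ["x" * 20], now),
    }


if __name__ == "__main__":
    print(demo())
```

Two properties of the claims show up directly in `demo()`: a password set that verified in one epoch no longer verifies in the next, which is the "varying over time" element, and because each password is bound to a server id, the sequence order matters and a single wrong or altered password makes the whole decision fail, which is the "all the servers accept" element.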
Specification