File system monitoring and auditing via monitor system having user-configured policies

US 20170024408A1
Filed: 07/21/2015
Published: 01/26/2017
Est. Priority Date: 07/21/2015
Status: Active Grant

First Claim

Patent Images

1. A method for centralized monitoring of plural file systems operating in association with an enterprise computing environment, comprising:

providing each of the plural file systems with a security policy, the security policy defining one or more file system access activities to be monitored at the file system;

receiving from each of the plural file systems audit trail data, the audit trail data having been generated locally as file system access activity is intercepted at the file system in accordance with the security policy; and

storing the audit trail data received from the plural file systems; and

applying the security policy audit trail data received from at least one of the plural file systems and, in response thereto, taking a given action.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Centralized monitoring of plural file systems that operate within or in association with an enterprise computing environment is provided. Each of the plural file systems are provided with a security policy, wherein the security policy defines one or more file system access activities to be monitored at the file system. Each file system is instrumented with a software agent that intercepts the relevant file system access activity. A centralized collector component is operative to receive from each of the plural file systems audit trail data, wherein the audit trail data is data that has been generated locally as file system access activity is intercepted at the file system by the local software agent in accordance with the applicable security policy. The collector applies the security policy against the audit trail data received from at least one of the plural file systems and, in response thereto, takes a given action.

Citations

23 Claims

1. A method for centralized monitoring of plural file systems operating in association with an enterprise computing environment, comprising:
- providing each of the plural file systems with a security policy, the security policy defining one or more file system access activities to be monitored at the file system;
  
  receiving from each of the plural file systems audit trail data, the audit trail data having been generated locally as file system access activity is intercepted at the file system in accordance with the security policy; and
  
  storing the audit trail data received from the plural file systems; and
  
  applying the security policy audit trail data received from at least one of the plural file systems and, in response thereto, taking a given action.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as described in claim 1 further including sending the audit trail data to a central location remote from the plural file systems.
  - 3. The method as described in claim 1 wherein the given action is one of:
    - issuing an alert, performing an audit activity, restricting access to a file system resource, and reporting on the file system access activity.
  - 4. The method as described in claim 1 wherein the audit trail data is received continuously and in real-time with respect to the file system access activity.
  - 5. The method as described in claim 1 wherein the security policy provided to a first file system differs from the security policy provided to a second file system distinct from the first file system.
  - 6. The method as described in claim 1 further including defining the security policy, the security policy having one or more file system-specific rules.
  - 7. The method as described in claim 6 wherein the given action taken is based on the one or more file system-specific rules.

8. An apparatus, comprising:
- a processor;
  
  computer memory holding computer program instructions for centralized monitoring of plural file systems operating in association with an enterprise computing environment, the computer program instructions comprising;
  
  program code operative to provide each of the plural file systems with a security policy, the security policy defining one or more file system access activities to be monitored at the file system;
  
  program code operative to receive from each of the plural file systems audit trail data, the audit trail data having been generated locally as file system access activity is intercepted at the file system in accordance with the security policy; and
  
  program code operative to store the audit trail data received from the plural file systems; and
  
  program code operative to apply the security policy audit trail data received from at least one of the plural file systems and, in response thereto, to take a given action.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus as described in claim 8 further including sending the audit trail data to a central location remote from the plural file systems.
  - 10. The apparatus as described in claim 8 wherein the given action is one of:
    - issuing an alert, performing an audit activity, restricting access to a file system resource, and reporting on the file system access activity.
  - 11. The apparatus as described in claim 8 wherein the audit trail data is received continuously and in real-time with respect to the file system access activity.
  - 12. The apparatus as described in claim 8 wherein the security policy provided to a first file system differs from the security policy provided to a second file system distinct from the first file system.
  - 13. The apparatus as described in claim 8 wherein the computer program instructions further include program code operative to define the security policy, the security policy having one or more file system-specific rules.
  - 14. The apparatus as described in claim 13 wherein the given action taken is based on the one or more file system-specific rules.

15. A computer program product comprising computer program instructions on non-transitory computer-readable media, the computer program instructions executed by a processor to provide centralized monitoring of plural file systems operating in association with an enterprise computing environment, the computer program instructions comprising:
- program code operative to provide each of the plural file systems with a security policy, the security policy defining one or more file system access activities to be monitored at the file system;
  
  program code operative to receive from each of the plural file systems audit trail data, the audit trail data having been generated locally as file system access activity is intercepted at the file system in accordance with the security policy; and
  
  program code operative to store the audit trail data received from the plural file systems; and
  
  program code operative to apply the security policy audit trail data received from at least one of the plural file systems and, in response thereto, to take a given action.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer program product as described in claim 15 further including program code operative to send the audit trail data to a central location remote from the plural file systems.
  - 17. The computer program product as described in claim 15 wherein the given action is one of:
    - issuing an alert, performing an audit activity, restricting access to a file system resource, and reporting on the file system access activity.
  - 18. The computer program product as described in claim 15 wherein the audit trail data is received continuously and in real-time with respect to the file system access activity.
  - 19. The computer program product as described in claim 15 wherein the security policy provided to a first file system differs from the security policy provided to a second file system distinct from the first file system.
  - 20. The computer program product as described in claim 15 wherein the computer program instructions further include program code operative to define the security policy, the security policy having one or more file system-specific rules.
  - 21. The computer program product as described in claim 20 wherein the given action taken is based on the one or more file system-specific rules.

22. A computer program product comprising computer program instructions on non-transitory computer-readable media, the computer program instructions executed by a processor in association with a file system in an enterprise computing environment, the computer program instructions comprising:
- program code operative to receive from a central, remote security monitoring system a security policy, the security policy defining one or more file system access activities to be monitored at the file system;
  
  program code operative to generate audit trail data based on file system access activity intercepted at the file system in accordance with the security policy; and
  
  program code operative to transmit the audit trail data to the remote security monitoring system, the audit trail data being received at the central, remote security monitoring system where it is applied against the security policy to determine whether a given action should be taken at the file system.
- View Dependent Claims (23)
- - 23. The computer program product as described in claim 22 further including program code to generate one or more classifiers to classify data associated with a given file system access activity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Foley, Sean Christopher, Berube, Christopher J., Shechter, Sagi

Granted Patent

US 10,462,183 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/604   Tools and structures for ma...

G06F 21/62   Protecting access to data v...

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/20   for managing network securi...

File system monitoring and auditing via monitor system having user-configured policies

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

File system monitoring and auditing via monitor system having user-configured policies

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links