TRANSPARENT CLIENT APPLICATION TO ARBITRATE DATA STORAGE BETWEEN MUTABLE AND IMMUTABLE DATA REPOSITORIES

US 20170364699A1
Filed: 08/11/2017
Published: 12/21/2017
Est. Priority Date: 06/02/2015
Status: Active Grant

First Claim

Patent Images

1. A method of retrofitting applications configured to access a given data repository to instead access a heterogeneous set of data repositories in place of the given data repository for at least some data, the method comprising:

receiving, with a computing device, a first write request from an application requesting to write data to a first remote database via a network, wherein;

the first write request specifies a first value to be written to a first field in the first remote database;

the first write request specifies a second value to be written to a second field in the first remote database;

the first write request is compliant with an application program interface of a database driver configured to interface with the first remote database; and

the database driver and at least part of the application issuing the first write request execute in the same instance of an operating system executing on the computing device;

obtaining, with the computing device, a data policy having one or more rules by which values are classified as higher-security values or lower-security values;

classifying, with the computing device and at least one of the one or more rules, the first value as lower-security;

classifying, with the computing device and at least one of the one or more rules, the second value as higher-security;

in response to classifying the second value as higher-security, redirecting the second value from a destination specified by the application in the received first write request by;

obtaining a unique identifier of the second value that does not reveal the second value;

causing the second value to be stored in a second remote database that is different from the first remote database; and

updating an index with an entry that maps the unique identifier to the second value in the second remote database; and

forming, with the computing device, one or more application program interface requests to the database driver that;

(i) instruct the database driver to cause the first remote database to store the first value in association with the first field; and

(ii) instruct the database driver to cause the first remote database to store the unique identifier in association with the second field,wherein an attacker with full access to the first database does not have access to the second value classified as higher security, and wherein code of the application is not modified to interface with two databases in place of the first remote database.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided is a process including: receiving a first write request from an application requesting to write data to a first remote database via a network; classifying the second value as higher-security; and in response to classifying the second value as higher-security, redirecting the second value from a destination specified by the application in the received first write request, wherein an attacker with full access to the first database does not have access to the second value classified as higher security, and wherein code of the application is not modified to interface with two databases in place of the first remote database.

Citations

20 Claims

1. A method of retrofitting applications configured to access a given data repository to instead access a heterogeneous set of data repositories in place of the given data repository for at least some data, the method comprising:
- receiving, with a computing device, a first write request from an application requesting to write data to a first remote database via a network, wherein;
  
  the first write request specifies a first value to be written to a first field in the first remote database;
  
  the first write request specifies a second value to be written to a second field in the first remote database;
  
  the first write request is compliant with an application program interface of a database driver configured to interface with the first remote database; and
  
  the database driver and at least part of the application issuing the first write request execute in the same instance of an operating system executing on the computing device;
  
  obtaining, with the computing device, a data policy having one or more rules by which values are classified as higher-security values or lower-security values;
  
  classifying, with the computing device and at least one of the one or more rules, the first value as lower-security;
  
  classifying, with the computing device and at least one of the one or more rules, the second value as higher-security;
  
  in response to classifying the second value as higher-security, redirecting the second value from a destination specified by the application in the received first write request by;
  
  obtaining a unique identifier of the second value that does not reveal the second value;
  
  causing the second value to be stored in a second remote database that is different from the first remote database; and
  
  updating an index with an entry that maps the unique identifier to the second value in the second remote database; and
  
  forming, with the computing device, one or more application program interface requests to the database driver that;
  
  (i) instruct the database driver to cause the first remote database to store the first value in association with the first field; and
  
  (ii) instruct the database driver to cause the first remote database to store the unique identifier in association with the second field,wherein an attacker with full access to the first database does not have access to the second value classified as higher security, and wherein code of the application is not modified to interface with two databases in place of the first remote database.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1, wherein:
    - receiving the first write request is performed with a security driver registered in the operating system as a database driver that the application is configured to call; and
      
      the security driver implements an application program interface wrapper for the application program interface of the database driver.
  - 3. The method of claim 1, wherein:
    - the first value and the second value correspond to the same record in a given tuple of a relational database;
      
      the given tuple comprises a primary key value and one or more foreign key values; and
      
      the relational database is caused by the database driver to store the unique identifier in the given tuple.
  - 4. The method of claim 1, wherein:
    - the index maps the unique identifier to a plurality of uniform resource identifiers of a plurality of different replicated instances of the second remote database.
  - 5. The method of claim 1, wherein:
    - the index is stored remote from the computing device and is updated by another computing device; and
      
      the unique identifier is obtained from the other computing device.
  - 6. The method of claim 1, wherein:
    - the unique identifier includes a cryptographic hash value based on the second value.
  - 7. The method of claim 6, comprising calculating the cryptographic hash value with a cryptographic hash function taking the second value as an input, wherein:
    - the second value is longer than a one-way compression function of the cryptographic hash function is configured to accept; and
      
      the cryptographic hash function includes operations comprising repeatedly until a beginning or ending portion of the second value is reached;
      
      obtaining a parsed portion by parsing a remaining portion of the second value that is of a length determined based on a difference between a length of input the one-way compression function of the cryptographic hash function is configured to accept and a length of an output of the one-way compression function is configured to emit;
      
      appending or prepending an output of a previous iteration of the one-way compression function to the parsed portion to form an input for a current iteration of the one-way compression function; and
      
      transforming the input for the current iteration with the one-way compression function to form an output of the one-way function.
  - 8. The method of claim 1, comprising:
    - receiving, with the computing device, a second write request from the application, the second write request requesting to write a third value to the first remote database in association with the second field, wherein the third value is equal to the second value;
      
      classifying the third value as higher-security;
      
      after classifying the third value as higher-security, instructing the database driver to cause the first remote database to store the unique identifier in association with the second field in two different records, one record among the two different records having data from the first write request and another record among the two different records having data from the second write request.
  - 9. The method of claim 8, wherein the operations comprise, after receiving the second write request:
    - determining that the unique identifier is already present in the index; and
      
      in response to the determination, determining to not add a new entry, distinct from an existing entry, corresponding to the third value to the index.
  - 10. The method of claim 1, wherein:
    - the second database comprises a plurality of blockchains;
      
      the index maps the unique identifier to a given one of the blockchains;
      
      the second value is segmented into a plurality of segments; and
      
      different segments among the plurality of segments are stored in different ones of the plurality of blockchains.
  - 11. The method of claim 1, comprising:
    - receiving, with the computing device, a query response via the database driver based on a query from the application to the first database and not to the second database;
      
      detecting the unique identifier in the query response;
      
      obtaining the second value from the second remote database with the unique identifier;
      
      forming a revised query response in which the unique identifier is replaced with the first value; and
      
      providing the revised query response to the application as a response to the query.
  - 12. The method of claim 11, wherein:
    - the unique identifier is not provided to the application;
      
      the method comprises determining that the second value is responsive to criteria of the query before replacing the unique identifier with the second value in the revised query response.
  - 13. The method of claim 11, comprising:
    - determining that the query response includes two instances of the unique identifier associated with two different records in the first remote database, the two records including the second value and a third value respectively, the third value being identical to the second value; and
      
      retrieving from the second remote database, a single value that is mapped to both the second value and the third value.
  - 14. The method of claim 11, comprising:
    - determining an aggregate amount of data requested in read requests associated with the application or a credential by which the application requests access; and
      
      determining that the aggregate amount of data requested does not exceed a threshold.
  - 15. The method of claim 14, comprising:
    - after receiving another read request, determining that an updated aggregate amount of data requested in read requests associated with the application or the credential by which the application requests access exceeds the threshold; and
      
      in response to the determination, delaying or blocking a query response associated with the other read request.
  - 16. The method of claim 1, wherein:
    - the data policy having one or more rules comprises a criterion based on a field designated as higher-security.
  - 17. The method of claim 1, wherein:
    - the data policy having one or more rules comprises a criterion based on a regular expression indicative of a higher-security values.
  - 18. The method of claim 1, comprising:
    - steps for retrofitting applications configured to access a given data repository to instead access heterogeneous data repositories.
  - 19. The method of claim 1 comprising:
    - steps for storing data in a tamper-evident distributed tamper-evident data structure.

20. A tangible, non-transitory, machine-readable medium storing instructions that when executed by one or more processors effectuate operations comprising:
- receiving, with a computing device, a first write request from an application requesting to write data to a first remote database via a network, wherein;
  
  the first write request specifies a first value to be written to a first field in the first remote database;
  
  the first write request specifies a second value to be written to a second field in the first remote database;
  
  the first write request is compliant with an application program interface of a database driver configured to interface with the first remote database; and
  
  the database driver and at least part of the application issuing the first write request execute in the same instance of an operating system executing on the computing device;
  
  obtaining, with the computing device, a data policy having one or more rules by which values are classified as higher-security values or lower-security values;
  
  classifying, with the computing device and at least one of the one or more rules, the first value as lower-security;
  
  classifying, with the computing device and at least one of the one or more rules, the second value as higher-security;
  
  in response to classifying the second value as higher-security, redirecting the second value from a destination specified by the application in the received first write request by;
  
  obtaining a unique identifier of the second value that does not reveal the second value;
  
  causing the second value to be stored in a second remote database that is different from the first remote database; and
  
  updating an index with an entry that maps the unique identifier to the second value in the second remote database; and
  
  forming, with the computing device, one or more application program interface requests to the database driver that;
  
  (i) instruct the database driver to cause the first remote database to store the first value in association with the first field; and
  
  (ii) instruct the database driver to cause the first remote database to store the unique identifier in association with the second field,wherein an attacker with full access to the first database does not have access to the second value classified as higher security, and wherein code of the application is not modified to interface with two databases in place of the first remote database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Altr Solutions, Inc.
Original Assignee
Altr Solutions, Inc.
Inventors
Goldfarb, Scott Nathaniel, Beecham, James Douglas

Granted Patent

US 10,089,489 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/2282   Tablespace storage structur...

G06F 16/245   Query processing

G06F 16/2455   Query execution

G06F 16/27   Replication, distribution o...

G06F 16/285   Clustering or classification

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3239   involving non-keyed hash fu...

TRANSPARENT CLIENT APPLICATION TO ARBITRATE DATA STORAGE BETWEEN MUTABLE AND IMMUTABLE DATA REPOSITORIES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

TRANSPARENT CLIENT APPLICATION TO ARBITRATE DATA STORAGE BETWEEN MUTABLE AND IMMUTABLE DATA REPOSITORIES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links