Information sharing system and method with requester dependent sharing and security rules

US 6,226,745 B1
Filed: 03/16/1998
Issued: 05/01/2001
Est. Priority Date: 03/21/1997
Status: Expired due to Term

First Claim

Patent Images

1. A security system for use in a computer system having a database of information to be shared with authorized users in accordance with pre-defined constraints, comprising:

a port for receiving queries requesting information from the database;

means for accessing a set of rules, including query pre-processing rules and query results post-processing rules;

each query pre-processing rule specifying one or more conditions that must be satisfied by any query to which the rule is applicable;

each results post-processing rule specifying one or more conditions that must be satisfied by any results to which the rule is applicable;

a query pre-processing module for applying to each received query all pre-processing rules applicable to the query, for blocking further processing of the query if any of the pre-processing rules applied to the received query are not passed, and for otherwise enabling execution of the received query by a database access mechanism so as to extract information from the database as specified in the query to produce a corresponding result having one or more words; and

a post-processing module for applying to the result produced for each executed query all post-processing rules applicable to the result, for blocking transmission of the results if any of the post-processing rules applied to the results are not passed, and for otherwise enabling transmission of the results;

wherein the post-processing rules include at least one rule that compares every word of the result with a predefined dictionary of words, and the post-processing module blocks transmission of the result if the result includes any words not in the predefined dictionary of words.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security mediator system is used in a computer system having a database of information to be shared with authorized users in accordance with pre-defined constraints. A rules database stores rules, including query pre-processing rules and query results post-processing rules. The rules database includes data for specifying, for each of a plurality of specified groups of users, which of the rules in the rules database are applicable to queries received from users in each of the groups. A query pre-processing module applies to each received query all pre-processing rules in the rules database applicable to the query in accordance with the identified user who submitted the query. If any applicable rule is not passed, the query is blocked; otherwise execution of the query is enabled. A database access module executing each enabled query to produce a corresponding result. A post-processing module applies to the results all post-processing rules in the rules database applicable to the executed query. If any applicable rule is not passed, transmission of the results is blocked; otherwise transmission of the results to the identified user is enabled. A security officer module processes blocked queries and blocked results, enabling a security officer to review blocked queries and blocked results, and to either confirm the blocking determination or override it.

317 Citations

15 Claims

1. A security system for use in a computer system having a database of information to be shared with authorized users in accordance with pre-defined constraints, comprising:
- a port for receiving queries requesting information from the database;
  
  means for accessing a set of rules, including query pre-processing rules and query results post-processing rules;
  
  each query pre-processing rule specifying one or more conditions that must be satisfied by any query to which the rule is applicable;
  
  each results post-processing rule specifying one or more conditions that must be satisfied by any results to which the rule is applicable;
  
  a query pre-processing module for applying to each received query all pre-processing rules applicable to the query, for blocking further processing of the query if any of the pre-processing rules applied to the received query are not passed, and for otherwise enabling execution of the received query by a database access mechanism so as to extract information from the database as specified in the query to produce a corresponding result having one or more words; and
  
  a post-processing module for applying to the result produced for each executed query all post-processing rules applicable to the result, for blocking transmission of the results if any of the post-processing rules applied to the results are not passed, and for otherwise enabling transmission of the results;
  
  wherein the post-processing rules include at least one rule that compares every word of the result with a predefined dictionary of words, and the post-processing module blocks transmission of the result if the result includes any words not in the predefined dictionary of words.
- View Dependent Claims (2, 3, 4)
- - 2. The security system of claim 1, wherein
3. The security system of claim 2, further including:
- a security officer module for processing blocked queries and blocked results, including instructions reviewing blocked queries and blocked results, and for either confirming the blocking determination or overriding it, in accordance with instructions received from an authorized security officer.
4. The security system of claim 1, further including:
- a security officer module for processing blocked queries and blocked results, including instructions reviewing blocked queries and blocked results, and for either confirming the blocking determination or overriding it, in accordance with instructions received from an authorized security officer.

5. A method of constraining access to information in a database in accordance with pre-defined constraints, comprising the steps of:
- receiving queries requesting information from the database;
  
  accessing a rules database that stores a set of rules, including query pre-processing rules and query results post-processing rules;
  
  each query pre-processing rule specifying one or more conditions that must be satisfied by any query to which the rule is applicable;
  
  each results post-processing rule specifying one or more conditions that must be satisfied by any results to which the rule is applicable;
  
  pre-processing each received query by applying all pre-processing rules in the rules database applicable to the query, blocking further processing of the query if any of the pre-processing rules applied to the received query are not passed, and for otherwise enabling execution of the received query so as to extract information from the database as specified in the query to produce a corresponding result having one or more words; and
  
  post-processing the result produced for each executed query by applying all post-processing rules in the rules database applicable to the result, blocking transmission of the result if any of the post-processing rules applied to the result are not passed, and otherwise enabling transmission of the result;
  
  wherein the post-processing rules applicable to the result include at least one rule that compares every word of the result with a predefined dictionary of words, and the post-processing step blocks transmission of the result if the result includes any words not in the predefined dictionary of words.
- View Dependent Claims (6, 7, 8)
- - 6. The method of claim 5, wherein
7. The method of claim 6, further including:
- processing at least a subset of blocked queries and blocked results by passing them to a security monitor for review, and receiving from the security monitor a signal that confirms the blocking determination or overrides it, in accordance with instructions received from an authorized security officer.
8. The method of claim 5, further including:
- processing at least a subset of blocked queries and blocked results by passing them to a security monitor for review, and receiving from the security monitor a signal that confirms the blocking determination or overrides it, in accordance with instructions received from an authorized security officer.

9. A computer program product for applying security constraints to database access requests and replies, the computer product comprising a computer readable storage medium and a computer program mechanism embedded therein, the computer program mechanism, comprising:
- instructions for storing a set of rules, including query pre-processing rules and query results post-processing rules;
  
  each query pre-processing rule specifying one or more conditions that must be satisfied by any query to which the rule is applicable;
  
  each results post-processing rule specifying one or more conditions that must be satisfied by any results to which the rule is applicable;
  
  a query pre-processing module for receiving queries requesting information from a database and for applying to each received query all pre-processing rules applicable to the query, for blocking further processing of the query if any of the pre-processing rules applied to the received query are not passed, and for otherwise enabling execution of the received query by a database access mechanism so as to extract information from the database as specified in the query to produce a corresponding result having one or more words; and
  
  a post-processing module for applying to the result produced for each executed query all post-processing rules applicable to the result, for blocking transmission of the results if any of the post-processing rules applied to the results are not passed, and for otherwise enabling transmission of the results;
  
  wherein the post-processing rules applicable to the result include at least one rule that compares every word of the result with a predefined dictionary of words, and the post-rocessing module blocks transmission of the result if the result includes any words not in the predefined dictionary of words.
- View Dependent Claims (10, 11, 12)
- - 10. The computer program product of claim 9, wherein
11. The computer program product of claim 10, further including:
- a security officer module for processing blocked queries and blocked results, including instructions reviewing blocked queries and blocked results, and for either confirming the blocking determination or overriding it, in accordance with instructions received from an authorized security officer.
12. The computer program product of claim 9, further including:
- a security officer module for processing blocked queries and blocked results, including instructions reviewing blocked queries and blocked results, and for either confirming the blocking determination or overriding it, in accordance with instructions received from an authorized security officer.

13. A security system for use in a computer system having a database of information to be shared with authorized users in accordance with pre-defined constraints, comprising:
- a port for receiving queries requesting information from the database;
  
  means for accessing a set of rules, including query results post-processing rules;
  
  each results post-processing rule specifying one or more conditions that must be satisfied by any results to which the rule is applicable;
  
  a database access mechanism for extracting information from a database as specified in a query to produce a corresponding result having one or more words; and
  
  a post-processing module for applying to the result produced for each executed query all post-processing rules applicable to the result, for blocking transmission of the results if any of the post-processing rules applied to the results are not passed, and for otherwise enabling transmission of the results;
  
  wherein the post-processing rules include at least one rule that compares every word of the result with a predefined dictionary of words, and the post-processing module blocks transmission of the result if the result includes any words not in the predefined dictionary of words.

14. A method of constraining access to information in a database in accordance with pre-defined constraints, comprising the steps of:
- receiving queries requesting information from the database;
  
  executing a received query so as to extract information from the database as specified in the query to produce a corresponding result having one or more words; and
  
  comparing every word of the result with a predefined dictionary of words, and blocking transmission of the result if the result includes any words not in the predefined dictionary of words; and
  
  post-processing the result produced for each executed query by applying a set of post-processing rules to the result, blocking transmission of the result if any of the post-processing rules applied to the result are not passed, and otherwise enabling transmission of the result;
  
  the postprocessing step including accessing a rules database that stores a set of rules, including query results post-processing rules;
  
  each results post-processing rule specifying one or more conditions that must be satisfied by any results to which the rule is applicable.

15. A computer program product for applying security constraints to database access requests and replies, the computer product comprising a computer readable storage medium and a computer program mechanism embedded therein, the computer program mechanism, comprising:
- instructions for storing a set of rules, including query results post-processing rules;
  
  each results post-processing rule specifying one or more conditions that must be satisfied by any results to which the rule is applicable;
  
  a database access mechanism for extracting information from a database as specified in a query to produce a corresponding result having one or more words; and
  
  a post-processing module for applying to the result produced for each executed query all post-processing rules applicable to the result, for blocking transmission of the results if any of the post-processing rules applied to the results are not passed, and for otherwise enabling transmission of the results;
  
  wherein the post-processing rules applicable to the result include at least one rule that compares every word of the result with a predefined dictionary of words, and the post-processing module blocks transmission of the result if the result includes any words not in the predefined dictionary of words.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gio Wiederhold
Original Assignee
Gio Wiederhold
Inventors
Wiederhold, Gio
Primary Examiner(s)
Beausoliel, Jr., Robert W.
Assistant Examiner(s)
ELISCA, PIERRE E

Application Number

US09/040,522
Time in Patent Office

1,142 Days
Field of Search

713/200, 713/201, 710/240, 710/243, 710/42, 706/47, 706/45, 706/50, 706/60, 707/1, 707/9
US Class Current

726/1
CPC Class Codes

G06F 21/6218   to a system of files or obj...

H04L 63/0227   Filtering policies mail mes...

H04L 63/20   for managing network securi...

Y10S 707/99939   Privileged access

Information sharing system and method with requester dependent sharing and security rules

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

317 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Information sharing system and method with requester dependent sharing and security rules

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

317 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links