System and methods for adaptive behavior based access control

US 7,506,371 B1
Filed: 01/22/2004
Issued: 03/17/2009
Est. Priority Date: 01/22/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A method for behavior based access tracking of an application comprising:

intercepting an access attempt to a protected resource;

comparing the access attempt to a preexisting set of allowable access attempts to determine if the access attempt corresponds to a previous allowable access, comparing the access attempt further comprising;

determining a structure of the access attempt corresponding to a syntactical arrangement of the access attempt; and

comparing the determined structure of the access attempt independently of the data values implicated in the access attempt;

selectively permitting, based on the comparing, access to the protected resource according to the access attempt; and

augmenting the set of allowable access attempts by selectively adding, based on inferential feedback, the access attempt to the set of allowable access attempts.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Typical conventional content based database security scheme mechanisms employ a predefined criteria for identifying access attempts to sensitive or prohibited data. An operator, identifies the criteria indicative of prohibited data, and the conventional content based approach scans or “sniffs” the transmissions for data items matching the predefined criteria. In many environments, however, database usage tends to follow repeated patterns of legitimate usage. Such usage patterns, if tracked, are deterministic of normal, allowable data access attempts. Similarly, deviant data access attempts may be suspect. Recording and tracking patterns of database usage allows learning of an expected baseline of normal DB activity, or application behavior. Identifying baseline divergent access attempts as deviant, unallowed behavior, allows automatic learning and implementation of behavior based access control. In this manner, data access attempts not matching previous behavior patterns are disallowed.

122 Citations

41 Claims

1. A method for behavior based access tracking of an application comprising:
- intercepting an access attempt to a protected resource;
  
  comparing the access attempt to a preexisting set of allowable access attempts to determine if the access attempt corresponds to a previous allowable access, comparing the access attempt further comprising;
  
  determining a structure of the access attempt corresponding to a syntactical arrangement of the access attempt; and
  
  comparing the determined structure of the access attempt independently of the data values implicated in the access attempt;
  
  selectively permitting, based on the comparing, access to the protected resource according to the access attempt; and
  
  augmenting the set of allowable access attempts by selectively adding, based on inferential feedback, the access attempt to the set of allowable access attempts.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1 wherein comparing the access attempt determines correspondence by a matching of explicit rules qualifying allowable data access attempts and by a matching of a baseline having previously allowed data access attempts.
  - 3. The method of claim 1 wherein adding further comprises selectively adding, if the data access transaction corresponds to a window of allowable database activity, the data access attempt to the set of allowable data access attempts.
  - 4. The method of claim 1 wherein comparing the determined structure further comprises comparing a hash value derived from the determined structure.
  - 5. The method of claim 1 further comprising defining an access policy having a plurality of access rules, the access rules indicative of allowable access, wherein the preexisting set of allowable access attempts correspond to one of the plurality of the rules.
  - 6. The method of claim 1 wherein determining the preexisting set comprises establishing a baseline of allowable activity, the baseline indicative of an accepted set of allowable access attempts.
  - 7. The method of claim 6 wherein the baseline is a rule in the access policy and indicates allowable access when a data access transaction matches a previous data access transaction represented in the baseline.
  - 8. The method of claim 6 wherein the baseline includes the structure of the access attempts, and avoids including data values of the data access transactions from which it is derived.
  - 9. The method of claim 1 wherein selectively permitting further comprises computing, based on iteratively applying the access rules to the access attempt, an access result indicative of whether to allow the access attempt.
  - 10. The method of claim 9 wherein adding further comprises:
    - identifying a sampling window of access attempts, the sampling window deterministic of allowable access patterns to the protected resource;
      
      storing an indication of the access attempts made during the window of access attempts; and
      
      merging the window of access attempts with the current baseline set of access attempts, the current baseline deemed deterministic of allowable access behavior.
  - 11. The method of claim 1 further comprising:
    - identifying a plurality of allowable access attempts;
      
      inferring, based on observable patterns in the allowable access attempts, access rules indicative of the plurality of allowable access attempts; and
      
      adding the inferred rules to the access policy.
  - 12. The method of claim 11 wherein inferring further comprises:
    - processing the series of allowable access attempts to determine related groups of allowable access transactions;
      
      suggesting, based on a commonality of the processed group of allowable access attempts, an access rule indicative of each of the series of allowable access attempts; and
      
      adding, in response to operator input, the suggested access rule to the access policy.
  - 13. The method of claim 1 wherein the preexisting set of allowable access attempts comprise a current baseline representative of a window of access attempts, further comprising modifying the current baseline by including access attempts from a different window of access attempts.
  - 14. The method of claim 1 wherein storing further comprises:
    - verifying that the access attempt is indicative of allowable access behavior; and
      
      selectively adding, based on the verifying, the access attempts to the baseline of allowable access attempts.
  - 15. The method of claim 14 wherein determining the preexisting set includes comparing a sensitivity threshold indicative of a series of corresponding access attempts defining a benign pattern.
  - 16. The method of claim 15 wherein the corresponding access attempts define a similar pattern of access structures, the access structures determined by tables and fields affected by the access attempt.
  - 17. The method of claim 1 wherein the parse tree further conforms to a platform independent format, wherein parse trees and corresponding hash values generated from different platforms are similar and are operative to result in a consistent comparison result for similar data access attempts on a plurality of platforms.
  - 18. The method of claim 1 further comprising:
    - storing a set of data access attempts according to a learning window of observable database behavior;
      
      generating suggested rules;
      
      adding suggested rules to the security policy; and
      
      reanalyzing the set of data access attempts gathered during the leaning window in an iterative manner against suggested rules.

19. A security filter device for behavior based access tracking of a software application comprising:
- a database access analyzer operable to intercept an access attempt to a protected resource;
  
  a baseline comparator operable to compare the access attempt to a preexisting set of allowable access attempts to determine if the access attempt corresponds to a previous allowable access attempt, the comparator for comparing the access attempts by;
  
  determining a structure of the access attempt corresponding to syntactical arrangement of the access attempt; and
  
  comparing the determined structure of the access attempt independently of the data values implicated in the access attempt, determining the structure further comprising;
  
  parsing the access attempt; and
  
  building a parse tree from the parsing, the parse tree indicative of a syntactical structure of the data access attempt, wherein comparing further comprises computing a hash value from the parse tree, andcomparing the hash value to the hash values of previous access attempts;
  
  an enforcer operable to selectively permit, based on the comparing, access to the protected resource according to the access attempt; and
  
  an inference engine operable to add, if the access attempt is permitted, the access attempt to the set of allowable access attempts.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 20. The security filter device of claim 19 wherein the baseline comparator is further operable to comparing the access attempt and determine correspondence by matching explicit rules qualifying allowable data access attempts and matching of a baseline having previously allowed data access attempts.
  - 21. The security filter device of claim 19 further comprising:
    - a parser in the database access analyzer operable to determine a structure of the access attempt corresponding to syntactical arrangement of the access attempt, wherein the baseline comparator is operable to compare the determined structure of the access attempt independently of the data values implicated in the data access attempt.
  - 22. The security filter device of claim 21 wherein the database access analyzer further includes a hash engine operable to compute a hash value derived from the determined structure.
  - 23. The security filter device of claim 21 wherein the parser is further operable to:
    - parse the access attempt; and
      
      build a parse tree from the parsing, the parse tree indicative of a syntactical structure of the data access attempt, wherein the baseline comparator is operable to compare the computed hash value from the parse tree to the hash values computed from previous access attempts.
  - 24. The security filter device of claim 19 further comprising an access policy having a plurality of access rules, the access rules indicative of allowable access, wherein the preexisting set of allowable access attempts correspond to one of the plurality of the rules.
  - 25. The security filter device of claim 19 wherein the preexisting set further comprises a baseline of allowable activity, the baseline indicative of an accepted set of allowable access attempts.
  - 26. The security filter device of claim 25 wherein the parser is operable to generate a parse tree corresponding to the structure of the access attempts, the parse tree not including data values of the data access transactions from which it is derived.
  - 27. The security filter device of claim 19 wherein the inference engine is operable to:
    - identify a plurality of allowable access attempts; and
      
      infer, based on observable patterns in the allowable access attempts, access rules indicative of the plurality of allowable access attempts; and
      
      add the inferred rules to the access policy.
  - 28. The security filter device of claim 27 wherein the inference engine further comprises:
    - a learner operable to process the series of allowable access attempts to determine related groups of allowable access transactions, the learner further operable to suggest, based on a commonality of the processed group of allowable access attempts, an access rule indicative of each of the series of allowable access attempts; and
      
      a rule suggestor operable to add, in response to operator input, the suggested access rule to the access policy.
  - 29. The security filter device of claim 19 wherein the preexisting set of allowable access attempts comprise a current baseline set representative of a window of access attempts, wherein the inference engine is operable to modify the current baseline by including access attempts from a different window of access attempts.
  - 30. The security filter device of claim 29 wherein the inference engine is further operable to:
    - identify a sampling window of access attempts, the sampling window deterministic of allowable access patterns to the protected resource;
      
      store an indication of the access attempts made during the window of access attempts; and
      
      merge the window of access attempts with the current baseline set of access attempts, the current baseline deemed deterministic of allowable access behavior.
  - 31. The security filter device of claim 19 wherein the inference engine is further operable to:
    - retain the data access attempts during a learning window of observable database behavior;
      
      generate suggested rules based on the learning window;
      
      conditionally add suggested rules to the security policy; and
      
      reanalyze the set of data access attempts gathered during the leaning window in an iterative manner against suggested rules.
  - 32. The security filter device of claim 19 wherein the rule logic in the inference engine is further operable to:
    - verify that the access attempt is indicative of allowable access behavior; and
      
      selectively add, based on the verification, the access attempts to the baseline of allowable access attempts.
  - 33. The security filter device of claim 32 wherein determining the preexisting set includes comparing a sensitivity threshold indicative of a series of corresponding access attempts defining a benign pattern.
  - 34. The security filter device of claim 33 wherein the corresponding access attempts define a similar pattern of access structures, the access structures determined by tables and fields affected by the access attempt.
  - 35. The security filter device of claim 19 further including an interface operable with an external application, the interface operable to transmit allowable data access attempts to the external application.
  - 36. The security filter device of claim 19 wherein the database analyzer further includes an interface operable with an external application, the database analyzer operable for receiving data access attempts from the external application via the interface, process the received data access attempts, and forwarding the processed data access attempts to the security filter and the repository for processing via the inference engine.

37. A computer program product having a computer readable storage medium operable to store computer program logic embodied in computer program code encoded thereon that, when executed by a computer, cause the computer to perform steps for behavior based access tracking of a software application comprising:
- intercepting an access attempt to a protected resource;
  
  comparing the access attempt to a preexisting set of allowable access attempts to determine if the access attempt corresponds to a previous allowable access attempt, comparing the access attempt further comprising;
  
  determining a structure of the access attempt corresponding to syntactical arrangement of the access attempt; and
  
  comparing the determined structure of the access attempt independently of the data values implicated in the access attempt, determining the structure further comprising;
  
  parsing the access attempt; and
  
  building a parse tree from the parsing, the parse tree indicative of a syntactical structure of the data access attempt, wherein comparing further comprises computing a hash value from the parse tree, andcomparing the hash value to the hash values of previous access attempts;
  
  selectively permitting, based on the comparing, access to the protected resource according to the access attempt; and
  
  adding, if the access attempt is permitted, the access attempt to the set of allowable access attempts.

38. A security filter device for behavior based access tracking of a software application comprising:
- means for intercepting an access attempt to a protected resource;
  
  means for comparing the access attempt to a preexisting set of allowable access attempts to determine if the access attempt corresponds to a previous allowable access attempt, means for comparing the access attempt further comprising;
  
  means for determining a structure of the access attempt corresponding to syntactical arrangement of the access attempt; and
  
  means for comparing the determined structure of the access attempt independently of the data values implicated in the access attempt, determining the structure further comprising;
  
  means for parsing the access attempt; and
  
  means for building a parse tree from the parsing, the parse tree indicative of a syntactical structure of the data access attempt, wherein comparing further comprises computing a hash value from the parse tree, andcomparing the hash value to the hash values of previous access attempts;
  
  means for selectively permitting, based on the comparing, access to the protected resource according to the access attempt; and
  
  means for adding, if the access attempt is permitted, the access attempt to the set of allowable access attempts.

39. A method for behavior based access tracking of an information repository comprising:
- capturing a sequence of access attempts;
  
  establishing a baseline of allowable access attempts from captured access attempts and a set of preexisting allowable accesses indicative of rules defining allowable behavior;
  
  intercepting an access attempt to the information repository;
  
  parsing the access attempt to determine a syntactical arrangement of the access attempt;
  
  building a parse tree to determine a structure of the access attempt by, the parse tree indicative of the syntactical arrangement of the access attempt;
  
  computing a hash value from the parse tree, the parse tree deterministic of a query structure of the access attempt such that similar access attempts share the query structure;
  
  comparing the computed hash value of the access attempt to hash values computed from the established baseline to determine if the access attempt corresponds to a previous allowable access;
  
  selectively permitting, based on the comparing, access to the information repository according to the access attempt; and
  
  augmenting the established baseline by selectively adding, based on inferential feedback, the access attempt to the set of allowable access attempts for invocation with successive access attempts.
- View Dependent Claims (40, 41)
- - 40. The method of claim 39 further comprising comparing the determined structure of the access attempt independently of the data values implicated in the access attempt, such that the computed hash is unaffected by differences in queried data values.
  - 41. The method of claim 39 wherein augmenting further comprises:
    - identifying a sampling window of access attempts, the sampling window deterministic of allowable access patterns to the protected resource;
      
      storing an indication of the access attempts made during the window of access attempts; and
      
      merging the window of access attempts with the current baseline set of access attempts, the current baseline deemed deterministic of allowable access behavior.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
Guardium, Inc. (International Business Machines Corporation)
Inventors
Ben-Natan, Ron
Primary Examiner(s)
Nalven; Andrew L

Application Number

US10/762,660
Time in Patent Office

1,881 Days
Field of Search

726/180, 726/18
US Class Current

726/18
CPC Class Codes

G06F 21/316 by observing the pattern of...

G06F 21/6218 to a system of files or obj...

System and methods for adaptive behavior based access control

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

122 Citations

41 Claims

Specification

Use Cases

Quick Links

Others

System and methods for adaptive behavior based access control

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

122 Citations

41 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others