System and methods for adaptive behavior based access control
First Claim
1. A method for behavior based access tracking of an application comprising:
- intercepting an access attempt to a protected resource;
- comparing the access attempt to a preexisting set of allowable access attempts to determine if the access attempt corresponds to a previous allowable access, comparing the access attempt further comprising:
  - determining a structure of the access attempt corresponding to a syntactical arrangement of the access attempt; and
  - comparing the determined structure of the access attempt independently of the data values implicated in the access attempt;
- selectively permitting, based on the comparing, access to the protected resource according to the access attempt; and
- augmenting the set of allowable access attempts by selectively adding, based on inferential feedback, the access attempt to the set of allowable access attempts.
Abstract
Typical conventional content based database security mechanisms employ predefined criteria for identifying access attempts to sensitive or prohibited data. An operator identifies the criteria indicative of prohibited data, and the conventional content based approach scans or “sniffs” the transmissions for data items matching the predefined criteria. In many environments, however, database usage tends to follow repeated patterns of legitimate usage. Such usage patterns, if tracked, are deterministic of normal, allowable data access attempts. Similarly, data access attempts that deviate from those patterns may be suspect. Recording and tracking patterns of database usage allows learning of an expected baseline of normal DB activity, or application behavior. Identifying baseline-divergent access attempts as deviant, unallowed behavior allows automatic learning and implementation of behavior based access control. In this manner, data access attempts not matching previous behavior patterns are disallowed.
122 Citations
41 Claims
1. (Independent claim; text as given above under First Claim.) Dependent claims: 2 to 18.
19. A security filter device for behavior based access tracking of a software application comprising:
- a database access analyzer operable to intercept an access attempt to a protected resource;
- a baseline comparator operable to compare the access attempt to a preexisting set of allowable access attempts to determine if the access attempt corresponds to a previous allowable access attempt, the comparator for comparing the access attempts by:
  - determining a structure of the access attempt corresponding to syntactical arrangement of the access attempt; and
  - comparing the determined structure of the access attempt independently of the data values implicated in the access attempt, determining the structure further comprising:
    - parsing the access attempt; and
    - building a parse tree from the parsing, the parse tree indicative of a syntactical structure of the data access attempt, wherein comparing further comprises computing a hash value from the parse tree, and comparing the hash value to the hash values of previous access attempts;
- an enforcer operable to selectively permit, based on the comparing, access to the protected resource according to the access attempt; and
- an inference engine operable to add, if the access attempt is permitted, the access attempt to the set of allowable access attempts.

Dependent claims: 20 to 36.
37. A computer program product having a computer readable storage medium operable to store computer program logic embodied in computer program code encoded thereon that, when executed by a computer, causes the computer to perform steps for behavior based access tracking of a software application comprising:
- intercepting an access attempt to a protected resource;
- comparing the access attempt to a preexisting set of allowable access attempts to determine if the access attempt corresponds to a previous allowable access attempt, comparing the access attempt further comprising:
  - determining a structure of the access attempt corresponding to syntactical arrangement of the access attempt; and
  - comparing the determined structure of the access attempt independently of the data values implicated in the access attempt, determining the structure further comprising:
    - parsing the access attempt; and
    - building a parse tree from the parsing, the parse tree indicative of a syntactical structure of the data access attempt, wherein comparing further comprises computing a hash value from the parse tree, and comparing the hash value to the hash values of previous access attempts;
- selectively permitting, based on the comparing, access to the protected resource according to the access attempt; and
- adding, if the access attempt is permitted, the access attempt to the set of allowable access attempts.
38. A security filter device for behavior based access tracking of a software application comprising:
- means for intercepting an access attempt to a protected resource;
- means for comparing the access attempt to a preexisting set of allowable access attempts to determine if the access attempt corresponds to a previous allowable access attempt, means for comparing the access attempt further comprising:
  - means for determining a structure of the access attempt corresponding to syntactical arrangement of the access attempt; and
  - means for comparing the determined structure of the access attempt independently of the data values implicated in the access attempt, determining the structure further comprising:
    - means for parsing the access attempt; and
    - means for building a parse tree from the parsing, the parse tree indicative of a syntactical structure of the data access attempt, wherein comparing further comprises computing a hash value from the parse tree, and comparing the hash value to the hash values of previous access attempts;
- means for selectively permitting, based on the comparing, access to the protected resource according to the access attempt; and
- means for adding, if the access attempt is permitted, the access attempt to the set of allowable access attempts.
39. A method for behavior based access tracking of an information repository comprising:
- capturing a sequence of access attempts;
- establishing a baseline of allowable access attempts from the captured access attempts and a set of preexisting allowable accesses indicative of rules defining allowable behavior;
- intercepting an access attempt to the information repository;
- parsing the access attempt to determine a syntactical arrangement of the access attempt;
- building a parse tree to determine a structure of the access attempt, the parse tree indicative of the syntactical arrangement of the access attempt;
- computing a hash value from the parse tree, the parse tree deterministic of a query structure of the access attempt such that similar access attempts share the query structure;
- comparing the computed hash value of the access attempt to hash values computed from the established baseline to determine if the access attempt corresponds to a previous allowable access;
- selectively permitting, based on the comparing, access to the information repository according to the access attempt; and
- augmenting the established baseline by selectively adding, based on inferential feedback, the access attempt to the set of allowable access attempts for invocation with successive access attempts.

Dependent claims: 40 and 41.
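The pipeline that claims 19 through 39 describe (intercept an access attempt, derive a structure that is independent of its data values, hash that structure, compare the hash against the baseline, permit or deny, and extend the baseline on feedback), as an added Python example that is not part of the patent or any product implementing it. The regex tokenizer and the `BehaviorFilter` class are constructed stand-ins for the claimed parser and parse-tree hash, and the SQL statements are constructed sample traffic.

```python
import hashlib, re

# Added example, not the patent's code. A regex tokenizer stands in for the claimed
# parser: literals become type placeholders, so the hash reflects structure only.
_TOKEN = re.compile(
    r"(?P<str>'(?:[^']|'')*')"             # single-quoted string ('' escapes a quote)
    r"|(?P<num>\b\d+(?:\.\d+)?\b)"         # numeric literal
    r"|(?P<word>[A-Za-z_][A-Za-z0-9_.]*)"  # keyword or identifier
    r"|(?P<op>[^\sA-Za-z0-9_']+)"          # operators and punctuation
)

def structure_tokens(sql):
    """Flatten the statement into a value-independent token skeleton."""
    out = []
    for m in _TOKEN.finditer(sql):
        if m.lastgroup == "str":
            out.append("<str>")
        elif m.lastgroup == "num":
            out.append("<num>")
        else:
            out.append(m.group().lower())   # case does not change structure
    return out

def structure_hash(sql):
    # The claims' "hash value computed from the parse tree", here over the skeleton.
    return hashlib.sha256(" ".join(structure_tokens(sql)).encode()).hexdigest()

class BehaviorFilter:
    # Baseline comparator, enforcer and learning step in one object.
    def __init__(self, learning=True):
        self.baseline = set()      # hashes of allowable structures
        self.learning = learning   # learn mode records new structures instead of denying
    def check(self, sql):
        h = structure_hash(sql)
        if h in self.baseline:
            return True            # matches a previous allowable access
        if self.learning:          # inferential feedback: permitted attempt extends baseline
            self.baseline.add(h)
            return True
        return False               # structure never seen: deviant, denied

def demo():
    f = BehaviorFilter(learning=True)
    f.check("SELECT name FROM users WHERE id = 42")
    f.check("SELECT name FROM users WHERE name = 'O''Brien'")
    f.learning = False
    return (
        f.check("SELECT name FROM users WHERE id = 7"),     # same shape, new value: permitted
        f.check("select name from users where name='x'"),  # same shape, new value: permitted
        f.check("SELECT name, email FROM users"),          # unseen shape: denied
    )
```

A real deployment would hash the parser's tree rather than a token list, so that comments, nesting and subqueries are also captured; the learn-then-enforce switch is the same either way.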
Specification