Data security and intrusion detection
Abstract
Systems and methods are provided for the detection and prevention of intrusions in data at rest systems such as file systems and web servers. Item requests are examined to determine if the request and/or the result violates an item access rule. If either the request or the result violates the item access rule, an access control manager is alerted and appropriate action is taken such as not complying with the item request. Embodiments of the invention also produce a scorecard to represent the severity of an intrusion threat.
35 Claims
1. A method of detecting and preventing intrusion in a data at rest system comprising:
receiving a plurality of intrusion detection profiles from an access control system, each profile including at least one item access rule, wherein a plurality of users are associated with at least one of the intrusion detection profiles;
receiving a request for data in a data at rest system from a user;
receiving a result for the request from the data at rest system if the request is not a per se violation of one of the at least one item access rules, wherein the result is a subset of data in the data at rest system;
determining whether the result of said request causes the user to violate the at least one item access rule defined in the intrusion detection profile associated with the user; and
if the at least one item access rule is violated, notifying the access control system to alter user authorization, thereby preventing the result of the request from being transmitted to the user.
Dependent claims: 2 to 18.

19. A system for detecting and preventing intrusion in a data at rest system comprising:
a data at rest system;
an access control manager in communication with the data at rest system; and
one or more sensors, wherein the access control manager promulgates item access rules and distributes the item access rules to at least one of the one or more sensors which determine if a result of a user request causes the user to violate at least one of the item access rules and report violations to the access control manager, wherein the result is a subset of data in the data at rest system.
Dependent claims: 20 to 26.

27. A method of detecting and preventing intrusion in a data at rest system comprising:
accumulating results from performed previous requests to an item;
receiving a request for data in the data at rest system from a user;
receiving a result for the request from the data at rest system if the request is not a per se violation of one of the at least one item access rules, wherein the result is a subset of data in the data at rest system;
comparing the result of the received request with at least one Bayesian inference pattern, in order to determine whether a combination of accesses to the item match said inference pattern; and
notifying the access control system, upon determining that a combination of accesses to the item match said inference pattern, to alter an item access rule, thereby making the received request an unauthorized request, before the result is transmitted to the user.

28. A method of detecting and preventing intrusion in a database comprising:
accumulating results from performed previous requests to an item;
receiving a request for data in the database from a user;
receiving a result for the request from the database if the request is not a per se violation of one of the at least one item access rules, wherein the result is a subset of data in the database;
comparing the result of the received request with at least one Bayesian inference pattern, in order to determine whether a combination of accesses to the item match said inference pattern; and
notifying the access control system, upon determining that a combination of accesses to the item match said inference pattern, to alter an item access rule, thereby making the received request an unauthorized request, before the result is transmitted to the user.

29. A computer-readable medium whose contents cause a computer to perform a method of detecting and preventing intrusion in a data at rest system comprising:
receiving a plurality of intrusion detection profiles from an access control system, each profile including at least one item access rule, wherein a plurality of users are associated with at least one of the intrusion detection profiles;
receiving a request for data in a data at rest system from a user;
receiving a result for the request from the data at rest system if the request is not a per se violation of one of the at least one item access rules, wherein the result is a subset of data in the data at rest system;
determining whether the result of said request causes the user to violate the at least one item access rule defined in the intrusion detection profile associated with the user; and
if the at least one item access rule is violated, notifying the access control system to alter user authorization, thereby preventing the result of the request from being transmitted to the user.

30. A computer-readable medium whose contents cause a computer to perform a method of detecting and preventing intrusion in a data at rest system comprising:
accumulating results from performed previous requests to an item;
receiving a request for data in the data at rest system from a user;
receiving a result for the request from the data at rest system if the request is not a per se violation of one of the at least one item access rules, wherein the result is a subset of data in the data at rest system;
comparing the result of the received request with at least one Bayesian inference pattern, in order to determine whether a combination of accesses to the item match said inference pattern; and
notifying the access control system, upon determining that a combination of accesses to the item match said inference pattern, to alter an item access rule, thereby making the received request an unauthorized request, before the result is transmitted to the user.

31. A computer-readable medium whose contents cause a computer to perform a method of detecting and preventing intrusion in a database comprising:
accumulating results from performed previous requests to an item;
receiving a request for data in the database from a user;
receiving a result for the request from the database if the request is not a per se violation of one of the at least one item access rules, wherein the result is a subset of data in the database;
comparing the result of the received request with at least one Bayesian inference pattern, in order to determine whether a combination of accesses to the item match said inference pattern; and
notifying the access control system, upon determining that a combination of accesses to the item match said inference pattern, to alter an item access rule, thereby making the received request an unauthorized request, before the result is transmitted to the user.

32. A method of detecting and preventing intrusion in a data at rest system comprising:
receiving a plurality of intrusion detection profiles, each profile including at least one item access rule, wherein a plurality of users are associated with at least one of the intrusion detection profiles;
receiving a request for data in a data at rest system from a user;
receiving a result for the request from the data at rest system if the request is not a per se violation of one of the at least one item access rules, wherein the result is a subset of data in the data at rest system;
determining whether the result of said request causes the user to violate the at least one item access rule defined in the intrusion detection profile associated with the user; and
if the at least one item access rule is violated, preventing the result of the request from being transmitted to the user.

33. A method of detecting and preventing intrusion in a data at rest system comprising:
accumulating results from performed previous requests to an item;
receiving a request for data in the data at rest system from a user;
receiving a result for the request from the data at rest system if the request is not a per se violation of one of the at least one item access rules, wherein the result is a subset of data in the data at rest system;
comparing the result of the received request with at least one Bayesian inference pattern, in order to determine whether a combination of accesses to the item match said inference pattern; and
upon determining that a combination of accesses to the item match said inference pattern, altering an item access rule, thereby making the received request an unauthorized request, before the result is transmitted to the user.

34. A computer-readable medium whose contents cause a computer to perform a method of detecting and preventing intrusion in a data at rest system comprising:
receiving a plurality of intrusion detection profiles, each profile including at least one item access rule, wherein a plurality of users are associated with at least one of the intrusion detection profiles;
receiving a request for data in a data at rest system from a user;
receiving a result for the request from the data at rest system if the request is not a per se violation of one of the at least one item access rules, wherein the result is a subset of data in the data at rest system;
determining whether the result of said request causes the user to violate the at least one item access rule defined in the intrusion detection profile associated with the user; and
if the at least one item access rule is violated, preventing the result of the request from being transmitted to the user.

35. A computer-readable medium whose contents cause a computer to perform a method of detecting and preventing intrusion in a data at rest system comprising:
accumulating results from performed previous requests to an item;
receiving a request for data in the data at rest system from a user;
receiving a result for the request from the data at rest system if the request is not a per se violation of one of the at least one item access rules, wherein the result is a subset of data in the data at rest system;
comparing the result of the received request with at least one Bayesian inference pattern, in order to determine whether a combination of accesses to the item match said inference pattern; and
upon determining that a combination of accesses to the item match said inference pattern, altering an item access rule, thereby making the received request an unauthorized request, before the result is transmitted to the user.

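The claims above describe two distinct checks that a sensor sitting between a requester and a data-at-rest store can perform: a per se check on the request itself (claims 1 and 32), a check on the returned subset of data that only becomes possible once the result is known (claims 1, 19 and 32), and a check of the current result against accumulated prior results for the same item, with the item access rule altered when a combination of accesses matches an inference pattern (claims 27, 28, 33 and 35). The Python below is an added illustration of that flow and is not the patent's implementation or any product's code. The in-memory store, the rule fields (a set of per se denied columns plus a result-size limit), the shared user-to-profile layout, the revocation behaviour of the access control manager, and the inference-pattern format are all assumptions made for the example; the page does not specify the Bayesian pattern, so a plain "all columns in the set have now been retrieved" subset match stands in for it.

```python
"""Hypothetical result-checking sensor for a data-at-rest store.

Added illustration only; not the patent's implementation. The in-memory
store, the rule fields, the profile layout and the inference-pattern format
are all assumptions made for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed sample "data at rest": one table of customer records.
STORE: Dict[str, List[dict]] = {
    "customers": [
        {"id": 1, "zip": "02139", "dob": "1980-01-02", "sex": "F", "ssn": "111-22-3333"},
        {"id": 2, "zip": "02139", "dob": "1991-05-06", "sex": "M", "ssn": "444-55-6666"},
        {"id": 3, "zip": "10001", "dob": "1975-09-09", "sex": "F", "ssn": "777-88-9999"},
    ]
}

# Assumed inference pattern: once a user has pulled every column in the set
# for an item, the restricted column can be reconstructed by record linkage.
# The page's Bayesian pattern is not specified, so a subset match stands in.
INFERENCE_PATTERNS: Dict[str, List[FrozenSet[str]]] = {
    "customers": [frozenset({"zip", "dob", "sex"})],
}


@dataclass
class ItemAccessRule:
    item: str
    denied_columns: Set[str]          # requesting these is a per se violation
    max_rows: Optional[int] = None    # result-based rule: checkable only after execution


class AccessControlManager:
    """Promulgates profiles and alters authorization when a sensor reports."""

    def __init__(self) -> None:
        self.profiles: Dict[str, Dict[str, ItemAccessRule]] = {}  # user -> item -> rule
        self.revoked: Set[str] = set()
        self.notifications: List[Tuple[str, str]] = []

    def notify(self, user: str, reason: str) -> None:
        self.notifications.append((user, reason))
        self.revoked.add(user)  # alter user authorization (assumed policy: revoke)


class Sensor:
    """Sits between the requester and the store; withholds violating results."""

    def __init__(self, acm: AccessControlManager) -> None:
        self.acm = acm
        self.seen: Dict[Tuple[str, str], Set[str]] = {}  # accumulated prior results

    def request(self, user: str, item: str, columns: List[str],
                row_filter: Optional[Callable[[dict], bool]] = None
                ) -> Tuple[str, Optional[list]]:
        if user in self.acm.revoked:
            return "denied", None
        rule = self.acm.profiles[user][item]
        # Per se violation: refuse before the store is touched at all.
        if set(columns) & rule.denied_columns:
            return "denied", None
        rows = [r for r in STORE[item] if row_filter is None or row_filter(r)]
        result = [{c: r[c] for c in columns} for r in rows]
        # Result-based rule: only the returned subset reveals this violation.
        if rule.max_rows is not None and len(result) > rule.max_rows:
            self.acm.notify(user, f"{item}: {len(result)} rows exceeds {rule.max_rows}")
            return "withheld", None
        # Inference check: this result combined with accumulated prior results.
        combined = self.seen.get((user, item), set()) | set(columns)
        for pattern in INFERENCE_PATTERNS.get(item, []):
            if pattern <= combined:
                rule.denied_columns |= pattern  # alter the item access rule itself
                self.acm.notify(user, f"{item}: inference pattern {sorted(pattern)} matched")
                return "withheld", None
        self.seen[(user, item)] = combined
        return "allowed", result


def build_demo() -> Tuple[AccessControlManager, Sensor]:
    acm = AccessControlManager()
    analyst = {"customers": ItemAccessRule("customers", {"ssn"}, max_rows=2)}
    acm.profiles["alice"] = analyst   # alice and bob share one profile
    acm.profiles["bob"] = analyst
    acm.profiles["carol"] = {"customers": ItemAccessRule("customers", {"ssn"}, max_rows=2)}
    return acm, Sensor(acm)


def run_scenario() -> List[Tuple[str, str]]:
    """Constructed request sequence; returns (user, status) pairs in order."""
    acm, sensor = build_demo()
    in_02139 = lambda r: r["zip"] == "02139"
    log: List[Tuple[str, str]] = []
    log.append(("alice", sensor.request("alice", "customers", ["zip"], in_02139)[0]))
    log.append(("bob", sensor.request("bob", "customers", ["ssn"])[0]))
    log.append(("carol", sensor.request("carol", "customers", ["zip"])[0]))
    log.append(("alice", sensor.request("alice", "customers", ["dob", "sex"], in_02139)[0]))
    log.append(("alice", sensor.request("alice", "customers", ["id"])[0]))
    log.append(("bob", sensor.request("bob", "customers", ["zip"])[0]))
    return log


if __name__ == "__main__":
    for user, status in run_scenario():
        print(user, status)
```

In the scenario, alice's first request passes every check, bob's request for `ssn` is a per se violation and never reaches the store, carol's unfiltered query returns three rows against a two-row limit and is withheld only after the result is known, and alice's second request completes the `zip`/`dob`/`sex` combination across two requests, which alters the shared rule so that bob's later request for `zip` is refused as well. The practical caveat the claims leave implicit is that the result-based checks require executing the query before deciding, so the sensor must hold the result rather than stream it to the caller.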
Specification