Data security and intrusion detection

US 7,594,266 B2
Filed: 09/29/2006
Issued: 09/22/2009
Est. Priority Date: 11/23/2001
Status: Active Grant

- Alert
- Pin

First Claim

Patent Images

1. A method of detecting and preventing intrusion in a data at rest system comprising:

receiving a plurality of intrusion detection profiles from an access control system, each profile including at least one item access rule, wherein a plurality of users are associated with at least one of the intrusion detection profiles;

receiving a request for data in a data at rest system from a user;

receiving a result for the request from the data at rest system if the request is not a per se violation of one of the at least one item access rules, wherein the result is a subset of data in the data at rest system;

determining whether the result of said request causes the user to violate the at least one item access rule defined in the intrusion detection profile associated with the user; and

if the at least one item access rule is violated, notifying the access control system to alter user authorization, thereby preventing the result of the request from being transmitted to the user.

View all claims

1 Assignment

Timeline View

Assignment View

Litigations

0 Petitions

Accused Products

Abstract

Systems and methods are provided for the detection and prevention of intrusions in data at rest systems such as file systems and web servers. Item requests are examined to determine if the request and/or the result violates an item access rule. If either the request or the result violates the item access rule, an access control manager is alerted and appropriate action is taken such as not complying with the item request. Embodiments of the invention also produce a scorecard to represent the severity of an intrusion threat.

78 Citations

View as Search Results

35 Claims

1. A method of detecting and preventing intrusion in a data at rest system comprising:
- receiving a plurality of intrusion detection profiles from an access control system, each profile including at least one item access rule, wherein a plurality of users are associated with at least one of the intrusion detection profiles;
  
  receiving a request for data in a data at rest system from a user;
  
  receiving a result for the request from the data at rest system if the request is not a per se violation of one of the at least one item access rules, wherein the result is a subset of data in the data at rest system;
  
  determining whether the result of said request causes the user to violate the at least one item access rule defined in the intrusion detection profile associated with the user; and
  
  if the at least one item access rule is violated, notifying the access control system to alter user authorization, thereby preventing the result of the request from being transmitted to the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, further comprising:
    - accumulating results from performed requests and determining whether the accumulated results violate any one of said at least one item access rule.
  - 3. The method of claim 1, wherein the at least one item access rules are selected from the group of a rule that limits access to the data at rest system at certain defined dates and times, a rule that prohibits access to the data at rest system, a rule that limits the user'"'"'s ability to run a query at certain defined dates and times and a rule that prohibits the user from running a query.
  - 4. The method of claim 1, wherein items subject to item access rules are marked in the data at rest system, and wherein any request concerning said items automatically triggers intrusion detection.
  - 5. The method of claim 1, wherein the step of determining whether the result violates the item access rule is determining if an item access rate is exceeded, and proceeding with the intrusion detection process only upon determining that the item access rate is exceeded.
  - 6. The method of claim 1, wherein the data at rest system is a file system.
  - 7. The method of claim 6, wherein one of said at least one item access rules is selected from the group of rules consisting of a rule that defines the number of files a user may access from the file system at one time, a rule that defines the number of files a group of users may access from the file system at one time, a rule that defines the number of files that may be accessed from the file system over a period of time, a rule that defines the number of files or amount of data volume a group of users may access from the file system over a period of time, a rule that defines the number of files that may be accessed from a directory over a period of time, a rule that defines the number of files a group of users may access from a directory over a period of time, a rule that defines the number of files that may be accessed from a server over a period of time, and a rule that defines the number of files a group of users may access from a server over a period of time.
  - 8. The method of claim 6, wherein the file system is one selected from the group consisting of:
    - ext2, ext3, ReiserFS, Reiser4, Google File System, XFS, FAT, FAT12, FAT16, FAT32, NTFS, HFS and HFS+.
  - 9. The method of claim 1, wherein the request is a read/write request.
  - 10. The method of claim 1, further comprising the step of commencing analysis of historical data access records.
  - 11. The method of claim 1, further comprising the step of commencing data inference analysis.
  - 12. The method of claim 1, wherein the intrusion detection profile further includes at least one inference pattern, the method further comprising:
    - accumulating results from performed previous requests to an item;
      
      comparing the received request with at least one inference pattern, in order to determine whether a combination of accesses to the item match said inference pattern; and
      
      notifying the access control system, upon determining that a combination of accesses in the record match said inference pattern, to alter an item access rule, thereby making the received request an unauthorized request, before a result is transmitted to the user.
  - 13. The method of claim 12, wherein at least one of said at least one inference pattern is a Bayesian inference pattern.
  - 14. The method of claim 1, wherein notifying the access control system further includes notifying the access control system to alter user authorization for additional system, including notifying systems across different system layers.
  - 15. The method of claim 2, wherein accumulating results from performed requests comprises accumulating results from at least one additional system.
  - 16. The method of claims 15, wherein the additional system includes one selected from the group consisting of a file system, a database, an application, and a network.
  - 17. The method of claim 1, wherein the method further comprises producing a scorecard that contains information selected from the group consisting of:
    - violation attempts, session statistics, and data access statistics.
  - 18. The system of claim 17, wherein the data access statistics are with respect to a system layer selected from the group consisting of:
    - a user, an application, a database, a query and a column.

19. A system for detecting and preventing intrusion in a data at rest system comprising:
- a data at rest system;
  
  an access control manager in communication with the data at rest system; and
  
  one or more sensors, wherein the access control manager promulgates item access rules and distributes the item access rules to at least one of the one or more sensors which determine if a result of a user request causes the user to violate at least one of the item access rules and report violations to the access control manager, wherein the result is a subset of data in the data at rest system.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26)
- - 20. The system of claim 19, wherein the access control manager analyzes at least one of the violations and adjusts at least one item access rule for a user or a group.
  - 21. The system of claim 19, wherein the access control manager analyzes at least one of the violations and adjusts one or more of the following:
    - at least one item access rule for an application or a data item, or other change of the security policy, including activating logging;
      
      at least one item access rule for a type of network traffic; and
      
      at least one item access rule for a type of data.
  - 22. The system of claim 19, wherein the access control manager adjusts at least one item access rule due to one or more of the following:
    - a change in a threat level, an increase or decrease in security violations, and the time and date.
  - 23. The system of claim 19, wherein the one or more sensors analyze network traffic at a level selected from the group consisting of the ISO/OSI Layer 2level, the ISO/OSI Layer 3 level and the ISO/OSI Layer 7 level.
  - 24. The system of claim 19, wherein the access control manager produces a scorecard that contains information selected from the group consisting of:
    - violation attempts;
      
      session statistics; and
      
      data access statistics.
  - 25. The system of claim 19, wherein the data access statistics are with respect to a system layer selected from the group consisting of:
    - a user;
      
      an application;
      
      a database;
      
      a query; and
      
      a column.
  - 26. The system of claim 25, wherein the one or more of the data access statistics are weighted to reflect the sensitivity of the item requested by the user.

27. A method of detecting and preventing intrusion in a data at rest system comprising:
- accumulating results from performed previous requests to an item;
  
  receiving a request for data in the data at rest system from a user;
  
  receiving a result for the request from the data at rest system if the request is not a per se violation of one of the at least one item access rules, wherein the result is a subset of data in the data at rest system;
  
  comparing the result of the received request with at least one Bayesian inference pattern, in order to determine whether a combination of accesses to the item match said inference pattern; and
  
  notifying the access control system, upon determining that a combination of accesses to the item match said inference pattern, to alter an item access rule, thereby making the received request an unauthorized request, before the result is transmitted to the user.

28. A method of detecting and preventing intrusion in a database comprising:
- accumulating results from performed previous requests to an item;
  
  receiving a request for data in the database from a user;
  
  receiving a result for the request from the database if the request is not a per se violation of one of the at least one item access rules, wherein the result is a subset of data in the database;
  
  comparing the result of the received request with at least one Bayesian inference pattern, in order to determine whether a combination of accesses to the item match said inference pattern; and
  
  notifying the access control system, upon determining that a combination of accesses to the item match said inference pattern, to alter an item access rule, thereby making the received request an unauthorized request, before the result is transmitted to the user.

29. A computer-readable medium whose contents cause a computer to perform a method of detecting and preventing intrusion in a data at rest system comprising:
- receiving a plurality of intrusion detection profiles from an access control system, each profile including at least one item access rule, wherein a plurality of users are associated with at least one of the intrusion detection profiles;
  
  receiving a request for data in a data at rest system from a user;
  
  receiving a result for the request from the data at rest system if the request is not a per se violation of one of the at least one item access rules, wherein the result is a subset of data in the data at rest system;
  
  determining whether the result of said request causes the user to violate the at least one item access rule defined in the intrusion detection profile associated with the user; and
  
  if the at least one item access rule is violated, notifying the access control system to alter user authorization, thereby preventing the result of the request from being transmitted to the user.

30. A computer-readable medium whose contents cause a computer to perform a method of detecting and preventing intrusion in a data at rest system comprising:
- accumulating results from performed previous requests to an item;
  
  receiving a request for data in the data at rest system from a user;
  
  receiving a result for the request from the data at rest system if the request is not a per se violation of one of the at least one item access rules, wherein the result is a subset of data in the data at rest system;
  
  comparing the result of the received request with at least one Bayesian inference pattern, in order to determine whether a combination of accesses to the item match said inference pattern; and
  
  notifying the access control system, upon determining that a combination of accesses to the item match said inference pattern, to alter an item access rule, thereby making the received request an unauthorized request, before the result is transmitted to the user.

31. A computer-readable medium whose contents cause a computer to perform a method of detecting and preventing intrusion in a database comprising:
- accumulating results from performed previous requests to an item;
  
  receiving a request for data in the database from a user;
  
  receiving a result for the request from the database if the request is not a per se violation of one of the at least one item access rules, wherein the result is a subset of data in the database;
  
  comparing the result of the received request with at least one Bayesian inference pattern, in order to determine whether a combination of accesses to the item match said inference pattern; and
  
  notifying the access control system, upon determining that a combination of accesses to the item match said inference pattern, to alter an item access rule, thereby making the received request an unauthorized request, before the result is transmitted to the user.

32. A method of detecting and preventing intrusion in a data at rest system comprising:
- receiving a plurality of intrusion detection profiles, each profile including at least one item access rule, wherein a plurality of users are associated with at least one of the intrusion detection profiles;
  
  receiving a request for data in a data at rest system from a user;
  
  receiving a result for the request from the data at rest system if the request is not a per se violation of one of the at least one item access rules, wherein the result is a subset of data in the data at rest system;
  
  determining whether the result of said request causes the user to violate the at least one item access rule defined in the intrusion detection profile associated with the user; and
  
  if the at least one item access rule is violated, preventing the result of the request from being transmitted to the user.

33. A method of detecting and preventing intrusion in a data at rest system comprising:
- accumulating results from performed previous requests to an item;
  
  receiving a request for data in the data at rest system from a user;
  
  receiving a result for the request from the data at rest system if the request is not a per se violation of one of the at least one item access rules, wherein the result is a subset of data in the data at rest system;
  
  comparing the result of the received request with at least one Bayesian inference pattern, in order to determine whether a combination of accesses to the item match said inference pattern; and
  
  upon determining that a combination of accesses to the item match said inference pattern, altering an item access rule, thereby making the received request an unauthorized request, before the result is transmitted to the user.

34. A computer-readable medium whose contents cause a computer to perform a method of detecting and preventing intrusion in a data at rest system comprising:
- receiving a plurality of intrusion detection profiles, each profile including at least one item access rule, wherein a plurality of users are associated with at least one of the intrusion detection profiles;
  
  receiving a request for data in a data at rest system from a user;
  
  receiving a result for the request from the data at rest system if the request is not a per se violation of one of the at least one item access rules, wherein the result is a subset of data in the data at rest system;
  
  determining whether the result of said request causes the user to violate the at least one item access rule defined in the intrusion detection profile associated with the user; and
  
  if the at least one item access rule is violated, preventing the result of the request from being transmitted to the user.

35. A computer-readable medium whose contents cause a computer to perform a method of detecting and preventing intrusion in a data at rest system comprising:
- accumulating results from performed previous requests to an item;
  
  receiving a request for data in the data at rest system from a user;
  
  receiving a result for the request from the data at rest system if the request is not a per se violation of one of the at least one item access rules, wherein the result is a subset of data in the data at rest system;
  
  comparing the result of the received request with at least one Bayesian inference pattern, in order to determine whether a combination of accesses to the item match said inference pattern; and
  
  upon determining that a combination of accesses to the item match said inference pattern, altering an item access rule, thereby making the received request an unauthorized request, before the result is transmitted to the user.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Protegrity USA, Inc. (Xcelera Inc.)
Original Assignee
Protegrity USA, Inc. (Xcelera Inc.)
Inventors
Hsu, Mike, Mattsson, Ulf
Primary Examiner(s)
Moise; Emmanuel L
Assistant Examiner(s)
Fields; Courtney D

Application Number

US11/540,467
Publication Number

US 20070083928A1
Time in Patent Office

1,089 Days
Field of Search

726/22, 726/23, 726/24
US Class Current

726/22
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2135   Metering

G06F 2221/2137   Time limited access, e.g. t...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

Data security and intrusion detection

First Claim

1 Assignment

Litigations

0 Petitions

Accused Products

Abstract

78 Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

Data security and intrusion detection

First Claim

1 Assignment

Subscription Required

Subscription Required

Litigations

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

78 Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links