Data leak protection system, method and apparatus

US 7,827,608 B2
Filed: 02/08/2005
Issued: 11/02/2010
Est. Priority Date: 02/08/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A data leak protection method comprising:

receiving a database query;

producing metrics, by an intrusion detection system (IDS), for said database query;

receiving the result set produced by said database query; and

limiting a response to said database query based upon;

a shape of said result set produced by said database query,said metrics, anda data leak protection policy specifying a set of limitations for a corresponding set of shapes and metrics.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system and apparatus for data leak prevention. An information system, such as a database system, which has been configured for data leak protection in accordance with the present invention can include an IDS coupled to the information system and a data leak protection system configured to apply a data leak protection policy for result sets produced by the information system in response to a database query. The data leak protection policy can include a listing of data shapes and corresponding remedial measures. The data leak protection policy further can include consideration for metrics produced by the IDS.

Citations

23 Claims

1. A data leak protection method comprising:
- receiving a database query;
  
  producing metrics, by an intrusion detection system (IDS), for said database query;
  
  receiving the result set produced by said database query; and
  
  limiting a response to said database query based upon;
  
  a shape of said result set produced by said database query,said metrics, anda data leak protection policy specifying a set of limitations for a corresponding set of shapes and metrics.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein said limiting comprises:
    - characterizing said shape of said result set;
      
      comparing said shape to pre-specified shapes to identify a matching shape;
      
      retrieving a remedial measure corresponding to said matching shape; and
      
      ,applying said remedial measure.
  - 3. The method of claim 1, wherein said shape of said result set is characterized by at least two characteristics of said result set.
  - 4. The method of claim 2, wherein said characterizing comprises processing at least one ofa stateless function for data in said result,a stateful function for data in multiple result sets,a stateful function for said metrics produced by said IDS, anda stateless function for said metrics produced by said IDS.
  - 5. The method of claim 2, wherein said applying comprises quashing said result set.
  - 6. The method of claim 2, wherein said applying comprises returning said result set in its entirety.
  - 7. The method of claim 2, wherein said applying comprises pruning said result set.
  - 8. The method of claim 2, wherein said applying comprises disconnecting a user issuing said database query.

9. A machine readable storage having stored thereon a computer program for data leak protection, the computer program comprising a routine set of instructions which when executed by a machine causes the machine to perform:
- receiving a database query;
  
  producing metrics, by an intrusion detection system (IDS), for said database query;
  
  receiving the result set produced by said database query; and
  
  limiting a response to said database query based upon;
  
  a shape of said result set produced by said database query,said metrics, anda data leak protection policy specifying a set of limitations for a corresponding set of shapes and metrics.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The machine readable storage of claim 9, wherein said limiting comprises:
    - characterizing said shape of said result set;
      
      comparing said shape to pre-specified shapes to identify a matching shape;
      
      retrieving a remedial measure corresponding to said matching shape; and
      
      ,applying said remedial measure.
  - 11. The machine readable storage of claim 9, wherein said shape of said result set is characterized by at least two characteristics of said result set.
  - 12. The machine readable storage of claim 10, wherein said characterizing comprises processing at least one ofa stateless function for data in said result,a stateful function for data in multiple result sets,a stateful function for said metrics produced by said IDS, anda stateless function for said metrics produced by said IDS.
  - 13. The machine readable storage of claim 10, wherein said applying comprises quashing said result set.
  - 14. The machine readable storage of claim 10, wherein said applying comprises returning said result set in its entirety.
  - 15. The machine readable storage of claim 10, wherein said applying comprises pruning said result set.
  - 16. The machine readable storage of claim 10, wherein said applying comprises disconnecting a user issuing said database query.

17. An information hardware system configured for data leak protection comprising:
- a database server configured to receive a database query and produce a result set for the database query;
  
  an intrusion detection system (IDS) coupled to said database server; and
  
  ,a data leak protection system configured to limit a response to the database query based upon;
  
  a shape of the result set produced by said database query,a data leak protection policy specifying a set of limitations for a corresponding set of shapes and metrics.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The system of claim 17, wherein the data leak protection policy comprises a listing of data shapes and corresponding remedial measures.
  - 19. The system of claim 17, wherein the data leak protection policy further comprises consideration for metrics produced by the IDS.
  - 20. The system of claim 17, wherein the information hardware system is a database hardware system.
  - 21. The system of claim 17, wherein said shape of said result set is characterized by at least two characteristics of said result set.
  - 22. The system of claim 18, wherein the data shapes are stateless functions of data included in each of the result sets.
  - 23. The system of claim 18, wherein the data shapes are stateful functions of data included across multiple ones of the result sets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
LinkedIn Corporation (Microsoft Corporation)
Original Assignee
International Business Machines Corporation
Inventors
Rjaibi, Walid, Lightstone, Sam S., Bird, Paul M., Kaminsky, David L.
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
RAHIM, MONJUR

Application Number

US11/053,105
Publication Number

US 20060179040A1
Time in Patent Office

2,093 Days
Field of Search

713/172, 713/200, 726/3, 726/23, 380/200
US Class Current

726/23
CPC Class Codes

G06F 16/217   Database tuning G06F16/2282...

G06F 16/2455   Query execution

G06F 21/6227   where protection concerns t...

Data leak protection system, method and apparatus

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Data leak protection system, method and apparatus

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links