Reducing false positives generated by a database intrusion detection system
Abstract
A false positive reduction manager reduces false positives generated by database intrusion detection systems. In one embodiment, the false positive reduction manager monitors attempted database activities executed by a plurality of users. The false positive reduction manager detects at least one attempt by at least one user to execute suspicious database activity, and determines whether the at least one attempt to execute suspicious database activity is legitimate responsive to whether a threshold of users in the same group as the at least one user attempt substantially similar suspicious database activity.
26 Claims
1. A computer implemented method for reducing false positives generated by a database intrusion detection system, the method comprising the steps of:
- monitoring, by a computer comprising a processor and memory, attempted database activities executed by a plurality of users;
- detecting at least one attempt by at least one user to execute suspicious database activity; and
- responsive to a threshold amount of users in a same group as the at least one user attempting substantially similar suspicious database activity, determining that the at least one attempt to execute suspicious database activity is legitimate.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13.

14. A computer readable storage medium having executable computer program instructions tangibly embodied thereon for reducing false positives generated by a database intrusion detection system, the executable computer program instructions comprising:
- computer program instructions for monitoring attempted database activities executed by a plurality of users;
- computer program instructions for detecting at least one attempt by at least one user to execute suspicious database activity; and
- computer program instructions for determining that the at least one attempt to execute suspicious database activity is legitimate responsive to a threshold amount of users in a same group as the at least one user attempting substantially similar suspicious database activity.
Dependent claims: 15, 16, 17, 18, 19.

20. A computer system for reducing false positives generated by a database intrusion detection system, the computer system comprising:
- a computer-readable storage medium having executable computer program instructions tangibly embodied thereon, the executable computer program instructions comprising:
  - a software portion configured to monitor attempted database activities executed by a plurality of users;
  - a software portion configured to detect at least one attempt by at least one user to execute suspicious database activity; and
  - a software portion configured to determine that the at least one attempt to execute suspicious database activity is legitimate responsive to a threshold amount of users in a same group as the at least one user attempting substantially similar suspicious database activity.
Dependent claims: 21, 22, 23, 24, 25.

26. A computer implemented method for reducing false positives generated by an intrusion detection system, the method comprising the steps of:
- monitoring, by a computer comprising a processor and memory, attempted system activities executed by a plurality of users;
- detecting at least one attempt by at least one user to execute suspicious system activity;
- identifying a subgroup of users in a same group as the at least one user attempting substantially similar suspicious system activity, the subgroup excluding the at least one user;
- responsive to a size of the subgroup exceeding a threshold value, determining that the at least one attempt to execute suspicious system activity is legitimate; and
- responsive to the size of the subgroup exceeding the threshold value for a defined period of time, initiating execution of a new intrusion detection system learning mode.
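The decision the independent claims describe (keep the alert unless enough peers in the same group are doing substantially the same flagged thing, and start a new learning mode once that peer consensus has persisted for a defined period) is shown below as an added illustration. It is example code written for this page, not the patent's or any vendor's implementation. Everything beyond the claims is an assumption of the example: the `signature()` normalisation used to decide what counts as "substantially similar" activity, the sliding time window that bounds which attempts count as recent, the strict "exceeds threshold" comparison taken from claim 26, treating "for a defined period of time" as continuous exceedance between evaluations, and the constructed event log.

```python
"""Group-consensus false positive reduction for a database IDS (illustrative).

Added example for this page; the class, signature() helper and sample events
are assumptions of the example, not the patent's implementation.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One database attempt that the IDS has already flagged as suspicious."""
    ts: float       # seconds; constructed offsets in the demo below
    user: str
    group: str      # the user's group (e.g. a directory group or role)
    sql: str


@dataclass(frozen=True)
class Verdict:
    legitimate: bool       # True when the alert is suppressed as a likely false positive
    peers: int             # size of the subgroup: same group, similar activity, excluding this user
    learning_mode: bool    # True when a new IDS learning mode should be started


_TABLE_RE = re.compile(r"\b(?:FROM|INTO|UPDATE|TABLE|JOIN)\s+([\w.]+)", re.I)


def signature(sql: str) -> str:
    """Reduce a statement to a coarse 'verb + tables' key so that statements that
    differ only in literals or column lists count as substantially similar.
    This normalisation is an assumption; the claims do not define similarity."""
    tokens = sql.strip().split()
    verb = tokens[0].upper() if tokens else "?"
    tables = sorted({m.group(1).lower() for m in _TABLE_RE.finditer(sql)})
    return f"{verb} {','.join(tables) if tables else '?'}"


class FalsePositiveReducer:
    def __init__(self, threshold: int, window: float, learning_period: float):
        self.threshold = threshold            # subgroup size must strictly exceed this (claim 26)
        self.window = window                  # how long an attempt still counts as recent
        self.learning_period = learning_period
        self._recent = defaultdict(list)      # (group, signature) -> [(ts, user), ...]
        self._exceeding_since = {}            # (group, signature) -> ts when threshold first exceeded
        self._learning_started = set()

    def evaluate(self, ev: Event) -> Verdict:
        key = (ev.group, signature(ev.sql))
        bucket = self._recent[key]
        # Drop attempts that fell out of the window, then record this one.
        bucket[:] = [(t, u) for t, u in bucket if ev.ts - t <= self.window]
        bucket.append((ev.ts, ev.user))
        # Subgroup of peers attempting similar activity, explicitly excluding this user.
        peers = {u for _, u in bucket if u != ev.user}
        legitimate = len(peers) > self.threshold
        learning = False
        if legitimate:
            # Approximation of "for a defined period of time": the threshold has been
            # exceeded at every evaluation since _exceeding_since[key].
            start = self._exceeding_since.setdefault(key, ev.ts)
            if ev.ts - start >= self.learning_period and key not in self._learning_started:
                self._learning_started.add(key)
                learning = True
        else:
            self._exceeding_since.pop(key, None)
        return Verdict(legitimate, len(peers), learning)


# Constructed sample: the IDS flagged reads of a payroll table by several finance users.
SAMPLE_EVENTS = [
    Event(0, "alice", "finance", "SELECT * FROM payroll.salaries WHERE emp_id = 17"),
    Event(10, "bob", "finance", "SELECT name, pay FROM payroll.salaries WHERE emp_id = 9"),
    Event(20, "carol", "finance", "select * from payroll.salaries"),
    Event(30, "dave", "finance", "SELECT pay FROM payroll.salaries WHERE dept = 'ops'"),
    Event(40, "eve", "marketing", "SELECT * FROM payroll.salaries"),      # other group: no peers
    Event(50, "carol", "finance", "DROP TABLE payroll.salaries"),         # different activity
    Event(700, "bob", "finance", "SELECT * FROM payroll.salaries WHERE emp_id = 3"),
]


def run_demo(threshold: int = 2, window: float = 3600.0, learning_period: float = 600.0):
    """Evaluate the constructed events in order and return the verdicts."""
    reducer = FalsePositiveReducer(threshold, window, learning_period)
    return [reducer.evaluate(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev, v in zip(SAMPLE_EVENTS, run_demo()):
        print(f"t={ev.ts:>4} {ev.user:<6} {ev.group:<10} peers={v.peers} "
              f"legitimate={v.legitimate} learning_mode={v.learning_mode}")
```

With threshold 2, the first three finance reads stay as alerts (0, 1 and 2 peers), dave's read is the first suppressed one (3 peers), eve's identical query is still alerted because her group is different, carol's DROP is a different signature and is alerted, and bob's read at t=700 both suppresses and starts a learning mode because the consensus has held for more than the 600-second learning period. A point worth keeping in view when tuning this: group membership and the threshold are what stand between "many colleagues did the same thing" and "several accounts in one group did the same thing", so the group definition and threshold need to be chosen with the size and privilege of each group in mind.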