Reducing false positives generated by a database intrusion detection system

US 7,874,000 B1
Filed: 11/22/2004
Issued: 01/18/2011
Est. Priority Date: 11/22/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A computer implemented method for reducing false positives generated by a database intrusion detection system, the method comprising the steps of:

monitoring, by a computer comprising a processor and memory, attempted database activities executed by a plurality of users;

detecting at least one attempt by at least one user to execute suspicious database activity; and

responsive to a threshold amount of users in a same group as the at least one user attempting substantially similar suspicious database activity, determining that the at least one attempt to execute suspicious database activity is legitimate.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A false positive reduction manager reduces false positives generated by database intrusion detection systems. In one embodiment, the false positive reduction manager monitors attempted database activities executed by a plurality of users. The false positive reduction manager detects at least one attempt by at least one user to execute suspicious database activity, and determines whether the at least one attempt to execute suspicious database activity is legitimate responsive to whether a threshold of users in the same group as the at least one user attempt substantially similar suspicious database activity.

72 Citations

View as Search Results

26 Claims

1. A computer implemented method for reducing false positives generated by a database intrusion detection system, the method comprising the steps of:
- monitoring, by a computer comprising a processor and memory, attempted database activities executed by a plurality of users;
  
  detecting at least one attempt by at least one user to execute suspicious database activity; and
  
  responsive to a threshold amount of users in a same group as the at least one user attempting substantially similar suspicious database activity, determining that the at least one attempt to execute suspicious database activity is legitimate.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1 further comprising:
    - responsive to a threshold amount of users in a same group as the at least one user not attempting substantially similar suspicious database activity, determining that the attempt to execute suspicious database activity is not legitimate.
  - 3. The method of claim 1 wherein determining that the at least one attempt to execute suspicious database activity is legitimate further comprises:
    - determining that the at least one attempt to execute suspicious database activity is legitimate responsive to a threshold amount of users in a same group as the at least one user attempting substantially similar suspicious database activity within a defined period of time.
  - 4. The method of claim 1 further comprising:
    - examining at least one group definition that is a function of the database to determine whether users attempting substantially similar suspicious database activity are in a same group.
  - 5. The method of claim 1 further comprising:
    - receiving at least one group definition from an administrator; and
      
      examining at least one received group definition to determine whether users attempting substantially similar suspicious database activity are in a same group.
  - 6. The method of claim 1 further comprising:
    - receiving at least one modification to at least one group definition from an administrator;
      
      responsive to the at least one received modification, modifying the at least one group definition; and
      
      examining at least one modified group definition to determine whether users attempting substantially similar suspicious database activity are in a same group.
  - 7. The method of claim 1 further comprising:
    - during a database intrusion detection system learning mode, analyzing database activity attempted by a plurality of users;
      
      responsive to attempted activity, creating a profile for each user of the plurality as part of the database intrusion detection system learning mode;
      
      responsive to creating a substantially similar profile for at least one subset of the users of the plurality, defining those users as being members of a group; and
      
      examining at least one defined group to determine whether users attempting substantially similar suspicious database activity are in a same group.
  - 8. The method of claim 1 further comprising:
    - during a database intrusion detection system learning mode, analyzing a database activity log;
      
      responsive to contents of the log, creating a profile for each of a plurality of users as part of the database intrusion detection system learning mode;
      
      responsive to creating a substantially similar profile for at least one subset of the users of the plurality, defining those users as being members of a group; and
      
      examining at least one defined group to determine whether users attempting substantially similar suspicious database activity are in a same group.
  - 9. The method of claim 1 further comprising:
    - calculating a value to use as a threshold amount of users in a same group as a percentage of total users in that group; and
      
      using the calculated threshold amount in the legitimacy determination of the at least one attempt to execute suspicious database activity.
  - 10. The method of claim 1 further comprising:
    - receiving a value to use as a threshold amount of users in a same group from an administrator; and
      
      using the received threshold amount in the legitimacy determination of the at least one attempt to execute suspicious database activity.
  - 11. The method of claim 1 further comprising:
    - receiving at least one modification to a value to use as a threshold amount of users in a same group from an administrator;
      
      responsive to the at least one received modification, modifying the threshold amount; and
      
      using the modified threshold amount in the legitimacy determination of the at least one attempt to execute suspicious database activity.
  - 12. The method of claim 1 further comprising:
    - using a default value as a threshold amount in the legitimacy determination of the at least one attempt to execute suspicious database activity.
  - 13. The method of claim 1 further comprising:
    - responsive to a threshold amount of users in a same group attempting substantially similar suspicious database activity for a defined period of time, initiating execution of a new database intrusion detection system learning mode.

14. A computer readable storage medium having executable computer program instructions tangibly embodied thereon for reducing false positives generated by a database intrusion detection system, the executable computer program instructions comprising:
- computer program instructions for monitoring attempted database activities executed by a plurality of users;
  
  computer program instructions for detecting at least one attempt by at least one user to execute suspicious database activity; and
  
  computer program instruction for determining that the at least one attempt to execute suspicious database activity is legitimate responsive to a threshold amount of users in a same group as the at least one user attempting substantially similar suspicious database activity.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The computer readable storage medium of claim 14, wherein the executable computer program instructions further comprise:
    - computer program instructions for determining that the attempt to execute suspicious database activity is not legitimate responsive to a threshold amount of users in a same group as the at least one user not attempting substantially similar suspicious database activity.
  - 16. The computer readable storage medium of claim 14 wherein the computer program instructions for determining that the at least one attempt to execute suspicious database activity is further comprises:
    - computer program instructions for determining that the at least one attempt to execute suspicious database activity is legitimate responsive to a threshold amount of users in a same group as the at least one user attempting substantially similar suspicious database activity within a defined period of time.
  - 17. The computer readable storage medium of claim 14, wherein the executable computer program instructions further comprise:
    - computer program instructions for analyzing database activity attempted by a plurality of users during a database intrusion detection system learning mode;
      
      computer program instructions for creating a profile for each user of the plurality as part of the database intrusion detection system learning mode responsive to attempted activity;
      
      computer program instructions for defining those users as being members of a group responsive to creating a substantially similar profile for at least one subset of the users of the plurality; and
      
      computer program instructions for examining at least one defined group to determine whether users attempting substantially similar suspicious database activity are in a same group.
  - 18. The computer readable storage medium of claim 14, wherein the executable computer program instructions further comprise:
    - computer program instructions for analyzing a database activity log during a database intrusion detection system learning mode;
      
      computer program instructions for creating a profile for each of a plurality of users as part of the database intrusion detection system learning mode responsive to contents of the log;
      
      computer program instructions for defining those users as being members of a group responsive to creating a substantially similar profile for at least one subset of the users of the plurality; and
      
      computer program instructions for examining at least one defined group to determine whether users attempting substantially similar suspicious database activity are in a same group.
  - 19. The computer readable storage medium of claim 14, wherein the executable computer program instructions further comprise:
    - program code for initiating execution of a new database intrusion detection system learning mode responsive to a threshold amount of users in a same group attempting substantially similar suspicious database activity for a defined period of time.

20. A computer system for reducing false positives generated by a database intrusion detection system, the computer system comprising:
- a computer-readable storage medium having executable computer program instructions tangibly embodied thereon, the executable computer program instructions comprising;
  
  a software portion configured to monitor attempted database activities executed by a plurality of users;
  
  a software portion configured to detect at least one attempt by at least one user to execute suspicious database activity; and
  
  a software portion configured to determine that the at least one attempt to execute suspicious database activity is legitimate responsive to a threshold amount of users in a same group as the at least one user attempting substantially similar suspicious database activity.
- View Dependent Claims (21, 22, 23, 24, 25)
- - 21. The computer system of claim 20 wherein the executable computer program instructions further comprises:
    - a software portion configured to determine that the attempt to execute suspicious database activity is not legitimate responsive to a threshold amount of users in a same group as the at least one user not attempting substantially similar suspicious database activity.
  - 22. The computer system of claim 20 wherein the software portion configured to determine further comprises:
    - a software portion configured to determine that the at least one attempt to execute suspicious database activity is legitimate responsive to a threshold amount of users in a same group as the at least one user attempting substantially similar suspicious database activity within a defined period of time.
  - 23. The computer system of claim 20 wherein the executable computer program instructions further comprises:
    - a software portion configured to analyze database activity attempted by a plurality of users during a database intrusion detection system learning mode;
      
      a software portion configured to create a profile for each user of the plurality as part of the database intrusion detection system learning mode responsive to attempted activity;
      
      a software portion configured to define those users as being members of a group responsive to creating a substantially similar profile for at least one subset of the users of the plurality; and
      
      a software portion configured to examine at least one defined group to determine whether users attempting substantially similar suspicious database activity are in a same group.
  - 24. The computer system of claim 20 wherein the executable computer program instructions further comprises:
    - a software portion configured to analyze a database activity log during a database intrusion detection system learning mode;
      
      a software portion configured to create a profile for each of a plurality of users as part of the database intrusion detection system learning mode responsive to contents of the log;
      
      a software portion configured to define those users as being members of a group responsive to creating a substantially similar profile for at least one subset of the users of the plurality; and
      
      a software portion configured to examine at least one defined group to determine whether users attempting substantially similar suspicious database activity are in a same group.
  - 25. The computer system of claim 20 wherein the executable computer program instructions further comprises:
    - a software portion configured to initiate execution of a new database intrusion detection system learning mode responsive to a threshold amount of users in a same group attempting substantially similar suspicious database activity for a defined period of time.

26. A computer implemented method for reducing false positives generated by an intrusion detection system, the method comprising the steps of:
- monitoring, by a computer comprising a processor and memory, attempted system activities executed by a plurality of users;
  
  detecting at least one attempt by at least one user to execute suspicious system activity;
  
  identifying a subgroup of users in a same group as the at least one user attempting substantially similar suspicious system activity, the subgroup excluding the at least one user;
  
  responsive to a size of the subgroup exceeding a threshold value, determining that the at least one attempt to execute suspicious system activity is legitimate; and
  
  responsive to the size of the subgroup exceeding the threshold value for a defined period of time, initiating execution of a new intrusion detection system learning mode.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NortonLifeLock Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Lal, Amrish
Primary Examiner(s)
Cervetti; David Garcia

Application Number

US10/994,849
Time in Patent Office

2,248 Days
Field of Search

726/22, 726/23, 726/24, 726/25
US Class Current

726/23
CPC Class Codes

G06F 21/55 Detecting local intrusion o...

Reducing false positives generated by a database intrusion detection system

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

72 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Reducing false positives generated by a database intrusion detection system

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

72 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links