Customized data generating data storage system filter for data security

US 7,908,656 B1
Filed: 04/23/2007
Issued: 03/15/2011
Est. Priority Date: 04/23/2007
Status: Active Grant

First Claim

Patent Images

1. A security filter for a data storage system having a storage device being accessible to a client interface to provide a response to the client interface in accordance with a request for data received from the client interface, the security filter comprising:

an intrusion detector coupled to the client interface and being operable to determine that the request from the client interface is an intruder request or that the response from the storage device is an intruder response, wherein the intruder request or intruder response result from an unauthorized attempt to access information related to a content of the storage device; and

a response generator coupled to the storage device and the client interface and being operable to;

intercept the intruder response from the storage device and prevent the intruder response from reaching the client interface;

generate a substitute response containing artificial information corresponding to the detected intruder request or intruder response; and

provide the substitute response containing artificial information to the client interface instead of providing the requested data to the client interface.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data storage system filter operates through a filter framework in a file system to detect and provide customized responses to unauthorized access attempts. A security event definition determines when file system access events are classified as unauthorized access attempts. A trap manager manages the security events, and causes traps to be installed to capture file system responses. The trapped responses can be replaced with customized data, such as static artificial data, or artificial data generated based on a context of the request and/or response. The security filter can be loaded or unloaded in the filter framework and operates on a callback mechanism to avoid significant disruption of I/O activity.

Citations

43 Claims

1. A security filter for a data storage system having a storage device being accessible to a client interface to provide a response to the client interface in accordance with a request for data received from the client interface, the security filter comprising:
- an intrusion detector coupled to the client interface and being operable to determine that the request from the client interface is an intruder request or that the response from the storage device is an intruder response, wherein the intruder request or intruder response result from an unauthorized attempt to access information related to a content of the storage device; and
  
  a response generator coupled to the storage device and the client interface and being operable to;
  
  intercept the intruder response from the storage device and prevent the intruder response from reaching the client interface;
  
  generate a substitute response containing artificial information corresponding to the detected intruder request or intruder response; and
  
  provide the substitute response containing artificial information to the client interface instead of providing the requested data to the client interface.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The security filter according to claim 1, further comprising a trap mechanism for installing a trap to capture the intruder request or intruder response.
  - 3. The security filter according to claim 2, wherein the intrusion detector further comprises one or more security event definitions for determining when the request or response is the intruder request or the intruder response.
  - 4. A security filter according to claim 3, further comprising a trap manager responsive to the one or more security event definitions to invoke the trap mechanism to cause a trap to be installed to capture the intruder response.
  - 5. The security filter according to claim 1, wherein the intrusion detector further comprises one or more security event definitions for determining when the request or response is the intruder request or the intruder response.
  - 6. The security filter according to claim 5, wherein the security event definition comprises an expression representing one or more conditions related to the request from the client interface or the response from the storage device.
  - 7. The security filter according to claim 6, wherein the request from the client interface comprises a file open command, a file read command, a file write command, a get attributes command or a directory read command.
  - 8. The security filter according to claim 1, further comprising an alarm indication, operable to be triggered by the intruder response.
  - 9. The security filter according to claim 1, wherein the intruder response has an intruder content that influences the response generator to generate the substitute response to have a substitute content that is related to the intruder content.
  - 10. The security filter according to claim 1, wherein the response generator further comprises a data generator for generating at least a portion of the substitute response.
  - 11. The security filter according to claim 10, wherein the data generator is operable to generate artificial directory, file or block information related to the unauthorized information access attempt.
  - 12. The security filter according to claim 10, further comprising one or more data templates accessible by the data generator to contribute to providing the artificial information.
  - 13. The security filter according to claim 1, further comprising predetermined information accessible to the data generator to contribute to generating the substitute response.
  - 14. The security filter according to claim 1, further comprising an intruder event log for storing a record of events related to the unauthorized information access attempt.
  - 15. The security filter according to claim 1, wherein the security filter is implemented as a kernel mode filter.
  - 16. The security filter according to claim 1, further comprising a plurality of selectable points in a data path between the client interface and the storage device for capturing request or response information related to operation of the security filter.
  - 17. The security filter according to claim 16, wherein the security filter is a kernel mode filter that is compiled from a single source and is independent of the points at which the security filter is coupled to the data path.
  - 18. The security filter according to claim 1, further comprising a filter framework coupled to the data storage system and operable to provide management functions for the security filter.
  - 19. The security filter according to claim 18, wherein the security filter may be implemented with the filter framework as a synchronous, an asynchronous or an asynchronous release mode filter.
  - 20. The security filter according to claim 18, wherein the security filter is configured and arranged with the filter framework to permit the filter framework to invoke the security filter and continue processing the request from the client interface or the response from the storage device.

21. A security filter for a data storage system having a storage device being accessible to a client interface to provide a response to the client interface in accordance with a request for data received from the client interface, the security filter comprising:
- an intrusion detection means coupled to the client interface for determining that the request from the client interface is an intruder request or that the response from the storage device is an intruder response, wherein the intruder request or intruder response result from an unauthorized attempt to access information related to a content of the storage device; and
  
  a response generation means coupled to the storage device and the client interface for;
  
  intercepting the intruder response from the storage device and preventing the intruder response from reaching the client interface;
  
  generating a substitute response containing artificial information corresponding to the detected intruder request or intruder response; and
  
  providing the substitute response containing artificial information to the client interface instead of without providing the requested data to the client interface.

22. A security filter for a data storage system having a storage device and being accessible to a client interface, the security filter comprising:
- a security event definition for identifying unauthorized attempts made through the client interface to access information related to the storage device;
  
  a trap mechanism operable to install a trap that can block access to the information related to be identified unauthorized attempts to access the storage device;
  
  a trap manager responsive to the unauthorized attempts identified by the security event definition to control the trap mechanism to cause the trap to be installed; and
  
  a data generator operable to form an information substitute to be provided to the client interface when the trap blocks access to the information related to the identified unauthorized attempts to access the storage device, wherein the information substitute is artificial information corresponding to a content of the unauthorized attempts to access the storage device, and wherein the information substitute is provided to the client interface instead of the information related to the identified unauthorized attempts to access the storage device.
- View Dependent Claims (23, 24, 25)
- - 23. The security filter according to claim 22, further comprising a filter framework coupled to the data storage system and operable to provide management functions for the security filter.
  - 24. The security filter according to claim 22, wherein the data generator further comprises a data template operable to produce at least a portion of the information substitute.
  - 25. The security filter according to claim 22, wherein an identified unauthorized access attempt involves a command for one or more of a file open, file read, file write, get attributes or directory read.

26. A security filter for a data storage system having a storage device and being accessible to a client interface, the security filter comprising:
- a trap manager responsive to information stemming from an intruder request from the client interface or an intruder response from the storage device to determine a security filter action;
  
  a trap mechanism operable to block data related to the intruder request or the intruder response based on the security filter action, under control of the trap manager; and
  
  a response mechanism for forming a response provided to the client interface, the response including substitute data, wherein the substitute data is artificial information corresponding to a content of the intruder request or the intruder response, wherein the substitute data is provided instead of the data related to the intruder request or the intruder response.
- View Dependent Claims (27)
- - 27. The security filter according to claim 26, further comprising a data generator for generating the substitute data.

28. A method for securing a data storage system having a storage device being accessible to a client interface to provide a response to the client interface in accordance with a request for data received from the client interface, the method comprising:
- determining when the request from the client interface is an intruder request or that the response from the storage device is an intruder response, wherein the intruder request or intruder response result from an unauthorized attempt to access information related to a content of the storage device;
  
  intercepting the intruder response from the storage device and preventing the intruder response from reaching the client interface;
  
  generating a substitute response containing artificial information corresponding to the detected intruder request or intruder response; and
  
  providing the substitute response containing the artificial information to the client interface instead of providing the requested data to the client interface.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41)
- - 29. The method according to claim 28, wherein blocking the intruder response further comprises trapping the intruder response.
  - 30. The method according to claim 29, further comprising triggering an alarm when the intruder response is trapped.
  - 31. The method according to claim 29, further comprising generating the substitute response based on the intruder request or the intruder response when the intruder response is trapped.
  - 32. The method according to claim 31, wherein generating the substitute response further comprises generating artificial directory, file or block information.
  - 33. The method according to claim 28, wherein determining the intruder request or intruder response further comprises evaluating a security event definition.
  - 34. The method according to claim 33, further comprising installing a trap to block the intruder response.
  - 35. The method according to claim 28, further comprising accessing a data template to obtain information for generating the artificial information.
  - 36. The method according to claim 28, further comprising accessing predetermined static information for generating the artificial information.
  - 37. The method according to claim 28, further comprising storing a record of events related to the intruder request or intruder response.
  - 38. The method according to claim 28, further comprising implementing the security filter as a kernel mode filter.
  - 39. The method according to claim 28, further comprising positioning the security filter at one or more points in a data path between the client interface and the storage device for capturing request or response information related to operation of the security filter.
  - 40. The method according to claim 39, further comprising compiling the security filter as a kernel mode filter from a single source to be independent of the points at which the security filter is coupled to the data path.
  - 41. The method according to claim 28, further comprising implementing the security filter as a synchronous, an asynchronous or an asynchronous release mode filter.

42. A method for providing security in a data storage system having an input/output (I/O) interface and a storage media, comprising:
- receiving an incoming request from the I/O interface and providing an outgoing request to the storage media, the incoming request including protocol information;
  
  receiving an incoming response from the storage media and providing an outgoing response to the I/O interface, the outgoing response including the protocol information; and
  
  filtering information in the data storage system to modify information related to the outgoing request or the outgoing response and provide the modified information instead of providing the requested information, wherein the incoming request or the incoming response relates to an unauthorized attempt to access information in the data storage system, and wherein the modified information includes artificial information corresponding to the unauthorized attempt to access information in the data storage system.

43. A computer-program product comprising:
- a computer-readable medium having computer program code embodied thereon for securing a data storage system having a storage device being accessible to a client interface to provide a response to the client interface in accordance with a request received from the client interface, the computer program code adapted to;
  
  determine when the request from the client interface is an intruder request or when the response from the storage device is an intruder response, wherein the intruder request or intruder response result from an unauthorized attempt to access information related to a content of the storage device;
  
  intercept the intruder response from the storage device and prevent the intruder response from reaching the client interface;
  
  generate a substitute response containing artificial information corresponding to the detected intruder request or intruder response; and
  
  provide the substitute response containing the artificial information to the client interface instead of providing the requested information to the client interface.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Network Appliance Incorporated (NetApp, Inc.)
Original Assignee
Network Appliance Incorporated (NetApp, Inc.)
Inventors
Mu, Paul Yuedong
Primary Examiner(s)
Song; Hosuk

Application Number

US11/789,004
Time in Patent Office

1,422 Days
Field of Search

726 22- 26, 713/150, 713152-154, 713187-188, 713192-194, 709/225, 709/229
US Class Current

726/22
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2127   Bluffing

G06F 3/0622   in relation to access

G06F 3/0653   Monitoring storage devices ...

Customized data generating data storage system filter for data security

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

43 Claims

Specification

Solutions

Use Cases

Quick Links

Customized data generating data storage system filter for data security

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

43 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links