Identifying an application user as a source of database activity

US 7,917,759 B2
Filed: 03/30/2007
Issued: 03/29/2011
Est. Priority Date: 03/30/2007
Status: Active Grant

First Claim

Patent Images

1. A method of determining a web application user as a source of database activity comprising:

receiving, via a first thread, a communication associated with a web application user, the web application user having authenticated to a web application using a first set of credentials;

associating a second thread spawned by the web application in response to the communication, with the web application user, wherein the association is based at least in part on mapping a session identifier of the second thread to an identifier associated with the web application user;

associating the web application user with a database query generated by the second thread, wherein the second thread uses a second set of credentials, that are independent of the web application user and associated with the web application, to access a database for the database query, the database being separate from the web application, wherein associating the web application user with a database query comprises generating a dummy query containing an indicator associated with web application user;

providing the dummy query to a downstream database security monitor to indicate that the database query is associated with the web application user, wherein the dummy query is ignored by the database, and wherein the dummy query indicates that any subsequent queries received from the web application over the second thread are associated with the web application user; and

providing an interface for auditing and intrusion detection functionality, wherein the interface allows identification of a user associated with a database anomaly using at least in part the dummy query provided to the downstream database security monitor.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Determining an application user as a source of database activity is disclosed. A communication is received. A thread that is configured to handle the communication is associated with an application user with which the communication is associated. The application user is associated with a database query generated by the thread.

19 Citations

17 Claims

1. A method of determining a web application user as a source of database activity comprising:
- receiving, via a first thread, a communication associated with a web application user, the web application user having authenticated to a web application using a first set of credentials;
  
  associating a second thread spawned by the web application in response to the communication, with the web application user, wherein the association is based at least in part on mapping a session identifier of the second thread to an identifier associated with the web application user;
  
  associating the web application user with a database query generated by the second thread, wherein the second thread uses a second set of credentials, that are independent of the web application user and associated with the web application, to access a database for the database query, the database being separate from the web application, wherein associating the web application user with a database query comprises generating a dummy query containing an indicator associated with web application user;
  
  providing the dummy query to a downstream database security monitor to indicate that the database query is associated with the web application user, wherein the dummy query is ignored by the database, and wherein the dummy query indicates that any subsequent queries received from the web application over the second thread are associated with the web application user; and
  
  providing an interface for auditing and intrusion detection functionality, wherein the interface allows identification of a user associated with a database anomaly using at least in part the dummy query provided to the downstream database security monitor.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 12, 13, 16)
- - 2. The method of claim 1, wherein generating a dummy query includes inserting a comment into the query.
  - 3. The method of claim 1, further comprising sending an email to the downstream database security monitor.
  - 4. The method of claim 1, further comprising providing an indication to the downstream database security monitor by writing to a log file.
  - 5. The method of claim 1 wherein the communication is a request.
  - 6. The method of claim 1 wherein the communication is a request requiring an interaction with a database.
  - 7. The method of claim 1 wherein associating a thread configured to handle the communication with an application user includes using a thread local variable.
  - 8. The method of claim 1 wherein the communication is one of a plurality of communications associated with a transaction.
  - 9. The method of claim 1 wherein associating a thread configured to handle the communication with an application user includes associating the thread with at least one piece of extracted information.
  - 12. The method of claim 1, wherein the application comprises a middle-tier application.
  - 13. The method of claim 1, wherein determining an application user as a source of database activity is performed without modification to the application.
  - 16. The method of claim 1, wherein the indication provided to the downstream database security monitor is used by the downstream database security monitor to provide intrusion detection and auditing functionality.

10. A system for determining a web application user as a source of database activity, including:
- a processor; and
  
  a memory coupled with the processor, wherein the memory is configured to provide the processor with instructions which when executed cause the processor to;
  
  receive, via a first thread, a communication associated with a web application user, the application user having authenticated to an application using a first set of credentials;
  
  associate a second thread, spawned by the application in response to the communication, with the web application user, wherein the association is based at least in part on mapping a session identifier of the second thread to the identifier associated with the web application user;
  
  associate the web application user with a database query generated by the second thread, wherein the second thread uses a second set of credentials, that are independent of the web application user and associated with the web application, to access a database for the database query, the database being separate from the web application, wherein associating the web application user with a database query comprises generating a dummy query containing an indicator associated with web application user;
  
  provide the dummy query to a downstream database security monitor to indicate that the database query is associated with the web application user, wherein the dummy query is ignored by the database, and wherein the dummy query indicates that any subsequent queries received from the web application over the second thread are associated with the web application user; and
  
  provide an interface for auditing and intrusion detection functionality, wherein the interface allows identification of a user associated with a database anomaly using at least in part the dummy query provided to the downstream database security monitor.
- View Dependent Claims (14, 15, 17)
- - 14. The system of claim 10, wherein the application comprises a middle-tier application.
  - 15. The system of claim 10, wherein determining an application user as a source of database activity is performed without modification to the application.
  - 17. The system of claim 10, further comprising:
    - a database security module, the database security module providing functionality allowing restriction of one or more queries of the identified user.

11. A computer readable medium for storing a computer program of instructions configured to be readable by at least one processor for determining a web application user as a source of database activity, the computer readable medium being embodied in a computer readable medium and comprising computer instructions for:
- receiving, via a first thread, a communication associated with a web application user, the web application user having authenticated to a web application using a first set of credentials;
  
  associating a second thread, spawned by the web application in response to the communication, with the web application user, wherein the association is based at least in part on mapping a session identifier of the second thread to the identifier associated with the web application user; and
  
  associating the web application user with a database query generated by the thread, wherein the thread uses a second set of credentials, that are independent of the web application user and associated with the web application, to access a database for the database query, the database being separate from the web application, wherein associating the web application user with a database query comprises generating a dummy query containing an indicator associated with web application user;
  
  providing the dummy query to a downstream database security monitor to indicate that the database query is associated with the web application user, wherein the dummy query is ignored by the database, and wherein the dummy query indicates that any subsequent queries received from the web application over the second thread are associated with the web application user; and
  
  providing an interface for auditing and intrusion detection functionality, wherein the interface allows identification of a user associated with a database anomaly using at least in part the dummy query provided to the downstream database security monitor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Lal, Amrish K., Chandran, Vivek M., Hu, Ron-Chung, Desai, Ravil A.
Primary Examiner(s)
Abel-Jalil; Neveen
Assistant Examiner(s)
PEACH, POLINA G

Application Number

US11/731,071
Publication Number

US 20080275843A1
Time in Patent Office

1,460 Days
Field of Search

707/3, 707/9
US Class Current

713/172
CPC Class Codes

G06F 21/6227   where protection concerns t...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

H04L 63/1416   Event detection, e.g. attac...

Identifying an application user as a source of database activity

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

19 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Identifying an application user as a source of database activity

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

19 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links