Device, system and method of database security

US 8,069,482 B2
Filed: 02/27/2007
Issued: 11/29/2011
Est. Priority Date: 02/27/2006
Status: Active Grant

First Claim

Patent Images

1. A method for detecting an intrusion to a database, the method comprising:

providing a detection profile corresponding to said database;

deriving one or more structure maps of operating memory associated with said database, said structure maps including one or more parameters defining how said database uses said operating memory;

when a transaction with said database occurs, using at least one structure map of said structure maps to retrieve information about the transaction from the memory; and

analyzing said transaction information to generate an event corresponding to a suspicious transaction based on said detection profile.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Some demonstrative embodiments of the invention relate to a method, device and system of database security. One demonstrative embodiment of the invention includes an intrusion detection sensor to scan transactions on a database, and generate an event based on a detection profile. Other embodiments are described and claimed.

Citations

30 Claims

1. A method for detecting an intrusion to a database, the method comprising:
- providing a detection profile corresponding to said database;
  
  deriving one or more structure maps of operating memory associated with said database, said structure maps including one or more parameters defining how said database uses said operating memory;
  
  when a transaction with said database occurs, using at least one structure map of said structure maps to retrieve information about the transaction from the memory; and
  
  analyzing said transaction information to generate an event corresponding to a suspicious transaction based on said detection profile.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method according to claim 1, wherein the memory comprises a System Global Area (SGA) and wherein the transaction information is retrieved from the SGA.
  - 3. The method according to claim 1, wherein the transaction information is retrieved at a pre-determined scanning rate.
  - 4. The method according to claim 3, further comprising increasing the scanning rate responsive to the generation of the event.
  - 5. The method according to claim 1, further comprising terminating a session associated with the transaction information following the generation of the event.
  - 6. The method according to claim 1, further comprising queuing the transaction information retrieved from the memory.
  - 7. The method according to claim 1, further comprising receiving an update to the detection profile from a server.
  - 8. The method according to claim 1, further comprising communicating the event to a server.
  - 9. The method according to claim 1, further comprising determining at least one operating system parameter relating to at least one of processor utilization and memory consumption.
  - 10. The method according to claim 1, further comprising maintaining a log of one or more generated events.
  - 11. The method according to claim 1, wherein said transaction information is retrieved directly from said memory using said at least one derived structure map without detecting and/or computing said one or more parameters.
  - 12. The method according to claim 1, wherein said database has a transaction rate of at least ten transactions per second.
  - 13. The method according to claim 1, wherein retrieving the transaction information from the memory associated with the database does not affect operation of the database.
  - 14. The method according to claim 1, wherein there is an intrusion-detection-efficiency of at least six.
  - 15. The method according to claim 1, further comprising generating at least one alert based on said event.
  - 16. The method according to claim 1, wherein said parameters of said structure map defines one or more of a session area, a previous statement, a current statement, and dependencies.

17. A database intrusion detection sensor comprising:
- a memory access module adapted to retrieve transaction information from an operating memory associated with the database using at least one derived memory structure map, said structure map defining one or more parameters of said operating memory; and
  
  a profile module adapted to analyze said transaction information to generate an event based on a detection profile.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 18. The database intrusion detection sensor according to claim 17, wherein said memory comprises a System Global Area (SGA) and wherein said transaction information is retrieved from said SGA.
  - 19. The database intrusion detection sensor according to claim 17, wherein said memory access module is further adapted to retrieve said transaction information at a predetermined scanning rate.
  - 20. The database intrusion detection sensor according to claim 19, wherein said profile module is further adapted to increase said scanning rate responsive to the generation of said event.
  - 21. The database intrusion detection sensor according to claim 17, wherein said memory access module is further adapted to terminate a session associated with said transaction information if said transaction information triggers a detection rule.
  - 22. The database intrusion detection sensor according to claim 17, further comprising a transaction queue adapted to queue said transaction information retrieved from said memory.
  - 23. The database intrusion detection sensor according to claim 17, wherein said profile module is further adapted to receive an update to said detection profile.
  - 24. The database intrusion detection sensor according to claim 17, further comprising a communication module adapted to communicate said event to a server.
  - 25. The database intrusion detection sensor according to claim 17, further comprising an operating system data collector adapted to determine at least one operating system parameter relating to at least one of processor utilization by said database intrusion detection sensor and memory consumption by said database intrusion detection sensor.
  - 26. The database intrusion detection sensor according to claim 17, further comprising a log module adapted to maintain a log of one or more events generated by said profile module.

27. A database system comprising:
- a database host comprising a database and an operating memory associated with said database;
  
  an intrusion detection sensor installed on said database host, wherein said intrusion detection sensor is adapted to retrieve transaction information from said memory using at least one derived memory structure map and to generate an event based on a detection profile, said structure map defining one or more parameters of said memory; and
  
  a server adapted to communicate with said intrusion detection sensor.
- View Dependent Claims (28, 29, 30)
- - 28. The database system according to claim 27, wherein said server is further adapted to provide said intrusion detection sensor with an update to said detection profile.
  - 29. The database system according to claim 27, wherein said intrusion detection sensor is further adapted to communicate said event to said server, and wherein said server is further adapted to generate an alert corresponding to said event and to transmit said alert to a recipient.
  - 30. The database system according to claim 27, wherein said server comprises a management application adapted to enable a user to manage one or more members of a group consisting of:
    - said intrusion detection sensor, said event, said detection profile and said server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
Sentrigo, Inc.
Inventors
Shuchami, Nathan, Markovich, Slavik
Primary Examiner(s)
Barron, Jr.; Gilberto
Assistant Examiner(s)
Ho; Virginia T

Application Number

US11/711,062
Publication Number

US 20070204342A1
Time in Patent Office

1,736 Days
Field of Search

726/22, 726/23
US Class Current

726/22
CPC Class Codes

G06F 16/217   Database tuning G06F16/2282...

G06F 16/24565   Triggers; Constraints

G06F 21/55   Detecting local intrusion o...

G06F 21/552   involving long-term monitor...

G06F 21/6227   where protection concerns t...

Device, system and method of database security

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Device, system and method of database security

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links