Network intrusion blocking security overlay
First Claim
1. A method of scrutinizing database connections comprising:
receiving a transaction requesting to access a database, the transaction received on a connection, the connection being between the database and an access portal of a server operable to access the database;
identifying, via a lightweight check, a set of connection attributes corresponding to the connection and determining a level of scrutiny to be applied to the connection based on the connection attributes, wherein the connection attributes indicate the level of scrutiny;
selectively transmitting, based on the connection attributes being indicative of a need to analyze the connection, the received transaction to an evaluator, the evaluator operable to apply a set of access rules for determining a verdict specifying whether the received transaction is a suspect transaction indicative of undesirable access, the selectively transmitting further comprising:
computing the verdict at the evaluator by applying the set of access rules to the received transaction, the evaluator distinct from the server operable to access the database and having separate computing resources; and
receiving the verdict, the verdict indicative of a responsive action based on applying the set of access rules to the received transaction;
computing, from the connection attributes, the responsive action when the connection attributes do not indicate that the received transaction is a suspect transaction indicative of undesirable access and the need for analyzing the received transaction at the evaluator; and
applying the responsive action to the received transaction.
Abstract
A database security overlay that identifies each network and local access gateway to a database, and monitors each access path from the identified gateways to analyze each connection to the database and block any connections determined to transport unauthorized or undesirable content. Access gateways that establish connections are identifiable by interprocess communication (IPC) mechanisms employed in accessing the database. An evaluator monitors access attempts, while a tapping mechanism on IPC mechanisms that provide the connections captures access attempts from the access gateways. The tapping mechanism intercepts and forwards access attempts to the evaluator to centralize and focus DB paths amid multiple local and external connections on the DB server. A lightweight check for each local access quickly determines if the access attempt warrants further scrutiny.
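The split the abstract and claim 1 describe (a lightweight label check at the IPC tap on the database host, selective forwarding to a separate evaluator that applies access rules, and a responsive action either returned as a verdict or computed from the connection attributes alone) can be modelled compactly. The following Python is an added illustration, not code from the patent or its assignee: the label table, the rule names, the connection tuple fields and the sample traffic are all hypothetical.

```python
"""Model of the scrutinizer / evaluator split described in the abstract and claim 1.
Labels, rules and sample traffic are hypothetical (constructed for this example)."""
import re
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Optional, Tuple


class Scrutiny(Enum):
    PASS_THROUGH = "pass"     # predetermined label: trusted path, act locally
    ANALYZE = "analyze"       # predetermined label: forward to the evaluator
    DENY = "deny"             # predetermined label: never permitted


class Action(Enum):
    PERMIT = "permit"
    BLOCK = "block"


@dataclass(frozen=True)
class Connection:
    """Connection attributes visible at the IPC tap (constructed fields)."""
    ipc: str       # IPC mechanism: "unix_socket", "shared_memory", "tcp"
    peer: str      # local process name or remote address
    db_user: str   # database account the connection authenticated as


@dataclass
class Transaction:
    conn: Connection
    sql: str


@dataclass
class Verdict:
    action: Action
    reason: Optional[str] = None   # rule or label that decided, for the audit record


# Lightweight check: one predetermined label per connection tuple (hypothetical table).
# Anything not listed defaults to ANALYZE, so an unknown path is never silently trusted.
LABELS = {
    ("unix_socket", "backup_agent", "backup"): Scrutiny.PASS_THROUGH,
    ("shared_memory", "reporting_svc", "report_ro"): Scrutiny.PASS_THROUGH,
    ("tcp", "10.0.9.17", "app"): Scrutiny.ANALYZE,
    ("tcp", "203.0.113.5", "sa"): Scrutiny.DENY,
}


def lightweight_check(conn: Connection) -> Scrutiny:
    """Label lookup only; the transaction content is not parsed here."""
    return LABELS.get((conn.ipc, conn.peer, conn.db_user), Scrutiny.ANALYZE)


class Evaluator:
    """Holds the access rules; in the patent's design this runs on separate resources."""

    def __init__(self) -> None:
        self.rules: List[Tuple[str, Callable[[Transaction], bool]]] = [
            ("ddl_from_app_account", lambda t: t.conn.db_user == "app"
                and re.match(r"\s*(DROP|ALTER|TRUNCATE)\b", t.sql, re.I) is not None),
            ("sensitive_table_over_tcp", lambda t: t.conn.ipc == "tcp"
                and re.search(r"\bcard_numbers\b", t.sql, re.I) is not None),
            # A ';' anywhere but the trailing position means more than one statement arrived.
            ("stacked_statements", lambda t: ";" in t.sql.strip().rstrip(";")),
        ]
        self.audit: List[Tuple[str, str, str]] = []

    def evaluate(self, txn: Transaction) -> Verdict:
        verdict = Verdict(Action.PERMIT)
        for name, matches in self.rules:
            if matches(txn):
                verdict = Verdict(Action.BLOCK, name)
                break
        self.audit.append((txn.conn.peer, txn.sql, verdict.action.value))
        return verdict


class Scrutinizer:
    """Sits at the IPC tap on the DB host; forwards only what the label says needs analysis."""

    def __init__(self, evaluator: Evaluator) -> None:
        self.evaluator = evaluator
        self.forwarded = 0

    def handle(self, txn: Transaction) -> Verdict:
        level = lightweight_check(txn.conn)
        if level is Scrutiny.ANALYZE:
            self.forwarded += 1
            return self.evaluator.evaluate(txn)
        # No analysis needed: the responsive action comes from the attributes alone.
        action = Action.PERMIT if level is Scrutiny.PASS_THROUGH else Action.BLOCK
        return Verdict(action, f"label:{level.value}")


def run_demo() -> Tuple[List[Tuple[str, Optional[str]]], int]:
    """Constructed sample traffic; returns (action, reason) per transaction and the forward count."""
    backup = Connection("unix_socket", "backup_agent", "backup")
    app = Connection("tcp", "10.0.9.17", "app")
    unknown_app = Connection("tcp", "203.0.113.5", "app")
    sa = Connection("tcp", "203.0.113.5", "sa")
    traffic = [
        Transaction(backup, "SELECT * FROM orders"),
        Transaction(app, "SELECT name FROM customers WHERE id = 7"),
        Transaction(app, "SELECT pan FROM card_numbers WHERE id = 7"),
        Transaction(unknown_app, "DROP TABLE audit_log"),
        Transaction(app, "SELECT 1; DELETE FROM users"),
        Transaction(sa, "SELECT 1"),
    ]
    scrutinizer = Scrutinizer(Evaluator())
    results = [(v.action.value, v.reason) for v in map(scrutinizer.handle, traffic)]
    return results, scrutinizer.forwarded


if __name__ == "__main__":
    for row in run_demo()[0]:
        print(row)
```

Of the six constructed transactions, only the four whose label is ANALYZE (including the one on an unlisted path, which defaults to ANALYZE) reach the evaluator; the backup path is permitted and the denied path blocked from the label alone, which is the "computing, from the connection attributes, the responsive action" branch of claim 1.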
24 Claims
1. A method of scrutinizing database connections comprising the steps set out under First Claim above. Dependent claims: 2 to 19.
20. A data security appliance for monitoring database connections comprising:
an evaluator having a memory, a processor, a network interface, and a coupling to a database server performing database access requests via the database connections;
the coupling responsive to an IPC intercept on the database server for receiving a transaction requesting to access a database, the transaction received on a connection, the connection being between the database and an access portal of the database server;
the IPC intercept providing the received transaction to a scrutinizer for identifying, via a lightweight check, a set of connection attributes of the connection and determining a level of scrutiny to be applied to the connection based on the connection attributes, the connection attributes indicating the level of scrutiny and the lightweight check performed by fetching a predetermined label corresponding to the connection;
the scrutinizer selectively transmitting, based on the connection attributes being indicative of a need to analyze the connection, the received transaction to the coupled evaluator, the evaluator having a set of access rules for determining a verdict specifying whether the received transaction is a suspect transaction indicative of undesirable access;
the evaluator invoking the coupling for sending the verdict to the scrutinizer, the verdict indicative of a responsive action based on applying the set of access rules to the received transaction;
the scrutinizer responsive to the verdict for applying the responsive action to the received transaction, the responsive action indicating at least one of: permitting the received transaction; and modifying the set of access rules to apply to subsequent transactions; and
the scrutinizer computing, from the connection attributes, the responsive action when the connection attributes do not indicate that the received transaction is a suspect transaction indicative of undesirable access and the need for analyzing the received transaction at the evaluator.
Dependent claims: 21 to 23.
24. A computer program product having a non-transitory computer readable storage medium operable to store computer program logic embodied in computer program code encoded as a set of processor based instructions thereon, that, when executed by the processor cause the computer to perform steps for scrutinizing database connections comprising:
computer program code for receiving a transaction requesting to access a database, the transaction received on a connection, the connection being between the database and an access portal;
computer program code for identifying, via a lightweight check, a set of connection attributes corresponding to the connection and determining a level of scrutiny to be applied to the connection based on the connection attributes, the connection attributes indicating the level of scrutiny and the lightweight check performed by fetching a predetermined label corresponding to the connection;
computer program code for selectively transmitting, based on the connection attributes being indicative of a need to analyze the connection, the received transaction to an evaluator, the evaluator operable to apply a set of access rules for determining a verdict specifying whether the received transaction is a suspect transaction indicative of undesirable access;
computer program code for receiving the verdict, the verdict indicative of a responsive action based on applying the set of access rules to the received transaction;
computer program code for computing, from the connection attributes, the responsive action when the connection attributes do not indicate that the received transaction is a suspect transaction indicative of undesirable access and the need for analyzing the received transaction at the evaluator; and
computer program code for applying the responsive action to the received transaction.