Empirical database access adjustment

US 8,266,177 B1
Filed: 03/16/2004
Issued: 09/11/2012
Est. Priority Date: 03/16/2004
Status: Expired due to Fees

First Claim

Patent Images

1. An apparatus for empirically adjusting a user'"'"'s authorized access to a database, the apparatus comprising:

a non-transitory computer-readable storage medium storing executable computer program modules comprising;

a database discovery module configured to determine a structure of the database and the user'"'"'s authorized access to the database, the user'"'"'s authorized access including a set of authorized database tables and authorized columns;

a command monitoring module configured to monitor the user'"'"'s actual accesses to the database until a preselected quantity of actual accesses have been observed, the user'"'"'s actual accesses including a set of accessed database tables and accessed columns; and

an analysis module configured to compare the user'"'"'s actual accesses with the user'"'"'s authorized access and configured to adjust the user'"'"'s authorized access taking into account results of the comparing by changing settings within a database access control module to deny the user future database access to an authorized database table or an authorized column that is not in the set of accessed database tables and accessed columns; and

a processor for executing the computer program modules.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Computer implemented methods, apparati, and computer-readable media for empirically adjusting access to a database (1). An apparatus embodiment comprises: coupled to the database (1), a database discovery module (11) for determining authorized accesses to the database (1); coupled to the database (1), a command monitoring module (12) for monitoring actual accesses to the database (1); and coupled to the database discovery module (11) and to the command monitoring module (12), an analysis module (13) for comparing actual accesses with authorized accesses.

Citations

20 Claims

1. An apparatus for empirically adjusting a user'"'"'s authorized access to a database, the apparatus comprising:
- a non-transitory computer-readable storage medium storing executable computer program modules comprising;
  
  a database discovery module configured to determine a structure of the database and the user'"'"'s authorized access to the database, the user'"'"'s authorized access including a set of authorized database tables and authorized columns;
  
  a command monitoring module configured to monitor the user'"'"'s actual accesses to the database until a preselected quantity of actual accesses have been observed, the user'"'"'s actual accesses including a set of accessed database tables and accessed columns; and
  
  an analysis module configured to compare the user'"'"'s actual accesses with the user'"'"'s authorized access and configured to adjust the user'"'"'s authorized access taking into account results of the comparing by changing settings within a database access control module to deny the user future database access to an authorized database table or an authorized column that is not in the set of accessed database tables and accessed columns; and
  
  a processor for executing the computer program modules.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The apparatus of claim 1 further comprising a storage area configured to accumulate data generated by the command monitoring module.
  - 3. The apparatus of claim 1 wherein the command monitoring module is a sniffer.
  - 4. The apparatus of claim 1 wherein the database is a relational database accessed by a structured query language.
  - 5. The apparatus of claim 1, wherein the preselected quantity of actual accesses is sufficiently large that all expected functionalities of applications accessing the database are exercised.

6. A computer-implemented method for empirically adjusting a user'"'"'s authorized access to a database, the method comprising the steps of:
- discovering the user'"'"'s authorized access to the database, the user'"'"'s authorized access including a set of authorized database tables and authorized columns;
  
  observing the user'"'"'s actual accesses to the database until a preselected quantity of actual accesses have been observed, the user'"'"'s actual accesses including a set of accessed database tables and accessed columns;
  
  comparing the user'"'"'s actual accesses with the user'"'"'s authorized access; and
  
  adjusting the user'"'"'s authorized database access taking into account results of the comparing step by changing settings within a database access control module of a computer-implemented database server to deny the user future database access to an authorized database table or an authorized column that is not in the set of accessed database tables and accessed columns.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14)
- - 7. The method of claim 6 further comprising the step of generating and storing at least one report based upon observing the user'"'"'s actual accesses to the database.
  - 8. The method of claim 6 wherein the discovering step uncovers any:
    - tables of the database;
      
      columns of the database;
      
      views of the database;
      
      stored procedures of the database;
      
      user-defined functions of the database; and
      
      triggers of the database.
  - 9. The method of claim 6 wherein the adjusting step further comprises at least one of:
    - suggesting revised database access control settings to a database administrator;
      
      automatically hardening the database for all times of day;
      
      automatically hardening the database selectively based on time of day;
      
      alerting a database administrator; and
      
      continuing to monitor the user'"'"'s accesses to the database after conclusion of the observing step.
  - 10. The method of claim 9 wherein the database is automatically hardened using standard SQL commands.
  - 11. The method of claim 9 wherein the database is automatically hardened using database specific application programming interfaces.
  - 12. The method of claim 6, further comprising:
    - storing data generated by the observing of the user'"'"'s actual accesses to the database in a storage area.
  - 13. The method of claim 6, further comprising:
    - generating a map of which tables and columns of the database were accessed during the observing.
  - 14. The method of claim 6, further comprising:
    - monitoring the user'"'"'s actual accesses to the database during an extended period occurring after the preselected quantity of actual accesses have been observed; and
      
      generating an alert in real time regarding the user'"'"'s actual accesses that are observed during the extended period that were not observed within the preselected quantity of the user'"'"'s actual accesses.

15. A non-transitory computer-readable medium containing executable computer program instructions configured to empirically adjust a user'"'"'s authorized access to a database, the computer program instructions performing the steps of:
- discovering the user'"'"'s authorized access to the database, the user'"'"'s authorized access including a set of authorized database tables and authorized columns;
  
  observing the user'"'"'s actual accesses to the database until a preselected quantity of actual accesses have been observed, the user'"'"'s actual accesses including a set of accessed database tables and accessed columns;
  
  comparing the user'"'"'s actual accesses with the user'"'"'s authorized access; and
  
  adjusting the user'"'"'s authorized database access taking into account results of the comparing step by changing settings within a database access control module of a computer-implemented database server to deny the user future database access to an authorized database table or an authorized column that is not in the set of accessed database tables and accessed columns.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer-readable medium of claim 15 further comprising the step of generating and storing at least one report based upon observing the user'"'"'s actual accesses to the database.
  - 17. The computer-readable medium of claim 15 wherein the discovering step uncovers any:
    - tables of the database;
      
      columns of the database;
      
      views of the database;
      
      stored procedures of the database;
      
      user-defined functions of the database; and
      
      triggers of the database.
  - 18. The computer-readable medium of claim 15 wherein the adjusting step further comprises at least one of:
    - suggesting revised database access control settings to a database administrator;
      
      automatically hardening the database for all times of day;
      
      automatically hardening the database selectively based on time of day;
      
      alerting a database administrator; and
      
      continuing to monitor the user'"'"'s accesses to the database after conclusion of the observing step.
  - 19. The computer-readable medium of claim 18 wherein the database is automatically hardened using standard SQL commands.
  - 20. The computer-readable medium of claim 18 wherein the database is automatically hardened using database specific application programming interfaces.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Seymour, Harlan, Satish, Sourabh, Yeh, Anne, Yeung, Benjamin
Primary Examiner(s)
LEWIS, ALICIA M

Application Number

US10/802,646
Time in Patent Office

3,101 Days
Field of Search

707781-783, 707/999.009
US Class Current

707/783
CPC Class Codes

G06F 16/9038 Presentation of query results

G06F 21/552 involving long-term monitor...

Empirical database access adjustment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Empirical database access adjustment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links