Method for monitoring stored procedures

US 8,453,255 B2
Filed: 09/27/2011
Issued: 05/28/2013
Est. Priority Date: 09/13/2006
Status: Active Grant

First Claim

Patent Images

1. A method performed by a computer system having a processor and a memory coupled to the processor, comprising:

generating table access data for a stored procedure of a database, the generating comprising;

determining from a data dictionary a list of table names on which the stored procedure depends;

for each of the table names in the list, detecting a table access operation command in a Structured Query Language (SQL) statement to be performed on that table in a source code of the stored procedure; and

saving as the table access data a correspondence of the detected table access operation commands and the table names for the stored procedure; and

transmitting the table access data to a secure gateway configured to, responsive to receipt of a transaction submitted by a client that invokes the stored procedure, use the table access data to monitor access through the stored procedure to the tables.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for monitoring stored procedures is disclosed. The method performs on-line and inline monitoring of stored procedures for detecting table access operations performed by the procedures. This allows the enforcing of access control policies, correlation rules and audit rules on stored procedures. The monitoring is performed using mapping information gathered about each stored procedure that can be executed by a database server. The method comprises parsing an incoming transaction submitted by a client; determining whether the incoming transaction includes an invocation of a stored procedure; obtaining a query group corresponding to the stored procedure; applying an access control policy on the query group; and asserting an unauthorized event if the query group is not compliant with the access control policy.

Citations

22 Claims

1. A method performed by a computer system having a processor and a memory coupled to the processor, comprising:
- generating table access data for a stored procedure of a database, the generating comprising;
  
  determining from a data dictionary a list of table names on which the stored procedure depends;
  
  for each of the table names in the list, detecting a table access operation command in a Structured Query Language (SQL) statement to be performed on that table in a source code of the stored procedure; and
  
  saving as the table access data a correspondence of the detected table access operation commands and the table names for the stored procedure; and
  
  transmitting the table access data to a secure gateway configured to, responsive to receipt of a transaction submitted by a client that invokes the stored procedure, use the table access data to monitor access through the stored procedure to the tables.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising:
    - determining that a stored procedure was added to the database;
      
      generating table access data for the added stored procedure; and
      
      transmitting the generated table access data for the added stored procedure to the secure gateway.
  - 3. The method of claim 1, further comprising:
    - receiving, from the secure gateway, a command for generating a stored procedure, wherein the command was submitted by a client to the database;
      
      generating table access data for the received stored procedure; and
      
      transmitting the generated table access data for the received stored procedure to the secure gateway.
  - 4. The method of claim 1, wherein the table access data for the stored procedure further includes table access data of a second stored procedure, wherein the second stored procedure is invoked by the stored procedure.
  - 5. The method of claim 1, wherein the correspondence of the detected table access operation commands and the table names for the stored procedure includes a plurality of table access operation commands.
  - 6. The method of claim 5, wherein at least two of the plurality of table access operation commands correspond to one table name.

7. A non-transitory computer readable storage medium that provides instructions that, when executed by a processor of a computer system, will cause the computer system to perform operations comprising:
- generating table access data for a stored procedure of a database, the generating comprising;
  
  determining from a data dictionary a list of table names on which the stored procedure depends;
  
  for each of the table names in the list, detecting a table access operation command in a Structured Query Language (SQL) statement to be performed on that table in a source code of the stored procedure; and
  
  saving as the table access data a correspondence of the detected table access operation commands and the table names for the stored procedure; and
  
  transmitting the table access data to a secure gateway configured to, responsive to receipt of a transaction submitted by a client that invokes the stored procedure, use the table access data to monitor access through the stored procedure to the tables.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The non-transitory computer readable storage medium of claim 7, wherein the instructions are further adapted to enable a computer system to perform operations comprising:
    - determining that a stored procedure was added to the database;
      
      generating table access data for the added stored procedure; and
      
      transmitting the generated table access data for the added stored procedure to the secure gateway.
  - 9. The non-transitory computer readable storage medium of claim 7, wherein the instructions are further adapted to enable a computer system to perform operations comprising:
    - receiving, from the secure gateway, a command for generating a stored procedure, wherein the command was submitted by a client to the database;
      
      generating table access data for the received stored procedure; and
      
      transmitting the generated table access data for the received stored procedure to the secure gateway.
  - 10. The non-transitory computer readable storage medium of claim 7, wherein the table access data for the stored procedure further includes table access data of a second stored procedure, wherein the second stored procedure is invoked by the stored procedure.
  - 11. The non-transitory computer readable storage medium of claim 7, wherein the correspondence of the detected table access operation commands and the table names for the stored procedure includes a plurality of table access operation commands.
  - 12. The non-transitory computer readable storage medium of claim 11, wherein at least two of the plurality of table access operation commands correspond to one table name.

13. A method performed by a computer system having a processor and a memory coupled to the processor for generating table access data for a stored procedure of a database, wherein the stored procedure includes table access operation commands in one or more Structured Query Language (SQL) statements to be performed on tables of the database, wherein the tables have table names, the method comprising:
- opening a connection to the database;
  
  sending a command to the database to cause it to run an execution plan for the stored procedure to generate a report, wherein the execution plan indicates how the database plans to execute the stored procedure;
  
  receiving the report from the database;
  
  generating the table access data from the report, the table access data storing a correspondence of the table access operation commands to the table names within the stored procedure; and
  
  transmitting the table access data to a secure gateway configured to, responsive to receipt of transactions submitted by clients that invoke the stored procedure, use the table access data to monitor access through the stored procedure to the tables.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The method of claim 13, further comprising monitoring the database for the addition of one or more new stored procedures.
  - 15. The method of claim 13, wherein the table access data for the stored procedure further includes table access data of a second stored procedure, wherein the second stored procedure is invoked by the stored procedure.
  - 16. The method of claim 13, wherein the correspondence of the table access operation commands and the table names for the stored procedure includes a plurality of table access operation commands.
  - 17. The method of claim 16, wherein at least two of the plurality of table access operation commands correspond to one table name.

18. A non-transitory computer-readable storage medium storing instructions for a processor of a processing device, which, when executed by the processor, cause the processor to generate table access data for a stored procedure of a database, wherein the stored procedure includes table access operation commands in one or more Structured Query Language (SQL) statements to be performed on tables of the database, wherein the tables have table names, by performing operations comprising:
- opening a connection to the database;
  
  sending a command to the database to cause it to run an execution plan for the stored procedure to generate a report, wherein the execution plan indicates how the database plans to execute the stored procedure;
  
  receiving the report from the database;
  
  generating the table access data from the report, the table access data storing a correspondence of the table access operation commands to the table names within the stored procedure; and
  
  transmitting the table access data to a secure gateway configured to, responsive to receipt of transactions submitted by clients that invoke the stored procedure, use the table access data to monitor access through the stored procedure to the tables.
- View Dependent Claims (19, 20, 21, 22)
- - 19. The non-transitory computer-readable storage medium of claim 18, wherein the instructions further cause the processor to perform the following operation:
    - monitoring the database for the addition of one or more new stored procedures.
  - 20. The non-transitory computer-readable storage medium of claim 18, wherein the table access data for the stored procedure further includes table access data of a second stored procedure, wherein the second stored procedure is invoked by the stored procedure.
  - 21. The non-transitory computer-readable storage medium of claim 18, wherein the correspondence of the table access operation commands and the table names for the stored procedure includes a plurality of table access operation commands.
  - 22. The non-transitory computer-readable storage medium of claim 21, wherein at least two of the plurality of table access operation commands correspond to one table name.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Imperva Incorporated (Thales SA)
Original Assignee
Imperva Incorporated (Thales SA)
Inventors
Shulman, Amichai, Ryterski, Tal
Primary Examiner(s)
CHEN, SHIN HON

Application Number

US13/245,913
Publication Number

US 20120023132A1
Time in Patent Office

609 Days
Field of Search

None
US Class Current

726/27
CPC Class Codes

G06F 16/2443   Stored procedures

G06F 21/552   involving long-term monitor...

G06F 21/6281   at program execution time, ...

Method for monitoring stored procedures

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Method for monitoring stored procedures

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links