Monitoring and reporting of data access behavior of authorized database users

US 8,566,956 B2
Filed: 12/06/2010
Issued: 10/22/2013
Est. Priority Date: 06/23/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of monitoring user activity in a database system comprising a processor and a memory element, the method comprising:

maintaining, by the processor and the memory element, a plurality of different daily scores for a plurality of different monitored data access events, resulting in a set of daily scores for a user, wherein each of the monitored data access events has a respective one of the daily scores associated therewith, and wherein each of the monitored data access events is associated with user access to a respective data object maintained by the database system;

detecting, by the processor, occurrences of the monitored data access events associated with the user accessing data objects maintained by the database system;

recording, by the processor, the occurrences of the monitored data access events, resulting in recorded events;

in response to each recorded event, adjusting the set of daily scores for the user to obtain an updated set of daily scores for the user, wherein adjusting the set of daily scores is performed by the processor;

calculating an aggregate daily score from the updated set of daily scores, wherein the aggregate daily score indicates risk sensitivity of the monitored data access events;

comparing, by the processor, the aggregate daily score to a corresponding threshold score defined by a scoring profile maintained for the user; and

initiating, by the processor, a course of action when the aggregate daily score diverges from the corresponding threshold score.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented system and method of monitoring data access activity of a user of a system is presented here. The method maintains a respective score for each of a plurality of monitored data access events, resulting in a set of scores for the user. The method continues by monitoring behavior of the user to detect occurrences of the monitored data access events, and updating the set of scores in response to detected occurrences of the monitored data access events. The method initiates an appropriate course of action when the updated set of scores is indicative of unauthorized, suspicious, or illegitimate data access activity.

Citations

13 Claims

1. A computer-implemented method of monitoring user activity in a database system comprising a processor and a memory element, the method comprising:
- maintaining, by the processor and the memory element, a plurality of different daily scores for a plurality of different monitored data access events, resulting in a set of daily scores for a user, wherein each of the monitored data access events has a respective one of the daily scores associated therewith, and wherein each of the monitored data access events is associated with user access to a respective data object maintained by the database system;
  
  detecting, by the processor, occurrences of the monitored data access events associated with the user accessing data objects maintained by the database system;
  
  recording, by the processor, the occurrences of the monitored data access events, resulting in recorded events;
  
  in response to each recorded event, adjusting the set of daily scores for the user to obtain an updated set of daily scores for the user, wherein adjusting the set of daily scores is performed by the processor;
  
  calculating an aggregate daily score from the updated set of daily scores, wherein the aggregate daily score indicates risk sensitivity of the monitored data access events;
  
  comparing, by the processor, the aggregate daily score to a corresponding threshold score defined by a scoring profile maintained for the user; and
  
  initiating, by the processor, a course of action when the aggregate daily score diverges from the corresponding threshold score.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein:
    - the database system comprises a multi-tenant customer relationship management (CRM) system; and
      
      the user is an authenticated user of the multi-tenant CRM system.
  - 3. The method of claim 1, further comprising deriving, by the processor, the scoring profile from historical data access behavior of the user.
  - 4. The method of claim 1, further comprising deriving, by the processor, the scoring profile from collective historical data access behavior of a peer group of the user.
  - 5. The method of claim 1, further comprising dynamically updating the scoring profile in response to ongoing data access behavior of the user, wherein the dynamically updating is performed by the processor.

6. A computer-implemented method of monitoring data access activity of a user of a database system comprising a processor and a memory element, the method comprising:
- maintaining, by the processor and the memory element, a plurality of different daily scores including a respective daily score for each of a plurality of monitored data access events, resulting in a set of daily scores for the user, wherein each of the monitored data access events is associated with user access to a respective data object maintained by the database system;
  
  monitoring, by the processor, behavior of the user to detect occurrences of the monitored data access events;
  
  updating, by the processor, the set of daily scores in response to detected occurrences of the monitored data access events, resulting in an updated set of daily scores;
  
  calculating an aggregate daily score from the updated set of daily scores, wherein the aggregate daily score indicates risk sensitivity of the monitored data access events;
  
  initiating, by the processor, a course of action when the updated set of scores is indicative of unauthorized data access activity.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The method of claim 6, further comprising recording, by the processor, the detected occurrences of the monitored data access events, along with application data linked with the detected occurrences of the monitored data access events.
  - 8. The method of claim 6, further comprising comparing, by the processor, the aggregate daily score to a corresponding threshold score defined by a nominal event activity profile associated with the user, wherein initiating the course of action is performed when the aggregate daily score diverges from the corresponding threshold score by at least a threshold amount.
  - 9. The method of claim 8, further comprising deriving, by the processor, the nominal event activity profile from historical data access behavior of the user.
  - 10. The method of claim 6, wherein the course of action comprises an action selected from the group consisting of:
    - generating a security alert;
      
      sending a warning message to a supervisor of the user;
      
      limiting data access rights of the user;
      
      implementing enhanced security measures for the user;
      
      logging the user out of the system;
      
      notifying the human resources department; and
      
      printing a report.
  - 11. The method of claim 6, wherein the monitored data access events comprise events selected from the group consisting of:
    - viewing a record;
      
      exporting a record;
      
      deleting a record;
      
      printing a record;
      
      emailing a record;
      
      preparing a list of records; and
      
      downloading a record.

12. A database system comprising:
- one or more processors;
  
  a data storage system coupled to the one or more processors to store data objects accessible by a user;
  
  a data access monitor implemented by the one or more processors and operatively associated with the data storage system, wherein the data access monitor checks activity of the user associated with access to the data objects stored by the database;
  
  a scoring engine implemented by the one or more processors and operatively associated with the data access monitor, wherein the scoring engine maintains a plurality of different daily scores as a set of daily scores for a plurality of monitored data access events, wherein each of the monitored data access events has a respective one of the daily scores associated therewith, wherein each of the monitored data access events is associated with user access to a respective one of the data objects stored by the data storage system, and wherein the scoring engine calculates an aggregate daily score from the set of daily scores, such that the aggregate daily score indicates risk sensitivity of the monitored data access events;
  
  a decision engine implemented by the one or more processors and operatively associated with the scoring engine, wherein the decision engine compares the aggregate daily score to a corresponding threshold score defined by a nominal event activity profile for the user; and
  
  a response initiator implemented by the one or more processors and operatively associated with the decision engine, wherein the response initiator initiates at least one security measure when the decision engine determines that the aggregate daily score diverges from the corresponding threshold score by at least a threshold amount.
- View Dependent Claims (13)
- - 13. The database system of claim 12, wherein the nominal event activity profile is derived from historical data access behavior of the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Slater, Steve
Primary Examiner(s)
Yalew, Fikremariam A

Application Number

US12/961,020
Publication Number

US 20110321175A1
Time in Patent Office

1,051 Days
Field of Search

None
US Class Current

726/28
CPC Class Codes

G06F 21/552 involving long-term monitor...

H04L 63/1416 Event detection, e.g. attac...

Monitoring and reporting of data access behavior of authorized database users

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Monitoring and reporting of data access behavior of authorized database users

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links