Monitoring and reporting of data access behavior of authorized database users
Abstract
A computer-implemented system and method of monitoring data access activity of a user of a system is presented here. The method maintains a respective score for each of a plurality of monitored data access events, resulting in a set of scores for the user. The method continues by monitoring behavior of the user to detect occurrences of the monitored data access events, and updating the set of scores in response to detected occurrences of the monitored data access events. The method initiates an appropriate course of action when the updated set of scores is indicative of unauthorized, suspicious, or illegitimate data access activity.
13 Claims
1. A computer-implemented method of monitoring user activity in a database system comprising a processor and a memory element, the method comprising:
maintaining, by the processor and the memory element, a plurality of different daily scores for a plurality of different monitored data access events, resulting in a set of daily scores for a user, wherein each of the monitored data access events has a respective one of the daily scores associated therewith, and wherein each of the monitored data access events is associated with user access to a respective data object maintained by the database system;
detecting, by the processor, occurrences of the monitored data access events associated with the user accessing data objects maintained by the database system;
recording, by the processor, the occurrences of the monitored data access events, resulting in recorded events;
in response to each recorded event, adjusting the set of daily scores for the user to obtain an updated set of daily scores for the user, wherein adjusting the set of daily scores is performed by the processor;
calculating an aggregate daily score from the updated set of daily scores, wherein the aggregate daily score indicates risk sensitivity of the monitored data access events;
comparing, by the processor, the aggregate daily score to a corresponding threshold score defined by a scoring profile maintained for the user; and
initiating, by the processor, a course of action when the aggregate daily score diverges from the corresponding threshold score.
6. A computer-implemented method of monitoring data access activity of a user of a database system comprising a processor and a memory element, the method comprising:
maintaining, by the processor and the memory element, a plurality of different daily scores including a respective daily score for each of a plurality of monitored data access events, resulting in a set of daily scores for the user, wherein each of the monitored data access events is associated with user access to a respective data object maintained by the database system;
monitoring, by the processor, behavior of the user to detect occurrences of the monitored data access events;
updating, by the processor, the set of daily scores in response to detected occurrences of the monitored data access events, resulting in an updated set of daily scores;
calculating an aggregate daily score from the updated set of daily scores, wherein the aggregate daily score indicates risk sensitivity of the monitored data access events;
initiating, by the processor, a course of action when the updated set of scores is indicative of unauthorized data access activity.
12. A database system comprising:
one or more processors;
a data storage system coupled to the one or more processors to store data objects accessible by a user;
a data access monitor implemented by the one or more processors and operatively associated with the data storage system, wherein the data access monitor checks activity of the user associated with access to the data objects stored by the database;
a scoring engine implemented by the one or more processors and operatively associated with the data access monitor, wherein the scoring engine maintains a plurality of different daily scores as a set of daily scores for a plurality of monitored data access events, wherein each of the monitored data access events has a respective one of the daily scores associated therewith, wherein each of the monitored data access events is associated with user access to a respective one of the data objects stored by the data storage system, and wherein the scoring engine calculates an aggregate daily score from the set of daily scores, such that the aggregate daily score indicates risk sensitivity of the monitored data access events;
a decision engine implemented by the one or more processors and operatively associated with the scoring engine, wherein the decision engine compares the aggregate daily score to a corresponding threshold score defined by a nominal event activity profile for the user; and
a response initiator implemented by the one or more processors and operatively associated with the decision engine, wherein the response initiator initiates at least one security measure when the decision engine determines that the aggregate daily score diverges from the corresponding threshold score by at least a threshold amount.
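A minimal sketch of the flow recited in claims 1 and 12, added here as an illustration and not taken from the patent: per-event daily scores are adjusted on each recorded event, aggregated, and compared to the threshold in the user's profile. The event names, weights, profile values, the weighted-sum aggregate and the upward-only divergence rule are all assumptions.

```python
from collections import defaultdict

# Assumed risk-sensitivity weights per monitored event type (hypothetical names).
RISK_WEIGHT = {"view_record": 1.0, "export_report": 4.0, "bulk_query": 6.0}

# Assumed scoring profiles: nominal aggregate daily score and tolerated margin.
PROFILES = {
    "alice": {"threshold": 20.0, "margin": 10.0},
    "bob": {"threshold": 5.0, "margin": 5.0},
}
DEFAULT_PROFILE = {"threshold": 0.0, "margin": 5.0}  # users with no baseline yet


def aggregate(daily_scores):
    """Risk-weighted sum of one user's per-event daily scores."""
    return sum(RISK_WEIGHT.get(ev, 1.0) * n for ev, n in daily_scores.items())


def monitor(events):
    """Replay (day, user, event_type) records and return the alerts raised.

    Scores are adjusted on every recorded event and kept per day, and the
    aggregate is compared to the user's profile right after each adjustment,
    so each alert names the event that pushed the user over.
    """
    scores = defaultdict(lambda: defaultdict(float))  # (day, user) -> event -> score
    alerted, alerts = set(), []
    for day, user, event_type in events:
        key = (day, user)
        scores[key][event_type] += 1.0
        profile = PROFILES.get(user, DEFAULT_PROFILE)
        total = aggregate(scores[key])
        # Only upward divergence triggers a response here (an assumption).
        if total - profile["threshold"] >= profile["margin"] and key not in alerted:
            alerted.add(key)  # one alert per user per day
            alerts.append({"day": day, "user": user,
                           "trigger": event_type, "aggregate": total})
    return alerts


# Constructed audit records, not taken from the patent.
SAMPLE = (
    [("2024-05-01", "alice", "view_record")] * 12
    + [("2024-05-01", "bob", "view_record")] * 4
    + [("2024-05-01", "bob", "bulk_query")]
    + [("2024-05-01", "alice", "export_report")] * 5
    + [("2024-05-02", "bob", "view_record")] * 4
)
```

On the constructed sample, bob's single bulk query and alice's fifth export are the events that raise alerts; bob's second day starts from an empty score set and stays below his threshold.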
Specification