Multi-layer system for privacy enforcement and monitoring of suspicious data access behavior

US 8,701,191 B2
Filed: 02/26/2013
Issued: 04/15/2014
Est. Priority Date: 02/18/2005
Status: Active Grant

First Claim

Patent Images

1. A method for controlling data access in a database, the method comprising:

receiving a request for data at an application layer of a database, the database comprising the application layer, a table layer, and a file layer, and the requested data residing in one or more data files stored at the file layer;

responsive to the received data request, performing, by a processing system, a first intrusion detection analysis at the application layer to determine whether the received data request comprises an application layer intrusion;

responsive to a determination that the received data request does not comprise an application layer intrusion, performing, by the processing system, a second intrusion detection analysis at the table layer to determine whether the received data request comprises a table layer intrusion;

responsive to a determination that the received data request does not comprise a table layer intrusion, performing, by the processing system, a third intrusion detection analysis at the file layer to determine whether the received data request comprises a file layer intrusion; and

granting access to the requested data in response to a determination that the received data request does not comprise a file layer intrusion.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for controlling data access in a data-at-rest system includes executing a link intrusion prevention analysis between multiple layers of the data-at-rest system (for instance, at an application layer and a file layer), introducing a privacy policy at enforcement points that span multiple system layers, and dynamically altering the privacy policy.

23 Citations

View as Search Results

21 Claims

1. A method for controlling data access in a database, the method comprising:
- receiving a request for data at an application layer of a database, the database comprising the application layer, a table layer, and a file layer, and the requested data residing in one or more data files stored at the file layer;
  
  responsive to the received data request, performing, by a processing system, a first intrusion detection analysis at the application layer to determine whether the received data request comprises an application layer intrusion;
  
  responsive to a determination that the received data request does not comprise an application layer intrusion, performing, by the processing system, a second intrusion detection analysis at the table layer to determine whether the received data request comprises a table layer intrusion;
  
  responsive to a determination that the received data request does not comprise a table layer intrusion, performing, by the processing system, a third intrusion detection analysis at the file layer to determine whether the received data request comprises a file layer intrusion; and
  
  granting access to the requested data in response to a determination that the received data request does not comprise a file layer intrusion.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising dynamically adjusting a privacy policy at the application layer, the table layer, or the file layer.
  - 3. The method of claim 2, wherein dynamically adjusting a privacy policy comprises modifying the protection of data at the application layer, the table layer, or the file layer.
  - 4. The method of claim 2, wherein the privacy policy is dynamically adjusted based on a result of the intrusion detection analysis performed at the application layer, the table layer, or the file layer.
  - 5. The method of claim 1, further comprising:
    - responsive to a determination that the data request comprises an application layer intrusion, a table layer intrusion, or a file layer intrusion, performing one or more of the following actions;
      
      blocking the data request, alerting a system administrator, and allowing the data request.
  - 6. The method of claim 1, wherein the request for data is received from a user associated with an access history, and wherein performing a first intrusion detection analysis at the application layer comprises:
    - determining a user role associated with the user, the user role associated with a first access criterion at the application layer; and
      
      comparing, at the application layer, the user'"'"'s access history to the first access criterion to determine whether the query comprises an application layer intrusion.
  - 7. The method of claim 6, wherein the user role is further associated with a second access criterion at the table layer, and wherein performing a second intrusion detection analysis at the table layer comprises:
    - comparing, at the table layer, the user'"'"'s access history to the second access criterion to determine whether the query comprises a table layer intrusion.
  - 8. The method of claim 7, wherein the user role is further associated with a third access criterion at the file layer, and wherein performing a third intrusion detection analysis at the file layer comprises:
    - comparing, at the file layer, the user'"'"'s access history to the third access criterion to determine whether the query comprises a file layer intrusion.
  - 9. The method of claim 8, wherein the first, second, and third access criteria each comprise at least one of:
    - session authorization, session authentication, session encryption, password integrity, software integrity, application data integrity, database metadata integrity, security software integrity, time of day, and signature rules.

10. A non-transitory computer-readable storage medium containing instructions for causing a computer to perform steps comprising:
- receiving a request for data at an application layer of a database, the database comprising the application layer, a table layer, and a file layer, and the requested data residing in one or more data files stored at the file layer;
  
  responsive to the received data request, performing a first intrusion detection analysis at the application layer to determine whether the received data request comprises an application layer intrusion;
  
  responsive to a determination that the received data request does not comprise an application layer intrusion, performing a second intrusion detection analysis at the table layer to determine whether the received data request comprises a table layer intrusion;
  
  responsive to a determination that the received data request does not comprise a table layer intrusion, performing a third intrusion detection analysis at the file layer to determine whether the received data request comprises a file layer intrusion; and
  
  granting access to the requested data in response to a determination that the received data request does not comprise a file layer intrusion.
- View Dependent Claims (11, 12, 13)
- - 11. The computer-readable storage medium of claim 10, wherein the request for data is received from a user associated with an access history, and wherein performing a first intrusion detection analysis at the application layer comprises:
    - determining a user role associated with the user, the user role associated with a first access criterion at the application layer; and
      
      comparing, at the application layer, the user'"'"'s access history to the first access criterion to determine whether the query comprises an application layer intrusion.
  - 12. The computer-readable storage medium of claim 11, wherein the user role is further associated with a second access criterion at the table layer, and wherein performing a second intrusion detection analysis at the table layer comprises:
    - comparing, at the table layer, the user'"'"'s access history to the second access criterion to determine whether the query comprises a table layer intrusion.
  - 13. The computer-readable storage medium of claim 12, wherein the user role is further associated with a third access criterion at the file layer, and wherein performing a third intrusion detection analysis at the file layer comprises:
    - comparing, at the file layer, the user'"'"'s access history to the third access criterion to determine whether the query comprises a file layer intrusion.

14. A system comprising:
- a non-transitory computer-readable storage medium containing instructions for causing a computer to perform steps comprising;
  
  receiving a request for data at an application layer of a database, the database comprising the application layer, a table layer, and a file layer, and the requested data residing in one or more data files stored at the file layer;
  
  responsive to the received data request, performing a first intrusion detection analysis at the application layer to determine whether the received data request comprises an application layer intrusion;
  
  responsive to a determination that the received data request does not comprise an application layer intrusion, performing a second intrusion detection analysis at the table layer to determine whether the received data request comprises a table layer intrusion;
  
  responsive to a determination that the received data request does not comprise a table layer intrusion, performing a third intrusion detection analysis at the file layer to determine whether the received data request comprises a file layer intrusion; and
  
  granting access to the requested data in response to a determination that the received data request does not comprise a file layer intrusion; and
  
  a processor configured to execute the instructions.
- View Dependent Claims (15, 16, 17)
- - 15. The system of claim 14, wherein the request for data is received from a user associated with an access history, and wherein performing a first intrusion detection analysis at the application layer comprises:
    - determining a user role associated with the user, the user role associated with a first access criterion at the application layer; and
      
      comparing, at the application layer, the user'"'"'s access history to the first access criterion to determine whether the query comprises an application layer intrusion.
  - 16. The system of claim 15, wherein the user role is further associated with a second access criterion at the table layer, and wherein performing a second intrusion detection analysis at the table layer comprises:
    - comparing, at the table layer, the user'"'"'s access history to the second access criterion to determine whether the query comprises a table layer intrusion.
  - 17. The system of claim 16, wherein the user role is further associated with a third access criterion at the file layer, and wherein performing a third intrusion detection analysis at the file layer comprises:
    - comparing, at the file layer, the user'"'"'s access history to the third access criterion to determine whether the query comprises a file layer intrusion.

18. A method for controlling data access in a database, the method comprising:
- receiving a request for data at an application layer of a database, the database comprising the application layer, a table layer, and a file layer, and the requested data residing in one or more data files stored at the file layer;
  
  responsive to the received data request, performing, by a processing system, a first intrusion detection analysis at the table layer to determine whether the received data request comprises a table layer intrusion;
  
  responsive to a determination that the received data request does not comprise a table layer intrusion, performing, by the processing system, a second intrusion detection analysis at the file layer to determine whether the received data request comprises a file layer intrusion; and
  
  granting access to the requested data in response to a determination that the received data request does not comprise a file layer intrusion.

19. A system comprising:
- a non-transitory computer-readable storage medium containing instructions for causing a computer to perform steps comprising;
  
  receiving a request for data at an application layer of a database, the database comprising the application layer, a table layer, and a file layer, and the requested data residing in one or more data files stored at the file layer;
  
  responsive to the received data request, performing a first intrusion detection analysis at the table layer to determine whether the received data request comprises a table layer intrusion;
  
  responsive to a determination that the received data request does not comprise a table layer intrusion, performing a second intrusion detection analysis at the file layer to determine whether the received data request comprises a file layer intrusion; and
  
  granting access to the requested data in response to a determination that the received data request does not comprise a file layer intrusion; and
  
  a processor configured to execute the instructions.

20. A method for controlling data access in a database, the method comprising:
- receiving a request for data at an application layer of a database, the database comprising the application layer, a table layer, and a file layer, and the requested data residing in one or more data files stored at the file layer;
  
  responsive to the received data request, performing, by a processing system, a first intrusion detection analysis at the application layer to determine whether the received data request comprises an application layer intrusion;
  
  responsive to a determination that the received data request does not comprise an application layer intrusion, performing, by the processing system, a second intrusion detection analysis at the table layer to determine whether the received data request comprises a table layer intrusion; and
  
  granting access to the requested data in response to a determination that the received data request does not comprise a table layer intrusion.

21. A method for controlling data access in a database, the method comprising:
- receiving a request for data at an application layer of a database, the database comprising the application layer, a table layer, and a file layer, and the requested data residing in one or more data files stored at the file layer;
  
  performing, by a processing system, a first intrusion detection analysis at the application layer to determine whether the received data request comprises an application layer intrusion;
  
  performing, by the processing system, a second intrusion detection analysis at the table layer to determine whether the received data request comprises a table layer intrusion;
  
  performing, by the processing system, a third intrusion detection analysis at the file layer to determine whether the received data request comprises a file layer intrusion; and
  
  granting access to the requested data in response to a determination that the received data request does not comprise an application layer intrusion, a table layer intrusion, or file layer intrusion.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Protegrity USA, Inc. (Xcelera Inc.)
Original Assignee
Protegrity USA, Inc. (Xcelera Inc.)
Inventors
Mattsson, Ulf
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
AMORIN, CARLOS E

Application Number

US13/778,060
Publication Number

US 20130174215A1
Time in Patent Office

413 Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/60   Protecting data

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

G06F 21/6245   Protecting personal data, e...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/1433   Vulnerability analysis

Multi-layer system for privacy enforcement and monitoring of suspicious data access behavior

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

23 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

Multi-layer system for privacy enforcement and monitoring of suspicious data access behavior

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others