Multi-layer system for privacy enforcement and monitoring of suspicious data access behavior
First Claim
Patent Images
1. A method for controlling data access in a database, the method comprising:
- receiving a request for data at an application layer of a database, the database comprising the application layer, a table layer, and a file layer, and the requested data residing in one or more data files stored at the file layer;
responsive to the received data request, performing, by a processing system, a first intrusion detection analysis at the application layer to determine whether the received data request comprises an application layer intrusion;
responsive to a determination that the received data request does not comprise an application layer intrusion, performing, by the processing system, a second intrusion detection analysis at the table layer to determine whether the received data request comprises a table layer intrusion;
responsive to a determination that the received data request does not comprise a table layer intrusion, performing, by the processing system, a third intrusion detection analysis at the file layer to determine whether the received data request comprises a file layer intrusion; and
granting access to the requested data in response to a determination that the received data request does not comprise a file layer intrusion.
0 Assignments
0 Petitions
Accused Products
Abstract
A method for controlling data access in a data-at-rest system includes executing a link intrusion prevention analysis between multiple layers of the data-at-rest system (for instance, at an application layer and a file layer), introducing a privacy policy at enforcement points that span multiple system layers, and dynamically altering the privacy policy.
23 Citations
21 Claims
-
1. A method for controlling data access in a database, the method comprising:
-
receiving a request for data at an application layer of a database, the database comprising the application layer, a table layer, and a file layer, and the requested data residing in one or more data files stored at the file layer; responsive to the received data request, performing, by a processing system, a first intrusion detection analysis at the application layer to determine whether the received data request comprises an application layer intrusion; responsive to a determination that the received data request does not comprise an application layer intrusion, performing, by the processing system, a second intrusion detection analysis at the table layer to determine whether the received data request comprises a table layer intrusion; responsive to a determination that the received data request does not comprise a table layer intrusion, performing, by the processing system, a third intrusion detection analysis at the file layer to determine whether the received data request comprises a file layer intrusion; and granting access to the requested data in response to a determination that the received data request does not comprise a file layer intrusion. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
-
10. A non-transitory computer-readable storage medium containing instructions for causing a computer to perform steps comprising:
-
receiving a request for data at an application layer of a database, the database comprising the application layer, a table layer, and a file layer, and the requested data residing in one or more data files stored at the file layer; responsive to the received data request, performing a first intrusion detection analysis at the application layer to determine whether the received data request comprises an application layer intrusion; responsive to a determination that the received data request does not comprise an application layer intrusion, performing a second intrusion detection analysis at the table layer to determine whether the received data request comprises a table layer intrusion; responsive to a determination that the received data request does not comprise a table layer intrusion, performing a third intrusion detection analysis at the file layer to determine whether the received data request comprises a file layer intrusion; and granting access to the requested data in response to a determination that the received data request does not comprise a file layer intrusion. - View Dependent Claims (11, 12, 13)
-
-
14. A system comprising:
-
a non-transitory computer-readable storage medium containing instructions for causing a computer to perform steps comprising; receiving a request for data at an application layer of a database, the database comprising the application layer, a table layer, and a file layer, and the requested data residing in one or more data files stored at the file layer; responsive to the received data request, performing a first intrusion detection analysis at the application layer to determine whether the received data request comprises an application layer intrusion; responsive to a determination that the received data request does not comprise an application layer intrusion, performing a second intrusion detection analysis at the table layer to determine whether the received data request comprises a table layer intrusion; responsive to a determination that the received data request does not comprise a table layer intrusion, performing a third intrusion detection analysis at the file layer to determine whether the received data request comprises a file layer intrusion; and granting access to the requested data in response to a determination that the received data request does not comprise a file layer intrusion; and a processor configured to execute the instructions. - View Dependent Claims (15, 16, 17)
-
-
18. A method for controlling data access in a database, the method comprising:
-
receiving a request for data at an application layer of a database, the database comprising the application layer, a table layer, and a file layer, and the requested data residing in one or more data files stored at the file layer; responsive to the received data request, performing, by a processing system, a first intrusion detection analysis at the table layer to determine whether the received data request comprises a table layer intrusion; responsive to a determination that the received data request does not comprise a table layer intrusion, performing, by the processing system, a second intrusion detection analysis at the file layer to determine whether the received data request comprises a file layer intrusion; and granting access to the requested data in response to a determination that the received data request does not comprise a file layer intrusion.
-
-
19. A system comprising:
-
a non-transitory computer-readable storage medium containing instructions for causing a computer to perform steps comprising; receiving a request for data at an application layer of a database, the database comprising the application layer, a table layer, and a file layer, and the requested data residing in one or more data files stored at the file layer; responsive to the received data request, performing a first intrusion detection analysis at the table layer to determine whether the received data request comprises a table layer intrusion; responsive to a determination that the received data request does not comprise a table layer intrusion, performing a second intrusion detection analysis at the file layer to determine whether the received data request comprises a file layer intrusion; and granting access to the requested data in response to a determination that the received data request does not comprise a file layer intrusion; and a processor configured to execute the instructions.
-
-
20. A method for controlling data access in a database, the method comprising:
-
receiving a request for data at an application layer of a database, the database comprising the application layer, a table layer, and a file layer, and the requested data residing in one or more data files stored at the file layer; responsive to the received data request, performing, by a processing system, a first intrusion detection analysis at the application layer to determine whether the received data request comprises an application layer intrusion; responsive to a determination that the received data request does not comprise an application layer intrusion, performing, by the processing system, a second intrusion detection analysis at the table layer to determine whether the received data request comprises a table layer intrusion; and granting access to the requested data in response to a determination that the received data request does not comprise a table layer intrusion.
-
-
21. A method for controlling data access in a database, the method comprising:
-
receiving a request for data at an application layer of a database, the database comprising the application layer, a table layer, and a file layer, and the requested data residing in one or more data files stored at the file layer; performing, by a processing system, a first intrusion detection analysis at the application layer to determine whether the received data request comprises an application layer intrusion; performing, by the processing system, a second intrusion detection analysis at the table layer to determine whether the received data request comprises a table layer intrusion; performing, by the processing system, a third intrusion detection analysis at the file layer to determine whether the received data request comprises a file layer intrusion; and granting access to the requested data in response to a determination that the received data request does not comprise an application layer intrusion, a table layer intrusion, or file layer intrusion.
-
Specification