Evaluating security of data access statements

US 9,680,830 B2
Filed: 03/24/2014
Issued: 06/13/2017
Est. Priority Date: 03/27/2013
Status: Active Grant

First Claim

Patent Images

1. An apparatus for evaluating data access statements with respect to database security and protecting, an automated database, comprising:

a plurality of processors;

a non-transitory computer readable storage medium (CRSM) coupled to the plurality of processors; and

computer code, stored on the CRSM and executed on the plurality of processors, the code comprising for;

evaluating a criticality of two or more SQL statements, each statement from a different session of two or more sessions accessing a database, from a first computing system, a database implemented on a data server;

generating, on the data server, a critical item set based upon the evaluated criticality of the two or more SQL statements from the two or more sessions, each element in the critical item set indicating one or more SQL statements contained in a session of the two or more sessions,extracting at least one association rule from the critical item set, each of the at least one association rule indicating a sequence of SQL statements;

calculating criticality of each of the at least one association rule;

evaluating a session based upon a criticality of at least one association rule;

terminating, by the data server, the session based upon a result of the evaluating;

ranking, by the data server, at least two association rules by the criticality of each of the at least two association rules; and

specifying, by the data server, a security policy corresponding to each of the at least two association rules according to the ranking.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are provided for evaluating the security of data access statements. Specifically, in one embodiment of the claimed subject matter there is provided a technique for evaluating the security of data access statements, comprising: evaluating the criticality of multiple SQL statements contained in multiple sessions accessing a database; generating a critical item set from the multiple sessions, each element in the critical item set indicating one or more SQL statements contained in a session; extracting at least one association rule from the critical item set, each of the at least association rule indicating a sequence of SQL statements contained in a session; and calculating the criticality of each of the at least one association rule.

38 Citations

View as Search Results

17 Claims

1. An apparatus for evaluating data access statements with respect to database security and protecting, an automated database, comprising:
- a plurality of processors;
  
  a non-transitory computer readable storage medium (CRSM) coupled to the plurality of processors; and
  
  computer code, stored on the CRSM and executed on the plurality of processors, the code comprising for;
  
  evaluating a criticality of two or more SQL statements, each statement from a different session of two or more sessions accessing a database, from a first computing system, a database implemented on a data server;
  
  generating, on the data server, a critical item set based upon the evaluated criticality of the two or more SQL statements from the two or more sessions, each element in the critical item set indicating one or more SQL statements contained in a session of the two or more sessions,extracting at least one association rule from the critical item set, each of the at least one association rule indicating a sequence of SQL statements;
  
  calculating criticality of each of the at least one association rule;
  
  evaluating a session based upon a criticality of at least one association rule;
  
  terminating, by the data server, the session based upon a result of the evaluating;
  
  ranking, by the data server, at least two association rules by the criticality of each of the at least two association rules; and
  
  specifying, by the data server, a security policy corresponding to each of the at least two association rules according to the ranking.
- View Dependent Claims (2, 3, 4)
- - 2. The apparatus according to claim 1, wherein the generating comprises:
    - filtering at least a portion of sessions out of the two or more sessions based on the criticality of the two or more SQL statements; and
      
      generating a critical item set from the at least a portion of two or more sessions.
  - 3. The apparatus according to claim 1, wherein the generating comprises:
    - generating a critical 1-item set of the at least a portion of the two or more sessions, wherein each element in the critical 1-item set comprises one SQL statement;
      
      generating, in at least one round, in response to a critical (n−
      
      1)-item set of the at least a portion of the two or more sessions being non-null, a critical n-item set of the at least a portion of the two or more sessions, wherein n≧
      
      2 and each element in the critical n-item set comprises n SQL statements that are arranged in order.
  - 4. The apparatus according, to claim 1, wherein the calculating comprises calculating, with respect to each association rule, the criticality of the association rule based on criticality of an antecedent and criticality of a consequent in the association rule, and on a relationship between the antecedent and the consequent.

5. An computer program product for evaluating data access statements with respect to database security and protecting an automated database, the computer program product comprising a non-transitory computer-readable storage medium having program code embodied therewith, the program code executable by a plurality of processors to perform a method comprising:
- evaluating, by the plurality of processors, criticality of multiple Structured Query Language (SQL) statements contained in two or more sessions accessing, from a first computing system, a database implemented on a data server;
  
  generating, on the data server, a critical item set from the two or more sessions, each element in the critical item set indicating two or more SQL statements, each statement from a different session of the two or more sessions;
  
  extracting, by the plurality of processors, at least one association rule from the critical item set, each of the at least one association rule indicating a sequence of SQL statements;
  
  calculating, by the plurality of processors, criticality of each of the at least one association rule;
  
  evaluating a session based upon a criticality of at least one association rule;
  
  terminating, by the data server, the session based upon a result of the evaluating;
  
  ranking, by the data server, at least two association rules by the criticality of each of the at least two association rule; and
  
  specifying, by the data server, a security policy corresponding to each of the at least two association rules according to the ranking.
- View Dependent Claims (6, 7, 8)
- - 6. The computer program product according to claim 5, wherein the generating comprises:
    - filtering at least a portion of the two or more sessions out of the two or more sessions based on the criticality of the two or more SQL statements; and
      
      generating a critical item set from the at least a portion of the two or more sessions.
  - 7. The computer program product according to claim 5, wherein the generating comprises:
    - generating a critical 1-item set of the at least a portion of the two or more sessions, wherein each element in the critical 1-item set comprises one SQL statement;
      
      in at least one round, in response to a critical (n−
      
      1)-item set of the at least a portion of sessions of the two or more sessions being non-null, generating a critical n-item set of the at least a portion of sessions of the two or more sessions, wherein n≧
      
      2 and each element in the critical n-item set comprises n SQL statements that are arranged in order.
  - 8. The computer program product according to claim 5, wherein the calculating comprises, with respect to each association rule, calculating the criticality of the association rule based on criticality of an antecedent and criticality of a consequent in the association rule, and on a relationship between the antecedent and the consequent.

9. A method for evaluating data access statements with respect to database security, comprising:
- evaluating criticality of multiple Structured Query Language (SQL) statements contained in multiple sessions accessing, from a first computing system, a database implemented on a data server;
  
  generating, on the data server, a critical item set from the multiple sessions, each element in the critical item set indicating one or more SQL statements contained in a session of the multiple sessions;
  
  extracting at least one association rule from the critical item set, each of the at least association rule indicating, a sequence of SQL statements;
  
  calculating criticality of each of the at least one association rule;
  
  evaluating a session based upon a criticality of at least one association rule;
  
  terminating, by the data server, the session based upon a result of the evaluating;
  
  ranking, by the data server, at least two association rules by the criticality of each of the at least two association rules; and
  
  specifying, by the data server, a security policy corresponding to each of the at least two association rules according to the ranking.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The method according to claim 9, wherein the generating a critical item set from the multiple sessions comprises:
    - filtering at least a portion of sessions out of the multiple sessions based on the criticality of the multiple SQL statements; and
      
      generating a critical item set from the at least a portion of sessions.
  - 11. The method according to claim 10, wherein the filtering at least a portion of sessions out of the multiple sessions based on the criticality of the multiple SQL statements comprises, in response to the criticality, of each SQL statement contained in a session of the multiple sessions, having met a first threshold, deleting the session from the multiple sessions to form the at least a portion of sessions.
  - 12. The method according to claim 9, wherein the generating a critical item set from the multiple sessions comprises:
    - generating a critical 1-item set of the at least a portion of sessions, wherein each element in the critical 1-item set comprises one SQL statement;
      
      in at least one round, in response to a critical (n−
      
      1)-item set of the at least a portion of sessions being, non-mill, generating a critical n-item set of the at least a portion of sessions, wherein n≧
      
      2 and each element in the critical n-item set comprises n SQL statements that are arranged in order.
  - 13. The method according, to claim 12, further comprising in the at least one round, deleting an element from the critical n-item set in response to any of the support of the element being zero, and the criticality of the element being zero.
  - 14. The method according to claim 12, wherein the extracting at least one association rule from the critical item set comprises:
    - with respect to each element in the critical item set, taking the last SQL statement contained in the element as a consequent;
      
      taking other SQL statements in the element as antecedents; and
      
      using a formula (antecedent→
      
      consequent) to represent one of the multiple association rules.
  - 15. The method according to claim 9, wherein the calculating the criticality of each of the at least one association rule comprises, with respect to each association rule, calculating the criticality of the association rule based on criticality of an antecedent and criticality of a consequent in the association rule, and on a relationship between the antecedent and the consequent.
  - 16. The method according to claim 9, wherein the ranking the at least one association rule by the criticality of each of the at least one association rule comprises:
    - in response to the criticality of two of the at least one association rule being equal, with respect to each of the two association rules, calculating, the confidence of the association rule based on the support of the association rule and the support of an antecedent in the association rule; and
      
      ranking the two association rules by the confidence of the two association rules.
  - 17. The method according to claim 9, further comprising:
    - in response to receipt of a current session accessing the database system, searching in the at least one association rule for an association rule matching the current session; and
      
      processing the current session based on a security policy corresponding to the matching association rule.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Feng, Hao, Sun, Sheng Yan
Primary Examiner(s)
Sholeman, Abu

Application Number

US14/223,339
Publication Number

US 20140298471A1
Time in Patent Office

1,177 Days
Field of Search

726 1, 726 25, 726 26, 707 7, 707 9, 707602, 707687
US Class Current
CPC Class Codes

G06F 16/24   Querying

G06F 21/577   Assessing vulnerabilities a...

H04L 63/10   for controlling access to d...

H04L 63/14   for detecting or protecting...

Evaluating security of data access statements

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

38 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Evaluating security of data access statements

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links