Method and apparatus for monitoring a database system

US 7,085,780 B2
Filed: 02/24/2003
Issued: 08/01/2006
Est. Priority Date: 02/22/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method for monitoring a database system that includes a database server executing on one or more processors of a computer system, the method comprising the steps of:

making a copy of content, managed by the database system, into a location of a device that is separate from the computer system without removing the content from the computer system,wherein said content is data that populates a database managed by the database system and does not form part of the structure, metadata, or schema of the database; and

in the device, detecting potential anomalies by;

a) reading criteria data, previously provided by a user through an interface for receiving user-specified security rules, that specifies criteria used by the one or more analysis operations, wherein the criteria data includes data that defines a condition that must be satisfied by a particular value within the copy of the content.b) performing the one or more analysis operations on the copy of the content in order to identify one or more data elements, within the copy of the content, that are potentially anomalous based on the criteria specified in the criteria data, wherein one of the one or more analysis operations involves determining whether the particular value within the copy of the content satisfies the condition; and

c) signaling a notification after identifying that the one or more data elements are potentially anomalous.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are provided for monitoring a database system. A set of data elements may be read from a database system into a device. The device may be external to the database system. From the device, a set of analysis operations are performed on the data elements in order to identify if any of the date elements satisfy a criteria for being considered potentially anomalous. A notification is signaled if potentially anomalous data is identified.

34 Citations

View as Search Results

70 Claims

1. A method for monitoring a database system that includes a database server executing on one or more processors of a computer system, the method comprising the steps of:
- making a copy of content, managed by the database system, into a location of a device that is separate from the computer system without removing the content from the computer system,wherein said content is data that populates a database managed by the database system and does not form part of the structure, metadata, or schema of the database; and
  
  in the device, detecting potential anomalies by;
  
  a) reading criteria data, previously provided by a user through an interface for receiving user-specified security rules, that specifies criteria used by the one or more analysis operations, wherein the criteria data includes data that defines a condition that must be satisfied by a particular value within the copy of the content.b) performing the one or more analysis operations on the copy of the content in order to identify one or more data elements, within the copy of the content, that are potentially anomalous based on the criteria specified in the criteria data, wherein one of the one or more analysis operations involves determining whether the particular value within the copy of the content satisfies the condition; and
  
  c) signaling a notification after identifying that the one or more data elements are potentially anomalous.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 2. The method of claim 1, wherein the step of making the copy of the content managed by the database system further comprises the device receiving from the database system a grant of “
    - read-only”
      
      access and the device using said “
      
      read-only”
      
      access to obtain said copy of the content.
  - 3. The method of claim 1, wherein the step of performing one or more analysis operations on the copy of the content is performed exclusively by the device.
  - 4. The method of claim 1, further comprising:
    - reading metadata about a schema of the database, wherein the one or more analysis operations are performed at least in part based on said metadata.
  - 5. The method of claim 4, further comprising:
    - reading a system catalog of the database, and wherein performing one or more analysis operations includes comparing the system catalog to a system catalog that was read from the database at an earlier instance.
  - 6. The method of claim 1, further comprising:
    - reading data representing a set of privileges for enabling one or more users of the database system to do at least one of view, change or delete data within the database, wherein the one or more analysis operations are performed at least in part on said privileges.
  - 7. The method of claim 1, wherein the step of signaling a notification includes sending an email to at least a first designated email address.
  - 8. The method of claim 1, wherein the step of signaling a notification includes paging at least a first designated phone number.
  - 9. The method of claim 1, wherein performing one or more analysis operations includes comparing at least a portion of the copy of the content to content read at an earlier instance of time.
  - 10. The method of claim 1, further comprising:
    - identifying a set of data elements stored within the content stored in the database to be copied into the location of the device.
  - 11. The method of claim 10, wherein making the copy of the content managed by the database system, into a location of a device that is separate from the computer system, comprises:
    - reading the set of data into a location of an external data base analysis system.
  - 12. The method of claim 10, wherein performing one or more analysis operations includes:
    - performing a first analysis operation on the set of data elements for making a first determination whether data in the database is potentially anomalous based on a first comparison parameter of the set of data elements; and
      
      performing a second analysis operation on the set of data elements for making a second determination whether data in the database is potentially anomalous based on a second comparison parameter of the set of data elements.
  - 13. The method of claim 12, wherein performing one or more analysis operations includesperforming a third analysis operation on the set of data elements for making a third determination whether any data in the database is potentially anomalous based on a third comparison parameter of the set of data elements.
  - 14. The method of claim 12, wherein performing one or more analysis operations includes determining a maximum value of two or more data elements in the set of data elements, a minimum value of two or more data elements in the set of data elements, and an average value of two or more data elements in the set of data elements.
  - 15. The method of claim 14, wherein performing one or more analysis operations includes comparing at least one of the maximum value, the minimum value, and the average value to values determined from a previous time period.
  - 16. The method of claim 12, wherein performing one or more analysis operations includes selecting a group of data from the set of data elements, and determining a comparison parameter of the group of data.
  - 17. The method of claim 16, wherein determining a comparison parameter of the group of data includes determining one or more of a maximum value data element in the group of data, a minimum value data element in the group of data, and an average value of the group of data.
  - 18. The method of claim 16, wherein selecting a group of data includes selecting the group of data based on one or more user-defined parameters.
  - 19. The method of claim 10, wherein performing one or more analysis operations includes comparing the set of data elements to a set of parameters defined by a user.
  - 20. The method of claim 10, wherein performing one or more analysis operations includes clustering values identified from the set of data elements using a statistical distribution, and then identifying data within the database that is potentially anomalous using the statistical distribution.
  - 21. The method of claim 20, wherein performing one or more analysis operations includes identifying data points of values for individual data elements based on ranges of two or more parameters that define the individual data elements within the database.
  - 22. The method of claim 21, wherein the two or more parameters correspond to a first parameter identifying a row of an individual data element, of the individual data elements, and a second parameter identifying a column of the individual data element.
  - 23. The method of claim 10, wherein performing one or more analysis operations includes comparing a result of one or more of the analysis operations to a previous result from performing the one or more analysis operations on a set of data elements identified from the database at a previous time period.
  - 24. The method of claim 10, wherein performing one or more analysis operations includes comparing a result of one or more of the analysis operations to a designated set of results.
  - 25. The method of claim 1, further comprising:
    - compiling a result of performing the analysis operations at one or more instances into a report.
  - 26. The method of claim 25, further comprising compiling the potentially anomalous data into the report.
  - 27. The method of claim 1, further comprising associating potentially anomalous data with an event that caused the data to be stored in the database.
  - 28. The method of claim 27, further comprising archiving a plurality of events that cause anomalous data to be stored in the database.
  - 29. The method of claim 1, further comprising:
    - identifying, at one or more instances in a designated time period, a set of data elements stored as content within a database of the database system;
      
      identifying trend data for how the set of data elements are modified over the designated time period; and
      
      performing, based on the trend data, the one or more analysis operations in order to identify potentially anomalous data within the database.
  - 30. The method of claim 29, wherein the step of performing, based on the trend data, the one or more analysis operations includes adjusting the one or more analysis operations based on the trend data.
  - 31. The method of claim 29, wherein the step of performing, based on the trend data, the one or more analysis operations includes selecting the one or more analysis operations based on the trend data.
  - 32. The method of claim 29, wherein identifying a trend for how the set of data elements are modified includes identifying the trend data over a duration designated by a user.
  - 33. The method of claim 29, further comprising, once the designated time period is over, repeating the step of identifying a set of data elements, and then performing the one or more analysis operations based on the trend data identified during the designated time period.
  - 34. The method of claim 29, wherein identifying a set of data elements includes reading the set of data elements from the database managed by the database system.
  - 35. The method of claim 29, wherein the step of identifying a set of data elements is repeated at multiple instances over the designated time period, and wherein the step of identifying trend data for how the set of data elements are modified includes updating the trend data after each instance of identifying the set of data elements.

36. A computer-readable medium carrying one or more sequences of instructions for monitoring a database system that includes a database server executing on one or more processors of a computer system, which instructions, when executed by one or more processors, causes the one or more processors to carry out the steps of:
- making a copy of content, managed by the database system, into a location of a device that is separate from the computer system without removing the content from the computer system,wherein said content is data that populates a database managed by the database system and does not form part of the structure, metadata, or schema of the database; and
  
  in the device, detecting potential anomalies by;
  
  a) reading criteria data, previously provided by a user through an interface for receiving user-specified security rules, that specifies criteria used by the one or more analysis operations, wherein the criteria data includes data that defines a condition that must be satisfied by a particular value within the copy of the content;
  
  b) performing the one or more analysis operations on the copy of the content in order to identify one or more data elements, within the copy of the content, that are potentially anomalous based on the criteria specified in the criteria data, wherein one of the one or more analysis operations involves determining whether the particular value within the copy of the content satisfies the condition; and
  
  c) signaling a notification after identifying that the one or more data elements are potentially anomalous.
- View Dependent Claims (37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70)
- - 37. The computer readable medium of claim 36, wherein the step of making the copy of the content managed by the database system further comprises the device receiving from the database system a grant of “
    - read-only” and
      
      the device using said “
      
      read-only”
      
      access to obtain said copy of the content.
  - 38. The computer readable medium of claim 36, wherein the step of performing one or more analysis operations on the copy of the content is performed exclusively by the device.
  - 39. The computer readable medium of claim 36, wherein the sequences of instructions, when executed by the one or more processors, further causes the one or more processors to carry out the step of:
    - reading metadata about a schema of the database, wherein the one or more analysis operations are performed at least in part on said metadata.
  - 40. The computer readable medium of claim 39, wherein the sequences of instructions, when executed by said one or more processors, further causes the one or more processors to carry out the step of:
    - reading a system catalog of the database, and wherein the step of performing one or more analysis operations includes comparing the system catalog to a system catalog that was read from the database at an earlier instance.
  - 41. The computer readable medium of claim 36, wherein the sequences of instructions, when executed by the one or more processors, further causes the one or more processors to carry out the step of:
    - reading data representing a set of privileges for enabling one or more users of the database system to do at least one of view, change or delete data within the database, wherein the one or more analysis operations are performed at least in part based on said privileges.
  - 42. The computer readable medium of claim 36, wherein the step of signaling a notification includes sending an email to at least a first designated email address.
  - 43. The computer readable medium of claim 36, wherein the step of signaling a notification includes paging at least a first designated phone number.
  - 44. The computer readable medium of claim 36, wherein the step of performing one or more analysis operations includes comparing at least a portion of the copy of the content to content read at an earlier instance of time.
  - 45. The computer readable medium of claim 36, wherein the sequences of instructions, when executed by said one or more processors, further causes the one or more processors to carry out the step of:
    - identifying a set of data elements stored within the content stored in the database to be copied into the location of the device.
  - 46. The computer readable medium of claim 45, wherein the step of making the copy of the content comprises:
    - reading the set of data into a location of an external data base analysis system.
  - 47. The computer readable medium of claim 45, wherein the sequences of instructions, when executed, further cause the one or more processors to perform the steps of:
    - performing a first analysis operation on the set of data elements for making a first determination whether data in the database is potentially anomalous based on a first comparison parameter of the set of data elements; and
      
      performing a second analysis operation on the set of data elements for making a second determination whether data in the database is potentially anomalous based on a second comparison parameter of the set of data elements.
  - 48. The computer readable medium of claim 47, wherein the sequences of instructions, when executed, further cause the one or more processors to perform the step of:
    - performing a third analysis operation on the set of data elements for making a third determination whether any data in the database is potentially anomalous based on a third comparison parameter of the set of data elements.
  - 49. The computer readable medium of claim 47, wherein the instructions for carrying out the step of performing one or more analysis operations include instructions for carrying out the step of determining a maximum value of two or more data elements in the set of data elements, a minimum value of two or more data elements in the set of data elements, and an average value of two or more data elements in the set of data elements.
  - 50. The computer readable medium of claim 49, wherein the instructions for carrying out the step of performing one or more analysis operations include instructions for carrying out the step of comparing at least one of the maximum value, the minimum value, and the average value to values determined from a previous time period.
  - 51. The computer readable medium of claim 47, wherein the the one or more analysis operations includes selecting a group of data from the set of data elements;
    - and determining a comparison parameter of the group of data.
  - 52. The computer readable medium of claim 51, wherein the instructions for carrying out the step of determining a comparison parameter of the group of data include instructions for carrying out the step of determining one or more of a maximum value data element in the group of data, a minimum value data element in the group of data, and an average value of the group of data.
  - 53. The computer readable medium of claim 51, wherein the instructions for carrying out the step of selecting a group of data include instructions for carrying out the step of selecting the group of data based on one or more user-defined parameters.
  - 54. The computer readable medium of claim 45, wherein the instructions for carrying out the step of performing one or more analysis operations include instructions for carrying out the step of comparing the set of data elements to a set of parameters defined by a user.
  - 55. The computer readable medium of claim 45, wherein the instructions for carrying out the step of performing one or more analysis operations include instructions for carrying out the steps of:
    - the one or more analysis operations includes clustering values identified from the set of data elements using a statistical distribution; and
      
      identifying data within the database that is potentially anomalous using the statistical distribution.
  - 56. The computer readable medium of claim 55, wherein the instructions for carrying out the step of performing one or more analysis operations include instructions for carrying out the step of identifying data points of values for individual data elements based on ranges of two or more parameters that define the individual data elements within the database.
  - 57. The computer readable medium of claim 56, wherein the two or more parameters correspond to a first parameter identifying a row of an individual data element, of the individual data elements, and a second parameter identifying a column of the individual data element.
  - 58. The computer readable medium of claim 45, wherein the instructions for carrying out the step of performing one or more analysis operations include instructions for carrying out the step of comparing a result of one or more of the analysis operations to a previous result from performing the one or more analysis operations on a set of data elements identified from the database at a previous time period.
  - 59. The computer readable medium of claim 45, wherein the instructions for carrying out the step of performing one or more analysis operations include instructions for carrying out the step of comparing a result of one or more of the analysis operations to a designated set of results.
  - 60. The computer readable medium of claim 36, further comprising:
    - instructions for carrying out the step of compiling a result of performing the analysis operations at one or more instances into a report.
  - 61. The computer readable medium of claim 60, further comprising instructions for carrying out the step of compiling the potentially anomalous data into the report.
  - 62. The computer readable medium of claim 36, further comprising instructions for carrying out the step of associating potentially anomalous data with an event that caused the data to be stored in the database.
  - 63. The computer readable medium of claim 62, further comprising instructions for carrying out the step of archiving a plurality of events that cause anomalous data to be stored in the database.
  - 64. The computer readable medium of claim 36, further comprising instructions for carrying out the steps of:
    - identifying, at one or more instances in a designated time period, a set of data elements stored as content within a database of the database system;
      
      identifying trend data for how the set of data elements are modified over the designated time period; and
      
      performing, based on the trend data, the one or more analysis operations in order to identify potentially anomalous data within the database.
  - 65. The computer readable medium of claim 64, wherein the instructions for carrying out the step of performing, based on the trend data, the one or more analysis operations include instructions for carrying out the step of adjusting the one or more analysis operations based on the trend data.
  - 66. The computer readable medium of claim 64, wherein the instructions for carrying out the step of performing, based on the trend data, the one or more analysis operations include instructions for carrying out the step of selecting the one or more analysis operations based on the trend data.
  - 67. The computer readable medium of claim 64, wherein the instructions for carrying out the step of identifying a trend for how the set of data elements are modified include instructions for carrying out the step of identifying the trend data over a duration designated by a user.
  - 68. The computer readable medium of claim 64, further comprising, instructions for carrying out the steps of:
    - waiting for the designated time period to expire;
      
      repeating the step of identifying a set of data elements; and
      
      performing the one or more analysis operations based on the trend data identified during the designated time period.
  - 69. The computer readable medium of claim 64, wherein the instructions for carrying out the step of identifying a set of data elements include instructions for carrying out the step of reading the set of data elements from the database managed by the database system.
  - 70. The computer readable medium of claim 64, wherein the instructions for carrying out the step of identifying a set of data elements are repeatedly executed at multiple instances over the designated time period, and wherein the instructions for carrying out the step of identifying trend data for how the set of data elements are modified include instructions for carrying out the step of updating the trend data after each instance of identifying the set of data elements.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
IPLocks, Inc. (Fortinet Inc.)
Original Assignee
IPLocks, Inc. (Fortinet Inc.)
Inventors
Mukherjee, Amarnath, Sakamoto, Akio, Raj, Seshan S., Sudia, Frank
Primary Examiner(s)
Alam, Shahid
Assistant Examiner(s)
FLEURANTIN, JEAN B

Application Number

US10/375,691
Publication Number

US 20040024736A1
Time in Patent Office

1,254 Days
Field of Search

707 1- 10, 707100-1041, 707200-206, 709/217, 709/219, 709/225, 709/229, 711/100
US Class Current

1/1
CPC Class Codes

G06F 16/2365   Ensuring data consistency a...

G06F 21/55   Detecting local intrusion o...

Y10S 707/99931   Database or file accessing

Y10S 707/99939   Privileged access

Method and apparatus for monitoring a database system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

34 Citations

70 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for monitoring a database system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

70 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links