Patents by Inventor Galia Diamant
Galia Diamant has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Patent number: 11947694
  Abstract: A method, a computer program product, and a system for implementing a dynamic virtual database honeypot. The method includes relaying a query request received from a database client to a database and receiving, from the database, a response relating to the query request. The method also includes determining the query request is an attack on the database based on session information relating to the database and the database client, generating a honey token based on information contained within the response, generating an alternate response formatted in a same format as the response and containing artificial information that masks the information contained within the response. The method further includes inserting the honey token into the alternate response and transmitting the alternate response to the database client.
  Type: Grant
  Filed: June 29, 2021
  Date of Patent: April 2, 2024
  Assignee: International Business Machines Corporation
  Inventors: Galia Diamant, Richard Ory Jerrell, Chun-Shuo Lin, Wei-Hsiang Hsiung, Cheng-Ta Lee, Wei-Jie Liau
- Patent number: 11847122
  Abstract: An example operation may include one or more of receiving a set of structured query language (SQL) queries from one or more software applications, generating a set of SQL syntax trees that correspond to the set of SQL queries, identifying a unique subset of SQL syntax trees among the generated set of SQL syntax trees based on previously obtained SQL syntax trees, and transmitting the unique subset of SQL syntax trees to a computing system.
  Type: Grant
  Filed: April 1, 2022
  Date of Patent: December 19, 2023
  Assignee: International Business Machines Corporation
  Inventors: Cheng-Ta Lee, Chun-Shuo Lin, Galia Diamant, Richard Ory Jerrell, Leonid Rodniansky
- Patent number: 11562095
  Abstract: A database protection system (DPS) mitigates injection attacks. DPS receives an unrestricted database query, extracts a syntax tree, and evaluates whether it recognizes the query. To this end, DPS applies a hash function over the extracted syntax tree, and then determines whether the resulting hash has been seen by DPS before. If so, DPS retrieves a previously-generated prepared statement associated with the syntax tree, and that prepared statement is then forwarded to the database server in lieu of sending the original query. If the syntax tree is not recognized, DPS creates a new prepared statement, generates a hash of the syntax tree, stores the hash and the new prepared statement, and forwards the new prepared statement. The prepared statements are configured based on the native wire protocol used by the database server, and DPS includes additional functionality by which it can learn the semantics of this protocol if necessary.
  Type: Grant
  Filed: January 28, 2021
  Date of Patent: January 24, 2023
  Assignee: International Business Machines Corporation
  Inventors: Galia Diamant, Leonid Rodniansky, Cheng-Ta Lee, Chun-Shuo Lin, Richard Ory Jerrell
- Publication number: 20220414245
  Abstract: A method, a computer program product, and a system for implementing a dynamic virtual database honeypot. The method includes relaying a query request received from a database client to a database and receiving, from the database, a response relating to the query request. The method also includes determining the query request is an attack on the database based on session information relating to the database and the database client, generating a honey token based on information contained within the response, generating an alternate response formatted in a same format as the response and containing artificial information that masks the information contained within the response. The method further includes inserting the honey token into the alternate response and transmitting the alternate response to the database client.
  Type: Application
  Filed: June 29, 2021
  Publication date: December 29, 2022
  Inventors: Galia Diamant, Richard Ory Jerrell, Chun-Shuo Lin, Wei-Hsiang Hsiung, Cheng-Ta Lee, Wei-Jie Liau
- Patent number: 11502855
  Abstract: A method includes retrieving a server certificate from a server in response to a request from a client to negotiate a connection between the client and the server and generating a new server public key and a new client public key in response to the request. The method also includes generating a new server certificate using information in the server certificate. The method further includes signing the new server certificate to produce a new signed server certificate, communicating the new signed server certificate, which includes the new server public key, to the client, and generating a new client certificate using information in a client certificate received from the client. The method also includes signing the new client certificate to produce a new signed client certificate and communicating the new signed client certificate, which includes the new client public key, to the server to establish the connection.
  Type: Grant
  Filed: August 26, 2021
  Date of Patent: November 15, 2022
  Assignee: International Business Machines Corporation
  Inventors: Richard Ory Jerrell, Mae Rockar, Galia Diamant
- Publication number: 20220237314
  Abstract: A database protection system (DPS) mitigates injection attacks. DPS receives an unrestricted database query, extracts a syntax tree, and evaluates whether it recognizes the query. To this end, DPS applies a hash function over the extracted syntax tree, and then determines whether the resulting hash has been seen by DPS before. If so, DPS retrieves a previously-generated prepared statement associated with the syntax tree, and that prepared statement is then forwarded to the database server in lieu of sending the original query. If the syntax tree is not recognized, DPS creates a new prepared statement, generates a hash of the syntax tree, stores the hash and the new prepared statement, and forwards the new prepared statement. The prepared statements are configured based on the native wire protocol used by the database server, and DPS includes additional functionality by which it can learn the semantics of this protocol if necessary.
  Type: Application
  Filed: January 28, 2021
  Publication date: July 28, 2022
  Applicant: International Business Machines Corporation
  Inventors: Galia Diamant, Leonid Rodniansky, Cheng-Ta Lee, Chun-Shuo Lin, Richard Ory Jerrell
- Publication number: 20220222259
  Abstract: An example operation may include one or more of receiving a set of structured query language (SQL) queries from one or more software applications, generating a set of SQL syntax trees that correspond to the set of SQL queries, identifying a unique subset of SQL syntax trees among the generated set of SQL syntax trees based on previously obtained SQL syntax trees, and transmitting the unique subset of SQL syntax trees to a computing system.
  Type: Application
  Filed: April 1, 2022
  Publication date: July 14, 2022
  Inventors: Cheng-Ta Lee, Chun-Shuo Lin, Galia Diamant, Richard Ory Jerrell, Leonid Rodniansky
- Patent number: 11334569
  Abstract: An example operation may include one or more of receiving a set of structured query language (SQL) queries from one or more software applications, generating a set of SQL syntax trees that correspond to the set of SQL queries, identifying a unique subset of SQL syntax trees among the generated set of SQL syntax trees based on previously obtained SQL syntax trees, and transmitting the unique subset of SQL syntax trees to a computing system.
  Type: Grant
  Filed: January 21, 2020
  Date of Patent: May 17, 2022
  Assignee: International Business Machines Corporation
  Inventors: Cheng-Ta Lee, Chun-Shuo Lin, Galia Diamant, Richard Ory Jerrell, Leonid Rodniansky
- Patent number: 11283880
  Abstract: Embodiments provide a computer implemented method in a data processing system comprising a processor and a memory including instructions, which are executed by the processor to cause the processor to implement the method of terminating a connection between a database server and a database client through an enforcement point, the method including: continuously monitoring, by the enforcement point, information related to a connection to a database, and parsing one or more queries; continuously comparing, by the enforcement point, the information with a predefined plurality of rules, and checking whether there is a rule violation; if there is a rule violation, assembling, by the enforcement point, a termination packet including an error message indicative of the rule violation; sending, by the enforcement point, the termination packet to the database client; and terminating, by the enforcement point, a connection between the enforcement point and the database client.
  Type: Grant
  Filed: April 15, 2019
  Date of Patent: March 22, 2022
  Assignee: International Business Machines Corporation
  Inventors: Galia Diamant, Richard O. Jerrell, Chun-Shuo Lin, Cheng-Ta Lee
- Patent number: 11228607
  Abstract: A network protection system (NPS) is augmented to provide additional functionality—preferably within the SSL/TLS connection at the OSI presentation layer—to enable efficient management and handling of security-violating client connections. When the NPS determines to suspend a suspect application client connection, the NPS modifies the request (the TLS encrypted packet) at a random offset to include a random byte value. When the modified request is then received at the server, a TLS decryption error occurs. In response, the server drops the request gracefully and, in particular, a termination response is returned from the server to the NPS, which then passes the termination response back to the requesting client.
  Type: Grant
  Filed: November 9, 2019
  Date of Patent: January 18, 2022
  Assignee: International Business Machines Corporation
  Inventors: Leonid Rodniansky, Viktor Ginzburg, Richard Ory Jerrell, Galia Diamant
- Publication number: 20210224281
  Abstract: An example operation may include one or more of receiving a set of structured query language (SQL) queries from one or more software applications, generating a set of SQL syntax trees that correspond to the set of SQL queries, identifying a unique subset of SQL syntax trees among the generated set of SQL syntax trees based on previously obtained SQL syntax trees, and transmitting the unique subset of SQL syntax trees to a computing system.
  Type: Application
  Filed: January 21, 2020
  Publication date: July 22, 2021
  Inventors: Cheng-Ta Lee, Chun-Shuo Lin, Galia Diamant, Richard Ory Jerrell, Leonid Rodniansky
- Publication number: 20210144160
  Abstract: A network protection system (NPS) is augmented to provide additional functionality—preferably within the SSL/TLS connection at the OSI presentation layer—to enable efficient management and handling of security-violating client connections. When the NPS determines to suspend a suspect application client connection, the NPS modifies the request (the TLS encrypted packet) at a random offset to include a random byte value. When the modified request is then received at the server, a TLS decryption error occurs. In response, the server drops the request gracefully and, in particular, a termination response is returned from the server to the NPS, which then passes the termination response back to the requesting client.
  Type: Application
  Filed: November 9, 2019
  Publication date: May 13, 2021
  Applicant: International Business Machines Corporation
  Inventors: Leonid Rodniansky, Viktor Ginzburg, Richard Ory Jerrell, Galia Diamant
- Publication number: 20200329107
  Abstract: Embodiments provide a computer implemented method in a data processing system comprising a processor and a memory including instructions, which are executed by the processor to cause the processor to implement the method of terminating a connection between a database server and a database client through an enforcement point, the method including: continuously monitoring, by the enforcement point, information related to a connection to a database, and parsing one or more queries; continuously comparing, by the enforcement point, the information with a predefined plurality of rules, and checking whether there is a rule violation; if there is a rule violation, assembling, by the enforcement point, a termination packet including an error message indicative of the rule violation; sending, by the enforcement point, the termination packet to the database client; and terminating, by the enforcement point, a connection between the enforcement point and the database client.
  Type: Application
  Filed: April 15, 2019
  Publication date: October 15, 2020
  Inventors: Galia Diamant, Richard O. Jerrell, Chun-Shuo Lin, Cheng-Ta Lee
- Patent number: 10742657
  Abstract: Embodiments can provide a computer implemented method in a data processing system including a processor and a memory having instructions, which are executed by the processor to cause the processor to implement the method for accessing a shared resource. The method includes the following steps: identifying a process having elevated privileges as a background process; providing an authorized user list including at least one user identification number; providing a communication endpoint connectable to a user or a program; receiving a user identification number of the user or the program through the communication endpoint; checking whether the user identification number is in the authorized user list. If the user identification number is in the list, a file descriptor associated with the shared resource is provided; and the file descriptor is transferred to the user or the program through the communication endpoint.
  Type: Grant
  Filed: July 11, 2018
  Date of Patent: August 11, 2020
  Assignee: International Business Machines Corporation
  Inventors: Richard O. Jerrell, Paul Spencer, Galia Diamant
- Publication number: 20200021592
  Abstract: Embodiments can provide a computer implemented method in a data processing system including a processor and a memory having instructions, which are executed by the processor to cause the processor to implement the method for accessing a shared resource. The method includes the following steps: identifying a process having elevated privileges as a background process; providing an authorized user list including at least one user identification number; providing a communication endpoint connectable to a user or a program; receiving a user identification number of the user or the program through the communication endpoint; checking whether the user identification number is in the authorized user list. If the user identification number is in the list, a file descriptor associated with the shared resource is provided; and the file descriptor is transferred to the user or the program through the communication endpoint.
  Type: Application
  Filed: July 11, 2018
  Publication date: January 16, 2020
  Inventors: Richard O. Jerrell, Paul Spencer, Galia Diamant
- Patent number: 9069628
  Abstract: The techniques herein provide for "time-shifting" of intercepted system calls to enable a one-to-many (1:n) or a many-to-one (n:1) mapping of intercepted-to-real system calls. Any action that needs to be applied on the logical boundaries of the data (instead of the physical boundaries) presented upon system call interception spools (buffers) the data before taking the action and then unspools the result when finished. The action may be quite varied, e.g., examining the data, redacting the data, changing the data, restricting the data, processing the data, and updating the data, among others. The technique may be implemented in a database access control system.
  Type: Grant
  Filed: April 10, 2013
  Date of Patent: June 30, 2015
  Assignee: International Business Machines Corporation
  Inventors: Richard Ory Jerrell, Ury Segal, Galia Diamant
- Publication number: 20140310727
  Abstract: The techniques herein provide for "time-shifting" of intercepted system calls to enable a one-to-many (1:n) or a many-to-one (n:1) mapping of intercepted-to-real system calls. Any action that needs to be applied on the logical boundaries of the data (instead of the physical boundaries) presented upon system call interception spools (buffers) the data before taking the action and then unspools the result when finished. The action may be quite varied, e.g., examining the data, redacting the data, changing the data, restricting the data, processing the data, and updating the data, among others. The technique may be implemented in a database access control system.
  Type: Application
  Filed: April 10, 2013
  Publication date: October 16, 2014
  Applicant: International Business Machines Corporation
  Inventors: Richard Ory Jerrell, Ury Segal, Galia Diamant