Abstract: Typical conventional content based database security scheme mechanisms employ a predefined criteria for identifying access attempts to sensitive or prohibited data. An operator, identifies the criteria indicative of prohibited data, and the conventional content based approach scans or “sniffs” the transmissions for data items matching the predefined criteria. In many environments, however, database usage tends to follow repeated patterns of legitimate usage. Such usage patterns, if tracked, are deterministic of normal, allowable data access attempts. Similarly, deviant data access attempts may be suspect. Recording and tracking patterns of database usage allows learning of an expected baseline of normal DB activity, or application behavior. Identifying baseline divergent access attempts as deviant, unallowed behavior, allows automatic learning and implementation of behavior based access control. In this manner, data access attempts not matching previous behavior patterns are disallowed.

Abstract: Typical conventional database security scheme mechanisms are integrated in either the application or database. Maintenance of the security scheme, therefore, such as changes and modifications, impose changes to the application and/or database. Configurations of the invention employ a security filter for intercepting database streams, such as data access transactions, between an application and the a data repository, such as a relational database. A security filter deployed between the application and database inspects the stream of transactions between the application and the database. The security filter, by nonintrusively interrogating the transactions, provides a content-aware capability for seamlessly and nondestructively enforcing data level security. A security policy, codifying security requirements for the users and table of the database, employs rules concerning restricted data items. The filter intercepts transactions and determines if the transaction triggers rules of the security policy.

Abstract: Network based intrusion detection analyzes DB access attempts prior to transport into the host computer system and accordingly, mitigate resource overhead. However, host computer systems often employ local access such as a DBA account. Monitoring access attempts via the network monitor may not encompass such local access attempts. A data security device which intercepts both local and remote access attempts to the database resource monitors all database access attempts for auditing and security analysis. The data security device receives local access transactions via a local agent on the host. The local agent identifies and integrates with an interprocess communication (IPC) mechanism on the host computer system. The local agent implements an IPC interception mechanism to direct local database access attempts to the local agent, which then forwards the intercepted attempts to the data security device for further analysis.