Patents by Inventor Ron Ben-Natan
Ron Ben-Natan has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 8141100
Abstract: A multi-tier attribute tracking mechanism identifies end user credentials and other client information and attributes and assigns them to database requests in an application server architecture. Disclosed configurations identify the processing unit, or thread, assigned by the operating system to service the incoming request from the user at the application tier. A matching of users to threads allows successive thread activity to be mapped back to the initiating user. Conventional interception of database access attempts at the application level (“server taps,” or staps) identified only the database user (the account in the database) and associated connection as the responsible user. By intercepting, or “tapping,” the access request at the operating system level (using kernel taps, or “ktaps”), the mechanism matches which application requests map to which database requests. With this matching, the database requests can be tagged with the user credentials which are known through the application request.
Type: Grant
Filed: December 20, 2006
Date of Patent: March 20, 2012
Assignee: International Business Machines Corporation
Inventors: Ron Ben-Natan, Ury Segal
-
Publication number: 20110313981
Abstract: A method, a data processing system, and a computer program product for protecting data in a database. A query to a database in a data processing system is received by a security mechanism in the data processing system that is external to the database. The query is converted to a modified query according to a security policy. The modified query is sent to the database, and a response to the modified query is returned.
Type: Application
Filed: June 17, 2010
Publication date: December 22, 2011
Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventor: Ron Ben-Natan
-
Patent number: 7970788
Abstract: A nonintrusive database access monitoring mechanism employs a hybrid approach that disallows, or blocks, the access mediums which are not feasible to intercept or analyze, as well as intercepting and analyzing access mediums for which interception and interrogation is available. Accordingly, various configurations provide the hybrid coverage approach to identifying access mediums, and either block or intercept the access attempts. In this manner, access mediums, such as interprocess communication (IPC) system calls, which may be efficiently intercepted and analyzed are captured and substantively processed, while other access mediums that are excessively burdensome or intrusive to capture are unselectively blocked from any communication, avoiding the need to analyze such access attempts.
Type: Grant
Filed: August 2, 2005
Date of Patent: June 28, 2011
Assignee: International Business Machines Corporation
Inventors: Ron Ben-Natan, Izar Tarandach
-
Patent number: 7933923
Abstract: A method for automatic reconciliation of database change requests associates administrative database commands with the change request via a context event command. A database monitoring system identifies a context event command that indicates that a particular context, or session, is beginning. The context event command is a tag command, and includes parameters specifying a context label indicative of a change request. Prior to entering a particular change request, the DBA issues the context event command with the context label as a parameter. The context label is an identifier of the change request to be associated with the set of operations, or commands, resulting from the particular change request. The database monitoring system logs and associates subsequently received commands with the context label in a database access log which is employed for later reconciliation of the operations with the corresponding change request.
Type: Grant
Filed: November 4, 2005
Date of Patent: April 26, 2011
Assignee: International Business Machines Corporation
Inventor: Ron Ben-Natan
-
Publication number: 20100131512
Abstract: A nonintrusive database access monitoring mechanism employs a hybrid approach that disallows, or blocks, the access mediums which are not feasible to intercept or analyze, as well as intercepting and analyzing access mediums for which interception and interrogation is available. Accordingly, various configurations provide the hybrid coverage approach to identifying access mediums, and either block or intercept the access attempts. In this manner, access mediums, such as interprocess communication (IPC) system calls, which may be efficiently intercepted and analyzed are captured and substantively processed, while other access mediums that are excessively burdensome or intrusive to capture are unselectively blocked from any communication, avoiding the need to analyze such access attempts.
Type: Application
Filed: August 2, 2005
Publication date: May 27, 2010
Inventors: Ron Ben-Natan, Izar Tarandach
-
Publication number: 20100131758
Abstract: In a data level security environment, the data level security mechanism operates on plaintext data. Data level security operations identify a point in the information stream where plaintext data is available for interception. Typically this is a point in the processing stream just after the native DBMS decryption functionality has been invoked. A database monitor intercepts and scrutinizes data in transit between an application and a database by identifying a transition point between the encrypted and plaintext data where the cryptographic operations are invoked, and transfers control of the data in transit to a database monitor application subsequent to the availability of the data in plaintext form.
Type: Application
Filed: February 22, 2007
Publication date: May 27, 2010
Inventor: Ron Ben-Natan
-
Publication number: 20100132024
Abstract: A multi-tier attribute tracking mechanism provides the ability to identify the end user credentials and other client information and attributes and assign them to database requests in an application server architecture. Disclosed configurations identify the processing unit, or thread, assigned by the operating system to service the incoming request from the user at the application tier. A matching of users to threads allows successive thread activity to be mapped back to the initiating user. Conventional interception of database access attempts at the application level (so-called “server taps,” or staps) identified only the database user (the account in the database) and associated connection as the responsible user. By intercepting, or “tapping,” the access request at the operating system level (using so-called kernel taps, or “ktaps”), the mechanism matches which application requests map to which database requests.
Type: Application
Filed: December 20, 2006
Publication date: May 27, 2010
Inventors: Ron Ben-Natan, Ury Segal
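The thread-to-user matching described in 8141100 and 20100132024, reduced to its core data structure in Python: a registry keyed by the OS id of the thread serving a request, populated at the application-tier entry point and consulted at the database call. This is an added example written for this listing, not code from the patents or from any product. The kernel-level tap is replaced by an in-process hook (db_execute); the pooled service account name app_svc, the handle_request entry point, the orders table and the sample requests are all assumptions.

```python
import threading
from concurrent.futures import ThreadPoolExecutor


class UserContextRegistry:
    """Maps the OS thread serving a request to the end user who sent it."""

    def __init__(self):
        self._by_thread = {}
        self._lock = threading.Lock()

    def bind(self, end_user: str) -> None:
        with self._lock:
            self._by_thread[threading.get_native_id()] = end_user

    def unbind(self) -> None:
        # Pooled threads serve many users in turn; a stale binding would
        # attribute the next request's queries to the previous user.
        with self._lock:
            self._by_thread.pop(threading.get_native_id(), None)

    def current_user(self):
        with self._lock:
            return self._by_thread.get(threading.get_native_id())


REGISTRY = UserContextRegistry()
AUDIT_LOG = []
_AUDIT_LOCK = threading.Lock()


def db_execute(sql: str, params: tuple) -> None:
    """Stand-in for the point where the database request is intercepted.

    The connection itself authenticates as one pooled service account (assumed
    name app_svc), so the only way to name the responsible person is to look
    up the calling thread in the registry.
    """
    with _AUDIT_LOCK:
        AUDIT_LOG.append({
            "db_user": "app_svc",
            "end_user": REGISTRY.current_user(),
            "thread": threading.get_native_id(),
            "sql": sql,
            "params": params,
        })


def handle_request(end_user: str, customer_id: int) -> None:
    """Application-tier entry point: bind the user, do the work, always unbind."""
    REGISTRY.bind(end_user)
    try:
        db_execute("SELECT id, total FROM orders WHERE customer_id = ?", (customer_id,))
    finally:
        REGISTRY.unbind()


# Constructed sample traffic: four end users sharing a two-thread pool.
SAMPLE_REQUESTS = [("alice", 1), ("bob", 2), ("carol", 3), ("dave", 4)]


def run_demo(requests=SAMPLE_REQUESTS) -> list:
    """Serve the requests on a small pool; return (end_user, customer_id) for every DB call."""
    AUDIT_LOG.clear()
    with ThreadPoolExecutor(max_workers=2) as pool:
        list(pool.map(lambda r: handle_request(*r), requests))
    return sorted((entry["end_user"], entry["params"][0]) for entry in AUDIT_LOG)


if __name__ == "__main__":
    for entry in run_demo():
        print(entry)
```

Every audit entry carries db_user app_svc, which is all a connection-level tap would see; the end_user field is what the thread lookup adds. The unbind in the finally block is the part that matters operationally: with only two pool threads serving four users, a binding left in place would silently credit the next user's queries to the previous one.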
-
Publication number: 20090271453
Abstract: A database security overlay that identifies each network and local access gateway to a database, and monitors each access path from the identified gateways to analyze each connection to the database and block any connections determined to transport unauthorized or undesirable content. Access gateways that establish connections are identifiable by interprocess communication (IPC) mechanisms employed in accessing the database. An evaluator monitors access attempts, while a tapping mechanism on IPC mechanisms that provide the connections captures access attempts from the access gateways. The tapping mechanism intercepts and forwards access attempts to the evaluator to centralize and focus DB paths amid multiple local and external connections on the DB server. A lightweight check for each local access quickly determines if the access attempt warrants further scrutiny.
Type: Application
Filed: April 25, 2008
Publication date: October 29, 2009
Inventor: Ron Ben-Natan
-
Patent number: 7506371
Abstract: Typical conventional content based database security scheme mechanisms employ predefined criteria for identifying access attempts to sensitive or prohibited data. An operator identifies the criteria indicative of prohibited data, and the conventional content based approach scans or “sniffs” the transmissions for data items matching the predefined criteria. In many environments, however, database usage tends to follow repeated patterns of legitimate usage. Such usage patterns, if tracked, are indicative of normal, allowable data access attempts. Similarly, deviant data access attempts may be suspect. Recording and tracking patterns of database usage allows learning of an expected baseline of normal DB activity, or application behavior. Identifying baseline-divergent access attempts as deviant, unallowed behavior allows automatic learning and implementation of behavior based access control. In this manner, data access attempts not matching previous behavior patterns are disallowed.
Type: Grant
Filed: January 22, 2004
Date of Patent: March 17, 2009
Assignee: Guardium, Inc.
Inventor: Ron Ben-Natan
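The learn-then-enforce baseline that 7506371 describes, as an added Python example written for this listing rather than code from the patent or from Guardium. Each statement is reduced to its shape (string and numeric literals replaced by distinct placeholders, case and whitespace folded), the shapes each principal issues during a learning phase are recorded, and in enforcement any shape not in that principal's baseline is flagged. The webshop and reporting principals, the orders table and both the training log and the candidate statements are constructed for the example.

```python
import re
from collections import defaultdict

_STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")
_NUMBER_LITERAL = re.compile(r"\b\d+(?:\.\d+)?\b")
_WHITESPACE = re.compile(r"\s+")


def normalize(sql: str) -> str:
    """Reduce a statement to its shape: literals become placeholders, case and spacing are folded.

    Strings are replaced first so digits inside them are not touched, and the
    string placeholder ('?') is kept distinct from the numeric one (?) so a
    string where a number is expected still reads as a different pattern.
    """
    shape = _STRING_LITERAL.sub("'?'", sql)
    shape = _NUMBER_LITERAL.sub("?", shape)
    return _WHITESPACE.sub(" ", shape).strip().lower()


class BehaviorBaseline:
    """Learns the statement shapes each principal issues, then flags shapes never seen before."""

    def __init__(self):
        self._patterns = defaultdict(set)   # principal -> set of normalized shapes

    def learn(self, principal: str, sql: str) -> None:
        self._patterns[principal].add(normalize(sql))

    def is_expected(self, principal: str, sql: str) -> bool:
        # A principal with no learned history matches nothing, so a new or
        # unexpected account is flagged on its first statement.
        return normalize(sql) in self._patterns[principal]


# Constructed learning-phase log: the web application's normal traffic.
TRAINING_LOG = [
    ("webshop", "SELECT id, total FROM orders WHERE customer_id = 1042"),
    ("webshop", "SELECT id, total FROM orders WHERE customer_id = 7"),
    ("webshop", "INSERT INTO orders (customer_id, total) VALUES (1042, 19.99)"),
]

# Constructed enforcement-phase candidates: one legitimate variant, an
# injected tautology, a bulk read, a type-confused insert, and a new principal.
CANDIDATES = [
    ("webshop", "select id, total from orders where customer_id = 99"),
    ("webshop", "SELECT id, total FROM orders WHERE customer_id = 99 OR 1=1"),
    ("webshop", "SELECT * FROM orders"),
    ("webshop", "INSERT INTO orders (customer_id, total) VALUES (5, 'x')"),
    ("reporting", "SELECT id, total FROM orders WHERE customer_id = 1042"),
]


def run_demo() -> dict:
    """Train on TRAINING_LOG, then return {statement: expected?} for each candidate."""
    baseline = BehaviorBaseline()
    for principal, sql in TRAINING_LOG:
        baseline.learn(principal, sql)
    return {sql: baseline.is_expected(principal, sql) for principal, sql in CANDIDATES}


if __name__ == "__main__":
    for sql, ok in run_demo().items():
        print("ALLOW " if ok else "FLAG  ", sql)
```

Only the first candidate passes: a different customer id is the same shape as the learned queries, while the appended OR 1=1, the unbounded SELECT *, the string literal in a numeric position and the unknown reporting principal all fall outside the baseline. The obvious caveat is that the learning window must itself be clean; anything an attacker issues while the baseline is being recorded becomes expected behavior.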
-
Patent number: 7437362
Abstract: Typical conventional database security scheme mechanisms are integrated in either the application or database. Maintenance of the security scheme, therefore, such as changes and modifications, imposes changes to the application and/or database. Configurations of the invention employ a security filter for intercepting database streams, such as data access transactions, between an application and a data repository, such as a relational database. A security filter deployed between the application and database inspects the stream of transactions between the application and the database. The security filter, by nonintrusively interrogating the transactions, provides a content-aware capability for seamlessly and nondestructively enforcing data level security. A security policy, codifying security requirements for the users and tables of the database, employs rules concerning restricted data items. The filter intercepts transactions and determines if the transaction triggers rules of the security policy.
Type: Grant
Filed: November 26, 2003
Date of Patent: October 14, 2008
Assignee: Guardium, Inc.
Inventor: Ron Ben-Natan
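An added Python example, written for this listing and not taken from either patent or from Guardium, that covers both the policy-triggered filter of 7437362 and the query rewriting of 20110313981: a mechanism external to the database receives each statement, blocks those that violate a rule, and rewrites the rest so the database only ever sees a row-filtered, column-masked form. The analyst user, the customers table and its columns, the policy entries and the sample rows are assumptions for the example; the rewriter is regex-based and is meant to show the mechanism, not to stand in for a SQL parser.

```python
import re
import sqlite3

# Constructed policy: per database user, which tables are read-only, which
# rows may be seen, and which columns come back masked.
POLICY = {
    "analyst": {
        "customers": {
            "read_only": True,
            "row_filter": "region = 'EU'",
            "masked_columns": {"ssn"},
        }
    }
}

# The rewriter needs the column list to build the projection; a real filter
# would read it from the catalog. Assumed schema for the example.
TABLE_COLUMNS = {"customers": ["id", "name", "region", "ssn"]}


class PolicyViolation(Exception):
    """Raised when a statement is blocked rather than rewritten."""


def rewrite_query(sql: str, db_user: str) -> str:
    """Return the statement the database is actually allowed to see.

    Non-SELECT statements that touch a read-only table are blocked. SELECTs
    have every FROM/JOIN reference to the table replaced by a derived table
    that applies the row filter and masks the restricted columns, so the
    application's query text otherwise runs unchanged.
    """
    statement_type = sql.lstrip().split(None, 1)[0].upper()
    for table, rules in POLICY.get(db_user, {}).items():
        if not re.search(rf"\b{table}\b", sql, re.IGNORECASE):
            continue
        if rules.get("read_only") and statement_type != "SELECT":
            raise PolicyViolation(f"{statement_type} on {table} is blocked for {db_user}")
        projection = ", ".join(
            f"'***' AS {col}" if col in rules["masked_columns"] else col
            for col in TABLE_COLUMNS[table]
        )
        derived = f"(SELECT {projection} FROM {table} WHERE {rules['row_filter']}) AS {table}"
        sql = re.sub(
            rf"\b(FROM|JOIN)\s+{table}\b",
            lambda m: f"{m.group(1)} {derived}",
            sql,
            flags=re.IGNORECASE,
        )
    return sql


def is_blocked(sql: str, db_user: str) -> bool:
    """True if the policy blocks the statement outright."""
    try:
        rewrite_query(sql, db_user)
    except PolicyViolation:
        return True
    return False


def run_demo() -> list:
    """Run a constructed query through the rewriter against an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE customers(id INTEGER, name TEXT, region TEXT, ssn TEXT);
        INSERT INTO customers VALUES (1, 'Ann', 'EU', '111-11-1111');
        INSERT INTO customers VALUES (2, 'Bob', 'US', '222-22-2222');
        INSERT INTO customers VALUES (3, 'Cem', 'EU', '333-33-3333');
        """
    )
    rewritten = rewrite_query("SELECT id, name, ssn FROM customers ORDER BY id", "analyst")
    return conn.execute(rewritten).fetchall()


if __name__ == "__main__":
    print(rewrite_query("SELECT id, name, ssn FROM customers ORDER BY id", "analyst"))
    print(run_demo())
```

The analyst's SELECT comes back with only the EU rows and a masked ssn column, while a DELETE against the same table is refused before it reaches the database; a user with no policy entry is passed through untouched. Anything deployed for real has to parse the statement rather than pattern-match it: aliases, CTEs, comments and quoted identifiers all defeat a regex rewriter, and the patents' "external to the database" placement means the filter is the only thing standing between the application and the raw table.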
-
Patent number: 7426512
Abstract: Network based intrusion detection analyzes DB access attempts prior to transport into the host computer system and accordingly mitigates resource overhead. However, host computer systems often employ local access such as a DBA account. Monitoring access attempts via the network monitor may not encompass such local access attempts. A data security device which intercepts both local and remote access attempts to the database resource monitors all database access attempts for auditing and security analysis. The data security device receives local access transactions via a local agent on the host. The local agent identifies and integrates with an interprocess communication (IPC) mechanism on the host computer system. The local agent implements an IPC interception mechanism to direct local database access attempts to the local agent, which then forwards the intercepted attempts to the data security device for further analysis.
Type: Grant
Filed: February 17, 2004
Date of Patent: September 16, 2008
Assignee: Guardium, Inc.
Inventor: Ron Ben-Natan
-
Publication number: 20070112864
Abstract: A method for automatic reconciliation of database change requests associates administrative database commands with the change request via a context event command. A database monitoring system identifies a context event command that indicates that a particular context, or session, is beginning. The context event command is a tag command, and includes parameters specifying a context label indicative of a change request. Prior to entering a particular change request, the DBA issues the context event command with the context label as a parameter. The context label is an identifier of the change request to be associated with the set of operations, or commands, resulting from the particular change request. The database monitoring system logs and associates subsequently received commands with the context label in a database access log which is employed for later reconciliation of the operations with the corresponding change request.
Type: Application
Filed: November 4, 2005
Publication date: May 17, 2007
Inventor: Ron Ben-Natan
-
Publication number: 20030158897
Abstract: A system for defining communities and matching users into those communities, whereby the matched users gain access to one or more elements associated with the communities. The system comprises a host connected to a network for communication with a plurality of users, the host being configured to: create at least one community by defining attributes for each community and defining one or more elements associated with each community; assign attributes to a user, the attributes being extracted from information associated with the user; match the attributes of at least one user to the attributes of at least one community; and assign the user to the community based on the result of the matching, whereby the user gains access to at least one element associated with that community.
Type: Application
Filed: November 30, 2000
Publication date: August 21, 2003
Applicant: ViryaNet Ltd.
Inventors: Ron Ben-Natan, Chava Kahana, Miri Levy, Rosa Miroshnikov, Oded Sofer, Lea Zafransky