Patents by Inventor Ron Ben-Natan

Ron Ben-Natan has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 8141100
    Abstract: A multi-tier attribute tracking mechanism identifies end user credentials and other client information and attributes and assigns them to database requests in an application server architecture. Disclosed configurations identify the processing unit, or thread, assigned by the operating system to service the incoming request from the user at the application tier. A matching of users to threads allows successive thread activity to be mapped back to the initiating user. Conventional interception of database access attempts at the application level (“server taps,” or staps) identified only the database user (the account in the database) and associated connection as the responsible user. By intercepting, or “tapping” the access request at the operating system level (using kernel taps, or “ktaps”), the mechanism matches which application requests map to which database requests. With this matching, the database requests can be tagged with the user credentials which are known through the application request.
    Type: Grant
    Filed: December 20, 2006
    Date of Patent: March 20, 2012
    Assignee: International Business Machines Corporation
    Inventors: Ron Ben-Natan, Ury Segal
  • Publication number: 20110313981
    Abstract: A method, a data processing system, and a computer program product for protecting data in a database. A query to a database in a data processing system is received by a security mechanism in the data processing system that is external of the database. The query is converted to a modified query according to a security policy. The modified query is sent to the database, and a response to the modified query is returned.
    Type: Application
    Filed: June 17, 2010
    Publication date: December 22, 2011
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventor: Ron Ben-Natan
  • Patent number: 7970788
    Abstract: A nonintrusive database access monitoring mechanism employs a hybrid approach that disallows, or blocks, the access mediums which are not feasible to intercept or analyze, as well as intercepting and analyzing access mediums for which interception and interrogation is available. Accordingly, various configurations provide the hybrid coverage approach to identifying access mediums, and either block or intercept the access attempts. In this manner, access mediums, such as interprocess communication (IPC) system calls, which may be efficiently intercepted and analyzed are captured and substantively processed, while other access mediums that are excessively burdensome or intrusive to capture are unselectively blocked from any communication, avoiding the need to analyze such access attempts.
    Type: Grant
    Filed: August 2, 2005
    Date of Patent: June 28, 2011
    Assignee: International Business Machines Corporation
    Inventors: Ron Ben-Natan, Izar Tarandach
  • Patent number: 7933923
    Abstract: A method for automatic reconciliation of database change requests associates administrative database commands with the change request via a context event command. A database monitoring system identifies a context event command that indicates that a particular context, or session, is beginning. The context event command is a tag command, and includes parameters specifying a context label indicative of a change request. Prior to entering a particular change request, the DBA issues the context event command with the context label as a parameter. The context label is an identifier of the change request to be associated with the set of operations, or commands, resulting from the particular change request. The database monitoring system logs and associates subsequently received commands with the context label in a database access log which is employed for later reconciliation of the operations with the corresponding change request.
    Type: Grant
    Filed: November 4, 2005
    Date of Patent: April 26, 2011
    Assignee: International Business Machines Corporation
    Inventor: Ron Ben-Natan
  • Publication number: 20100131512
    Abstract: A nonintrusive database access monitoring mechanism employs a hybrid approach that disallows, or blocks, the access mediums which are not feasible to intercept or analyze, as well as intercepting and analyzing access mediums for which interception and interrogation is available. Accordingly, various configurations provide the hybrid coverage approach to identifying access mediums, and either block or intercept the access attempts. In this manner, access mediums, such as interprocess communication (IPC) system calls, which may be efficiently intercepted and analyzed are captured and substantively processed, while other access mediums that are excessively burdensome or intrusive to capture are unselectively blocked from any communication, avoiding the need to analyze such access attempts.
    Type: Application
    Filed: August 2, 2005
    Publication date: May 27, 2010
    Inventors: Ron Ben-Natan, Izar Tarandach
  • Publication number: 20100131758
    Abstract: In a data level security environment, the data level security mechanism operates on plaintext data. Data level security operations identify a point in the information stream where plaintext data is available for interception. Typically this is a point in the processing stream just after the native DBMS decryption functionality has been invoked. A database monitor intercepts and scrutinizes data in transit between an application and a database by identifying a transition point between the encrypted and plaintext data where the cryptographic operations are invoked, and transfers control of the data in transit to a database monitor application subsequent to the availability of the data in plaintext form.
    Type: Application
    Filed: February 22, 2007
    Publication date: May 27, 2010
    Inventor: Ron Ben-Natan
  • Publication number: 20100132024
    Abstract: A multi-tier attribute tracking mechanism provides the ability to identify the end user credentials and other client information and attributes and assign them to database requests in an application server architecture. Disclosed configurations identify the processing unit, or thread, assigned by the operating system to service the incoming request from the user at the application tier. A matching of users to threads allows successive thread activity to be mapped back to the initiating user. Conventional interception of database access attempts at the application level (so-called “server taps,” or staps) identified only the database user (the account in the database) and associated connection as the responsible user. By intercepting, or “tapping” the access request at the operating system level (using so-called kernel taps, or “ktaps”), the mechanism matches which application requests map to which database requests.
    Type: Application
    Filed: December 20, 2006
    Publication date: May 27, 2010
    Inventors: Ron Ben-Natan, Ury Segal
  • Publication number: 20090271453
    Abstract: A database security overlay that identifies each network and local access gateway to a database, and monitors each access path from the identified gateways to analyze each connection to the database and block any connections determined to transport unauthorized or undesirable content. Access gateways that establish connections are identifiable by interprocess communication (IPC) mechanisms employed in accessing the database. An evaluator monitors access attempts, while a tapping mechanism on IPC mechanisms that provide the connections captures access attempts from the access gateways. The tapping mechanism intercepts and forwards access attempts to the evaluator to centralize and focus DB paths amid multiple local and external connections on the DB server. A lightweight check for each local access quickly determines if the access attempt warrants further scrutiny.
    Type: Application
    Filed: April 25, 2008
    Publication date: October 29, 2009
    Inventor: Ron Ben-Natan
  • Patent number: 7506371
    Abstract: Typical conventional content based database security scheme mechanisms employ predefined criteria for identifying access attempts to sensitive or prohibited data. An operator identifies the criteria indicative of prohibited data, and the conventional content based approach scans or “sniffs” the transmissions for data items matching the predefined criteria. In many environments, however, database usage tends to follow repeated patterns of legitimate usage. Such usage patterns, if tracked, are deterministic of normal, allowable data access attempts. Similarly, deviant data access attempts may be suspect. Recording and tracking patterns of database usage allows learning of an expected baseline of normal DB activity, or application behavior. Identifying baseline-divergent access attempts as deviant, unallowed behavior allows automatic learning and implementation of behavior based access control. In this manner, data access attempts not matching previous behavior patterns are disallowed.
    Type: Grant
    Filed: January 22, 2004
    Date of Patent: March 17, 2009
    Assignee: Guardium, Inc.
    Inventor: Ron Ben-Natan
  • Patent number: 7437362
    Abstract: Typical conventional database security scheme mechanisms are integrated in either the application or database. Maintenance of the security scheme, therefore, such as changes and modifications, imposes changes to the application and/or database. Configurations of the invention employ a security filter for intercepting database streams, such as data access transactions, between an application and a data repository, such as a relational database. A security filter deployed between the application and database inspects the stream of transactions between the application and the database. The security filter, by nonintrusively interrogating the transactions, provides a content-aware capability for seamlessly and nondestructively enforcing data level security. A security policy, codifying security requirements for the users and tables of the database, employs rules concerning restricted data items. The filter intercepts transactions and determines if the transaction triggers rules of the security policy.
    Type: Grant
    Filed: November 26, 2003
    Date of Patent: October 14, 2008
    Assignee: Guardium, Inc.
    Inventor: Ron Ben-Natan
  • Patent number: 7426512
    Abstract: Network based intrusion detection analyzes DB access attempts prior to transport into the host computer system and accordingly mitigates resource overhead. However, host computer systems often employ local access such as a DBA account. Monitoring access attempts via the network monitor may not encompass such local access attempts. A data security device which intercepts both local and remote access attempts to the database resource monitors all database access attempts for auditing and security analysis. The data security device receives local access transactions via a local agent on the host. The local agent identifies and integrates with an interprocess communication (IPC) mechanism on the host computer system. The local agent implements an IPC interception mechanism to direct local database access attempts to the local agent, which then forwards the intercepted attempts to the data security device for further analysis.
    Type: Grant
    Filed: February 17, 2004
    Date of Patent: September 16, 2008
    Assignee: Guardium, Inc.
    Inventor: Ron Ben-Natan
  • Publication number: 20070112864
    Abstract: A method for automatic reconciliation of database change requests associates administrative database commands with the change request via a context event command. A database monitoring system identifies a context event command that indicates that a particular context, or session, is beginning. The context event command is a tag command, and includes parameters specifying a context label indicative of a change request. Prior to entering a particular change request, the DBA issues the context event command with the context label as a parameter. The context label is an identifier of the change request to be associated with the set of operations, or commands, resulting from the particular change request. The database monitoring system logs and associates subsequently received commands with the context label in a database access log which is employed for later reconciliation of the operations with the corresponding change request.
    Type: Application
    Filed: November 4, 2005
    Publication date: May 17, 2007
    Inventor: Ron Ben-Natan
  • Publication number: 20030158897
    Abstract: A system for defining communities and matching users into said communities, said matched users thereby gaining access to one or more elements associated with said communities; the system comprising a host connected to a network being for communication with a plurality of users, said host being configured for: creating at least one community by defining attributes for each of said communities; and defining one or more elements associated with each of said communities; and assigning attributes to a user, said attributes extracted from information associated with the user; and matching said attributes of at least one user to attributes of at least one community; assigning said user to said community based on the result of said matching; said user thereby gaining access to at least one element associated with said community.
    Type: Application
    Filed: November 30, 2000
    Publication date: August 21, 2003
    Applicant: ViryaNet Ltd.
    Inventors: Ron Ben-Natan, Chava Kahana, Miri Levy, Rosa Miroshnikov, Oded Sofer, Lea Zafransky