
Pluggable Interception of Secure Data with Database Protocol Reconstruction in External Database Security Mechanisms

IP.com Disclosure Number: IPCOM000238708D
Publication Date: 2014-Sep-12
Document File: 5 page(s) / 73K

Publishing Venue

The IP.com Prior Art Database

Abstract

A database audit API is used by a local agent (LA2) integrated with the inter-process communication (IPC) mechanism in order to intercept database session log-in information (DSLI) for database sessions with encrypted log-in. The DSLI is obtained in audit format, which contains the session id (SID). LA2 also intercepts database protocol packets, extracts the SID from them and correlates these packets with the DSLI. LA2 then transforms the DSLI into a database protocol packet and sends it to the external database security mechanism (EDSM) along with the other database protocol packets intercepted at the IPC level.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 33% of the total text.

Page 01 of 5


Availability of database session log-in information (DSLI) is a mandatory requirement for external database security mechanisms (EDSM). This information is used to detect database access security violations (DASV).

Contemporary databases often encrypt the DSLI sent by the database client to the database server. As a result, this information is not directly available to the EDSM.

If the DSLI is encrypted, the intrusion detection system uses a local agent (LA1) that takes control of the cryptographic operation invocation at the database server tier where the incoming DSLI is decrypted. This local agent intercepts the decrypted DSLI without disrupting the main flow, since it returns control to the original cryptographic operation without changing the data flow. LA1 associates the DSLI with a database session using the session identifier (SI) available at the cryptographic tier, and forwards the intercepted decrypted DSLI together with the SI to the EDSM for further analysis ("Nondestructive interception of secure data in transit", patent US 2010/0131758 A1).

If database access is not secure, the intrusion detection system uses a local agent (LA2) integrated with the inter-process communication (IPC) mechanism on the database server host. LA2 implements an IPC interception mechanism at the OS level for database client requests (DCR) and database server responses (DSR), and forwards the intercepted data to the EDSM for further analysis ("System and methods for tracking local database access", patent US 7,426,512 B1).

Both the LA1 and LA2 methods described above are implemented by IBM* InfoSphere* Guardium* and used on the database server host to forward data to the EDSM for further analysis. LA1 is used in the case of encrypted DSLI, and LA2 in the case of unencrypted DCR and DSR.

Patent "Session attributes propagation through database server tiers of secure database access", 13/793877, describes a method of finding the SI and grouping DSLI, DCR and DSR into one database session.
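The following is an added example, not code from the disclosure or from Guardium, of the correlation the abstract describes: LA2 receives log-in records (DSLI, keyed by SID) from the audit API and raw packets from the IPC level, joins the two by SID, and emits the log-in information as a synthesized protocol packet ahead of the session's requests and responses. The packet layout used by build_login_packet (an 8-byte SID header followed by NUL-terminated UTF-16LE fields), the field names, and the sample sessions are all constructed for this example; the page does not specify the real wire format. The one edge case it handles is ordering: a session's first IPC packet may be intercepted before its audit record arrives, so such packets are buffered until the DSLI for that SID is known.

```python
from dataclasses import dataclass, field

LOGIN_FIELDS = ["user", "app", "client_ip", "server", "db"]  # the attributes named in the disclosure


@dataclass
class Packet:
    """One intercepted IPC unit: the SID carried by the protocol header plus the raw payload."""
    sid: int
    payload: bytes
    kind: str  # "DCR", "DSR", or "DSLI" for the synthesized log-in packet


def build_login_packet(record):
    """Encode an audit-format log-in record as a protocol packet.

    Hypothetical simplified layout for this example: 8-byte little-endian SID, then each
    field as NUL-terminated UTF-16LE text. Not the real database protocol's log-in layout."""
    body = b"".join(record[f].encode("utf-16-le") + b"\x00\x00" for f in LOGIN_FIELDS)
    header = record["sid"].to_bytes(8, "little")
    return Packet(sid=record["sid"], payload=header + body, kind="DSLI")


def parse_login_packet(pkt):
    """Decode a packet produced by build_login_packet (what the EDSM side would do)."""
    sid = int.from_bytes(pkt.payload[:8], "little")
    values = pkt.payload[8:].decode("utf-16-le").split("\x00")[:-1]
    return dict(zip(LOGIN_FIELDS, values), sid=sid)


@dataclass
class Correlator:
    """Joins audit-API log-in records with IPC-level packets by SID.

    Packets whose SID has no log-in record yet are held back, so the forwarded stream
    always carries a session's DSLI packet before its first DCR/DSR, regardless of the
    order in which the two sources deliver."""
    logins: dict = field(default_factory=dict)   # sid -> synthesized DSLI packet
    pending: dict = field(default_factory=dict)  # sid -> packets seen before the log-in record
    out: list = field(default_factory=list)      # packets in the order forwarded to the EDSM

    def on_audit_login(self, record):
        sid = record["sid"]
        if sid in self.logins:          # duplicate audit event for a known session: ignore
            return
        pkt = build_login_packet(record)
        self.logins[sid] = pkt
        self.out.append(pkt)
        self.out.extend(self.pending.pop(sid, []))   # release anything buffered for this SID

    def on_ipc_packet(self, pkt):
        if pkt.sid in self.logins:
            self.out.append(pkt)
        else:
            self.pending.setdefault(pkt.sid, []).append(pkt)


def demo():
    """Constructed sample: two sessions; session 41's first request is seen before its audit record."""
    c = Correlator()
    c.on_ipc_packet(Packet(41, b"SELECT 1", "DCR"))             # no DSLI yet: buffered
    c.on_audit_login({"sid": 41, "user": "appuser", "app": "reportsvc",
                      "client_ip": "10.0.0.7", "server": "dbhost1", "db": "sales"})
    c.on_audit_login({"sid": 42, "user": "batch", "app": "etl",
                      "client_ip": "10.0.0.9", "server": "dbhost1", "db": "sales"})
    c.on_ipc_packet(Packet(42, b"SELECT 2", "DCR"))
    c.on_ipc_packet(Packet(41, b"1 row", "DSR"))
    return c


if __name__ == "__main__":
    for p in demo().out:
        print(p.sid, p.kind, parse_login_packet(p) if p.kind == "DSLI" else p.payload)
```

The forwarded order for the sample is DSLI 41, DCR 41, DSLI 42, DCR 42, DSR 41: the buffered request for session 41 is released only once its log-in record exists, which is what lets the EDSM attribute every request to a user, client application and client address.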

Fig. 1 and Fig. 2 show the data flow. Fig. 3 shows part of the decrypted DSLI, in hexadecimal form, of a database protocol packet that contains the information important for security violation validation. Such information comprises the database user name, database client application name, client IP address, server host name and database name.

Fig. 1

Fig. 2




00000070 : 31 00 73 00 61 00 d3 a5 f2 a5 b3 a5 82 a5 e3 a5 1.s.a...........
00000080 : 33 a5 f2 a5 73 a5 52 00 61 00 7a 00 6f 00 72 00 3...s.R.a.z.o.r.
00000090 : 53 00 51 00 4c 00 31 00 39 00 32 00 2e 00 31 00 S.Q.L.1.9.2...1.
000000a0 : 36 00 38 00 2e 00 32 00 2e 00 34 00 35 00 6a 00 6.8...2...4.5.j.
000000b0 : 54 00 44 00 53 00 47 00 75 00 61 00 72 00 64 00 T.D.S.G.u.a.r.d.
000000c0 : 69 00 75 00 6d 00 5f 00 51 00 41 00 i.u.m._.Q.A.

Fig. 3

The DSLI, DCR and DSR shown in Fig. 1, Fig. 2 and Fig. 3 are database protocol structures.
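As an added example (not code from the disclosure or from Guardium), the following parses the Fig. 3 hex dump back into bytes and pulls out the readable text of the log-in packet. The dump is reproduced from the page; the parser trusts only the hex column, checks that the dump offsets are contiguous so a line lost during extraction is reported rather than silently shifting every later byte, and matches dump records rather than text lines so the run-together form in which the figure was extracted parses the same as the one-record-per-line form. The text fields are stored as UTF-16LE (a printable low byte followed by a zero high byte), so the extractor scans for runs of such pairs; the page does not give the packet's field boundaries, so the result is the raw runs, not a labelled user name, application name, and so on.

```python
import re

# Hex dump reproduced from Fig. 3 of the disclosure: "offset : hex bytes  ascii column".
FIG3_DUMP = """\
00000070 : 31 00 73 00 61 00 d3 a5 f2 a5 b3 a5 82 a5 e3 a5 1.s.a...........
00000080 : 33 a5 f2 a5 73 a5 52 00 61 00 7a 00 6f 00 72 00 3...s.R.a.z.o.r.
00000090 : 53 00 51 00 4c 00 31 00 39 00 32 00 2e 00 31 00 S.Q.L.1.9.2...1.
000000a0 : 36 00 38 00 2e 00 32 00 2e 00 34 00 35 00 6a 00 6.8...2...4.5.j.
000000b0 : 54 00 44 00 53 00 47 00 75 00 61 00 72 00 64 00 T.D.S.G.u.a.r.d.
000000c0 : 69 00 75 00 6d 00 5f 00 51 00 41 00 i.u.m._.Q.A.
"""

# One dump record: 8 hex digits of offset, a colon, then up to 16 hex pairs. Matching records
# instead of lines means a dump whose lines were fused together by extraction still parses.
RECORD_RE = re.compile(r"([0-9a-fA-F]{8})\s*:\s*((?:[0-9a-fA-F]{2}(?:\s+|$)){1,16})")


def parse_hexdump(dump):
    """Return (base_offset, raw_bytes) for a hex dump.

    Only the hex column is used; the ASCII column is a lossy rendering. Offsets must be
    contiguous so that a record missing from the dump raises instead of producing a
    byte string in which everything after the gap is misaligned."""
    base, expected, buf = None, None, bytearray()
    for m in RECORD_RE.finditer(dump):
        offset = int(m.group(1), 16)
        chunk = bytes.fromhex("".join(m.group(2).split()))
        if base is None:
            base = offset
        elif offset != expected:
            raise ValueError(f"gap in dump: expected offset {expected:#x}, got {offset:#x}")
        buf += chunk
        expected = offset + len(chunk)
    if base is None:
        raise ValueError("no dump records found")
    return base, bytes(buf)


def utf16le_runs(data, base=0, min_chars=3):
    """Return (absolute_offset, text) for each run of printable ASCII stored as UTF-16LE.

    A code unit qualifies when its low byte is printable ASCII and its high byte is zero.
    Between runs the scan advances one byte at a time, so it does not assume the text
    starts on an even offset."""
    runs, i = [], 0
    while i + 1 < len(data):
        start, chars = i, []
        while i + 1 < len(data) and data[i + 1] == 0 and 0x20 <= data[i] < 0x7F:
            chars.append(chr(data[i]))
            i += 2
        if len(chars) >= min_chars:
            runs.append((base + start, "".join(chars)))
        if i == start:          # no run here: step to the next byte
            i += 1
    return runs


def fig3_text_runs():
    """The readable UTF-16LE text of the Fig. 3 fragment, with the dump offset of each run."""
    base, raw = parse_hexdump(FIG3_DUMP)
    return utf16le_runs(raw, base)


if __name__ == "__main__":
    for offset, text in fig3_text_runs():
        print(f"{offset:#06x}  {text}")
```

The fragment yields two runs: a short one at offset 0x70 and, from offset 0x86, the concatenated client-application, address and name text that the figure's ASCII column shows one character at a time; the bytes in between are not UTF-16LE text and are left uninterpreted. In an EDSM these runs are what gets matched against the user, application, client address, server and database names configured in the access policy.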

The main drawback of LA1 is that LA1 takes...