US20160315975A1 - System and Method for Tracking and Auditing Data Access in a Network Environment - Google Patents

System and Method for Tracking and Auditing Data Access in a Network Environment Download PDF

Info

Publication number
US20160315975A1
US20160315975A1 US14/694,665 US201514694665A US2016315975A1 US 20160315975 A1 US20160315975 A1 US 20160315975A1 US 201514694665 A US201514694665 A US 201514694665A US 2016315975 A1 US2016315975 A1 US 2016315975A1
Authority
US
United States
Prior art keywords
user
identification
tracking
data
server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
US14/694,665
Other versions
US9462014B1 (en
Inventor
YeeJang James Lin
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
DATIPHY Inc
Original Assignee
DATIPHY Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by DATIPHY Inc filed Critical DATIPHY Inc
Priority to US14/694,665 priority Critical patent/US9462014B1/en
Assigned to CHALET TECH INC. reassignment CHALET TECH INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: LIN, YEEJANG JAMES
Assigned to DATIPHY INC. reassignment DATIPHY INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: CHALET TECH INC.
Priority to US15/273,056 priority patent/US9807125B2/en
Application granted granted Critical
Publication of US9462014B1 publication Critical patent/US9462014B1/en
Publication of US20160315975A1 publication Critical patent/US20160315975A1/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/30Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/308Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information retaining data, e.g. retaining successful, unsuccessful communication attempts, internet access, or e-mail, internet telephony, intercept related information or call content
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00Administration; Management
    • G06Q10/06Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102Entity profiles
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/50Network services
    • H04L67/535Tracking the activity of the user
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection

Abstract

A system and method that correlate business transaction in a system and traffic generated from this business transaction in a network back to a user identity that invoked this business transaction and generated subsequent network traffic. The method enables a user to set up rules for tracking the activities in a system and network traffic and these rules can then be user later for monitoring user activities. The user activities, network traffic, and the user identity are correlated and stored in a data-to-business mapping file. This data-to-business mapping file can be used for auditing events in the system.

Description

    BACKGROUND OF THE INVENTION
  • 1. Field of the Invention
  • The present invention generally relates to data security, and more specifically, relates to a system and method that audit information regarding data access.
  • 2. Description of the Related Art
  • Nowadays, in any commercial and business setting, an action from an end-user at any workstation in a system with many subsystems may trigger innumerous data transactions throughout sub-systems. For example, a person can sit in front of his home computer can visit a website and make a purchase of a product. This purchasing act will cause many actions to happen in one or more systems, for example, the information regarding the person may be recorded, the payment information may be recorded, the information about the product may be retrieved and displayed to the person, and the purchase information may be stored.
  • The information about these actions may be recorded by the front-end website host but the real users and actions are not associated with the back-end data transactions where data changes are made. Therefore, for a system accessed by thousands people each day, the retrieved information about a database access or communication between two sub-systems cannot be readily associated with the person who caused the actions to happen, neither for the business operations triggering data transactions. Thus, making difficult to audit the meaningful business transactions.
  • Therefore, there is a need for a system and method that audits transactions and records transactions associated with real users and business operations, and it is to this system the present invention is primarily directed to.
    • SUMMARY OF THE INVENTION
  • The system of the present invention provides new capabilities to servers used by enterprises by enabling the servers to associate a recorded data transaction to a business transaction invoked by a user.
  • In one embodiment, the present invention provides a method for tracking user activities in a network system. The method comprises the steps of detecting, by a tracking server at an entry point, a request from a user, retrieving, by the tracking server from a storage unit, a rule based on an user identification associated with the request, tracking, by the tracking server, user access information associated with the request according to the rule, and recording the user access information in a data-to-business mapping file. The above method also applies to the mapping of business actions and the mapping is also recorded in data-to-business mapping file.
  • In another embodiment, there is provided a method for creating a rule for tracking user access in a network system. The method comprises the steps of recording, by a tracking server, an entry point identification to the network system, activating an application with a known user identification, tracking, by the tracking server, network transactions on the network system, recording, by the tracking server, identification information associated with the network transactions, and associating the identification information with the entry point identification, identification of the application and identification of business action
  • In another embodiment, there is also provided a server for tracking user activities in a network system. The server comprises a network interface unit for monitoring network traffic, an audit policy unit for controlling rules, a database tracking unit for database access requests and responses, a control unit, and a storage unit in which a non-transitory computer program is stored, When the non-transitory computer program wherein is executed by the control unit, the server performs the steps of detecting a request from a user, retrieving a rule based on an user identification associated with the request, tracking user access information associated with the request according to the rule, and recording the user access and business action information in a data-to-business mapping file.
  • The present system and methods are therefore advantageous as they enable identification of real user identity associated with information access requests. Other advantages and features of the present invention will become apparent after review of the hereinafter set forth Brief Description of the Drawings, Detailed Description of the Invention, and the Claims.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • Features and advantages of embodiments of the invention will become apparent as the following detailed description proceeds, and upon reference to the drawings, where like numerals depict like elements, and in which:
  • FIG. 1 depicts a 3-D data model representing data in a system;
  • FIG. 2 depicts a model representing data usage in the time domain;
  • FIG. 3 depicts a use of data in the time domain;
  • FIG. 4 illustrates state of data at different conditions in a system;
  • FIG. 5 illustrates a data model based on the physical disposition;
  • FIG. 6 illustrates architecture of a computer network;
  • FIG. 7 illustrates a model for mapping user information;
  • FIG. 8 is a process for setting up rules for a system;
  • FIG. 9A is a general process for data-business mapping;
  • FIG. 9B is a detail process for mapping data-user-business;
  • FIG. 10A is a process for retrieving a record corresponding to a user access;
  • FIG. 10 B is a process for retrieve records for selected criteria; and
  • FIG. 11 is architecture of one embodiment of the present invention.
    •  DETAIL DESCRIPTION OF THE INVENTION
  • In this description, the term “application” as used herein is intended to encompass executable and non-executable software files, raw data, aggregated data, patches, and other code segments. The term “exemplary” is meant only as an example, and does not indicate any preference for the embodiment or elements described. Further, like numerals refer to like elements throughout the several views, and the articles “a” and “the” includes plural references, unless otherwise specified in the description. The term “system” and “network” are used interchangeably.
  • In an overview, the present invention provides a system and method for collecting data that transit through a computer network, classifying the collected data, associating the collected data with business operations, enabling auditing of the data collected in any part of the network, and identifying a collected data with a business operation. Before describing the unique features of the present invention, a model for data transit in the network is described. When a user access requests a service, e.g. making a purchase through a website on the Internet, many data and data transactions are created. Data flows from one server to another and data transactions occur between the servers. Data connections are established between the servers for these data transactions. The data generated by the system go through different transformation as the data pass through different servers and operate by different applications. FIG. 1 illustrates a 3-D model representing data in a system. The X-axis represents passage of time: past, present, and future. The time progresses moving away from the center of the axes. The time aspect in essential when auditing data, performing security analysis, etc. The Y-axis represents the life cycle of the data. Data are at rest when stored in a database, data are in transit when moving from one server to another server, and data are in action when used by an application. The Z-axis represents the spatial allocation of data. Data are considered to be in the front when they are closer to the end user, for example, in a web server. Data are in the middle when they are passing through some intermediate server. Data are in the back when they are stored in some database in a back end server.
  • FIG. 2 depicts a model representing data usage in the time domain. The data may be used to learn the events of the past, for example, auditing network traffic data during investigation of a network security breach. The data may also be used to check the system integrity in real time. Finally, the data may be used to predict future, for example, using the current market data to predict future trend for a stock.
  • FIG. 3 is a visualization of use of data in the time domain. The data transactions are recorded and stored in the system and the selection of the data transactions for any operation depends on the objective of the operation. For example, if the operation relates to data audit, then the time span, indicated between “From” and “To,” of the data transactions of interests should be selected more from the past. If the operation relates to real time actions, such as monitoring a security, then the time span to collect the data should cover more present data transactions.
  • FIG. 4 illustrates the state of data at different conditions in a system using analogy of different state of a material. When the data are at rest, for example, stored in a server, the state of the data is like solid for a material. When the data are in transit, for example, moving through a network, the state of the data is like liquid for the material. Finally, when the data are in action, for example, being processing by applications, the state of the data is like gas for the material.
  • FIG. 5 is a representation of a data model based on the physical disposition. The data used in web services are considered to be in front of the system. The data used in business logics are considered to be in middle of the system. The data stored in the database are considered to be in back of the system.
  • FIG. 6 is architecture of a computer network 600. A user 602 can interact with the system by entering commands through his home computer 604. The home computer 604 can interact with one or more web servers 606 a-606 c and each web server 606 may be connected to one or more database server 608 a-608 d. Because the data can be distributed in different locations in the network 600 and also in different state, it is hard to correlate the data in the network 600, i.e., it is difficult to know the impact of a data operation performed by a web server on a database because applications in the front of the system and applications in the back of the system may be developed by different companies and there is no one uniform way to identify and track the data.
  • The present invention discloses a method to learning about the data in a system and consequently to develop a set of policies that can be used tracking the data. As shown in FIG. 7, to establish a set of policies that can be applied to the data in the system, it is necessary to learning the “entry” points of the system, i.e., the points that a user interfaces with the system or the commands that the user invokes to use the system. The entry point can be a website, an automatic teller machine (ATM), an application running on a server, etc. From these entry points, a “tracker” traffic is created by invoking a command with a known entity. By tracking the transactions involving this known entity through the user login process, monitoring web traffic, and database traffic, a data-to-business mapping can be captured. For example, the tracking traffic can be a user logging into a county government website and requesting tax information on his property. By knowing this is the business operation, it can be tracked operations in the web server that involve the user identification (ID), the business operation, and the information request operation. It can also be monitored network traffic between the servers after the user invoked the command. Finally, all database requests are monitored and data can related back to the business operation.
  • FIG. 8 is a flowchart 850 for a process for learning operations related to a business process. The entry points of the front end and back end traffic need to be identified, step 852, and selected target business actions are executed at the front-end entry point, step 854, which usually is an action taken at a web service. The data traffic from the web and between database servers are captured, step 856, and the captured data traffic are tracked and analyzed, step 858. The captured data traffic is used to create and to update data-business rules, step 860. This captured data traffic is used to simulate the web and database traffic, step 864, and the monitored entry points are checked, step 866, to confirm the data-business rules, step 868. If the data-business rules are not confirmed, then the process is repeated and the data traffic is analyzed again, step 858. If the data-business rules are confirmed, the data-business rules are stored, step 870.
  • In the system shown in FIG. 6, after a user logs in, a user ID and a session ID are created and subsequent user activities and resulting network activities can be tracked and tied to the business operation (application) and the user ID. As an example, the following information may be collected:
  • (EntryPoint; UserID; SessionID; AppID; CommandID; ConnectionID; ClientID;)
  • The above collected information forms a rule in the policy. For each entry point and each application, a rule will be created and this rule will be used in the future to monitor the operations in the system. However, before the rule is set and saved, the tracker traffic is replayed and the rule is used to monitor the data traffic in the system. After the rule is verified, the rule can then be saved and used as part of the policy.
  • After setting up the policy for the system, the data transactions in the system can be tracked and monitored. Changes in data records before and after being processed by an application can be recorded and observed. Creation and transfer of the data in the system are also recorded and observed.
  • FIG. 9A is a general description of a process 950 for mapping user to data collected and to business operation. The process 950 starts with capturing data traffic of business transactions at the front-end and back-end, step 952. After the data are collected, the system checks whether the process 950 is set up for mapping the data collected to business transactions, step 954. If the process 950 has not been set up for data-business mapping, then the process 950 stops. If the data-business mapping is enabled, the collected data are mapped, step 956, and then checked if the data-business mapping matches any data-business rule, step 958. If the collected data match a data-business rule, then the audit record will be updated with the captured data, step 960, and the process 950 repeats. If the collected data do not match any data-business rule, the process 950 starts anew and the collected data may be saved for future consideration whether a new data-business rule is needed.
  • FIG. 9B is a flowchart of a detail process 900 for mapping user and business information using the system described above. FIG. 9B expands the process illustrated in step 956 in FIG. 9A. A user accesses the system by invoking a business function at an entry point. When a user access is detected, step 902, the system checks whether there is a session open, step 903. Multiple accesses from a user within a short period of time may be recorded under the same session ID. Generally speaking, a session is defined by time duration; however, other criteria may also be used to define a session, such as geographic region or the IP addresses of the entry points, or combination thereof. For example, if a user accesses the system through an IP address associated with his home address and then 10 minutes later the same user accesses the system through a second IP address associated with his office address, these two accesses, though close in time, will be assigned two different session IDs. If there is no session open, a new session ID may be created, step 904, associated with the user ID and a timer is set and associated with the session ID. A rule for the entry point or entry mode may be retrieved, step 906. If the user accesses the system through a website, a website related rule may be retrieved. The rule is also identified by the business transaction invoked by the user. As the user transacts with the system, data may be created and travel from one server to another server within the system and the connection IDs between the servers are tracked and obtained according to the rule, step 908. The business transaction invoked by the user and identifications associated with user activities generated from the business transaction are also tracked and obtained according to the rule. The connection IDs are stored in a data-to-business mapping file, step 910, along with the user ID and the session ID. The database access requests, which generally correspond to one or more business operations, originated by the user access are also tracked, step 912, and these database access requests are also stored in the data-to-business mapping file 914. The tracking continues for all other user commands.
  • If there is a session already open when the user accesses the system, the system retrieves a rule from the policy, step 916, according to the manner the user accesses the system. The system tracks the connection ID according to the rule, step 918, and the connection IDs are stored in a data-to-business mapping file, step 920, along with the user ID and the session ID. The database access requests, corresponding to one or more business operations, originated by the user access are also tracked, step 922, and these database access requests are also stored in the data-to-business mapping file 924. When the timer for the session ID runs out, the session is closed, a new session ID will be created for future access, and the data-to-business mapping file is closed and stored. For future accesses, a new session ID and a new data-to-business mapping file will be created.
  • Below is a simplified description of a web purchase by a user to illustrate data collection and recording according to the present invention. When a user uses his computer to make a purchase on a website on the Internet, the user logs into the website. After the web server authenticates the user, a user ID (UserLoginID) is assigned to the user and a session ID (UserSessionID) is created. The user starts with browsing the products. The browsing request from the user and subsequent network traffic related to a database access request for retrieving product information are all recorded and the user ID for each operation is recorded according to a rule from the a policy set related to the browsing. So, at this point, a data-to-business mapping file would have, for example, UserLoginID, UserSessionID, UserBrowsingID, and DataRetrieveID. Evidently, people skilled in the art would know that many other operations may happen to achieve the browsing operation and a data-to-business mapping file may conceivably contain many more ID information.
  • After browsing the products, the user may purchase one item and this purchase action causes a new rule to be retrieved. The item is recorded in a purchase database associated with the user and this is done by a database modification request to the purchase database. The ID information associated with the purchase operation and database modification are tracked according to the new rule file. The data-to-business mapping file would record these ID information, UserPurchaseID and DataModifyID.
  • At the end of his purchase, the user decides to check out and pay for his purchase. Assuming the user is a returning user, the system may have his address in the record. So, the web server retrieves the user information from a user information database and the user information may include the user's home address and the user's credit card information. The operations involved in this check out process may include retrieving the user information from the user information database and the ID information used in this operation, UserInfoRetrieveID, is recorded in the data-to-business mapping file.
  • If the user decides to use a different payment form, such as different credit card, or send the purchase to his office instead of his home address, the web server enables the user to enter different payment information and different shipping address. This new information will then be recorded in the proper database and different database commands will be used to accomplish these tasks. The ID information related to these transactions, UserDataInputID and DataModifyID, are recorded in the data-to-business mapping file.
  • All the ID information collected and recorded during the session will be recorded in the data-to-business mapping file and the data-to-business mapping file may have:
      • (UserLoginID, UserSessionID, BusinessObjIDUserBrowsingID, DataRetrieveID, UserPurchaseID, DataModifyID, UserInfoRetrieveID, UserDataInputID, DataModifyID)
      • wherein,
      • UserLoginID is user login identification,
      • UserSessinID is access session identification,
      • BusineesObjID is identification of a business command invoked, and
      • UserBrowingID is browsing session identification.
      • Inclusion of other identifications depend on the business command invoked.
  • Since all ID information is recorded in the data-to-business mapping file, it is possible to identify the identity of the user whose action causes a particular transaction to occur in the system. For example, if a particular database transaction is suspected to be part of an illegal transaction, the ID information in this particular database transaction can be used to compare with the information in the data-to-business mapping files. The data-to-business mapping file that contains the ID information for the particular database transaction can be retrieved and the user ID of this data-to-business mapping file will disclose the identity of the user whose action caused the suspicious database transaction.
  • Though not listed above, the system may collect and record the information on the application (program) that invoked database commands. The information may include the program name and other information in the following list:
      • DB Server
      • DB Client
      • DB Type
      • Client Port
      • Server Port
      • DB User ID
      • Client Program Name
      • Client OS User
      • Client System Name
      • AppUser ID
      • DB
      • Tables
      • Functions
      • Columns
      • Commands
      • SQL statements
      • Bind Variables
      • Response Messages
      • Number of rows
      • number of columns
      • Start Time
      • End Time
      • Response Time
      • Total time
      • Number of bytes Send
      • Number of bytes received
      • Connection ID
      • Session ID
  • FIG. 10A illustrates a process 1000 for identifying a user access using the information collected by the system disclosed in the present invention. A information from a transaction event is received, step 1002, by the system when a system administrator wants to learn the user request associated with the transaction event. The transaction event can be a database transaction or any user transaction. Using the information in the transaction event, a data-to-business mapping file can be retrieved from a database, step 1004. Since the data-to-business mapping file has records of activities and connections associated with a particular user request, the user access record for the particular user request can be obtained, step 1006.
  • FIG. 10B illustrates a data auditing process 1050 that retrieve relevant data transaction records (events). The present invention allows a system administrator to identify time and matching criteria, step 1052, which are fed to the system. The system administrator can also specify other criteria, such as user ID, time period, business transaction, etc, step 1054, and these criteria are used to retrieve relevant data transaction records from a stored database, step 1056. This auditing process enables system administrator to retrieve and check data transactions related to a business operation.
  • The identification of an event related to a data transaction may be made easier by recording additional business operation related information along with the transaction data. When a transaction data is collected, for example a transaction data reflecting a data request from a web server 606 to a database server 608, the system searches for the data-business mapping rule for this data request. After identifying the data-business mapping rule, a corresponding data-business mapping file can be retrieved. The transaction data from this data request can be identified and stored in this data-business mapping file. Because this data-business mapping file is available, the user identification and business operation information related to this data request can be retrieved from the data-business mapping file and stored as part of the transaction data of this data request. Using this approach, the transaction data for each and every data transaction in the system is saved with identification information about the user and also about the business transaction that caused the data transaction. The transaction data saved would be:
      • SavedTransData=(UserID; BusObjID)+(raw data from data transaction)
      • where,
      • SavedTrasnData is the saved data for the data transaction;
      • UserId is the identification of the user; and
      • BusObjld is identification of a business command invoked.
  • Because of the saved transaction data includes identification of the user and of the business command/operation related to the data transaction, the processes described in FIGS. 10A and 10B become easier and faster. If the system administrator identifies a particular data transaction as suspicious, he can learn the identity of the user and the business operation promptly from the retrieved saved transaction data. People skilled in the art will appreciate that other identification information can also be saved with the raw data from the data transaction.
  • FIG. 11 illustrates architecture 1100 of a tracking server 1102 according to one embodiment of the present invention. The tracking server 1102 can be placed in the computer network shown in FIG. 6 and connected to the web servers 606 a-606 c and the database servers 608 a-608 d. The tracking server 1102 may also be embedded into any of the web servers or the database servers. The tracking server 1102 can monitor and track, inside the web servers and the database servers, activities or data transactions generated by a user request and also network activities between the web servers and the database servers related to the user request. The tracking server 1102 comprises a network interface 1104, an audit policy unit 1106, an authentication unit 1108, a control unit 1110, a user interface 1112, a database access/tracking unit 1116, and a storage unit 1120.
  • The network interface unit 1104 monitors network traffic, i.e., database access requests and responses travelling through the network. The audit policy unit 1106 controls audit policies/rules and the rules are used for tracking user access requests. The authentication unit 1108 authenticates the user and also checks whether there is a session open for the user. The user interface unit 1112 receives and displays information to and from a system administrator. The database access/tracking unit 1116 tracks database access requests and responses travelling through the network. The storage unit 1120 stores the audit policies/rules. The storage unit 1120 may also store a computer program that, when executed by the control unit 1110, controls the operation of components of the tracking server 1102. The storage unit may be any non-transitory storage unit, such as non-volatile memory, hard disk, or other suitable storage device.
  • According to one embodiment of the present invention, when a user invokes a business function in a system, the authentication unit 1108 authenticates the user and control unit 1110 checks whether there is a session already open for the user. If there is already a session open for the user, the control unit 1110 retrieves a data-to-business mapping file and stores the information for the current user access, which includes the business function invoked and the user ID, into the data-to-business mapping file. If there is no session opened for the user, the control unit 1110 created a session ID, opens a data-to-business mapping file, and associates it with the session ID. The audit policies/rules unit 1106 retrieves a rules file from the storage unit 1120 according to the function invoked by the user. The rules file is used by the tracking server 1102 to track the activities and database accesses generated by the business function invoked by the user. As the system processes the function invoked by the user, different database access requests may be sent from the system to one or more database servers. These database access requests and their respective responses are tracked by the database access/tracking unit 1116. Because all the transactions and database accesses are tracked and their essential information recorded, it becomes possible to identify the original business function associated with any database request or response.
  • The system and method described above enables a system administrator to audit events in the system and associate data transactions in the system with the business function that generated these data transactions. For example, if there is an abnormal access to a database, the information related to the database access request can be related back to a particular network traffic by searching the data-to-business mapping file. After identifying the data-to-business mapping file containing this abnormal database access request, it is possible to learn the business transaction, the user identification, the session identification, the entry point, etc. With this information, it is possible to retrieve the actual raw data saved for each of the operations and activities.
  • In the context of FIGS. 8-10, the steps illustrated do not require or imply any particular order of actions. The actions may be executed in sequence or in parallel. The method may be implemented, for example, by operating portion(s) of a network device, such as a network router or network server, to execute a sequence of machine-readable instructions. The instructions can reside in various types of signal-bearing or data storage primary, secondary, or tertiary media. The media may comprise, for example, RAM (not shown) accessible by, or residing within, the components of the network device. Whether contained in RAM, a diskette, or other secondary storage media, the instructions may be stored on a variety of machine-readable data storage media, such as DASD storage (e.g., a conventional “hard drive” or a RAID array), magnetic tape, electronic read-only memory (e.g., ROM, EPROM, or EEPROM), flash memory cards, an optical storage device (e.g. CD-ROM, WORM, DVD, digital optical tape), paper “punch” cards, or other suitable data storage media including digital and analog transmission media. The instructions when executed by a computer will enable the computer to perform the steps illustrated in FIGS. 8-10.
  • The units illustrated in FIG. 11 are described based on their function and these units may have different physical implementation, such as the units may be combined or implemented in different computers.
  • While the invention has been particularly shown and described with reference to a preferred embodiment thereof, it will be understood by those skilled in the art that various changes in form and detail may be made without departing from the spirit and scope of the present invention as set forth in the following claims. Furthermore, although elements of the invention may be described or claimed in the singular, the plural is contemplated unless limitation to the singular is explicitly stated. The combinations of different features described in different embodiments in this specification are foreseeable and within the scope of the invention.

Claims (20)

1. A method for tracking user activities in a network system, comprising the steps of:
detecting, by a tracking server at an entry point in network system, a request from a user;
retrieving, by the tracking server from a storage unit, a rule based on the entry point and the request;
tracking, by the tracking server, user access information associated with the request according to the rule;
tracking, by the tracking server, a connection identification between servers associated with the request; and
recording the user access information and the connection identification in a data-to-business mapping file.
2. The method of claim 1, further comprising the step of creating a session identification associated with the user identification for the user.
3. The method of claim 1, further comprising the steps of:
determining whether there is a session identification associated with the user identification; and
creating a session identification for the user identification if there is no session identification associated with the user identification.
4. The method of claim 3, further comprising the step of creating a timer for the session identification, wherein when the timer expires the data-to-business mapping file is closed and a new data-to-business mapping file created.
5. The method of claim 1, wherein the tracking step further comprising the step of monitoring database access requests and database responses in the network system.
6. The method of claim 1, wherein the tracking the user access information step further comprising the step of obtaining identification information for activities generated from the request.
7. The method of claim 1, wherein the user access information comprises user login identification information and session identification information.
8. The method of claim 1, wherein the step of detecting, by a tracking server at an entry point, a request from a user further comprises
detecting a business operation invoked by the user at the entry point; and
generating the request corresponding to the business operation.
9. A method, for creating a rule for tracking user access in a network system, comprising the steps of:
recording, by a tracking server, identification of an entry point to the network system;
activating an application with a user identification known to the tracking server;
tracking, by the tracking server, network transactions associated with the known user identification on the network system;
recording, by the tracking server, identification of a connection, associated with the network transactions, between servers; and
associating the identification of the connection with the identification of the entry point and an identification of the application.
10. The method of claim 9, further comprising the step of tracking, by the tracking server, identifications associated with user activities.
11. The method of claim 9, further comprising the step of storing the identification of the connection and the identification of the associated entry point, and the identification of the application into a rule file.
12. The method of claim 9, further comprising the step of recording, by the tracking server, a business transaction associated with the application.
13. A server for tracking user activities in a network system, comprising:
a network interface unit for monitoring network traffic;
an audit policy unit for controlling rules;
a database tracking unit for database access requests and responses;
a control unit; and
a storage unit in which a non-transitory computer program is stored, wherein when the non-transitory computer program is executed by the control unit, the server performs the steps of:
detecting, at an entry point, a request from a user,
retrieving a rule associated with the request and the entry point,
tracking user access information associated with the request according to the rule,
tracking a connection identification between servers in the network system associated with the request, and
recording the user access information and the connection identification in a data-to-business mapping file.
14. The server of claim 13, wherein the server further performs the step of creating a session identification associated with an user identification for the user.
15. The server of claim 13, wherein the server further performs the steps of:
determining whether there is a session identification associated with an user identification for the user; and
creating a session identification for the user identification if there is no session identification associated with the user identification.
16. The server of claim 15, wherein the server further performs the step of creating a timer for the session identification, wherein when the timer expires the data-to-business mapping file is closed and a new data-to-business mapping file created.
17. The server of claim 13, wherein the tracking user access information step further comprising the step of monitoring database access requests and database responses in the network system.
18. The server of claim 13, wherein the request is a business transaction invoked by the user.
19. The server of claim 13, wherein the tracking user access information step further comprising the step of obtaining identification information for activities generated from the request.
20. The server of claim 13, wherein the user access information comprises user login identification information and session identification information.
US14/694,665 2015-04-23 2015-04-23 System and method for tracking and auditing data access in a network environment Active US9462014B1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US14/694,665 US9462014B1 (en) 2015-04-23 2015-04-23 System and method for tracking and auditing data access in a network environment
US15/273,056 US9807125B2 (en) 2015-04-23 2016-09-22 System and method for tracking and auditing data access in a network environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US14/694,665 US9462014B1 (en) 2015-04-23 2015-04-23 System and method for tracking and auditing data access in a network environment

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US15/273,056 Continuation US9807125B2 (en) 2015-04-23 2016-09-22 System and method for tracking and auditing data access in a network environment

Publications (2)

Publication Number Publication Date
US9462014B1 US9462014B1 (en) 2016-10-04
US20160315975A1 true US20160315975A1 (en) 2016-10-27

Family

ID=56995320

Family Applications (2)

Application Number Title Priority Date Filing Date
US14/694,665 Active US9462014B1 (en) 2015-04-23 2015-04-23 System and method for tracking and auditing data access in a network environment
US15/273,056 Active US9807125B2 (en) 2015-04-23 2016-09-22 System and method for tracking and auditing data access in a network environment

Family Applications After (1)

Application Number Title Priority Date Filing Date
US15/273,056 Active US9807125B2 (en) 2015-04-23 2016-09-22 System and method for tracking and auditing data access in a network environment

Country Status (1)

Country Link
US (2) US9462014B1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11544229B1 (en) * 2020-04-29 2023-01-03 American Express Travel Related Services Company, Inc Enhanced tracking of data flows

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP6341031B2 (en) * 2014-09-22 2018-06-13 富士通株式会社 Access control program, access control method, and information processing apparatus
US9462014B1 (en) * 2015-04-23 2016-10-04 Datiphy Inc. System and method for tracking and auditing data access in a network environment
US20170012839A1 (en) * 2015-07-06 2017-01-12 Bank Of America Corporation System Architecture Mapping
CN108319542B (en) * 2017-01-17 2022-10-28 百度在线网络技术(北京)有限公司 Information processing method, device and system
US10489225B2 (en) 2017-08-10 2019-11-26 Bank Of America Corporation Automatic resource dependency tracking and structure for maintenance of resource fault propagation
CN112231757B (en) * 2020-11-03 2022-08-02 支付宝(杭州)信息技术有限公司 Privacy protection method, device and equipment for embedded application
CN114338436A (en) * 2021-12-28 2022-04-12 深信服科技股份有限公司 Network traffic file identification method and device, electronic equipment and medium
CN117176802B (en) * 2023-11-02 2024-01-16 太平金融科技服务(上海)有限公司 Full-link monitoring method and device for service request, electronic equipment and medium

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9584522B2 (en) * 2004-02-26 2017-02-28 Vmware, Inc. Monitoring network traffic by using event log information
US8935316B2 (en) * 2005-01-14 2015-01-13 Citrix Systems, Inc. Methods and systems for in-session playback on a local machine of remotely-stored and real time presentation layer protocol data
US9237215B2 (en) * 2012-02-10 2016-01-12 Time Warner Cable Enterprises Llc Remote activation of mobile applications
CN104620536B (en) * 2012-09-17 2018-02-23 瑞典爱立信有限公司 High availability, extensible policy and charging control system and the method for it
US9450936B2 (en) * 2012-11-02 2016-09-20 Silverlake Mobility Ecosystem Sdn Bhd Method of processing requests for digital services
KR102135346B1 (en) * 2013-03-15 2020-07-17 엘지전자 주식회사 Mobile terminal
US9813488B2 (en) * 2014-06-25 2017-11-07 Comcast Cable Communications, Llc Detecting virtual private network usage
US9462014B1 (en) * 2015-04-23 2016-10-04 Datiphy Inc. System and method for tracking and auditing data access in a network environment

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11544229B1 (en) * 2020-04-29 2023-01-03 American Express Travel Related Services Company, Inc Enhanced tracking of data flows

Also Published As

Publication number Publication date
US9462014B1 (en) 2016-10-04
US20170013023A1 (en) 2017-01-12
US9807125B2 (en) 2017-10-31

Similar Documents

Publication Publication Date Title
US9807125B2 (en) System and method for tracking and auditing data access in a network environment
CN106062719B (en) It is analyzed according to the service measure for the structuring logging mode for using data
CN101764819B (en) For detecting the method and system of man-in-the-browser attacks
CA2683600C (en) A system and method for creating a list of shared information on a peer-to-peer network
US7844663B2 (en) Methods, systems, and computer program products for gathering information and statistics from a community of nodes in a network
US7481361B2 (en) Method and system for identifying unsafe synthetic transactions and modifying parameters for automated playback
US9350739B2 (en) Recovery from rolling security token loss
TW201025069A (en) Method and apparatus for information recovery in using snap shot database
US10063579B1 (en) Embedding the capability to track user interactions with an application and analyzing user behavior to detect and prevent fraud
US11205179B1 (en) System, method, and program product for recognizing and rejecting fraudulent purchase attempts in e-commerce
US20170228706A1 (en) System for resource accumulation triggering based on amount within an interval
JP2019505865A (en) Method for detecting web tracking service
KR100926735B1 (en) Web source security management system and method
US10693897B2 (en) Behavioral and account fingerprinting
CN110807209B (en) Data processing method, device and storage medium
US20220028008A1 (en) Signals-based data syndication and collaboration
US20240121274A1 (en) Methods and systems for processing cyber incidents in cyber incident management systems using dynamic processing hierarchies
CN104704521A (en) Multi-factor profile and security fingerprint analysis
JP7241360B2 (en) SECURITY POLICY AND AUDIT LOG BI-DIRECTIONAL LOOKUP, COMPARING AND TRACKING SYSTEM AND METHOD THEREOF}
JP7000271B2 (en) Vehicle unauthorized access countermeasure device and vehicle unauthorized access countermeasure method
US20090234827A1 (en) Citizenship fraud targeting system
KR101453487B1 (en) A contents distribution log agent for the protection of authoring content provided as an online service, and management method thereof
Campobasso et al. Know your cybercriminal: Evaluating attacker preferences by measuring profile sales on an active, leading criminal market for user impersonation at scale
EA038077B1 (en) Method and system for marking user actions for subsequent analysis and accumulation
EP4239557A1 (en) Real-time fraud detection based on device fingerprinting

Legal Events

Date Code Title Description
AS Assignment

Owner name: CHALET TECH INC., CAYMAN ISLANDS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:LIN, YEEJANG JAMES;REEL/FRAME:035825/0191

Effective date: 20150611

AS Assignment

Owner name: DATIPHY INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:CHALET TECH INC.;REEL/FRAME:036581/0721

Effective date: 20150831

STCF Information on status: patent grant

Free format text: PATENTED CASE

FEPP Fee payment procedure

Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

FEPP Fee payment procedure

Free format text: SURCHARGE FOR LATE PAYMENT, SMALL ENTITY (ORIGINAL EVENT CODE: M2554); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YR, SMALL ENTITY (ORIGINAL EVENT CODE: M2551); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

Year of fee payment: 4

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YR, SMALL ENTITY (ORIGINAL EVENT CODE: M2552); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

Year of fee payment: 8