Patent application number | Description | Published |
20080232592 | Method and apparatus for performing selective encryption/decryption in a data storage system - One embodiment of the present invention provides a system for performing selective encryption/decryption in a data storage system. During operation, the system receives a data block from a storage medium at an input/output layer, wherein the input/output layer serves as an interface between the storage medium and a buffer cache. Next, the system determines whether the data block is an encrypted data block. If not, the system stores the data block in the buffer cache. Otherwise, if the data block is an encrypted data block, the system retrieves a storage-key, wherein the storage-key is associated with a subset of storage, which is associated with the encrypted data block. Using the storage-key, the system then decrypts the encrypted data block to produce a decrypted data block. Finally, the system stores the decrypted data block in the buffer cache, wherein the data block remains encrypted in the storage medium. | 09-25-2008 |
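The read path the abstract above describes, as an added illustration (not code from the patent or from any product): a tiny block store where each on-disk block carries an "encrypted" flag and the id of its storage subset, the I/O layer looks up the storage-key for that subset only when the flag is set, and the buffer cache ends up holding plaintext while the medium keeps ciphertext. The block header layout and the HMAC-SHA256 counter-mode keystream are assumptions made to keep the example dependency-free; the keystream is a stand-in for the block cipher a real engine would use, not a production cipher.

```python
import hashlib
import hmac
import os

# Toy keystream cipher: HMAC-SHA256 in counter mode XORed over the payload.
# It stands in for the storage engine's real block cipher (an assumption of
# this example) and must not be used as a production cipher.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor_stream(data: bytes, key: bytes, nonce: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


# On-disk block layout (assumed for this example, not the patent's format):
#   byte 0     : 0x00 = plaintext block, 0x01 = encrypted block
#   bytes 1-2  : id of the storage subset (think tablespace) the block belongs to
#   bytes 3-10 : per-block nonce
#   bytes 11-  : payload, encrypted or not according to byte 0
FLAG_PLAIN, FLAG_ENCRYPTED = 0, 1
HEADER_LEN = 11


def write_block(storage: dict, block_id: int, subset_id: int, payload: bytes, storage_keys: dict) -> None:
    """Write side of the I/O layer: encrypt only blocks whose subset has a storage-key."""
    nonce = os.urandom(8)
    if subset_id in storage_keys:
        flag, body = FLAG_ENCRYPTED, _xor_stream(payload, storage_keys[subset_id], nonce)
    else:
        flag, body = FLAG_PLAIN, payload
    storage[block_id] = bytes([flag]) + subset_id.to_bytes(2, "big") + nonce + body


def read_block(storage: dict, buffer_cache: dict, block_id: int, storage_keys: dict) -> bytes:
    """Read side of the I/O layer: selective decryption between medium and buffer cache."""
    raw = storage[block_id]
    flag = raw[0]
    subset_id = int.from_bytes(raw[1:3], "big")
    nonce, body = raw[3:HEADER_LEN], raw[HEADER_LEN:]
    if flag == FLAG_PLAIN:
        buffer_cache[block_id] = body                      # no key lookup, no decryption
    elif flag == FLAG_ENCRYPTED:
        if subset_id not in storage_keys:
            raise KeyError(f"no storage-key for subset {subset_id}; block {block_id} stays unreadable")
        buffer_cache[block_id] = _xor_stream(body, storage_keys[subset_id], nonce)
    else:
        raise ValueError(f"block {block_id}: unknown flag {flag}")
    return buffer_cache[block_id]


def is_encrypted_on_medium(storage: dict, block_id: int) -> bool:
    """The medium never learns plaintext for keyed subsets; check the on-disk flag."""
    return storage[block_id][0] == FLAG_ENCRYPTED


if __name__ == "__main__":
    storage, cache, keys = {}, {}, {7: os.urandom(32)}   # subset 7 is keyed, subset 3 is not
    write_block(storage, 1, 7, b"salary=100000", keys)
    write_block(storage, 2, 3, b"public notice", keys)
    print(read_block(storage, cache, 1, keys), is_encrypted_on_medium(storage, 1))
    print(read_block(storage, cache, 2, keys), is_encrypted_on_medium(storage, 2))
```

The practical point is in `read_block`: the decision is made per block from the on-disk flag, and the key is fetched per storage subset rather than per block, so a subset without a key simply fails closed instead of handing the cache ciphertext it would misinterpret as data.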
20090024565 | METHOD AND APPARATUS FOR MASKING INDEX VALUES IN A DATABASE - One embodiment of the present invention provides a system for masking index values in a database. During operation, the system receives a request to mask a column in a database, wherein the column is an index-column. Next, the system retrieves a tree which is used to index the column, wherein the tree provides a sorted representation of values in the column. The system then locates the root-node of the tree. Then, for each child-node in the tree, the system determines if the child-node is a leaf-node. If so, the system masks a node-value for the leaf-node without resorting the tree. If not, the system leaves the node-value unmasked. | 01-22-2009 |
20090024566 | METHOD AND APPARATUS FOR FACILITATING DISTRIBUTED PROCESSING OF DATABASE OPERATIONS - One embodiment of the present invention provides a system that facilitates distributed processing of database operations. During operation, the system receives a database operation at a distributed command processor, wherein the database operation includes a query language command. Next, the system performs a set of non-data processing operations associated with the database operation to obtain a set of non-data processing results. The system then sends the query language command to a database, which enables the database to execute the query language command to obtain a result. | 01-22-2009 |
20090204570 | METHOD AND APPARATUS FOR PERFORMING MULTI-STAGE TABLE UPDATES - One embodiment of the present invention provides a system that facilitates performing multi-stage table updates. During operation, the system receives a query at a query processor, wherein executing the query causes an update to an entire table in a database. Next, the system estimates an amount of transaction log space required to execute the query. If the amount of transaction log space is greater than a pre-determined threshold, the system splits the query into a set of sub-queries, wherein an amount of transaction log space required by each sub-query in the set of sub-queries is less than the pre-determined threshold. For each sub-query in the set of sub-queries, the system executes the sub-query, and performs a mini-commit operation for the sub-query, wherein updates which comprise the mini-commit operation are not exposed to a user. Finally, when mini-commit operations have been performed for all of the sub-queries, the system performs a commit operation for the query. | 08-13-2009 |
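A runnable sketch of the staging logic described above, added here as an example and not taken from the patent or any DBMS: the log-space estimate is a flat per-row cost (an assumption), the sub-queries are rowid ranges, and SQLite savepoints stand in for the "mini-commit": each stage is released inside one outer transaction, and a second connection (the user) sees nothing until the final commit. The table, sizes and threshold are constructed for the demo.

```python
import os
import sqlite3
import tempfile


def estimate_log_bytes(conn, table, bytes_per_row):
    """Rough log-space estimate: rows touched times an assumed per-row undo/redo cost."""
    (rows,) = conn.execute(f"SELECT COUNT(*) FROM {table}").fetchall()[0]
    return rows * bytes_per_row


def split_update(conn, table, set_clause, bytes_per_row, threshold):
    """Split 'UPDATE table SET ...' into rowid-range sub-queries, each estimated under threshold.
    table and set_clause are trusted identifiers/SQL, not user input: they cannot be bound."""
    rows_per_batch = max(1, threshold // bytes_per_row)
    rowids = [r for (r,) in conn.execute(f"SELECT rowid FROM {table} ORDER BY rowid")]
    subqueries = []
    for start in range(0, len(rowids), rows_per_batch):
        chunk = rowids[start:start + rows_per_batch]
        subqueries.append(
            (f"UPDATE {table} SET {set_clause} WHERE rowid BETWEEN ? AND ?", (chunk[0], chunk[-1]))
        )
    return subqueries


def multi_stage_update(conn, table, set_clause, bytes_per_row, threshold, on_stage=None):
    """Run the update in one shot if it fits the log budget, otherwise stage by stage.
    Each stage is wrapped in a SAVEPOINT that is released (the mini-commit analog);
    nothing becomes visible to other sessions until the final COMMIT."""
    if estimate_log_bytes(conn, table, bytes_per_row) <= threshold:
        conn.execute("BEGIN")
        conn.execute(f"UPDATE {table} SET {set_clause}")
        conn.execute("COMMIT")
        return 1
    subqueries = split_update(conn, table, set_clause, bytes_per_row, threshold)
    conn.execute("BEGIN")
    for i, (sql, params) in enumerate(subqueries):
        conn.execute(f"SAVEPOINT stage{i}")
        conn.execute(sql, params)
        conn.execute(f"RELEASE SAVEPOINT stage{i}")
        if on_stage is not None:
            on_stage(i)
    conn.execute("COMMIT")
    return len(subqueries)


def demo():
    """Constructed scenario: 10 rows, 100 bytes/row, 350-byte budget -> four stages of 3,3,3,1."""
    path = os.path.join(tempfile.mkdtemp(), "staged.db")
    writer = sqlite3.connect(path, isolation_level=None)          # explicit transaction control
    writer.execute("PRAGMA journal_mode=WAL").fetchall()           # readers never block the writer
    writer.execute("CREATE TABLE accounts(id INTEGER PRIMARY KEY, status TEXT)")
    writer.executemany("INSERT INTO accounts(status) VALUES (?)", [("active",)] * 10)
    reader = sqlite3.connect(path, isolation_level=None)          # a second, concurrent session
    seen_by_reader = []

    def observe(stage):
        (n,) = reader.execute("SELECT COUNT(*) FROM accounts WHERE status = 'frozen'").fetchall()[0]
        seen_by_reader.append(n)                                   # what the user sees mid-way

    stages = multi_stage_update(writer, "accounts", "status = 'frozen'", 100, 350, observe)
    (final,) = reader.execute("SELECT COUNT(*) FROM accounts WHERE status = 'frozen'").fetchall()[0]
    writer.close()
    reader.close()
    return stages, seen_by_reader, final


if __name__ == "__main__":
    print(demo())   # (4, [0, 0, 0, 0], 10)
```

Savepoints bound the undo that a single failure can force (a stage can be rolled back to its own savepoint) without ever publishing a half-updated table, which is the property the abstract is after; in a real engine the "mini-commit" would also release log space, which a savepoint release does not.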
20090285396 | Database processing on externally encrypted data - Various techniques are described for processing externally encrypted data by a database management system. Specifically, techniques are described for incorporating encrypted data stored in a first database that was encrypted by a first database management system into a second database where the encrypted data is accessed by a second database management system. When accessing externally encrypted data incorporated into the second database, the second database management system can decrypt portions of the data as needed. Because of the manner of incorporation of externally encrypted data into the second database, specifically because the externally encrypted data need not be decrypted before being incorporated into the second database, the computational overhead and security concerns associated with conventional approaches for migrating encrypted data from one database management system to another are avoided. | 11-19-2009 |
20100030781 | METHOD AND APPARATUS FOR AUTOMATICALLY CLASSIFYING DATA - One embodiment of the present invention provides a system for automatically classifying data in a database. During operation, the system receives and executes a database operation. Next, the system automatically determines if any data was modified as a result of executing the database operation. If so, for each data item that was modified, the system automatically determines if the data item is associated with a classification-rule. If so, the system automatically reclassifies the data item according to the classification-rule. If not, the system leaves a classification of the data item unchanged. | 02-04-2010 |
20110072030 | ACTIVE AUDITING IN A DATABASE SYSTEM - An auditing system receives a set of audit rules from a database administrator, which define a search criteria used to identify a database object that is desired to be audited. The auditing system uses the audit rules to search through a database to identify a corresponding set of database objects that satisfy at least one of the set of audit rules. Then, the system generates audit commands that configure a database management system to audit the identified set of database objects. | 03-24-2011 |
Patent application number | Description | Published |
20100174749 | SECURING DBMS EVENT NOTIFICATIONS - One embodiment of the present invention provides a database server for securing database event notifications. The server includes a session key creation mechanism configured to create a session key when a client registers for an event, a storage mechanism configured to store the session key on the database server, a data accessing mechanism configured to access registration metadata to obtain the session key when the event occurs, a connection mechanism configured to establish a communication channel between the database server and the client, a mutual authenticating mechanism configured to use the session key to mutually authenticate the client and the database server during event notification, and an event notifying mechanism configured to send the event notification to the client. | 07-08-2010 |
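The exchange the abstract above lists, as an added example with both sides in code (not the patent's or any database's implementation): the server mints a session key at registration and keeps it in the registration metadata; when the event fires it looks the key up, and the two parties prove possession of it with an HMAC challenge-response before the notification, itself tagged under the same key, is delivered. The message layout, the length-prefixed HMAC construction and the `EventServer`/`EventClient` classes are assumptions for this example; how the key reaches the client at registration (over the client's already-authenticated session) is stated as an assumption in a comment.

```python
import hashlib
import hmac
import json
import os
import secrets


def _tag(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so (a, bc) and (ab, c) never collide."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(4, "big") + part)
    return mac.digest()


class EventClient:
    """Client side: one session key per registration; verifies the server before answering."""

    def __init__(self):
        self.session_keys = {}   # reg_id -> session key received at registration
        self.pending = {}        # reg_id -> (client_nonce, server_nonce) for the open handshake
        self.received = []

    def add_registration(self, reg_id, session_key):
        self.session_keys[reg_id] = session_key

    def challenge(self, reg_id):
        nonce = os.urandom(16)
        self.pending[reg_id] = (nonce, None)
        return nonce

    def verify_server(self, reg_id, server_nonce, server_proof):
        key = self.session_keys[reg_id]
        client_nonce, _ = self.pending[reg_id]
        if not hmac.compare_digest(server_proof, _tag(key, b"server", client_nonce, server_nonce)):
            self.pending.pop(reg_id)
            raise PermissionError("notifier failed to prove knowledge of the session key")
        self.pending[reg_id] = (client_nonce, server_nonce)
        return _tag(key, b"client", server_nonce, client_nonce)   # client's own proof

    def deliver(self, reg_id, body, body_tag):
        key = self.session_keys[reg_id]
        _, server_nonce = self.pending.pop(reg_id)
        if not hmac.compare_digest(body_tag, _tag(key, b"notify", server_nonce, body)):
            raise PermissionError("notification tag mismatch")
        self.received.append(json.loads(body))
        return True


class EventServer:
    """Database-server side: creates, stores and later looks up the per-registration session key."""

    def __init__(self):
        self.registrations = {}   # registration metadata, including the session key

    def register(self, client_id, event):
        reg_id = secrets.token_hex(4)
        session_key = secrets.token_bytes(32)
        self.registrations[reg_id] = {"client": client_id, "event": event, "session_key": session_key}
        # Assumption: the key travels back over the client's existing authenticated session.
        return reg_id, session_key

    def notify(self, reg_id, payload, client):
        meta = self.registrations[reg_id]
        key = meta["session_key"]              # fetched from registration metadata when the event fires
        client_nonce = client.challenge(reg_id)                 # channel opened, client challenges
        server_nonce = os.urandom(16)
        client_proof = client.verify_server(
            reg_id, server_nonce, _tag(key, b"server", client_nonce, server_nonce))
        if not hmac.compare_digest(client_proof, _tag(key, b"client", server_nonce, client_nonce)):
            raise PermissionError("registrant failed to prove knowledge of the session key")
        body = json.dumps({"event": meta["event"], "payload": payload}, sort_keys=True).encode()
        return client.deliver(reg_id, body, _tag(key, b"notify", server_nonce, body))


def demo():
    """Constructed run: a genuine notification, then an impostor server holding the wrong key."""
    server, client = EventServer(), EventClient()
    reg_id, session_key = server.register("app-42", "ORDERS_CHANGED")
    client.add_registration(reg_id, session_key)
    delivered = server.notify(reg_id, {"rows": 3}, client)

    impostor = EventServer()
    impostor.registrations[reg_id] = dict(server.registrations[reg_id], session_key=secrets.token_bytes(32))
    try:
        impostor.notify(reg_id, {"rows": 999}, client)
        impostor_rejected = False
    except PermissionError:
        impostor_rejected = True
    return delivered, impostor_rejected, client.received


if __name__ == "__main__":
    print(demo())
```

Binding the notification tag to the server nonce of the handshake that just completed is what stops a captured notification from being replayed into a later session; without it the mutual authentication would protect the channel setup but not the event itself.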
20110055913 | Multi-Level Authentication - Approaches for performing a multiple level authentication on an entity are provided. A primary authentication credential and a secondary authentication credential may be established for a user account. The primary authentication credential uniquely identifies a particular account of the software application. The secondary authentication credential uniquely identifies an entity, such as a user, application, or device, authorized to use the particular user account. Upon receiving a request to access the software application using the particular user account, a determination is made as to whether the request is accompanied by the primary authentication credential and a secondary authentication credential associated with the particular user account. Upon determining that the request is accompanied by valid primary and secondary authentication credentials for the user account, limited access, based upon the secondary authentication credential, to the software application using the particular user account is granted. | 03-03-2011 |
20110067084 | METHOD AND APPARATUS FOR SECURING A DATABASE CONFIGURATION - One embodiment of the present invention provides a system that secures a database configuration from undesired modifications. This system allows a security officer to issue a configuration-locking command, which activates a lock for the configuration of a database object. When a configuration lock is activated for a database object, the system prevents a user (e.g., a database administrator) from modifying the configuration of the database object, without restricting the user from accessing the database object itself. The security officer is a trusted user that is responsible for maintaining the stability of the database configuration, such that a configuration lock activated by the security officer preserves the database configuration by overriding the privileges assigned to a database administrator. | 03-17-2011 |
20110113050 | DATA MASKING WITH AN ENCRYPTED SEED - A method and apparatus is provided for generating a masked value from a cryptographically transformed value by using the cryptographically transformed value as a random seed, without decrypting the cryptographically transformed value. A query is evaluated against a set of data to produce a result. The result may be cryptographically transformed or unencrypted. If the result is unencrypted, the result may be cryptographically transformed to produce a random seed. If the result is already cryptographically transformed, then the result is used as the random seed. The random seed is used to generate a masked value, without decrypting the cryptographically transformed random seed value. The masked value conforms to a particular data characteristic such as a data format or a data type, which may be determined from metadata stored in a database, received with a query, or gleaned from unencrypted data. The masked value is returned as a result of the query. | 05-12-2011 |
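The masking step the abstract above describes, written out as an added example (not the patent's method as implemented anywhere): a query result that is already ciphertext is used directly as the seed; an unencrypted result is first put through a keyed transform; either way the seed drives a deterministic generator that emits a value matching a format picked up from column metadata, and the ciphertext is never decrypted. The `9`/`A`/`a` format language and the use of HMAC-SHA256 as the stand-in for the column cipher are assumptions of this example.

```python
import hashlib
import hmac
import random
import re
import string


def cryptographically_transform(value: bytes, key: bytes) -> bytes:
    """Keyed transform applied only when the query result arrived unencrypted.
    HMAC-SHA256 stands in for the column cipher (an assumption); what matters
    is that the output is pseudorandom under the key and never needs inverting."""
    return hmac.new(key, value, hashlib.sha256).digest()


# Format metadata (assumed notation): '9' = digit, 'A' = upper-case letter,
# 'a' = lower-case letter; any other character is literal and copied through.
_ALPHABETS = {"9": string.digits, "A": string.ascii_uppercase, "a": string.ascii_lowercase}
_PATTERNS = {"9": r"\d", "A": "[A-Z]", "a": "[a-z]"}


def mask_from_seed(seed: bytes, fmt: str) -> str:
    """Derive a format-conforming masked value from ciphertext bytes used as the random seed."""
    rng = random.Random(int.from_bytes(seed, "big"))
    return "".join(rng.choice(_ALPHABETS[ch]) if ch in _ALPHABETS else ch for ch in fmt)


def mask_result(result: bytes, fmt: str, key: bytes, already_encrypted: bool) -> str:
    """Masked value for one query result: ciphertext is the seed; plaintext is transformed first."""
    seed = result if already_encrypted else cryptographically_transform(result, key)
    return mask_from_seed(seed, fmt)


def conforms(value: str, fmt: str) -> bool:
    """Check that a masked value matches the format the metadata prescribes."""
    pattern = "".join(_PATTERNS.get(ch, re.escape(ch)) for ch in fmt)
    return re.fullmatch(pattern, value) is not None


if __name__ == "__main__":
    column_key = b"per-column-key"                    # constructed
    stored_ciphertext = bytes(range(32))              # constructed stand-in for an encrypted SSN cell
    print(mask_result(stored_ciphertext, "999-99-9999", column_key, already_encrypted=True))
    print(mask_result(b"Alice", "Aaaaaaa", column_key, already_encrypted=False))
```

Two properties fall out of seeding from the ciphertext: the same stored value always masks to the same output, so joins across masked columns still line up, and the masking tier needs only the metadata and the ciphertext, never the decryption key, which keeps the key out of the reporting path.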
20130275590 | THIRD PARTY PROGRAM INTEGRITY AND INTEGRATION CONTROL IN WEB-BASED APPLICATIONS - Disclosed herein are a resource control service, system, method and architecture. A client device's resource access is limited to an approved resource, or resources. A request for a resource is directed to a resource control service that determines whether or not to grant access to the requested resource. Where a determination is made to grant access to the resource, a response is transmitted to the client device, the response redirecting the client device to a second URI for the approved version of the requested resource. The response can be used by the client device to request the resource from the location identified in the response. | 10-17-2013 |