In a data storage and retrieval environment, data security techniques enforce selective access to a protected resource such as a data storage repository, or database. A data security monitor analyzes incoming data access attempts, and determines the propriety of the access. The data security monitor examines security variables such as the originator or user of the access attempt and the data and/or objects sought for access. The data security monitor analyzes the security variables against an access policy of rules or behavior which define allowable access attempts. Such selective access allows access attempts from authorized sources, and denies unauthorized access attempts as intrusions.
Conventional data security monitors typically enforce either a network based or a host based approach to intrusion detection. A conventional host based monitor analyzes access attempts from the perspective of the database (DB) host performing the access operations, typically from an agent process executing on the host. The host based monitor analyzes incoming data access attempts employing local variables such as the local login account and the method of access. A network based intrusion detection monitor operates on the network paths leading into the host from outside. Such a network based approach operates on a remote computer system, such as a data security device, connected to the host. Such a conventional network based approach analyzes variables such as the source IP address and subnet, and may also have access to data specific fields such as objects and attributes. Database applications have a particular need for such intrusion detection because such applications control access to a substantial quantity of possibly sensitive data. In a Structured Query Language (SQL) database environment, for example, the network based device may have access to the tables and attributes of the corresponding SQL schema, and therefore be operable to apply SQL specific access policy to the incoming access attempts.
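The network based monitor described above decides each attempt from the variables it can see on the wire: the source address and subnet, and the schema objects (tables, attributes) named in the SQL statement. The following is an added illustration of such a policy check, not code from the patent; the policy, the subnets, the sample statements and the simplified SQL object extraction are all constructed here.

```python
import ipaddress
import re
from dataclasses import dataclass, field

@dataclass
class Rule:
    # Constructed policy rule: a source subnet may reach these tables, and
    # (optionally) only these columns. An empty column set means any column.
    subnet: ipaddress.IPv4Network
    tables: set
    columns: set = field(default_factory=set)

# Constructed access policy: two trusted subnets with different object scope.
POLICY = [
    Rule(ipaddress.ip_network("10.1.0.0/16"), {"orders", "customers"}),
    Rule(ipaddress.ip_network("10.2.0.0/24"), {"customers"}, {"id", "name"}),
]

# Simplified extraction of the schema objects a statement touches; a real
# monitor would use a full SQL parser rather than these regular expressions.
TABLE_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE)\s+([A-Za-z_][A-Za-z0-9_]*)", re.I)
COL_RE = re.compile(r"^\s*SELECT\s+(.+?)\s+FROM\b", re.I | re.S)

def extract_objects(sql):
    """Return (tables, columns) referenced by a simple SQL statement."""
    tables = {t.lower() for t in TABLE_RE.findall(sql)}
    columns = set()
    m = COL_RE.match(sql)
    if m:
        for col in m.group(1).split(","):
            name = col.strip().split(".")[-1].lower()   # strip alias prefix
            if name != "*":
                columns.add(name)
    return tables, columns

def evaluate(policy, src_ip, sql):
    """Decide 'allow' or 'deny' for one access attempt using only the
    network-visible variables: source IP/subnet plus the objects named."""
    tables, columns = extract_objects(sql)
    ip = ipaddress.ip_address(src_ip)
    for rule in policy:
        if ip not in rule.subnet:                      # wrong subnet: next rule
            continue
        if not tables <= rule.tables:                  # touches a table not granted
            continue
        if rule.columns and not columns <= rule.columns:  # column outside grant
            continue
        return "allow"                                 # every object is covered
    return "deny"                                      # default: treat as intrusion
```

A request is allowed only when a single rule covers its source subnet and every table and column it names; anything else, including an unknown source address, falls through to the deny default.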