WO2002014987A2 - An adaptive system and architecture for access control - Google Patents


Info

Publication number
WO2002014987A2
Authority
WO
WIPO (PCT)
Prior art keywords
access
computer network
agent
security policy
resource
Prior art date
Application number
PCT/IB2001/001876
Other languages
French (fr)
Other versions
WO2002014987A8 (en)
Inventor
Ofer Gadish
Yuval Baharav
Original Assignee
Camelot Information Technologies Ltd.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Camelot Information Technologies Ltd.
Priority to AU2001294083A
Publication of WO2002014987A2
Publication of WO2002014987A8

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
              • H04L63/102 Entity profiles
              • H04L63/105 Multiple levels of security
    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F18/00 Pattern recognition
            • G06F18/20 Analysing
              • G06F18/23 Clustering techniques
                • G06F18/231 Hierarchical techniques, i.e. dividing or merging pattern sets so as to obtain a dendrogram
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
              • G06F21/107 License processing; Key processing
                • G06F21/1078 Logging; Metering
            • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
              • G06F21/55 Detecting local intrusion or implementing counter-measures
                • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
                • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
            • G06F21/60 Protecting data
              • G06F21/604 Tools and structures for managing or administering access control systems
              • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
          • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
              • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices
              • G06F2221/2145 Inheriting rights or properties, e.g., propagation of permissions or restrictions within a hierarchy
              • G06F2221/2149 Restricted operating environment

Definitions

  • The present invention relates generally to computer networks and, specifically, to access control with respect to computer networks.
  • Computer networks may consist of vast amounts of information and/or resources, such as files, documents, texts, databases, servers, printers, plotters, etc. (collectively “resources”) shared among a large number of users.
  • The resources may have a varied degree of sensitivity and may not necessarily be appropriate for use by all the users of the computer network or by users outside the network. This problem is especially pronounced in the business environment, where there are global users and where business-to-business (B2B) communications are common.
  • a member of a development group may be assigned access privileges to resources pertaining to a particular project on which he is working, while at the same time being restricted from access to other management resources. Each user is thus assigned "static" access privileges according to his perceived level or task. Access restrictions may similarly be assigned to the resources themselves. For example, a network printer may be made available to everyone on the network for printing, or it may be restricted to only those individuals who are granted special access.
  • Access permissions are controlled at the resource level.
  • Each resource would have a corresponding access control list (ACL) generated either during the creation of the resource or at a later date.
  • An ACL usually comprises a list of access entries, each such access entry containing a user's name and his/her associated permissions/restrictions.
  • The access entry may comprise a user group (such as accounting, engineering, marketing, etc.) and the associated access permissions/restrictions for that group.
  • The permissions/restrictions typically allow/prevent access to the resource, or allow/deny the performance of various operations by, or on, the resource, such as deleting, reading, writing, or otherwise using the resource.
  • In some OSs, such as the UNIX® operating system, the ACL has been simplified to allow only three predefined accessibility levels of users: the owner of the resource, the owner's group, and the world, which would include anyone requesting access. For each of these user levels, three basic access permissions may generally be possible: "read”, "write”, and "execute”.
  • One known method for carrying out access control on a network may be as follows: A person, X, is accepted into an enterprise or organization network, at which point he is associated with a user name and possibly added to one or more user groups. When person X requests access to a certain resource, the access list associated with that resource is consulted and searched for either the user name or the user group(s) associated with person X. Depending on the relevant ACL, access to the particular resource is either permitted or denied. In fact, in conventional systems, the only possible conclusion for a given access request is either to permit or to deny access.
  • The resultant security policy, which may be seen as a collection of all potential access permissions and denials, is distributed throughout the system, with little or no capability for effective management.
  • Some systems include "agents" that monitor access and consult a more global policy, normally centrally located, to each permission grant or denial.
  • An object of the present invention is to provide an access control system and architecture for accessing resources. It is another object of the invention to provide an access control system and architecture for accessing resources such as databases, files, computer peripherals and others.
  • An embodiment of the present invention therefore, provides a system adapted for controlling access by one or more users to one or more resources.
  • The system includes at least one agent, which collects data about access attempts concerning the resources, and at least one access analyzer, which receives and processes the collected data.
  • The access analyzer analyzes at least the collected data and generates permission levels based on the analysis.
  • An "access attempt” is an attempt to gain access to any of the resources on the system, regardless of whether the access is ultimately permitted or not.
  • An access attempt thus includes the situations where access is granted, and also where access is denied.
  • The data collected by the agent can be, for example, behavioral data concerning the users as well as data concerning the resource itself. More specifically, examples of the collected data include: the access distribution of the resource(s), that is, how each resource is allocated to the user(s); the level and frequency of access attempts initiated by particular user(s), etc.
  • The collected data can also include information about activities such as how much CPU time each user utilizes and/or data regarding I/O and application usage.
  • The permission levels may be access control permission levels, wherein the permission levels are presented as numbers within a given range, and wherein the likelihood that the access attempt is to be permitted is determined based on the value of the permission level.
  • The permission levels may be normalized to a range between 0 and 1, and access can be permitted/denied depending on whether the permission level is above/below a certain threshold.
  • The agent may include at least an enforcement means adapted to control access to the resources based on at least the permission levels.
  • A system in accordance with the present invention may further include one or more controllers adapted to provide one or more rules to the agent, wherein the rules may be access control rules.
  • The enforcement means may be adapted to control access to the resources based on at least the permission levels and the rules, and the enforcement means need not necessarily be located within the agent.
  • The enforcement means can be located external to the immediate network and its servers and enforce access to the resources through remote means. In further embodiments of the invention, the system may also include a discovery unit adapted to provide information to the controller, wherein the information may be data concerning the users and the resources.
  • The discovery unit may include means for automatically gathering the information.
  • FIG. 1 is a block diagram illustration of an access architecture, constructed and operative according to an embodiment of the present invention
  • FIG. 2 is a block diagram illustration of an access control system, implemented using the access architecture of FIG. 1, constructed and operative according to an embodiment of the present invention
  • FIGS. 3A and 3B are block diagram illustrations of alternative access control systems, implemented using the access architecture of FIG. 1, constructed and operative according to an embodiment of the present invention.
  • FIG. 1 is a block diagram illustrating the operation of the invention and an example of access architecture 10.
  • Architecture 10 illustrates one embodiment of the present invention; other embodiments are also described below.
  • Resources may be services, documents, data, files, databases, or any portion of such services, documents, data, files, databases, as well as peripheral devices or any other type of computer resources.
  • Access Attempt may be an attempt to use or otherwise gain access to a particular resource.
  • User(s) may be any person, user group, or other resource wishing to access a resource; persons such as members of a company with which the resource resides, associates of the company (e.g., in a B2B situation), Internet browsers, etc. or programs or other resources.
  • “User groups” may be teams of users with some actual or perceived shared trait, such as shared responsibilities (e.g., an accounting group), shared location (e.g., a Haifa group), shared hierarchy in the corporation (e.g., a management group), etc.
  • Policy may be a list of rules, and "security policy” may be a list of rules that control the access privileges to resources.
  • Rule may comprise at least user or user group names and/or associated access permission, denial or other result.
  • Administrators may be persons who administer or manage computer systems such as those described herein.
  • A “security policy table” may be a table that lists access options and other rules related to resource security.
  • Permission levels refer to the likelihood that accesses to the resource will be required and/or granted. The permission levels may be likelihood estimates, possibly discretized and normalized to a specific range, for example, between 0 and 1. Such a permission level may be specific to the user, his group, time-of-day, location, or other parameters.
  • An “analyzing algorithm” may be an algorithm that, based on gathered data, for example access requests, learns about activities and at least therefrom creates permission levels. "Adaptive permission levels” or “APL” may be permission levels generated periodically by an analyzing algorithm.
  • An “agent” may be a software utility that collects data about the activities of the computer; a “guardian agent” is a type of agent that is capable of enforcement based on at least security policy rules. A guardian agent may further be capable of enforcement based, in addition, on permission levels.
  • Illustrated in FIG. 1 is an exemplary system in accordance with the present invention. Three elements comprise an architecture 10: an Agent 100, a Control Unit 110, and an Access Analyzer 120.
  • Agent 100 monitors access attempts 108 directed to particular resources (not shown), provides a periodic event audit trail 102 to access analyzer 120, reports alarms 104 to control unit 110 and, if it is a "Guardian Agent", enforces access restrictions 106 to the resource.
  • Event Audit Trail 102 includes information regarding the access attempt(s), including but not limited to such things as whether the access was permitted, the time of the access attempt, etc.
  • Access analyzer 120 analyzes event audit trail 102, possibly using a first security policy 122 provided by control unit 110, and responds periodically by sending a list of permission levels 134 to agent 100. Access analyzer 120 also sends statistical information 132 to control unit 110.
  • Based on permission levels 134 received from access analyzer 120 and, optionally, second security policy 122' received from control unit 110, agent 100, if it is a guardian agent, can provide enforcement 106.
  • Access enforcement 106 includes enforcing the security control of the resources by permitting, alerting, denying, or otherwise controlling access to the resource.
  • First and second security policy arrows 122 and 122' can represent the same security policy information from control unit 110 to access analyzer 120 and agent 100, respectively, or either the first or second security policy, 122 or 122', can comprise a subset of the other.
  • Independently sending/receiving a security policy allows for the use of multiple agents 100, access analyzers 120, and control units 110, which all either send or receive a unified security policy 122 or 122'.
  • Control unit 110 may use the alarms 104 received from agent 100, the statistical information 132 received from access analyzer 120, and other user inputs (not shown) to create reports 126. Reports 126 provide all, or some, of the input information in a user-defined format.
  • In another embodiment, security policy 122 can be provided to agent 100 by way of access analyzer 120.
  • In this embodiment, access analyzer 120 receives first security policy 122 from control unit 110 and then sends it along to agent 100. According to this embodiment, it would not be necessary to provide second security policy 122' from Control Unit 110 to Agent 100.
  • A system in accordance with the present invention may be used for various operations, including analysis, intrusion detection, website user profiling, database access, or any other resource access application, such as access control.
  • FIG. 2 provides a relatively detailed illustration of an exemplary configuration of architecture 10, herein referred to as an access control architecture, or access system 20, which is constructed and operative in accordance with an embodiment of the present invention.
  • Access system 20 comprises one or more agents 100, one or more access analyzers 120, one or more central control servers 110, an optional security policy (not shown) originating in control server 110, and optionally one or more auto discovery units 22.
  • Access system 20 resides, for example, in a university, business, or any other organization that has one or more servers 18, 18' and 18" which may communicate with other devices through either non-secure or secure channels (e.g., encrypted channels).
  • Servers 18, 18' and 18" include any computer resources that serve as gateways to other computer resources or services.
  • Exemplary servers shown in FIG. 2 are databases 18', file servers 18", and personal computers 18, but other, similar machines, such as printer servers (not shown), could also be connected to system 20 in accordance with the present invention.
  • System 20 can utilize one or more adaptive algorithms.
  • System 20 may be dedicated to the adaptive access control of resources on a network, as depicted in architecture 10 (FIG. 1).
  • System 20 may also comprise a key authority (not shown), which can reside on control server 110 or on another appropriate platform.
  • Communication to and from each device can be encrypted in accordance with conventional encryption techniques.
  • Each of the devices shown in FIG. 1, for example, Agent 100, Access Analyzer 120 and Control Unit 110, can be equipped with both encryption and decryption tools in order to encrypt the information it sends and decrypt the information it receives.
  • Agents 100, which may also be Guardian Agents as described above, reside on servers 18, 18' or 18" and monitor access attempts that occur on servers 18, 18' or 18", gathering data related to those access attempts, such as the name of the user attempting access, the machine from which access is attempted, the time of day of the access attempt, the resource to which access is attempted, the type of access attempted, etc. The gathered data may then be sent as event audit trail 102 (FIG. 1) to access analyzer 120 to be used as input for an analyzing algorithm run by access analyzer 120.
  • The analyzing algorithm can use at least the gathered data to generate permission levels.
  • Guardian agents 100 can protect the resources stored on servers 18, 18' or 18" by enforcing the permission levels 134. Enforcement may be performed by guardian agent 100 or by an enforcement unit (not shown) provided either within guardian agent 100 or as a separate unit.
  • Event audit trail 102 is used by access analyzer 120 to generate the underlying system permissions, e.g., ACLs, that are used to update the system ACLs.
  • Agent 100 may not necessarily be a guardian agent.
  • The consulting facilities of a computer system may be used. In such a case, as a response to an access attempt 108, the system will respond with a query to the consulting facilities. The consulting facilities, based on permission levels provided by access analyzer 120, may respond with the required response relative to access attempt 108.
  • Agent 100 may be implemented as a "proxy", i.e., a unit through which all the network traffic flows and which may not necessarily be part of the system it is protecting, and access attempts 108 will be handled from the "proxy" unit.
  • Agents 100 can reside on control server 110 or any other appropriate platform. That is, it is not necessary for Agents 100 and Control Units 110 to be separate machines; their functionalities can be combined into a single machine.
  • Guardian agents 100 may protect the resources stored on servers 18, 18' or 18" by executing and enforcing access permissions and restrictions, and possibly notifications to other system resources, based on both the permission levels
  • Enforcement may be executed by guardian agent 100 or by an enforcement unit (not shown) within guardian agent 100, or as a separate unit.
  • Access Analyzer 120 may be in communication with one or more agents 100 and each access analyzer 120 can support and control each of these agents 100, depending on the load of each agent 100 and the strength of access analyzer 120. Access analyzer 120 may further receive event audit trail 102 by a push, i.e., where the sender initiates the transfer, or pull, where the receiver initiates the transfer, method to transfer the event audit trail data from each agent 100, applying the data to an analyzing algorithm. For example, the transfer of event audit trail 102 may take place on a cyclic basis (e.g., once a day) and the analyzing algorithm may then be executed after the new event audit trail 102 data has been received.
  • Access analyzer 120 can utilize any learning algorithm adapted for access control, an example of which is described in the co-pending U.S. Patent Application, filed on the same date herewith, entitled “Permission Level Generation Based on Adaptive Learning”, which is assigned to the same common assignee as the present application and is incorporated herein by reference in its entirety for all it discloses.
  • Access analyzer 120, based on security policy 122 and event audit trail 102, is operable to estimate the probability of an access attempt to a system resource occurring and, subsequently, to define the most up-to-date permission levels 134.
  • Permission levels 134 which are an output of the analyzing algorithm utilized within Access Analyzer 120, may be transmitted to agent 100, which may receive and/or transmit data to one or more access analyzers 120.
  • Central Control Unit
  • Control unit 110 may comprise means for interacting with access analyzers 120 and agents 100, and can manage activities within the system architecture 10 (FIG. 1) and system 20 (FIG. 2) having a single security policy, i.e., a combination of security policies 122, 122'.
  • One or more control servers 110 may handle a single security policy.
  • Control server 110 may control the system configuration, security policy, and response to reported events. When access attempts 108 occur, they may be reported to control unit 110, and, based on the nature of the attempt, control unit 110 may notify the appropriate person(s) or program(s) by e-mail or other form of communication.
  • Control unit 110 may include a database, a report generation engine, and a scheduler.
  • Agents 100 may monitor access attempts 108 that occur on servers 18, 18' and 18" and gather data related to those attempts.
  • The access attempts and data that are monitored may relate to user or resource activities, or to any other operations that may occur on servers 18, 18' or 18".
  • The access attempts 108 that are monitored may include resource retrieval and/or usage of, for example, documents, files, databases, computer peripherals, etc., resource accesses, logins, internal communication problems, access times and types, etc.
  • Event audit trail 102 may include the number of times a resource is accessed, the users that access a specific resource, access time, type of access, any type of statistical data related to the access attempt, etc.
  • Event audit trail 102 may be used as an input for the analyzing algorithm run by access analyzer 120 as mentioned above.
  • The analyzing algorithm uses at least event audit trail 102 to generate permission levels 134 for respective accesses to resources.
  • Permission levels 134 may be specific to each type of access, they may be time dependent, and/or they may correspond to each user and each resource.
  • Agent 100 may receive permission levels 134 from access analyzer 120 and may receive security policy 122', in the form of a table or some other format, from control unit 110. In some embodiments of the invention, rules related to the security policy may be defined in control unit 110 and enforced by a guardian agent type of agent 100.
  • Security policy rules may include a first threshold below or above which an alarm will be generated to notify the control unit 110 of an access attempt to a resource.
  • Security policy rules may also include a second threshold below or above which access attempts to a resource will be denied.
  • An example of a security policy including the security policy rules just described is in the co-pending U.S. Patent Application, filed on the same date herewith, entitled “A Method and Apparatus for a Security Policy", assigned to the common assignee of the present invention, and which is incorporated in its entirety herein by reference for all that is disclosed.
  • Enforcement may comprise two different operations. For example, enforcement can include: 1) allowing operations that are permitted by both the security policy and the permission levels, if both exist; or 2) blocking operations that are not permitted or are considered suspicious beyond the second threshold level mentioned above. The second operation may further include the generation of a different alarm if an operation is considered suspicious as being beyond the first threshold level. Enforcement may be performed by guardian agent 100 or by an enforcement unit.
  • Guardian agent 100 may reside on control unit 110 or any other appropriate platform having access to system resources.
  • The security policy rules and permission levels 134 may correspond to a user, a group of users, a resource, a group of resources or a combination of user(s) and resource(s).
  • The security policy rules may also be applied on an access type and/or time basis, and/or may be applied on the basis of access parameter availability, such as location.
  • User groups may be created by applying an algorithm, observing formal or informal hierarchy, or other method known in the art.
  • Security policy rules may correspond to a resource, a user, or a <resource, user> pair, possibly in combination with a particular time and access type as mentioned above.
  • Agent 100 may determine which rules apply to each resource, each user, and each <resource, user> pair at each time. Enforcement determinations can be made on the basis of at least the rules and/or on other factors, such as location. Conflicts between rules that are defined for the same <resource, user> pair may be resolved in the security policy rules or flagged by the system, which can determine how to handle conflicts.
  • the system may, for example, always follow the first security policy rule matching the access attempt. In another embodiment, the system may, for example, always follow the stricter of conflicting security policy rules.
  • Agent 100 may protect specific resources by applying adaptive access control only to specific resources of the existing security system.
  • Agent 100 does not replace or use any of the existing security subsystem.
  • Agent 100 may, in addition to following the specific resource rules, continue to enforce the system's existing rules and thus may not permit anything that is blocked by the existing security subsystem. For example, if the operating system (OS) already permits/denies access to certain resources based on its own independent rules, the adaptive access control system of the present invention will not override the OS's rules and allow access to users that would otherwise not be permitted access.
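The enforcement behaviour described in the preceding passages (a first threshold for alarms and a second for denial; rules on users, user groups, resources and <resource, user> pairs qualified by time and location; first-match or stricter-rule conflict resolution; and no override of the existing security subsystem) can be combined into one decision function. The following is an added example written for this page, not the patent's code nor the security policy of the co-pending application; the `Rule` fields, the `@group` convention for naming user groups, the default-deny when neither a matching rule nor a permission level exists, the threshold values and the sample policy are all assumptions made here.

```python
"""Guardian-agent enforcement: security-policy rules plus two permission-level
thresholds, rule-conflict resolution, and no override of the OS verdict.
Added illustration, not the patent's code; rule fields, the '@group' convention,
the default-deny when no rule and no level exist, and the sample policy are assumed."""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional, Tuple


class Effect(Enum):
    PERMIT = "permit"
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: FrozenSet[str]   # user groups the requester belongs to
    resource: str
    access_type: str         # read / write / execute
    hour: int                # hour of day of the attempt, 0-23
    location: str            # e.g. "hq" or "remote"


@dataclass(frozen=True)
class Rule:
    """One security-policy rule; a None field matches anything.
    user is a user name, or '@name' for a user group (convention assumed here)."""
    effect: Effect
    user: Optional[str] = None
    resource: Optional[str] = None
    access_type: Optional[str] = None
    hours: Optional[Tuple[int, int]] = None   # inclusive window; start > end wraps midnight
    location: Optional[str] = None

    def matches(self, req: AccessRequest) -> bool:
        if self.user is not None:
            if self.user.startswith("@"):
                if self.user[1:] not in req.groups:
                    return False
            elif self.user != req.user:
                return False
        fixed = ((self.resource, req.resource), (self.access_type, req.access_type),
                 (self.location, req.location))
        if any(want is not None and want != have for want, have in fixed):
            return False
        if self.hours is not None:
            start, end = self.hours
            inside = (start <= req.hour <= end) if start <= end else (req.hour >= start or req.hour <= end)
            if not inside:
                return False
        return True


@dataclass(frozen=True)
class SecurityPolicy:
    rules: Tuple[Rule, ...]
    alarm_threshold: float   # first threshold: below it, permit but raise an alarm
    deny_threshold: float    # second threshold: below it, deny (and alarm)
    conflict: str = "first"  # "first": first matching rule wins; "strict": any DENY wins

    def rule_effect(self, req: AccessRequest) -> Optional[Effect]:
        matched = [r.effect for r in self.rules if r.matches(req)]
        if not matched:
            return None
        if self.conflict == "first":
            return matched[0]
        return Effect.DENY if Effect.DENY in matched else Effect.PERMIT


@dataclass(frozen=True)
class Decision:
    permitted: bool
    alarm: bool      # alarm to report to the control unit
    reason: str


def enforce(req: AccessRequest, policy: SecurityPolicy,
            level: Optional[float], os_permits: bool) -> Decision:
    """level: the analyzer's permission level for this attempt (None if none exists);
    os_permits: the verdict of the existing security subsystem, e.g. the OS ACL."""
    # The adaptive layer never grants what the existing subsystem blocks.
    if not os_permits:
        return Decision(False, False, "blocked by existing security subsystem")
    effect = policy.rule_effect(req)
    if effect is Effect.DENY:
        return Decision(False, False, "denied by security policy rule")
    if level is None:                      # rules alone decide; default-deny is an assumption
        if effect is Effect.PERMIT:
            return Decision(True, False, "permitted by security policy rule")
        return Decision(False, True, "no matching rule and no permission level")
    # Both the policy and the permission level must permit the operation.
    if level < policy.deny_threshold:
        return Decision(False, True, f"level {level:.2f} below deny threshold")
    if level < policy.alarm_threshold:
        return Decision(True, True, f"level {level:.2f} below alarm threshold")
    return Decision(True, False, "permitted")


# Constructed sample policy (not from the patent).
PAYROLL = "/finance/payroll.db"
SAMPLE_POLICY = SecurityPolicy(
    rules=(
        Rule(Effect.DENY, resource=PAYROLL, hours=(20, 6)),       # no off-hours payroll access
        Rule(Effect.PERMIT, user="@finance", resource=PAYROLL),  # finance group may use payroll
        Rule(Effect.DENY, resource=PAYROLL),                     # everyone else may not
    ),
    alarm_threshold=0.5,
    deny_threshold=0.2,
)
```

With `SAMPLE_POLICY`, a finance user reading the payroll database at 10:00 with permission level 0.73 matches both the group PERMIT rule and the catch-all DENY rule; the `first` strategy permits, the `strict` strategy denies, and the same request at 23:00 is denied by the time-window rule regardless. A permission level between the two thresholds is permitted but raises an alarm, and a level below the deny threshold is refused even when no rule objects, which is the "permitted by both" behaviour the passage describes.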
  • Agent 100 can further provide a uniform interface between the various systems, since the rules of other existing systems are incorporated without the need to interface with those systems directly. Interfacing to other systems in this manner satisfies the definition of unified and universal security policy rules.
  • Agent 100 may be implemented as an extension of the operating system (OS), a database, a Web-server, or an application.
  • Discovery units 22 may comprise a tool used by control unit 110 to obtain information concerning users and resources on servers 18, 18' or 18". Discovery units 22 can receive instructions from control unit 110, when appropriate, For example, discovery unit 22 can collect information regarding which users are defined on servers 18, 18' or 18" and which resources are defined, or any other information that may be useful to control unit 110. As a further example, in some embodiments of the invention, discovery units 22 can report which users are logged-on the respective system. Discovery units 22 can gather information automatically or in response to a request from control unit 110 and Discovery units 22 may be a part of agent 100 or they can be a stand-alone units. [052] Access analyzer 120 can be in communication with agent 100 and receive event audit trail 102.
  • Event audit trail 102 can be used as an input to access analyzer 120 and used in accordance with an adaptive access control analyzing algorithm, in which at least some of the output of the analyzing algorithm, for example permission levels 134, may be used as part of the enforcement 106.
  • the analyzing algorithm can use "Knowledge" pertaining to user activity. Knowledge is derived from the data gathered by agents 100. The data used in gaining "Knowledge" about user activity can be transferred from agents 100 to access analyzers 120 as frequently, or infrequently, as necessary, such as daily, bi-weekly, etc. Updated data can be matched with past (known) user behavior patterns, and the behavior patterns can be updated by access analyzer 120. By consulting the user behavior patterns, it is possible to analyze and determine what each user does, what the relationships between users are, and which resources are likely to be used by various users (or user groups) in the future. As mentioned above, an exemplary analyzing algorithm is described in the co-pending U.S. Patent Application, filed on the same date herewith, entitled "Permission Level Generation Based on Adaptive Learning".
  • access analyzer 120 can generate permission levels, possibly by calculating the likelihood that a particular access attempt should be permissible.
  • the permission levels are numbers in a given range, wherein the higher the number the more likely the access attempt is to be permitted.
  • the permission levels may be normalized to a range between 0 and 1, or any other appropriate range or scale.
  • access control determinations can be made in run-time by agent 100. In such an instance, access analyzer 120 provides the permission levels 134 to agent 100 in advance or in generally real time.
  • the analyzing algorithm can operate using only the data gathered by agent 100. Nevertheless, the analyzing algorithm can accept additional data, such as organizational structure information, if provided. Additional data, such as the OS permissions, or feedback from users, may improve the quality of the results, shorten the run time of the analyzing algorithm, or reduce the number of runs of the analyzing algorithm until convergence, or a good result, is achieved. Conversely, false input can reduce quality or increase run-time. However, given that the algorithm can resolve inaccuracies by "learning", the false input may not cause completely incorrect determinations, and its effects will be practically eliminated over time.
  • Control unit 110 can request that agent 100 gather information upon demand.
  • Control unit 110 can also act as a cryptographic key manager, serving as a certificate authority, and can further maintain a list of system administrators and their associated privileges.
  • When access attempts 108 occur, they may be reported to control unit 110, and, based on the nature of the event, control unit 110 may notify the appropriate person(s) and/or log the events outlined in the reports for future reference.
  • Control unit 110 can be operable to prepare and generate reports, schedule activities for execution, save the reports in an archive, and/or optionally distribute the reports, or links to them, by email or other means of communication to a recipient list.
  • Agent 100 monitors a request for access to a certain resource. Agent 100 either has or receives security policy 122' (including rules) from control unit 110.
  • Agent 100 also either has or receives permission levels 134 from access analyzer 120. Based on permission levels 134 and security policy 122', agent 100, if it is a guardian agent, provides enforcement 106. Enforcement 106 comprises blocking access, permitting access, reporting the access attempt, etc.
  • Access analyzer 120 receives from agent 100 data about the access attempt and executes the analyzing algorithm.
  • the output of the analyzing algorithm may be permission levels 134, which are transferred periodically to agent 100.
  • the activities of agent 100 and access analyzer 120 may be time-independent with respect to each other. For example, while agent 100 operates on each and every access attempt 108, access analyzer 120 may operate periodically, based on sufficient information collected from event audit trail 102, or at the conclusion of a predefined period of time.
  • Control unit 110 can be notified of the access attempt and any subsequent confirmation of enforcement and can generate a report based on the data for on-line review or for distribution.
  • agent 100, access analyzer 120, and control unit 110 can operate independently. That is, agent 100 can continue operating even if its connection to access analyzer 120 is not operative. For example, agent 100 can continue gathering event audit trail data and use its latest stored version of permission levels 134 even if no updated permission levels are being provided. Access analyzer 120 can perform the analyzing algorithm using the latest event audit trail data it has received, whether or not agent 100 is currently communicating with access analyzer 120. Likewise, access analyzer 120 can perform the analyzing algorithm using the latest security policy 122 it has received, whether or not control unit 110 is currently communicating. Control unit 110 can be used at any time to set overall security policy 122, 122', which is transmitted to access analyzer 120 and agent 100, when possible. Finally, statistical information 132 and alarms 104 can be received by control unit 110 when any disrupted connections are eventually restored, and reports 126 can be generated independently, periodically or upon request.
  • System 20 is further operable on alternative architectures, such as those illustrated in FIGS. 3A and 3B, which show architectures 30 and 40, respectively, to which reference is now made.
  • Architecture 30 is a simple configuration that may be applicable for small businesses. As shown in FIG. 3A, architecture 30 can comprise control unit 110 and file server 18, with the components of agent 100 and access analyzer 120 both residing on server 18. Architecture 30 can provide the compactness and flexibility needed for small computing environments.
  • architecture 40 shown in FIG. 3B may be applicable for application service providers (ASPs), and may operate on a local or non-local system, such as the Internet or web, and may operate on a direct line, without intermediate providers.
  • Architecture 40 may comprise at least one file server 18, one or more optional firewalls 28, and an application server 32.
  • the components of agent 100 may be operable from file server 18.
  • Access analyzer 120 and control unit 110 may reside on application server 32.
  • Application server 32 may be connected to file server 18 through firewalls 28 and over the Internet. This will allow for a remote implementation of the security system by an application provider. It will be appreciated by persons skilled in the art that the present invention is not limited by what has been particularly shown and described hereinabove. Rather, the scope of the invention is defined by the claims that follow.

Abstract

A network security system and method for protecting network resources from unauthorized access and/or use. An agent device gathers data in regard to all access attempts directed at network resources and supplies this information to an analyzer device that adapts permission levels to correspond with at least the newly supplied information. The permission levels may be used by a guardian agent for the purpose of allowing or denying access to system resources. Such enforcement may further be conducted with respect to each resource access attempt in accordance with a network security policy. A control unit maintains the security policy and generates reports based on data provided from both the agent device and the analyzer device.

Description

AN ADAPTIVE SYSTEM AND ARCHITECTURE FOR ACCESS CONTROL
CROSS REFERENCE TO RELATED APPLICATIONS
[001] This application claims priority to U.S. Provisional Application 60/226,128, filed August 18, 2000 and U.S. Provisional Application 60/259,575, filed January 04, 2001.
FIELD OF THE INVENTION
[002] The present invention relates generally to computer networks and, specifically, to access control with respect to computer networks.
BACKGROUND OF THE INVENTION
[003] Computer networks may consist of vast amounts of information and/or resources, such as files, documents, texts, databases, servers, printers, plotters, etc. (collectively "resources") shared among a large number of users. The resources may have a varied degree of sensitivity and may not necessarily be appropriate for use by all the users of the computer network or by users outside the network. This problem is especially pronounced in the business environment where there are global users and where business-to-business (B2B) communications are common.
[004] Thus, in order to protect resources from inappropriate use, each user in the network may be assigned access to only some, rather than all, resources on the network, effectively restricting access by each user to an appropriate subset of those resources. As a result, people with fewer access restrictions may have access to more of the network resources, while others with more access restrictions may have access to only a limited number of resources. A member of a development group, for example, may be assigned access privileges to resources pertaining to a particular project on which he is working, while at the same time being restricted from access to other management resources. Each user is thus assigned "static" access privileges according to his perceived level or task. Access restrictions may similarly be assigned to the resources themselves. For example, a network printer may be made available to everyone on the network for printing, or it may be restricted to only those individuals who are granted special access.
[005] Typically, access permissions are controlled at the resource level. Thus, each resource would have a corresponding access control list (ACL) generated either during the creation of the resource or at a later date. An ACL usually comprises a list of access entries, each such access entry containing a user's name and his/her associated permissions/restrictions. In some instances, the access entry may comprise a user group (such as accounting, engineering, marketing, etc.) and the associated access permissions/restrictions for that group. The permissions/restrictions typically allow/prevent access to the resource, or allow/deny the performance of various operations by, or on, the resource, such as deleting, reading, writing, or otherwise using the resource.
[006] In certain operating systems (OSs), such as the UNIX® operating system, the ACL has been simplified to allow only three predefined accessibility levels of users: the owner of the resource, the owner's group, and the world, which would include anyone requesting access. For each of these user levels, three basic access permissions may generally be possible: "read", "write", and "execute".
[007] One known method for carrying out access control on a network may be as follows: A person, X, is accepted into an enterprise or organization network, at which point he is associated with a user name and possibly added to one or more user groups. When person X requests access to a certain resource, the access list associated with that resource is consulted and searched for either the user name or the user group(s) associated with person X. Depending on the relevant ACL, access to the particular resource is either permitted or denied. In fact, in conventional systems, the only possible conclusion for a given access request is either to permit or to deny access.
[008] In such a system, the resultant security policy, which may be seen as a collection of all potential access permissions and denials, is distributed throughout the system, with little or no capability for effective management. Some systems include "agents" that monitor access and consult a more global policy, normally centrally located, for each permission grant or denial.
[009] However, known network security methods present several problems. First, since ACLs are typically input manually, the creation of the lists may be time consuming. As the number of users and resources grows, the task becomes more cumbersome and more prone to mistakes such as inappropriate exclusions, accidental inclusions, etc. Moreover, the person who typically sets up the listing, e.g., the system administrator, may not be aware of every user and/or resource on the network. Furthermore, even if the system administrator is aware of the relevant user and resource, he may not know the job requirements and applicability of each, and so he may not be able to determine the appropriate ACL.
[010] Yet another problem with conventional network security systems is the inflexibility of the ACL, which, by the nature of the input process, is predefined. Each time a change occurs in the system, whether in regard to a user, a resource, or a permission therebetween, the ACL must be amended. Furthermore, since the listing is predefined, exceptions are difficult to implement. For example, if a user changes jobs, his group must be manually changed for him to gain access to the shared resources of his new group. If the user is performing a job temporarily, permissions may be needed for only a limited period of time. Certain permissions for him would have to be granted to perform the job and then revoked when no longer needed, requiring that someone remember to revoke the permissions at the later date.
[011] Thus, there exists a need for a more efficient, better defined access control method and for an associated system architecture that provides for flexible, adaptive use.
SUMMARY OF THE INVENTION
[012] An object of the present invention is to provide an access control system and architecture for accessing resources. It is another object of the invention to provide an access control system and architecture for accessing resources such as databases, files, computer peripherals and others.
[013] An embodiment of the present invention, therefore, provides a system adapted for controlling access by one or more users to one or more resources. The system includes at least one agent, which collects data about access attempts concerning the resources, and at least one access analyzer, which receives and processes the collected data. The access analyzer analyzes at least the collected data and generates permission levels based on the analysis.
[014] In accordance with the invention, an "access attempt" is an attempt to gain access to any of the resources on the system, regardless of whether the access is ultimately permitted or not. Thus, an access attempt includes the situations where access is granted, and also where access is denied. The data collected by the agent can be, for example, behavioral data concerning the users as well as data concerning the resource itself. More specifically, examples of the collected data include: the access distribution of the resource(s), that is, how each resource is allocated to the user(s); the level and frequency of access attempts initiated by particular user(s), etc. The collected data can also include information about activities such as how much CPU time each user utilizes and/or data regarding I/O and application usage.
[015] The permission levels may be access control permission levels, wherein the permission levels are presented as numbers within a given range, and wherein the likelihood that the access attempt is to be permitted is determined based on the value of the permission level. For example, the permission levels may be normalized to a range between 0 and 1 and the access can be permitted/denied depending on whether the permission level is above/below a certain threshold.
[016] The agent may include at least an enforcement means adapted to control access to the resources based on at least the permission levels. A system in accordance with the present invention may further include one or more controllers adapted to provide one or more rules to the agent, wherein the rules may be access control rules.
[017] Additionally, the enforcement means may be adapted to control access to the resources based on at least the permission levels and the rules, and the enforcement means need not necessarily be located within the agent. The enforcement means can be located external to the immediate network and its servers and enforce access to the resources through remote means. In further embodiments of the invention, the system may also include a discovery unit adapted to provide information to the controller, wherein the information may be data concerning the users and the resources. The discovery unit may include means for automatically gathering the information.
BRIEF DESCRIPTION OF THE DRAWINGS
[018] The object and features of the present invention will become more readily apparent from the following detailed description of the preferred embodiments taken in conjunction with the accompanying drawings in which:
[019] FIG. 1 is a block diagram illustration of an access architecture, constructed and operative according to an embodiment of the present invention;
[020] FIG. 2 is a block diagram illustration of an access control system, implemented using the access architecture of FIG. 1, constructed and operative according to an embodiment of the present invention; and
[021] FIGS. 3A and 3B are block diagram illustrations of alternative access control systems, implemented using the access architecture of FIG. 1, constructed and operative according to an embodiment of the present invention.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
[022] A preferred embodiment of the present invention is discussed in detail below. While specific configurations are discussed, it should be understood that this is done for illustration purposes only. A person skilled in the relevant art will recognize that other components and configurations may be used without departing from the spirit and scope of the invention.
[023] Reference is now made to FIG. 1, which is a block diagram illustrating the operation of the invention and an example of access architecture 10. Architecture 10 illustrates one embodiment of the present invention; other embodiments are also described below. In order to facilitate the discussion of a preferred embodiment, the following is a list of relevant terms and associated definitions: "Resources" may be services, documents, data, files, databases, or any portion of such services, documents, data, files, databases, as well as peripheral devices or any other type of computer resources. "Access Attempt", as mentioned above, may be an attempt to use or otherwise gain access to a particular resource. "User(s)" may be any person, user group, or other resource wishing to access a resource: persons such as members of a company with which the resource resides, associates of the company (e.g., in a B2B situation), Internet browsers, etc., or programs or other resources. "User groups" may be teams of users with some actual or perceived shared trait, such as shared responsibilities, e.g., an accounting group, shared location, e.g., a Haifa group, shared hierarchy in the corporation, e.g., a management group, etc. "Policy" may be a list of rules and "security policy" may be a list of rules that control the access privileges to resources. "Rules" may comprise at least user or user group names and/or associated access permission, denial or other result. "Administrators" may be persons who administer or manage computer systems such as those described herein. A "security policy table" may be a table that lists access options and other rules related to resource security.
"Permission levels" refer to the likelihood that accesses to the resource will be required and/or granted. The permission levels may be likelihood estimates, possibly discretized and normalized to a specific range, for example, between 0 and 1. Such a permission level may be specific to the user, his group, time-of-day, location, or other parameters. An "analyzing algorithm" may be an algorithm that, based on gathered data, for example access requests, learns about activities and at least therefrom creates permission levels. "Adaptive permission levels" or "APL" may be permission levels generated periodically by an analyzing algorithm. An "agent" may be a software utility that collects data about the activities of the computer; a "guardian agent" is a type of agent that is capable of enforcement based on at least security policy rules. A guardian agent may further be capable of enforcement based, in addition, on permission levels.
[025] Illustrated in FIG. 1 is an exemplary system in accordance with the present invention. Three elements comprise an architecture 10: an Agent 100, a Control Unit 110, and an Access Analyzer 120. Agent 100 monitors access attempts 108 directed to particular resources (not shown), and provides a periodic event audit trail 102 to access analyzer 120, reports alarms 104 to control unit 110 and, if it is a "Guardian Agent", enforces access restrictions 106 to the resource. Event Audit Trail 102 includes information regarding the access attempt(s), including but not limited to such things as whether the access was permitted, time of the access attempt, etc. Access analyzer 120 analyzes event audit trail 102, possibly using a first security policy 122 provided by control unit 110, and responds periodically by sending a list of permission levels 134 to agent 100. Access analyzer 120 also sends statistical information 132 to control unit 110. Based on permission levels 134, received from access analyzer 120, and optionally second security policy 122' received from control unit 110, agent 100, if it is a guardian agent, can provide enforcement 106. Access enforcement 106 includes enforcing the security control of the resources by permitting, alerting, denying, or otherwise controlling access to the resource.
[026] First and second security policy arrows 122 and 122' can represent the same security policy information from control unit 110 to access analyzer 120 and agent 100, respectively, or either the first or second security policy, 122 or 122', can comprise a subset of the other. Independently sending/receiving a security policy allows for the use of multiple agents 100, access analyzers 120, and control units 110, which all either send or receive united security policy 122 or 122'. Control unit 110 may use the alarms 104 received from agent 100, the statistical information 132 received from access analyzer 120, and other user inputs (not shown) to create reports 126. Reports 126 provide all, or some, of the input information in a user-defined format.
[027] In another embodiment of the present invention (not shown), first security policy 122 can be provided to agent 100 by way of access analyzer 120. In other words, access analyzer 120 receives first security policy 122 from control unit 110 and then sends it along to agent 100. According to this embodiment, it would not be necessary to provide second security policy 122' from Control Unit 110 to Agent 100.
[028] According to the architecture 10, described above, a system in accordance with the present invention may be used for various operations, including analysis, intrusion detection, website user profiling, database access, or any other resource access application, such as access control.
[029] FIG. 2, to which reference is now made, provides a relatively detailed illustration of an exemplary configuration of architecture 10, herein referred to as an access control architecture, or access system 20, which is constructed and operative in accordance with an embodiment of the present invention. Access system 20 comprises one or more agents 100, one or more access analyzers 120, one or more central control servers 110, an optional security policy (not shown) originating in control server 110, and optionally one or more auto discovery units 22. Access system 20 resides, for example, in a university, business, or any other organization that has one or more servers 18, 18' and 18", which may communicate with other devices through either non-secure or secure channels (e.g., encrypted channels). Servers 18, 18' and 18" include any computer resources that serve as gateways to other computer resources or services. Exemplary servers shown in FIG. 2 are databases 18', file servers 18", and personal computers 18, but other, similar machines, such as printer servers (not shown), could also be connected to system 20 in accordance with the present invention.
[030] In accordance with the present invention, system 20 can utilize one or more adaptive algorithms. For example, system 20 may be dedicated to the adaptive access control of resources on a network, as depicted in architecture 10 (FIG. 1). Optionally, for secure embodiments of the present invention, system 20 may also comprise a key authority (not shown), which can reside on control server 110 or on another appropriate platform. In a secure embodiment of the present invention, all communications to/from each device can be encrypted in accordance with conventional encryption techniques. For example, each of the devices shown in FIG. 1, for example, Agent 100, Access Analyzer 120 and Control Unit 110, can be equipped with both encryption and decryption tools in order to encrypt the information it sends and decrypt the information it receives.
Agent
[031] Agents 100, which may also be Guardian Agents as described above, reside on servers 18, 18' or 18" and monitor access attempts that occur on servers 18, 18' or 18" and gather data related to those access attempts, data such as the name of the user attempting access, the machine from which access is attempted, the time of day of the access attempt, the resource to which access is attempted, the type of access attempted, etc. The gathered data may then be sent as event audit trail 102 (FIG. 1) to access analyzer 120 to be used as input for an analyzing algorithm run by access analyzer 120.
The analyzing algorithm can use at least the gathered data to generate permission levels 134 (FIG. 1).
[032] In further embodiments, based on at least the permission levels 134, guardian agents 100 can protect the resources stored on servers 18, 18' or 18" by enforcing the permission levels 134. Enforcement may be performed by guardian agent 100 or by an enforcement unit (not shown) provided either within guardian agent 100 or as a separate unit.
[033] In yet another embodiment of this invention, event audit trail 102 is used by access analyzer 120 to generate the underlying system permissions, e.g., ACLs, that are used to update the system ACLs. In this embodiment, agent 100 may not necessarily be a guardian agent. In another embodiment of this invention, the consulting facilities of a computer system may be used. In such a case, as a response to an access attempt 108 the system will respond with a query to the consulting facilities. The consulting facilities, based on permission levels provided by access analyzer 120, may respond with the required response relative to access attempt 108. In yet another embodiment of this invention, agent 100 may be implemented as a "proxy", i.e., a unit through which all the network traffic flows and which may not necessarily be part of the system it is protecting, and access attempts 108 will be handled from the "proxy" unit.
[034] Also, agents 100 can reside on control server 110 or any other appropriate platform. That is, it is not necessary for Agents 100 and Control Units 110 to be separate machines; their functionalities can be combined into a single machine.
[035] In other embodiments, based on at least the permission levels 134 and the security policy 122, 122', guardian agents 100 may protect the resources stored on servers 18, 18' or 18" by executing and enforcing access permissions and restrictions, and possibly notifications to other system resources, based on both the permission levels 134 and security policies 122, 122' to control access to the resources. As mentioned above, enforcement may be executed by guardian agent 100 or by an enforcement unit (not shown) within guardian agent 100, or as a separate unit.
Access Analyzer
[036] Access Analyzer 120 may be in communication with one or more agents 100 and each access analyzer 120 can support and control each of these agents 100, depending on the load of each agent 100 and the strength of access analyzer 120. Access analyzer 120 may further receive event audit trail 102 by a push, i.e., where the sender initiates the transfer, or pull, where the receiver initiates the transfer, method to transfer the event audit trail data from each agent 100, applying the data to an analyzing algorithm. For example, the transfer of event audit trail 102 may take place on a cyclic basis (e.g., once a day) and the analyzing algorithm may then be executed after the new event audit trail 102 data has been received.
[037] Access analyzer 120 can utilize any learning algorithm adapted for access control, an example of which is described in the co-pending U.S. Patent Application, filed on the same date herewith, entitled "Permission Level Generation Based on Adaptive Learning", which is assigned to the same common assignee as the present application and is incorporated herein by reference in its entirety for all it discloses.
[038] Access analyzer 120, based on security policy 122 and event audit trail 102, is operable to estimate the probability of an access attempt to a system resource occurring and, subsequently, define the most up-to-date permission levels 134. Permission levels 134, which are an output of the analyzing algorithm utilized within Access Analyzer 120, may be transmitted to agent 100, which may receive and/or transmit data to one or more access analyzers 120.
Central Control Unit
[039] Control unit 110 may comprise means for interacting with access analyzers 120 and agents 100, and can manage activities within the system architecture 10 (FIG. 1) and system 20 (FIG. 2) having a single security policy, i.e., a combination of security policies 122, 122'. In other embodiments of the present invention, one or more control servers 110 may handle a single security policy. Control server 110 may control the system configuration, security policy, and response to reported events. When access attempts 108 occur, they may be reported to control unit 110, and, based on the nature of the attempt, control unit 110 may notify the appropriate person(s) or program(s) by e-mail or other form of communication. Control unit 110 may include a database, a report generation engine, and a scheduler.
[040] In a further embodiment in accordance with system 20, agents 100 may monitor access attempts 108 that occur on servers 18, 18' and 18" and gather data related to those attempts. The access attempts and data that are monitored may relate to user or resource activities, or to any other operations that may occur on servers 18, 18' or 18". The access attempts 108 that are monitored may include resource retrieval and/or usage of, for example, documents, files, databases, computer peripherals, etc., resource accesses, logins, internal communication problems, access times and types, etc. Event audit trail 102 may include the number of times a resource is accessed, the users that access a specific resource, access time, type of access, any type of statistical data related to the access attempt, etc.
[041] Event audit trail 102 may be used as an input for the analyzing algorithm run by access analyzer 120 as mentioned above. In some embodiments of the invention, the analyzing algorithm uses at least event audit trail 102 to generate permission levels 134 for respective accesses to resources. Permission levels 134 may be specific to each type of access, they may be time dependent, and/or they may correspond to each user and each resource.
[042] Agent 100 may receive permission levels 134 from access analyzer 120 and may receive security policy 122', in the form of a table, or some other format, from control unit 110. In some embodiments of the invention, rules related to the security policy may be defined in control unit 110 and enforced by a guardian agent type of agent 100.
[043] Based on at least permission levels 134 and second security policy 122', guardian agent 100 may execute and enforce the overall access requirements of the resource, thereby protecting the resources stored on servers 18, 18' or 18" from unauthorized access or use. Security policy rules may include a first threshold below or above which an alarm will be generated to notify the control unit 110 of an access attempt to a resource. Security policy rules may also include a second threshold below or above which access attempts to a resource will be denied. An example of a security policy including the security policy rules just described is in the co-pending U.S. Patent Application, filed on the same date herewith, entitled "A Method and Apparatus for a Security Policy", and assigned to the common assignee of the present invention, and which is incorporated in its entirety herein by reference for all that is disclosed.
[044] Enforcement may comprise two different operations. For example, enforcement can include: 1) allowing operations that are permitted by both the security policy and the permission levels, if both exist; or 2) blocking operations that are not permitted or are considered suspicious beyond the second threshold level mentioned above. The second operation may further include the generation of a different alarm if an operation is considered suspicious because it is beyond the first threshold level.
[045] Enforcement may be performed by guardian agent 100 or by an enforcement unit (not shown) within guardian agent 100. Alternatively, agents 100 may reside on control unit 110 or any other appropriate platform having access to system resources.
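The two-threshold enforcement described in [043] and [044], as an added example that is not part of the patent. It assumes the convention in [043]: permission levels are normalized to [0, 1], the "first threshold" is the level below which an alarm is sent to the control unit, and the "second threshold" is the level below which access is denied. The names `PolicyRule`, `enforce` and `decide_batch`, the sample rules and attempts, and the choice to allow-but-alarm a pair the analyzer has not yet scored are all assumptions of this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"
    ALLOW_AND_ALARM = "allow and alarm control unit"
    DENY = "deny"


@dataclass(frozen=True)
class PolicyRule:
    """Thresholds of one security policy rule (per resource or <resource, user> pair).

    alarm_threshold: the page's "first threshold"; levels below it raise an alarm.
    deny_threshold:  the page's "second threshold"; levels below it are denied.
    Requiring deny_threshold <= alarm_threshold keeps every denial alarmed too.
    """
    alarm_threshold: float
    deny_threshold: float

    def __post_init__(self) -> None:
        if not 0.0 <= self.deny_threshold <= self.alarm_threshold <= 1.0:
            raise ValueError("require 0 <= deny_threshold <= alarm_threshold <= 1")


def enforce(permission_level: Optional[float], rule: PolicyRule) -> Decision:
    """Guardian-agent decision for a single access attempt.

    permission_level is the analyzer's normalized score in [0, 1]; higher means
    the attempt is more likely legitimate.  None means the analyzer has not yet
    scored this pair; allowing but alarming in that case is an assumption of
    this example, not something the patent specifies.
    """
    if permission_level is None:
        return Decision.ALLOW_AND_ALARM
    if not 0.0 <= permission_level <= 1.0:
        raise ValueError("permission level must be normalized to [0, 1]")
    if permission_level < rule.deny_threshold:
        return Decision.DENY
    if permission_level < rule.alarm_threshold:
        return Decision.ALLOW_AND_ALARM
    return Decision.ALLOW


def decide_batch(attempts: Iterable[Tuple[str, str, Optional[float]]],
                 rules: Dict[str, PolicyRule]) -> list:
    """Apply each resource's rule to (user, resource, level) attempts."""
    return [(user, resource, enforce(level, rules[resource]).value)
            for user, resource, level in attempts]


if __name__ == "__main__":
    # Constructed sample: one rule per resource, four scored attempts.
    rules = {"payroll.db": PolicyRule(alarm_threshold=0.6, deny_threshold=0.3),
             "wiki": PolicyRule(alarm_threshold=0.2, deny_threshold=0.05)}
    attempts = [("alice", "payroll.db", 0.92),
                ("bob", "payroll.db", 0.41),
                ("mallory", "payroll.db", 0.08),
                ("carol", "wiki", None)]
    for row in decide_batch(attempts, rules):
        print(row)
```

The boundary is deliberate: a level exactly equal to the deny threshold is not denied, and a level exactly equal to the alarm threshold is not alarmed, matching the "below which" wording of [043]; if a deployment wants inclusive thresholds the two comparisons change to `<=`.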
[046] The security policy rules and permission levels 134 may correspond to a user, a group of users, a resource, a group of resources or a combination of user(s) and resources(s). The security policy rules may also be applied on an access type and/or time basis, and/or may be applied on the basis of access parameter availability, such as location. User groups may be created by applying an algorithm, observing formal or informal hierarchy, or other method known in the art.
[047] Security policy rules may correspond to a resource, a user, or a <resource, user> pair, possibly in combination with a particular time and access type as mentioned above. Agent 100 may determine which rules apply to each resource, each user, and each <resource, user> pair at each time. Enforcement determinations can be made on the basis of at least the rules and/or on other factors, such as location. Conflicts between rules that are defined for the same <resource, user> pair may be resolved in the security policy rules or flagged by the system, which can determine how to handle conflicts. The system may, for example, always follow the first security policy rule matching the access attempt. In another embodiment, the system may, for example, always follow the stricter of conflicting security policy rules.
[048] In further embodiments of the invention, agent 100 may protect specific resources by applying adaptive access control only to specific resources of the existing security system. In such embodiments, agent 100 does not replace or use any of the existing security subsystem. Instead, agent 100 may, in addition to following the specific resource rules, continue to enforce the system's existing rules and thus may not permit anything that is blocked by the existing security subsystem. For example, if the operating system (OS) already permits/denies access to certain resources based on its own independent rules, the adaptive access control system of the present invention will not override the OS's rules and allow access to users that would otherwise not be permitted access.
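Rule matching with both conflict strategies from [047] (first match, or the stricter rule) and the unification with the existing OS decision from [048], as an added example that is not part of the patent. A `None` field in a rule is a wildcard; a rule's strictness is taken to be its deny threshold, and an attempt with no matching adaptive rule falls back to the OS decision. The `Rule`, `select_rule` and `unified_decision` names, the sample policy and the attempt tuple layout are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Attempt = Tuple[str, str, str, int]   # (resource, user, access_type, hour_of_day)


@dataclass(frozen=True)
class Rule:
    """One security policy rule; a None field matches anything."""
    resource: Optional[str]
    user: Optional[str]
    access_type: Optional[str]      # "read", "write", ... (see claim 50)
    hours: Optional[range]          # hours of the day the rule covers
    deny_threshold: float           # permission level below which access is denied

    def matches(self, attempt: Attempt) -> bool:
        resource, user, access_type, hour = attempt
        return ((self.resource is None or self.resource == resource)
                and (self.user is None or self.user == user)
                and (self.access_type is None or self.access_type == access_type)
                and (self.hours is None or hour in self.hours))


def select_rule(rules: List[Rule], attempt: Attempt,
                strategy: str = "first") -> Optional[Rule]:
    """Resolve conflicts between rules that match the same attempt.

    "first":     follow the first matching rule in policy order.
    "strictest": follow the matching rule that denies most (highest deny_threshold).
    """
    matching = [r for r in rules if r.matches(attempt)]
    if not matching:
        return None
    if strategy == "first":
        return matching[0]
    if strategy == "strictest":
        return max(matching, key=lambda r: r.deny_threshold)
    raise ValueError(f"unknown conflict strategy: {strategy}")


def unified_decision(os_allows: bool, rule: Optional[Rule],
                     permission_level: float) -> bool:
    """Unified policy: the adaptive layer may only narrow what the OS allows.

    An OS denial is final.  With no adaptive rule for the attempt the OS
    decision stands; that fallback is an assumption of this example.
    """
    if not os_allows:
        return False
    if rule is None:
        return True
    return permission_level >= rule.deny_threshold


# Constructed policy: a narrow working-hours rule for alice precedes a broad
# catch-all for the same resource, so both match her daytime reads.
POLICY = [
    Rule("payroll.db", "alice", "read", range(8, 18), deny_threshold=0.3),
    Rule("payroll.db", None, None, None, deny_threshold=0.8),
]

if __name__ == "__main__":
    attempt = ("payroll.db", "alice", "read", 10)
    for strategy in ("first", "strictest"):
        rule = select_rule(POLICY, attempt, strategy)
        print(strategy, "->", unified_decision(True, rule, 0.5))
```

With a permission level of 0.5 the same daytime read is allowed under first-match (threshold 0.3) and denied under the strictest-rule strategy (threshold 0.8); outside working hours only the catch-all matches, and an OS denial wins regardless of the level. Policy order therefore matters under first-match, which is worth a review step whenever rules are edited.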
[049] By being an extension of the existing system, agent 100 can further provide a uniform interface between the various systems, since the rules of other existing systems are incorporated without the need to interface with those systems directly. Interfacing to other systems in this manner satisfies the definition of unified and universal security policy rules.
[050] There may be an agent 100 for each platform or application, and agent 100 may be implemented as an extension of the operating system (OS), a database, a Web server, or an application.
[051] Discovery units 22 may comprise a tool used by control unit 110 to obtain information concerning users and resources on servers 18, 18' or 18". Discovery units 22 can receive instructions from control unit 110 when appropriate. For example, discovery unit 22 can collect information regarding which users are defined on servers 18, 18' or 18" and which resources are defined, or any other information that may be useful to control unit 110. As a further example, in some embodiments of the invention, discovery units 22 can report which users are logged on to the respective system. Discovery units 22 can gather information automatically or in response to a request from control unit 110, and discovery units 22 may be a part of agent 100 or they can be stand-alone units.
[052] Access analyzer 120 can be in communication with agent 100 and receive event audit trail 102. Event audit trail 102 can be used as an input to access analyzer 120 and used in accordance with an adaptive access control analyzing algorithm, in which at least some of the output of the analyzing algorithm, for example permission levels 134, may be used as part of the enforcement 106.
[053] In order for access analyzer 120 to generate access control permission levels 134, the analyzing algorithm can use "Knowledge" pertaining to user activity. Knowledge is derived from the data gathered by agents 100. The data used in gaining "Knowledge" about user activity can be transferred from agents 100 to access analyzers 120 as frequently, or infrequently, as necessary, such as daily, bi-weekly, etc. Updated data can be matched with past (known) user behavior patterns, and the behavior patterns can be updated by access analyzer 120. By consulting the user behavior patterns, it is possible to analyze and determine what each user does, what the relationships between users are, and which resources are likely to be used by various users (or user groups) in the future. As mentioned above, an exemplary analyzing algorithm is described in the co-pending U.S. Patent Application, filed on the same date herewith, entitled "Permission Level Generation Based on Adaptive Learning".
[054] Furthermore, access analyzer 120 can generate permission levels, possibly by calculating the likelihood that a particular access attempt should be permissible. The permission levels are numbers in a given range, wherein the higher the number the more likely the access attempt is to be permitted. The permission levels may be normalized to a range between 0 and 1, or any other appropriate range or scale.
[055] In some embodiments of the invention, access control determinations can be made in run-time by agent 100. In such an instance, access analyzer 120 provides the permission levels 134 to agent 100 in advance or in generally real-time.
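The analyzer side of [052] to [054], as an added example that is not part of the patent: it turns an event audit trail into per-<user, resource> permission levels normalized to [0, 1]. The patent defers the real analyzing algorithm to the co-pending "Permission Level Generation Based on Adaptive Learning" application; the scoring used here is a deliberately simple stand-in (a Laplace-smoothed estimate of how likely a user is to access each known resource, scaled so the user's most-used resource scores 1.0). The audit trail lines, the `AccessAnalyzer` class and the rule that a never-seen user scores 0.0 on every resource are constructed assumptions of this example.

```python
from collections import Counter
from typing import Dict, Tuple

# Constructed audit trail: "<timestamp> <user> <resource> <access_type>".
SAMPLE_AUDIT_TRAIL = """\
2001-08-20T09:02:11 alice payroll.db read
2001-08-20T09:05:40 alice payroll.db read
2001-08-20T10:11:02 alice hr_docs read
2001-08-20T11:30:15 alice payroll.db write
2001-08-20T09:15:00 bob source.git write
2001-08-20T09:45:12 bob source.git write
2001-08-20T13:20:07 bob payroll.db read
2001-08-20T14:02:55 bob source.git write
2001-08-20T16:40:31 bob source.git write
"""


class AccessAnalyzer:
    """Accumulates audit events and derives normalized permission levels.

    ingest() may be called repeatedly (daily, bi-weekly, ...); the counters
    carry the previously learned behaviour forward and the new batch updates it.
    """

    def __init__(self, alpha: float = 1.0) -> None:
        self.alpha = alpha                      # Laplace smoothing weight
        self.pair_counts: Counter = Counter()   # (user, resource) -> accesses
        self.user_counts: Counter = Counter()   # user -> total accesses
        self.resources: set = set()             # every resource ever observed

    def ingest(self, audit_trail: str) -> int:
        """Parse audit lines into the counters; returns the number ingested."""
        n = 0
        for line in audit_trail.splitlines():
            if not line.strip():
                continue
            _ts, user, resource, _access_type = line.split()
            self.pair_counts[(user, resource)] += 1
            self.user_counts[user] += 1
            self.resources.add(resource)
            n += 1
        return n

    def likelihood(self, user: str, resource: str) -> float:
        """Smoothed estimate that user's next access goes to resource.

        A user with no history gets 0.0 everywhere (assumption: an unknown
        principal is the least trusted, not the most).
        """
        total = self.user_counts[user]
        if total == 0:
            return 0.0
        return ((self.pair_counts[(user, resource)] + self.alpha)
                / (total + self.alpha * len(self.resources)))

    def permission_levels(self) -> Dict[Tuple[str, str], float]:
        """Per-user normalization so each user's top resource scores 1.0."""
        levels: Dict[Tuple[str, str], float] = {}
        for user in self.user_counts:
            raw = {r: self.likelihood(user, r) for r in self.resources}
            peak = max(raw.values())
            for resource, value in raw.items():
                levels[(user, resource)] = value / peak
        return levels


if __name__ == "__main__":
    analyzer = AccessAnalyzer()
    analyzer.ingest(SAMPLE_AUDIT_TRAIL)
    for pair, level in sorted(analyzer.permission_levels().items()):
        print(pair, round(level, 3))
```

Smoothing gives a user a small non-zero level on resources they have never touched, so a first access is flagged rather than silently denied under the thresholds of [043]; the `alpha` weight controls how quickly repeated accesses raise that level.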
[056] Providing organizational structure of users information of the system to the analyzing algorithm is optional. In other words, the analyzing algorithm can operate using only the data gathered by agent 100. Nevertheless, the analyzing algorithm can accept additional data, such as organizational structure information, if provided. Additional data, such as the OS permissions, or feedback from users, may improve the quality of the results, shorten the run time of the analyzing algorithm, or reduce the number of runs of the analyzing algorithm until convergence, or a good result, is achieved. Conversely, false input can reduce quality or increase run-time. However, given that the algorithm can resolve inaccuracies by "learning", the false input may not cause completely incorrect determinations, and its effects will be practically eliminated over time.
[057] Control unit 110 can request that agent 100 gather information upon demand. Control unit 110 can also act as a cryptographic key manager, serving as a certificate authority, and can further maintain a list of system administrators and their associated privileges.
[058] When access attempts 108 occur, they may be reported to control unit 110, and, based on the nature of the event, control unit 110 may notify the appropriate person(s) and/or log the events outlined in the reports for future reference. Control unit 110 can be operable to prepare and generate reports, schedule activities for execution, save the reports in an archive, and/or optionally distribute the reports by email, links, or other means of communication, to a recipient list, and/or link to them.
[059] In accordance with an embodiment of the present invention, the following is an exemplary access control scenario: Agent 100 monitors a request for access to a certain resource. Agent 100 either has or receives security policy 122' (including rules) from control unit 110. Agent 100 also either has or receives permission levels 134 from access analyzer 120. Based on permission levels 134 and security policy 122', agent 100, if it is a guardian agent, provides enforcement 106. Enforcement 106 may comprise blocking access, permitting access, reporting the access attempt, etc.
[060] Access analyzer 120 receives from agent 100 data about the access attempt and executes the analyzing algorithm. The output of the analyzing algorithm may be permission levels 134, which are transferred periodically to agent 100. The activities of agent 100 and access analyzer 120 may be time-independent with respect to each other. For example, while agent 100 operates on each and every access attempt 108, access analyzer 120 may operate periodically, based on sufficient information collected from event audit trail 102, or at the conclusion of a predefined period of time.
[061] Control unit 110 can be notified of the access attempt and any subsequent confirmation of enforcement and can generate a report based on the data for on-line review or for distribution.
[062] An important feature of the present invention is that each of the parts (agent 100, access analyzer 120, and control unit 110) can operate independently. That is, agent 100 can continue operating even if its connection to access analyzer 120 is not operative. For example, agent 100 can continue gathering event audit trail data and use its latest stored version of permission levels 134 even if no updated permission levels are being provided. Access analyzer 120 can perform the analyzing algorithm using the latest event audit trail data it has received, whether or not agent 100 is currently communicating with access analyzer 120. Likewise, access analyzer 120 can perform the analyzing algorithm using the latest security policy 122 it has received, whether or not control unit 110 is currently communicating. Control unit 110 can be used at any time to set overall security policy 122, 122', which is transmitted to access analyzer 120 and agent 100, when possible. Finally, statistical information 132 and alarms 104 can be received by control unit 110 when any disrupted connections are eventually restored, and reports 126 can be generated independently, periodically or upon request.
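The agent-side independence described in [060] and [062], as an added example that is not part of the patent: the agent keeps enforcing with its last stored permission levels when the analyzer cannot be reached, keeps buffering audit events, and delivers them once the connection is restored. The `GuardianAgent` class, the use of `ConnectionError` to stand for a failed link, the counter of missed refreshes and the choice to deny a pair that has no stored level are assumptions of this example.

```python
from typing import Callable, Dict, List, Tuple

Pair = Tuple[str, str]   # (user, resource)


class GuardianAgent:
    """Enforces with the latest permission levels it holds and keeps working
    while the access analyzer is unreachable."""

    def __init__(self, deny_threshold: float, initial_levels: Dict[Pair, float]) -> None:
        self.deny_threshold = deny_threshold
        self.levels: Dict[Pair, float] = dict(initial_levels)
        self.levels_version = 0              # successful refreshes so far
        self.missed_refreshes = 0            # consecutive failures: a staleness signal
        self.pending_trail: List[str] = []   # audit events not yet delivered

    def refresh_levels(self, fetch: Callable[[], Dict[Pair, float]]) -> bool:
        """Try to pull fresh levels from the analyzer; on failure keep the stored ones."""
        try:
            fresh = fetch()
        except ConnectionError:
            self.missed_refreshes += 1
            return False
        self.levels = dict(fresh)
        self.levels_version += 1
        self.missed_refreshes = 0
        return True

    def decide(self, user: str, resource: str, access_type: str) -> bool:
        """Decide with whatever levels are stored and record the event locally.

        A pair with no stored level is denied (assumption of this example).
        """
        level = self.levels.get((user, resource), 0.0)
        allowed = level >= self.deny_threshold
        outcome = "allow" if allowed else "deny"
        self.pending_trail.append(f"{user} {resource} {access_type} {outcome}")
        return allowed

    def flush_trail(self, send: Callable[[List[str]], None]) -> int:
        """Deliver buffered audit events; returns how many were delivered."""
        if not self.pending_trail:
            return 0
        try:
            send(self.pending_trail)
        except ConnectionError:
            return 0
        delivered = len(self.pending_trail)
        self.pending_trail = []
        return delivered


if __name__ == "__main__":
    # Constructed scenario: analyzer down, then back up with lower levels.
    agent = GuardianAgent(0.5, {("alice", "payroll.db"): 0.9})

    def analyzer_down() -> Dict[Pair, float]:
        raise ConnectionError("analyzer unreachable")

    print(agent.refresh_levels(analyzer_down), agent.decide("alice", "payroll.db", "read"))
    print(agent.refresh_levels(lambda: {("alice", "payroll.db"): 0.2}),
          agent.decide("alice", "payroll.db", "read"))
```

`missed_refreshes` is the value to watch operationally: the patent's design keeps enforcement running on stale levels, so a monitor should alarm when the agent has gone more than an agreed number of refresh periods without a successful pull, since a level learned before a user's role changed is still being applied.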
[063] System 20 is further operable on alternative architectures, such as those illustrated in FIGS. 3A and 3B, which show architectures 30 and 40, respectively, to which reference is now made. Architecture 30 is a simple configuration that may be applicable for small businesses. As shown in FIG. 3A, architecture 30 can comprise control unit 110 and file server 18, with the components of agent 100 and access analyzer 120 both residing on server 18. Architecture 30 can provide the compactness and flexibility needed for small computing environments.
[064] Alternatively, architecture 40, shown in FIG. 3B, may be applicable for application service providers (ASPs), and may operate on a local or non-local system, such as the Internet or web, and may operate on a direct line, without intermediate providers. Architecture 40 may comprise at least one file server 18, one or more optional firewalls 28, and an application server 32. As noted in FIG. 3B, in order to adapt to the appropriate architecture and/or system, the components of agent 100 may be operable from file server 18. Access analyzer 120 and control unit 110 may reside on application server 32. Application server 32 may be connected to file server 18 through firewalls 28 and over the Internet. This will allow for a remote implementation of the security system by an application provider. It will be appreciated by persons skilled in the art that the present invention is not limited by what has been particularly shown and described herein above. Rather, the scope of the invention is defined by the claims that follow.

Claims

WHAT IS CLAIMED IS:
1. A computer network with a security system, the security system comprising:
at least one agent operable to identify an access attempt directed to a resource on the network and further operable to respond to said access attempt in accordance with at least permission levels; and
at least one access analyzer operable to analyze an event audit trail and provide said permission levels to said agent.
2. The computer network of claim 1, further comprising at least one control unit operably connected to said agent and said access analyzer.
3. The computer network of claim 2, wherein said control unit comprises at least a security policy.
4. The computer network of claim 3, wherein said guardian agent implements a unified security policy which is a unification of said system's original security policy and a security policy operable with at least said permission levels.
5. The computer network of claim 4, wherein said unified security policy implements the most restrictive rules.
6. The computer network of claim 4, wherein said unified security policy implements the most permissive rules.
7. The computer network of claim 3, wherein said security policy comprises at least one security rule.
8. The computer network of claim 7, wherein said security rule defines at least one response to said access attempt.
9. The computer network of claim 8, wherein said response comprises at least allowing an access.
10. The computer network of claim 8, wherein said response comprises at least denying an access.
11. The computer network of claim 8, wherein said response comprises at least notification of an access.
12. The computer network of claim 8, wherein said response is adaptive in accordance with at least said permission levels.
13. The computer network of claim 12, wherein said adaptive response is further determined in accordance with at least one activation threshold.
14. The computer network of claim 13, wherein said response comprises at least allowing an access, determined at least in accordance with a first activation threshold.
15. The computer network of claim 13, wherein said response comprises at least denying an access, determined at least in accordance with a first activation threshold.
16. The computer network of claim 13, wherein said response comprises at least notification of an access, determined at least in accordance with a second activation threshold.
17. The computer network of claim 2, further comprising a discovery unit operable to provide information to said control unit.
18. The computer network of claim 17, wherein said information includes data relative to at least a user of said network.
19. The computer network of claim 17, wherein said information includes data relative to at least a resource accessible through said network.
20. The computer network of claim 17, wherein gathering of said information is automatic.
21. The computer network of claim 2, wherein said access analyzer provides said agent with only deny or permit status for each access attempt.
22. The computer network of claim 1, further comprising at least one control unit operably connected to said access analyzer.
23. The computer network of claim 22, wherein said control unit comprises at least a security policy.
24. The computer network of claim 23, wherein said guardian agent implements a unified security policy which is a unification of said system's original security policy and a security policy operable with at least said permission levels.
25. The computer network of claim 24, wherein said unified security policy implements the most restrictive rules.
26. The computer network of claim 24, wherein said unified security policy implements the most permissive rules.
27. The computer network of claim 23, wherein said security policy comprises at least one security rule.
28. The computer network of claim 27, wherein said security rule defines at least one response to said access attempt.
29. The computer network of claim 28, wherein said response comprises at least allowing an access.
30. The computer network of claim 28, wherein said response comprises at least denying an access.
31. The computer network of claim 28, wherein said response comprises at least notification of an access.
32. The computer network of claim 28, wherein said response is adaptive in accordance with at least said permission levels.
33. The computer network of claim 32, wherein said adaptive response is further determined in accordance with at least one activation threshold.
34. The computer network of claim 33, wherein said response comprises at least allowing an access, determined at least in accordance with a first activation threshold.
35. The computer network of claim 33, wherein said response comprises at least denying an access, determined at least in accordance with a first activation threshold.
36. The computer network of claim 33, wherein said response comprises at least notification of an access, determined at least in accordance with a second activation threshold.
37. The computer network of claim 22, further comprising a discovery unit operable to provide information to said control unit.
38. The computer network of claim 37, wherein said information includes data relative to at least a user of said network.
39. The computer network of claim 37, wherein said information includes data relative to at least a resource accessible through said network.
40. The computer network of claim 37, wherein gathering of said information is automatic.
41. The computer network of claim 22, wherein said access analyzer provides said agent with only deny or permit status for each access attempt.
42. The computer network of claim 1, wherein said agent responds to said access attempt in accordance with a result of comparing at least one permission level to at least one threshold.
43. The computer network of claim 42, wherein said agent permits access to said resource if the permission level exceeds a first threshold.
44. The computer network of claim 42, wherein said agent denies access to said resource if the permission level does not exceed a first threshold.
45. The computer network of claim 42, wherein said agent sends a notification of said access attempt to said control unit if the permission level is below a second threshold.
46. The computer network of claim 1, wherein said access attempt comprises at least one of: a user, a resource, a location, an access type, a time.
47. The computer network of claim 46, wherein said user may be one or more users.
48. The computer network of claim 46, wherein said resource may be one or more resources.
49. The computer network of claim 46, wherein said location may be one or more locations.
50. The computer network of claim 46, wherein said access type comprises at least one of the following: read, write, modify, execute, delete, rename, take ownership of, change permissions of, or create said resource.
51. The computer network of claim 1, wherein said access attempt comprises at least a time scope.
52. The computer network of claim 1, wherein said event audit trail is derived from at least one access attempt.
53. The computer network of claim 52, wherein said event audit trail is provided to said access analyzer on a periodic basis.
54. The computer network of claim 52, wherein said event audit trail is periodically solicited by said access analyzer.
55. The computer network of claim 52, wherein said access attempt is ignored by said agent with respect to at least one access attempt.
56. The computer network of claim 1, wherein said permission levels are derived from at least likelihood estimates that a future access attempt should be permitted.
57. The computer network of claim 1, wherein said agent comprises at least one enforcement means for controlling access to said resources based on at least said permission levels.
58. The computer network of claim 1, wherein said permission levels are generated periodically based on a currently available event audit trail.
59. The computer network of claim 1, wherein said agent and said access analyzer reside on a single computer.
60. The computer network of claim 2, wherein said agent and said control unit reside on a single computer.
61. The computer network of claim 2, wherein said access analyzer and said control unit reside on a single computer.
62. The computer network of claim 2, wherein said agent, said access analyzer and said control unit reside on a single computer.
63. The computer network of claim 1, wherein said permission levels generated by said access analyzer are used for the purpose of updating at least an access control list of at least a system resource.
64. The computer network of claim 1, wherein said access analyzer provides permission level information to at least a system consulting unit.
65. The computer network of claim 64, wherein in response to said access attempt a query is sent to said system consulting unit.
66. The computer network of claim 65, wherein in response to said query said system consulting unit provides a response corresponding at least to said permission levels.
67. The computer network of claim 1, wherein said agent is implemented as a proxy server.
68. A system comprising a computer network with a distributed security system, the system further comprising:
at least one agent connected to the Internet, said agent being operable to identify an access attempt directed to a resource on the computer network and further operable to respond to said access attempt in accordance with at least permission levels;
at least one access analyzer connected to the Internet, said access analyzer being operable to analyze an event audit trail and provide said permission levels to said agent; and
a communication device operable to provide communication between said agent and said access analyzer.
69. The system of claim 68, wherein the agent is connected to the Internet through a firewall.
70. The system of claim 68, wherein the access analyzer is connected to the Internet through a firewall.
71. The system of claim 68, further comprising at least one control unit operably connected to the Internet.
72. The system of claim 71, wherein the control unit is connected to the Internet through a firewall.
73. The system of claim 71, wherein said control unit and said access analyzer are implemented on the same computer.
74. The system of claim 71, wherein said control unit and said access analyzer are implemented on the same intranet.
75. The system of claim 71, wherein said control unit and said agent are implemented on the same computer.
76. The system of claim 71, wherein said control unit and said agent are implemented on the same intranet.
77. The system of claim 71, wherein said guardian agent implements a unified security policy which is a unification of said system's original security policy and a security policy operable with at least said permission levels.
78. The system of claim 77, wherein said unified security policy implements the most restrictive rules.
79. The system of claim 77, wherein said unified security policy implements the most permissive rules.
80. The system of claim 77, wherein said security policy comprises at least one security rule.
81. The system of claim 80, wherein said security rule defines at least one response to said access attempt.
82. The system of claim 81, wherein said response comprises at least allowing an access permission.
83. The system of claim 51, wherein said response comprises at least denying an access.
84. The system of claim 81, wherein said response comprises at least notification of an access.
85. The system of claim 81, wherein said response is adaptive in accordance with at least said permission levels.
86. The system of claim 85, wherein said adaptive response is further determined in accordance with at least one activation threshold.
87. The system of claim 86, wherein said response comprises at least allowing an access, determined at least in accordance with a first activation threshold.
88. The system of claim 86, wherein said response comprises at least denying an access, determined at least in accordance with a first activation threshold.
89. The system of claim 86, wherein said response comprises at least notification of an access, determined at least in accordance with a second activation threshold.
90. The system of claim 69, further comprising a discovery unit operable to provide information to said control unit.
91. The computer network of claim 90, wherein said information includes data relative to at least a user of said network.
92. The computer network of claim 90, wherein said information includes data relative to at least a resource accessible through said network.
93. The computer network of claim 90, wherein gathering of said information is automatic.
94. The system of claim 68, wherein said agent responds to said access attempt in accordance with a result of comparing at least one permission level to at least one constant threshold.
95. The system of claim 94, wherein said agent permits access to said resource if the permission level exceeds a first threshold.
96. The system of claim 94, wherein said agent denies access to said resource if the permission level does not exceed a first threshold.
97. The system of claim 94, wherein said agent sends a notification of said access attempt to said control unit if the permission level is below a second threshold.
98. The system of claim 68, wherein said access attempt comprises at least one of: a user, a resource, a location, an access type, a time.
99. The system of claim 68, wherein said user may be one or more users.
100. The system of claim 68, wherein said resource may be one or more resources.
101. The system of claim 68, wherein said location may be one or more locations.
102. The system of claim 68, wherein said access type comprises at least one of the following: read, write, modify, execute, delete, rename, take ownership of, change permissions of, or create said resource.
103. The system of claim 68, wherein said access attempt comprises at least a time scope.
104. The system of claim 68, wherein said event audit trail is derived from at least one access attempt.
105. The system of claim 104, wherein said event audit trail is provided to said access analyzer on a periodic basis.
106. The system of claim 104, wherein said event audit trail is periodically solicited by said access analyzer.
107. The system of claim 104, wherein said access attempt is ignored by said agent with respect to at least one access attempt.
108. The system of claim 68, wherein said permission levels are derived from at least likelihood estimates that a future access attempt should be permitted.
109. The system of claim 68, wherein said agent comprises at least one enforcement means for controlling access to said resources based on at least said permission levels.
110. The system of claim 68, wherein said permission levels are generated periodically based on a currently available event audit trail.
111. The system of claim 68, wherein said agent and said access analyzer reside on a single computer.
112. The system of claim 71, wherein said agent and said control unit reside on a single computer.
113. The system of claim 71, wherein said access analyzer and said control unit reside on a single computer.
114. The system of claim 71, wherein said agent, said access analyzer and said control unit reside on a single computer.
115. The system of claim 68, wherein said permission levels generated by said access analyzer are used for the purpose of updating at least an access control list of at least a system resource.
116. The system of claim 68, wherein said access analyzer provides permission level information to at least a system consulting unit.
117. The system of claim 116, wherein in response to said access attempt a query is sent to said system consulting unit.
118. The system of claim 117, wherein in response to said query said system consulting unit provides a response corresponding at least to said permission levels.
119. The system of claim 68, wherein said agent is implemented as a proxy server.
120. A method for controlling access to resources available through the system, said method comprising:
establishing a first threshold value;
gathering an event audit trail comprising data corresponding to at least one access attempt;
periodically analyzing said event audit trail;
generating a permission level for accessing system resources from at least said event audit trail; and
controlling access to said resources based on said generated permission level.
121. A method as claimed in claim 120, wherein said generated permission level comprises adaptive permission levels generated by periodically automatically modifying said event audit trail to account for the most recent access attempt or access attempts.
122. The method of claim 120, wherein if said permission level exceeds said first threshold value, access to said resource is permitted.
123. The method of claim 120, wherein if said permission level does not exceed said first threshold value access to said resource is denied.
124. The method of claim 120, further comprising:
establishing a second threshold value; and
generating a notification if said permission level is below said second threshold value.
125. The method of claim 120, wherein said permission levels are derived from at least likelihood estimates that a future access attempt should be permitted.
126. The method of claim 125, wherein said likelihood calculations comprise a probability that a future access attempt should be permitted.
127. The method of claim 120, further comprising:
discovering information about users and said resources.
128. The method of claim 127, wherein said discovering occurs automatically.
129. A method for employing adaptive permissions for accessing system resources, comprising the steps of:
establishing a system security policy, said security policy containing at least one adaptive security rule;
gathering an event audit trail of at least one access attempt;
periodically analyzing said event audit trail;
generating permission levels for accessing system resources from at least said event audit trail and said security policy; and
controlling access to said resources based on said generated permission levels.
130. The method of claim 129, wherein the security policy is formatted as a security policy table.
131. The method of claim 129, wherein said adaptive security rule comprises at least one threshold.
132. The method of claim 131, wherein if said permission level exceeds said first threshold value access to said resource is permitted.
133. The method of claim 131, wherein if said permission level does not exceed said first threshold value access to said resource is denied.
134. The method of claim 131, wherein if said permission level is below said second threshold value a notification is generated.
135. The method of claim 129, wherein said permission levels are derived from at least the likelihood estimates that a future access attempt should be permitted.
136. The method of claim 129, further comprising the step of discovering information about users and said resources.
137. The method of claim 136, wherein said step of discovering is automatic.
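Claims 120 through 137 describe one procedure: keep an event audit trail of access attempts, periodically analyze it, derive a permission level as a likelihood estimate that the next attempt should be permitted, compare that level against a first threshold (permit/deny) and a second threshold (notification), and let the thresholds come from adaptive rules in a security policy table. The following is an added example that implements that procedure end to end; it is not code from the patent or from Camelot Information Technologies. The class names (`AuditTrail`, `AdaptiveRule`, `PermissionEngine`), the bounded sliding window used to make the trail account for recent attempts, and the Beta-prior smoothed fraction used as the probability estimate are all assumptions made for this illustration; the audit events are constructed sample data.

```python
"""Adaptive permission levels from an event audit trail (illustration of claims 120-137).

Added example with constructed data; the patent does not specify this design.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple


@dataclass(frozen=True)
class AccessEvent:
    """One audit record: who attempted to reach which resource, and whether that
    attempt was later judged legitimate (the label the analysis learns from)."""
    user: str
    resource: str
    legitimate: bool


@dataclass(frozen=True)
class AdaptiveRule:
    """One adaptive security rule from the policy table: two thresholds on the level."""
    permit_threshold: float   # first threshold: permit only when the level exceeds it
    notify_threshold: float   # second threshold: notify when the level is below it


class AuditTrail:
    """Event audit trail keyed by (user, resource), bounded to the most recent
    `window` attempts per pair so re-analysis reflects current behaviour."""

    def __init__(self, window: int) -> None:
        self._events: Dict[Tuple[str, str], Deque[AccessEvent]] = {}
        self.window = window

    def record(self, event: AccessEvent) -> None:
        key = (event.user, event.resource)
        self._events.setdefault(key, deque(maxlen=self.window)).append(event)

    def pairs(self) -> List[Tuple[Tuple[str, str], List[AccessEvent]]]:
        return [(key, list(evs)) for key, evs in self._events.items()]


def likelihood_permit(events: List[AccessEvent], prior: float = 0.5, prior_weight: float = 2.0) -> float:
    """Probability estimate that the next attempt should be permitted.

    Smoothed fraction of legitimate attempts (Beta prior), so a pair with no history
    starts at `prior` instead of 0 or 1 and moves as evidence accumulates."""
    legit = sum(1 for e in events if e.legitimate)
    return (legit + prior * prior_weight) / (len(events) + prior_weight)


class PermissionEngine:
    """Generates permission levels from the trail and policy table, then decides access."""

    def __init__(self, policy: Dict[str, AdaptiveRule], default: AdaptiveRule, window: int = 20) -> None:
        self.policy = policy              # security policy table: resource -> adaptive rule
        self.default = default            # rule for resources not listed in the table
        self.trail = AuditTrail(window)
        self.levels: Dict[Tuple[str, str], float] = {}
        self.notifications: List[str] = []

    def analyze(self) -> None:
        """Periodic analysis step: recompute the level of every (user, resource) pair."""
        for key, events in self.trail.pairs():
            self.levels[key] = likelihood_permit(events)

    def permission_level(self, user: str, resource: str) -> float:
        # Unknown pairs sit at the prior until they have history.
        return self.levels.get((user, resource), likelihood_permit([]))

    def decide(self, user: str, resource: str) -> str:
        level = self.permission_level(user, resource)
        rule = self.policy.get(resource, self.default)
        if level < rule.notify_threshold:
            self.notifications.append(f"{user} on {resource}: level {level:.2f} < {rule.notify_threshold}")
        # "Exceeds" is strict: a level equal to the threshold is denied.
        return "permit" if level > rule.permit_threshold else "deny"


def demo() -> Dict[str, object]:
    """Run the procedure on constructed history and return the decisions."""
    policy = {"payroll_db": AdaptiveRule(permit_threshold=0.7, notify_threshold=0.3)}
    engine = PermissionEngine(policy, default=AdaptiveRule(0.5, 0.2))
    for _ in range(8):                                  # alice: consistently legitimate
        engine.trail.record(AccessEvent("alice", "payroll_db", True))
    for ok in (True, False, False, False, False):      # bob: mostly not legitimate
        engine.trail.record(AccessEvent("bob", "payroll_db", ok))
    engine.analyze()
    out: Dict[str, object] = {
        "alice": engine.decide("alice", "payroll_db"),  # (8+1)/10 = 0.90 -> permit
        "bob": engine.decide("bob", "payroll_db"),      # (1+1)/7 = 0.29 -> deny, notify
        "carol": engine.decide("carol", "wiki"),        # no history: 0.5, not > 0.5 -> deny
    }
    for _ in range(10):                                 # bob's behaviour improves; trail adapts
        engine.trail.record(AccessEvent("bob", "payroll_db", True))
    engine.analyze()
    out["bob_after"] = engine.decide("bob", "payroll_db")  # (11+1)/17 = 0.71 -> permit
    out["notifications"] = len(engine.notifications)
    return out


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting. The smoothing keeps a pair with no history at the prior, so a new user is neither auto-permitted nor scored as hostile, and the strict comparison on the first threshold means such a user is denied until enough legitimate history accumulates. The bounded window is what makes the level adaptive in the sense of claim 121: old behaviour ages out, so the same user can move from deny to permit (or back) as the trail changes.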
PCT/IB2001/001876 2000-08-18 2001-08-20 An adaptive system and architecture for access control WO2002014987A2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2001294083A AU2001294083A1 (en) 2000-08-18 2001-08-20 An adaptive system and architecture for access control

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US22612800P 2000-08-18 2000-08-18
US60/226,128 2000-08-18
US25957501P 2001-01-04 2001-01-04
US60/259,575 2001-01-04

Publications (2)

Publication Number Publication Date
WO2002014987A2 true WO2002014987A2 (en) 2002-02-21
WO2002014987A8 WO2002014987A8 (en) 2003-09-04

Family

ID=26920229

Family Applications (4)

Application Number Title Priority Date Filing Date
PCT/IB2001/001876 WO2002014987A2 (en) 2000-08-18 2001-08-20 An adaptive system and architecture for access control
PCT/IB2001/001923 WO2002014989A2 (en) 2000-08-18 2001-08-20 Permission level generation based on adaptive learning
PCT/IB2001/001877 WO2002014988A2 (en) 2000-08-18 2001-08-20 A method and an apparatus for a security policy
PCT/IB2001/001892 WO2002015122A2 (en) 2000-08-18 2001-08-20 A system and method for a greedy pairwise clustering

Family Applications After (3)

Application Number Title Priority Date Filing Date
PCT/IB2001/001923 WO2002014989A2 (en) 2000-08-18 2001-08-20 Permission level generation based on adaptive learning
PCT/IB2001/001877 WO2002014988A2 (en) 2000-08-18 2001-08-20 A method and an apparatus for a security policy
PCT/IB2001/001892 WO2002015122A2 (en) 2000-08-18 2001-08-20 A system and method for a greedy pairwise clustering

Country Status (2)

Country Link
AU (4) AU2001294083A1 (en)
WO (4) WO2002014987A2 (en)

Cited By (30)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003063449A1 (en) * 2002-01-18 2003-07-31 Metrowerks Corporation System and method for monitoring network security
EP1339199A1 (en) * 2002-02-22 2003-08-27 Hewlett-Packard Company Dynamic user authentication
WO2003075531A1 (en) * 2002-03-06 2003-09-12 Peregrine Systems, Inc. Method and system for a network management console
FR2838207A1 (en) * 2002-04-08 2003-10-10 France Telecom INFORMATION EXCHANGE SYSTEM WITH CONDITIONED ACCESS ON AN INFORMATION TRANSFER NETWORK
EP1424618A1 (en) * 2002-11-29 2004-06-02 Sap Ag Method and computer system for protecting electronic documents
EP1510904A1 (en) * 2003-08-19 2005-03-02 France Telecom Method and system for evaluating the level of security of an electronic equipment and for providing conditional access to resources
WO2005038633A1 (en) 2003-10-16 2005-04-28 Vodafone Holding Gmbh Device and method for securing and monitoring protected data
EP1630711A1 (en) 2004-08-25 2006-03-01 NTT DoCoMo, Inc. Client apparatus, server apparatus and authority control method
US7324361B2 (en) 2005-01-28 2008-01-29 Kasemsan Siri Solar array inverter with maximum power tracking
US20090288144A1 (en) * 2008-05-13 2009-11-19 At&T Mobility Ii Llc Time-dependent white list generation
CN101006433B (en) * 2004-08-25 2012-01-11 日本电气株式会社 Information communication device, and program execution environment control method
US8266699B2 (en) 2003-07-01 2012-09-11 SecurityProfiling Inc. Multiple-path remediation
US8561192B2 (en) 2007-10-15 2013-10-15 Beijing Rising Information Technology Co., Ltd. Method and apparatus for automatically protecting a computer against a harmful program
US8812049B2 (en) 2008-05-07 2014-08-19 At&T Mobility Ii Llc Femto cell signaling gating
US8898775B2 (en) 2007-10-15 2014-11-25 Bejing Rising Information Technology Co., Ltd. Method and apparatus for detecting the malicious behavior of computer program
US8942180B2 (en) 2008-06-12 2015-01-27 At&T Mobility Ii Llc Point of sales and customer support for femtocell service and equipment
US8984644B2 (en) 2003-07-01 2015-03-17 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9100431B2 (en) 2003-07-01 2015-08-04 Securityprofiling, Llc Computer program product and apparatus for multi-path remediation
US9118708B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Multi-path remediation
US9118709B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9117069B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Real-time vulnerability monitoring
US9118710B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc System, method, and computer program product for reporting an occurrence in different manners
US9118711B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US20160050205A1 (en) * 2012-03-26 2016-02-18 Greyheller, Llc Preventing unauthorized access to an application server
US9301113B2 (en) 2006-07-12 2016-03-29 At&T Intellectual Property I, L.P. Pico-cell extension for cellular network
US9350752B2 (en) 2003-07-01 2016-05-24 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9503457B2 (en) 2008-05-13 2016-11-22 At&T Mobility Ii Llc Administration of access lists for femtocell service
US9509701B2 (en) 2009-10-15 2016-11-29 At&T Intellectual Property I, L.P. Management of access to service in an access point
US10229222B2 (en) 2012-03-26 2019-03-12 Greyheller, Llc Dynamically optimized content display
EP3757843A1 (en) * 2019-06-26 2020-12-30 Accenture Global Solutions Limited Security monitoring platform for managing access rights associated with cloud applications

Families Citing this family (30)

Publication number Priority date Publication date Assignee Title
JP2003203140A (en) * 2001-10-30 2003-07-18 Asgent Inc Method for grasping situation of information system and device used in the same
US7302488B2 (en) 2002-06-28 2007-11-27 Microsoft Corporation Parental controls customization and notification
CN1417690A (en) * 2002-12-03 2003-05-14 南京金鹰国际集团软件系统有限公司 Application process audit platform system based on members
US10110632B2 (en) * 2003-03-31 2018-10-23 Intel Corporation Methods and systems for managing security policies
FR2864657B1 (en) * 2003-12-24 2006-03-24 Trusted Logic METHOD FOR PARAMETRABLE SECURITY CONTROL OF COMPUTER SYSTEMS AND EMBEDDED SYSTEMS USING THE SAME
US7907934B2 (en) 2004-04-27 2011-03-15 Nokia Corporation Method and system for providing security in proximity and Ad-Hoc networks
US7979889B2 (en) 2005-01-07 2011-07-12 Cisco Technology, Inc. Methods and apparatus providing security to computer systems and networks
US7661111B2 (en) 2005-10-13 2010-02-09 International Business Machines Corporation Method for assuring event record integrity
JP2009519546A (en) * 2005-12-13 2009-05-14 インターデイジタル テクノロジー コーポレーション Method and system for protecting user data in a node
US7882560B2 (en) 2005-12-16 2011-02-01 Cisco Technology, Inc. Methods and apparatus providing computer and network security utilizing probabilistic policy reposturing
US9286469B2 (en) 2005-12-16 2016-03-15 Cisco Technology, Inc. Methods and apparatus providing computer and network security utilizing probabilistic signature generation
US8413245B2 (en) 2005-12-16 2013-04-02 Cisco Technology, Inc. Methods and apparatus providing computer and network security for polymorphic attacks
US8495743B2 (en) 2005-12-16 2013-07-23 Cisco Technology, Inc. Methods and apparatus providing automatic signature generation and enforcement
JP5482667B2 (en) * 2009-02-10 2014-05-07 日本電気株式会社 Policy management apparatus, policy management system, method and program used therefor
US8713056B1 (en) 2011-03-30 2014-04-29 Open Text S.A. System, method and computer program product for efficient caching of hierarchical items
US9355261B2 (en) 2013-03-14 2016-05-31 Appsense Limited Secure data management
US8959657B2 (en) 2013-03-14 2015-02-17 Appsense Limited Secure data management
US9215251B2 (en) 2013-09-11 2015-12-15 Appsense Limited Apparatus, systems, and methods for managing data security
JP6190518B2 (en) 2014-03-19 2017-08-30 日本電信電話株式会社 Analysis rule adjustment device, analysis rule adjustment system, analysis rule adjustment method, and analysis rule adjustment program
US9787685B2 (en) 2014-06-24 2017-10-10 Xiaomi Inc. Methods, devices and systems for managing authority
CN104125335B (en) * 2014-06-24 2017-08-25 小米科技有限责任公司 Right management method, apparatus and system
WO2023170635A2 (en) * 2022-03-10 2023-09-14 Orca Security LTD. System and methods for a machine-learning adaptive permission reduction engine
US10891816B2 (en) 2017-03-01 2021-01-12 Carrier Corporation Spatio-temporal topology learning for detection of suspicious access behavior
WO2018160560A1 (en) 2017-03-01 2018-09-07 Carrier Corporation Access control request manager based on learning profile-based access pathways
CN106778314A (en) * 2017-03-01 2017-05-31 全球能源互联网研究院 A kind of distributed difference method for secret protection based on k means
WO2018160407A1 (en) 2017-03-01 2018-09-07 Carrier Corporation Compact encoding of static permissions for real-time access control
US10764299B2 (en) * 2017-06-29 2020-09-01 Microsoft Technology Licensing, Llc Access control manager
US10831787B2 (en) * 2017-06-30 2020-11-10 Sap Se Security of a computer system
US11501257B2 (en) * 2019-12-09 2022-11-15 Jpmorgan Chase Bank, N.A. Method and apparatus for implementing a role-based access control clustering machine learning model execution module
CN114981812A (en) * 2020-01-15 2022-08-30 华为技术有限公司 Secure and reliable data access

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
US6049797A (en) * 1998-04-07 2000-04-11 Lucent Technologies, Inc. Method, apparatus and programmed medium for clustering databases with categorical attributes

Non-Patent Citations (1)

Title
No Search *

Cited By (64)

Publication number Priority date Publication date Assignee Title
WO2003063449A1 (en) * 2002-01-18 2003-07-31 Metrowerks Corporation System and method for monitoring network security
EP1339199A1 (en) * 2002-02-22 2003-08-27 Hewlett-Packard Company Dynamic user authentication
WO2003075531A1 (en) * 2002-03-06 2003-09-12 Peregrine Systems, Inc. Method and system for a network management console
US8676972B2 (en) 2002-03-06 2014-03-18 Hewlett-Packard Development Company, L.P. Method and system for a network management console
FR2838207A1 (en) * 2002-04-08 2003-10-10 France Telecom INFORMATION EXCHANGE SYSTEM WITH CONDITIONED ACCESS ON AN INFORMATION TRANSFER NETWORK
WO2003085534A2 (en) * 2002-04-08 2003-10-16 France Telecom Data exchange system with conditional access on a data transfer network
WO2003085534A3 (en) * 2002-04-08 2004-04-22 France Telecom Data exchange system with conditional access on a data transfer network
US7383263B2 (en) 2002-11-29 2008-06-03 Sap Aktiengesellschaft Controlling access to electronic documents
WO2004051438A1 (en) * 2002-11-29 2004-06-17 Sap Aktiengesellschaft Method and computer system for protecting electronic documents
EP1424618A1 (en) * 2002-11-29 2004-06-02 Sap Ag Method and computer system for protecting electronic documents
US8266699B2 (en) 2003-07-01 2012-09-11 SecurityProfiling Inc. Multiple-path remediation
US9350752B2 (en) 2003-07-01 2016-05-24 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9100431B2 (en) 2003-07-01 2015-08-04 Securityprofiling, Llc Computer program product and apparatus for multi-path remediation
US10050988B2 (en) 2003-07-01 2018-08-14 Securityprofiling, Llc Computer program product and apparatus for multi-path remediation
US10021124B2 (en) 2003-07-01 2018-07-10 Securityprofiling, Llc Computer program product and apparatus for multi-path remediation
US10154055B2 (en) 2003-07-01 2018-12-11 Securityprofiling, Llc Real-time vulnerability monitoring
US9118708B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Multi-path remediation
US10104110B2 (en) 2003-07-01 2018-10-16 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9225686B2 (en) 2003-07-01 2015-12-29 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US8984644B2 (en) 2003-07-01 2015-03-17 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9118711B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9118710B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc System, method, and computer program product for reporting an occurrence in different manners
US9117069B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Real-time vulnerability monitoring
US9118709B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
EP1510904A1 (en) * 2003-08-19 2005-03-02 France Telecom Method and system for evaluating the level of security of an electronic equipment and for providing conditional access to resources
WO2005038633A1 (en) 2003-10-16 2005-04-28 Vodafone Holding Gmbh Device and method for securing and monitoring protected data
CN101006433B (en) * 2004-08-25 2012-01-11 日本电气株式会社 Information communication device, and program execution environment control method
EP1630711A1 (en) 2004-08-25 2006-03-01 NTT DoCoMo, Inc. Client apparatus, server apparatus and authority control method
US7743413B2 (en) 2004-08-25 2010-06-22 Ntt Docomo, Inc. Client apparatus, server apparatus and authority control method
US8640194B2 (en) 2004-08-25 2014-01-28 Nec Corporation Information communication device and program execution environment control method
US7324361B2 (en) 2005-01-28 2008-01-29 Kasemsan Siri Solar array inverter with maximum power tracking
US9301113B2 (en) 2006-07-12 2016-03-29 At&T Intellectual Property I, L.P. Pico-cell extension for cellular network
US10149126B2 (en) 2006-07-12 2018-12-04 At&T Intellectual Property I, L.P. Pico-cell extension for cellular network
US9674679B2 (en) 2006-07-12 2017-06-06 At&T Intellectual Property I, L.P. Pico-cell extension for cellular network
US8898775B2 (en) 2007-10-15 2014-11-25 Bejing Rising Information Technology Co., Ltd. Method and apparatus for detecting the malicious behavior of computer program
US8561192B2 (en) 2007-10-15 2013-10-15 Beijing Rising Information Technology Co., Ltd. Method and apparatus for automatically protecting a computer against a harmful program
US8812049B2 (en) 2008-05-07 2014-08-19 At&T Mobility Ii Llc Femto cell signaling gating
US9584984B2 (en) 2008-05-13 2017-02-28 At&T Mobility Ii Llc Reciprocal addition of attribute fields in access control lists and profiles for femto cell coverage management
US9877195B2 (en) 2008-05-13 2018-01-23 At&T Mobility Ii Llc Location-based services in a femtocell network
US10499247B2 (en) 2008-05-13 2019-12-03 At&T Mobility Ii Llc Administration of access lists for femtocell service
US9369876B2 (en) 2008-05-13 2016-06-14 At&T Mobility Ii Llc Location-based services in a femtocell network
US9392461B2 (en) 2008-05-13 2016-07-12 At&T Mobility Ii Llc Access control lists and profiles to manage femto cell coverage
US9503457B2 (en) 2008-05-13 2016-11-22 At&T Mobility Ii Llc Administration of access lists for femtocell service
US10225733B2 (en) 2008-05-13 2019-03-05 At&T Mobility Ii Llc Exchange of access control lists to manage femto cell coverage
US9538383B2 (en) 2008-05-13 2017-01-03 At&T Mobility Ii Llc Interface for access management of femto cell coverage
US9094891B2 (en) 2008-05-13 2015-07-28 At&T Mobility Ii Llc Location-based services in a femtocell network
US9591486B2 (en) 2008-05-13 2017-03-07 At&T Mobility Ii Llc Intra-premises content and equipment management in a femtocell network
US9019819B2 (en) 2008-05-13 2015-04-28 At&T Mobility Ii Llc Exchange of access control lists to manage femto cell coverage
US9775037B2 (en) 2008-05-13 2017-09-26 At&T Mobility Ii Llc Intra-premises content and equipment management in a femtocell network
US9775036B2 (en) 2008-05-13 2017-09-26 At&T Mobility Ii Llc Access control lists and profiles to manage femto cell coverage
US9319964B2 (en) 2008-05-13 2016-04-19 At&T Mobility Ii Llc Exchange of access control lists to manage femto cell coverage
US9930526B2 (en) 2008-05-13 2018-03-27 At&T Mobility Ii Llc Interface for access management of femto cell coverage
US9155022B2 (en) 2008-05-13 2015-10-06 At&T Mobility Ii Llc Interface for access management of FEMTO cell coverage
US20090288144A1 (en) * 2008-05-13 2009-11-19 At&T Mobility Ii Llc Time-dependent white list generation
US8863235B2 (en) * 2008-05-13 2014-10-14 At&T Mobility Ii Llc Time-dependent white list generation
US8942180B2 (en) 2008-06-12 2015-01-27 At&T Mobility Ii Llc Point of sales and customer support for femtocell service and equipment
US9246759B2 (en) 2008-06-12 2016-01-26 At&T Mobility Ii Llc Point of sales and customer support for femtocell service and equipment
US9509701B2 (en) 2009-10-15 2016-11-29 At&T Intellectual Property I, L.P. Management of access to service in an access point
US10645582B2 (en) 2009-10-15 2020-05-05 At&T Intellectual Property I, L.P. Management of access to service in an access point
US10225249B2 (en) * 2012-03-26 2019-03-05 Greyheller, Llc Preventing unauthorized access to an application server
US10229222B2 (en) 2012-03-26 2019-03-12 Greyheller, Llc Dynamically optimized content display
US20160050205A1 (en) * 2012-03-26 2016-02-18 Greyheller, Llc Preventing unauthorized access to an application server
EP3757843A1 (en) * 2019-06-26 2020-12-30 Accenture Global Solutions Limited Security monitoring platform for managing access rights associated with cloud applications
US11115421B2 (en) 2019-06-26 2021-09-07 Accenture Global Solutions Limited Security monitoring platform for managing access rights associated with cloud applications

Also Published As

Publication number Publication date
WO2002014988A2 (en) 2002-02-21
WO2002014989A8 (en) 2003-03-06
AU2001294110A1 (en) 2002-02-25
WO2002014988A8 (en) 2003-04-24
WO2002015122A3 (en) 2003-12-04
AU2001294083A1 (en) 2002-02-25
WO2002014989A2 (en) 2002-02-21
AU2001294084A1 (en) 2002-02-25
WO2002015122A2 (en) 2002-02-21
AU2001294089A1 (en) 2002-02-25
WO2002014987A8 (en) 2003-09-04

Similar Documents

Publication Publication Date Title
WO2002014987A2 (en) An adaptive system and architecture for access control
Shen et al. An attribute-based access control model for web services
US11489879B2 (en) Method and apparatus for centralized policy programming and distributive policy enforcement
JP5078898B2 (en) Method and system for dynamic adjustment of computer security based on user network activity
US8635661B2 (en) System and method for enforcing a security policy on mobile devices using dynamically generated security profiles
US7478420B2 (en) Administration of protection of data accessible by a mobile device
CA2553648C (en) Adaptive transparent encryption
KR100389160B1 (en) Method and apparatus to permit automated server determination for foreign system login
US7478157B2 (en) System, method, and business methods for enforcing privacy preferences on personal-data exchanges across a network
US8020192B2 (en) Administration of protection of data accessible by a mobile device
US20150229651A1 (en) Methods and systems for controlling access to computing resources based on known security vulnerabilities
US20080086473A1 (en) Computerized management of grouping access rights
US20050060537A1 (en) Managed distribution of digital assets
US20030177376A1 (en) Framework for maintaining information security in computer networks
US9118617B1 (en) Methods and apparatus for adapting the protection level for protected content
US20080178256A1 (en) System and method providing policy based control of interaction between client computer users and client computer software programs
EP1917757A2 (en) Methods and systems for intelligently controlling access to computing resources
KR101233934B1 (en) Integrated Intelligent Security Management System and Method
JP2003330802A (en) Confidential information access monitoring control method, confidential information access monitoring control system, and record medium storing the confidential information access monitoring control program
Al-Fedaghi et al. Events classification in log audit
Gheorghiu et al. Authorization for Metacomputing applications
US20220261478A1 (en) Detecting Threats By Monitoring Encryption Key Activity
Kalaria et al. Adaptive Context-Aware Access Control for Iot Environments Leveraging Fog Computing
Sodiya et al. AN ADAPTIVE HIERARCHICAL ACCESS CONTROL ARCHITECTURE FOR ENTERPRISE NETWORK USING COMPLIANCE VARIANCE
Mofokeng Windows XP security guide

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PH PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

D17 Declaration under article 17(2)a
122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP