Classifications

• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F21/60—Protecting data
  • G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
  • G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
  • G06F21/31—User authentication
  • G06F21/316—User authentication by observing the pattern of computer usage, e.g. typical user behaviour
• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F21/60—Protecting data
  • G06F21/604—Tools and structures for managing or administering access control systems
• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
  • G06Q20/00—Payment architectures, schemes or protocols
  • G06Q20/38—Payment protocols; Details thereof
  • G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F2221/2101—Auditing as a secondary aspect
• • Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
  • Y10—TECHNICAL SUBJECTS COVERED BY FORMER USPC
  • Y10S—TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
  • Y10S707/00—Data processing: database and file management or data structures
  • Y10S707/99931—Database or file accessing
  • Y10S707/99933—Query processing, i.e. searching
• • Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
  • Y10—TECHNICAL SUBJECTS COVERED BY FORMER USPC
  • Y10S—TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
  • Y10S707/00—Data processing: database and file management or data structures
  • Y10S707/99931—Database or file accessing
  • Y10S707/99938—Concurrency, e.g. lock management in shared database
• • Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
  • Y10—TECHNICAL SUBJECTS COVERED BY FORMER USPC
  • Y10S—TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
  • Y10S707/00—Data processing: database and file management or data structures
  • Y10S707/99931—Database or file accessing
  • Y10S707/99939—Privileged access
• • Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
  • Y10—TECHNICAL SUBJECTS COVERED BY FORMER USPC
  • Y10S—TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
  • Y10S707/00—Data processing: database and file management or data structures
  • Y10S707/99941—Database schema or data structure
  • Y10S707/99944—Object-oriented database structure
  • Y10S707/99945—Object-oriented database structure processing

Definitions

• This invention relates to computer security. More particularly, this invention relates to the automatic creation and management of file security policies in organizations having a diversity of file access control models.
• Data security policies typically determine who has access to an organization's stored data on various computer systems. These policies cannot be static. Users from within the or- ganization, e.g., employees, partners, contractors, can pose a threat as severe as threats from outside the organization. Thus, as the structure and personnel makeup of the organization change, the security policy should be adjusted from time to time. Yet, information technology (IT) departments lack effective tools to manage user access rights and to ensure that needed information is conveniently available, while still protecting the organization's sensitive data. Current techniques available to IT personnel include review and maintenance of access control lists, in conjunction with administration of user names, passwords, and the extension of such techniques to include biometrics, encryption, and limitation of access to a single sign- on.
• IT information technology
• methods and systems are provided for automatically creating and managing a data security policy in networked organizations having diverse access control models and file server protocols. Access to storage elements within the organizational network is continually monitored and analyzed in order to de- fine simultaneous data access groupings and user groupings. The actual organizational structure is learned from these groupings, and becomes the basis of a dynamic data access control policy, which is constantly adapted to organizational changes over time.
• a decision assistance interface is provided for interactive management of the file access control, and a facility is provided for detecting and tracking abnormal user behavior. Organizations are thus able to bet- ter control access to their data and applications.
• the techniques are augmented by semi-automatically managing file access control by coordinating the user and data access groupings and conventional access control lists to effect modifications of the lists.
• Access control policies developed by applying the teachings of the invention have ancil- lary benefits, e.g., limiting resource use in the event of a denial-of-service attack.
• the invention provides a method for controlling data storage access in an organization, which is carried out by recording accesses of the users to storage elements, and deriving respective user access profiles from the recorded accesses.
• the method is further carried out by biclustering the users and the storage elements to define user clusters and data clusters, respec- tively, wherein the access profiles of the users in user clusters are mutually similar, and the storage elements in the data clusters are accessed only by users having mutually similar the access profiles.
• the method is further carried out responsively to the biclustering, by defining a control policy for access to the storage elements by the users.
• the control policy permits access by a user to storage elements of a data cluster only if at least one of the storage elements in that data cluster has been accessed by that user.
• the control policy permits access by the users in a user cluster to the storage elements of a data cluster, only if at least one of the storage elements in that data cluster has been accessed by at least one of the users of that user cluster.
• the structure of the file system of the storage system is derived from the biclustering process.
• a further aspect of the method includes deriving patterns of usage of the file system by the users from the biclustering process.
• One aspect of the method includes detecting aberrant patterns of usage.
• biclustering is performed iteratively, wherein the access profiles are redetermined at each iteration, and the control policy is updated following each iteration.
• defining a control policy is carried out by proposing a tentative version of the control policy, monitoring subsequent accesses to the storage elements by the users, determining that the subsequent accesses are in accordance with the tentative version of the control policy, and responsively to the determination, approving the tentative version as a definitive version of the control policy.
• Another aspect of the method includes interactively modifying the control policy.
• defining a control policy is performed automatically and substantially without human intervention.
• Yet another aspect of the method includes referencing an access control list including at least one set of users and at least one data set of storage elements, wherein the users of the user set are included in respective ones of the user clusters, and the storage elements of the data set are included in respective ones of the data clusters.
• the method is further carried out by de- tecting an absence of accesses by members of the respective user clusters to members of the respective data clusters, and responsively to the lack of accesses, removing at least a portion of the users from the user set and removing at least a portion of the storage elements from the data set.
• the invention provides a computer software product, including a computer-readable medium in which computer program instructions are stored, which instructions, when read by a computer, cause the computer to perform a method for controlling data storage access, which is carried out by recording accesses of the users to the storage elements and deriving respec- tive access profiles from the recorded accesses.
• the method is further carried out by bicluster- ing the users and the storage elements to define user clusters and data clusters, respectively, wherein the access profiles of the users in the user clusters are mutually similar, and the storage elements in the data clusters are accessed only by users having mutually similar the access profiles.
• the method is further carried out responsively to the biclustering, by defining a control policy for access to the storage elements by the users.
• the invention provides an apparatus for controlling data storage access in an organization having users of a file system, including a computer system operative to perform the steps of recording respective accesses of the users to the storage elements and deriving respective access profiles from the recorded accesses, biclustering the users and the storage elements to define user clusters and data clusters, respectively, wherein the access profiles of the users in the user clusters are mutually similar, and the storage elements in the data clusters are accessed only by users having mutually similar the access profiles.
• the computer system is operative, responsively to biclustering, for defining a control policy for access to the storage elements by the users.
• Fig. 1 is a block diagram of a data processing system, wherein data access control policies are automatically defined and managed in accordance with a disclosed embodiment of the invention
• Fig. 2 is a block diagram illustrating a probe engine in the system shown in Fig. 1 in accordance with a disclosed embodiment of the invention
• Fig. 3 is a block diagram illustrating another version of a probe engine in the system shown in Fig. 1 in accordance with a disclosed embodiment of the invention
• Fig. 4 is a flow chart describing a method of user clustering in accordance with a disclosed embodiment of the invention.
• Fig. 5 is a flow chart describing a method for storage element clustering in accordance with a disclosed embodiment of the invention
• Fig. 6A and Fig. 6B, referred to collectively herein as Fig. 6, are a flow chart illustrating a method of semi-automatic file access control in accordance with a disclosed embodiment of the invention.
• Software programming code which embodies aspects of the present invention, is typically maintained in permanent storage, such as a computer readable medium.
• a client- server environment such software programming code may be stored on a client or a server.
• the software programming code may be embodied on any of a variety of known media for use with a data processing system. This includes, but is not limited to, magnetic and optical storage devices such as disk drives, magnetic tape, compact discs (CD's), digital video discs (DVD's), and computer instruction signals embodied in a transmission medium with or without a carrier wave upon which the signals are modulated.
• the transmission medium may include a communications network, such as the Internet.
• the invention may be embodied in computer software, the functions necessary to implement the invention may alternatively be embodied in part or in whole using hardware components such as application-specific integrated circuits or other hardware, or some combination of hardware components and software.
• Fig. 1 is a block diagram of a data processing system 10 wherein data access control policies are automatically defined and managed in accordance with a disclosed embodiment of the invention.
• the system 10 may be implemented as a general purpose computer or a plurality of computers linked together in a network, for example the Internet.
• Organization-wide data storage accessible by the system 10 is represented by an organizational file system 12.
• the organizational file system 12 may comprise one or more co- located storage units, or may be a geographically distributed data storage system, as is known in the art. There is no requirement that individual storage units of the organizational file system 12 have the same capabilities.
• the organizational file system 12 may be accessed by any number of users 14 using a graphical user interface application 16 (GUI), which relates to other elements of the system 10 via an application programming interface 18 (API).
• GUI graphical user interface application
• the users 14 are typically members of the organization, but may also include outsiders, such as customers.
• the graphical user interface application 16 is the interface of the management system, through which the users 14 can receive the results of their actual usage analysis, as determined an analysis engine 20.
• sufficiently qualified users e.g., administrative personnel, can view their current status, and can view changes recommended by the system. Such users may be authorized to accept or reject recommended changes. Prior to selecting any recommended changes, qualified users have the ability to view the effect of recommended changes on the system. System administrators can then select or confirm the permission set that proves most suitable.
• a probe engine 22 is designed to collect access information from the organizational file system 12 in an ongoing manner, filter out duplicate or redundant information units and store the resulting information stream in a database 24.
• the probe engine 22 is also utilized to collect the organization's current file security policy, the current structure of the organizational file system 12, and information about the users 14.
• the probe engine 22 can be implemented in various environments and architectures.
• the analysis engine 20 is a specialized module that is at the heart of the system's ability to control storage access.
• the analysis engine 20 automatically proposes and revises the organization's security policy.
• the front end for the analysis engine 20 is a data collector 26, which efficiently records the storage access activities in the database 24.
• the output of the analysis engine 20 can be further manipulated using an interactive administrative interface 28 that enables system administrators to perform queries on the collected data. Using the administrative interface 28, the administrators may modify the automatically proposed security policy if necessary, and finally activate the new or revised policy.
• a commit module 30 which verifies a proposed se- curity policy, using data collected prior to its implementation.
• the commit module 30 references an access control list 32 (ACL). Activities of the commit module 30 are described in further details hereinbelow. Probe Engine.
• Probe engines are tailored to particular operating systems and environments. The following are described by way of example and not of limitation.
• FIG. 2 is a block diagram illustrating one embodiment of the probe engine 22 (Fig. 1) in accordance with a disclosed embodiment of the invention.
• This embodiment termed herein the "Win-Probe module,” acts as a probe for the Microsoft
• Win-Probe module that services all Windows computers in the organization.
• the Win- Probe module operates in parallel with probe engines adapted to other operating systems.
• a complex organization may require more than one Win-Probe module in order to assure efficient operation.
• the Win-Probe module has a file system filter 34 (SEDFILE) that employs a kernel-mode filter driver 36 for intercepting activity of a local file system 38 and for logging it alongside security information regarding the activity intercepted.
• SEDFILE file system filter 34
• a service 40 (SIDFILE_SERVICE) interacts with the filter driver 36 and polls for new log entries.
• the log entries are filtered by the service 40,
• the service 40 is responsible for compiling statistics from the filtered log entries, and forwarding both the raw log entries and their statistics to the database 24 (Fig. 1) for further processing.
• the filter 34 is transparent to the operating system, and its overhead is limited to extraction of associated security attributes per input/output (I/O) operation and logging. Communication between the filter driver 36 and the service 40 is accomplished using operating system mechanisms such as device I/O Control, and predefined control codes, e.g., "collect statistics".
• FIG. 3 is a block diagram illustrating another embodiment of the probe engine 22 (Fig. 1), which is adapted to networked devices in accordance with a disclosed embodiment of the invention.
• a network attached storage (NAS) probe 42 is responsible for collecting access data from a NAS storage device 44.
• one NAS probe may serve an entire organization.
• a plurality of NAS probes may be provided.
• the probe 42 interacts with the NAS device 44 using a dedicated, typically vendor-specific protocol. The protocol causes the NAS device 44 to send a notification 46 on a requested file access operation originating from a user 48 to the probe 42.
• the probe 42 either enables the requests to be satisfied by the NAS device 44, or denies access to the NAS device 44, according to a current governing policy.
• a log entry 50 is made by the probe 42, documenting an enabled request, and the request is passed to the NAS device 44 for conven- tional processing, in accordance with its own operating system.
• a denied request is simply discarded.
• denied requests may be logged, in order to assist in tracking abnormal user behavior.
• the user 48 receives a reply 52 to its request, either in the form of a denial of access, or an indication of the result of the requested file operation by the NAS device 44. In either case, there is minimal performance impact.
• the analysis engine 20 (Fig. 1) is at the heart of the system 10.
• the sta- tistics on actual accesses of the users 14, including every member of an organization to each of the data storage elements in the organizational file system 12, reported by the probe engine 22, are used to perform a simultaneous automatic bi-clustering of the users and the data storage elements.
• the bi-clustering is done in such a manner that users who are members of the same user cluster share a similar data access profile, and data storage elements (files or directories) that are members of the same data cluster are accessed mostly by users having similar access profiles.
• the clusters provide a global picture of the organizational structure.
• the analysis engine 20 can also develop from the clustering results a local measure of similarity among users and a local measure of similarity among the data elements that belong to the same cluster. Moreover, the clustering process reliably predicts future data storage access by organization members. It can be assumed, with a high level of confidence, that if one of the users 14 has not accessed a certain file or storage element, and similar users have not accessed similar files, then that one user will not need access rights to the corresponding storage element in the near future.
• the analysis engine 20 thus provides IT administrators a clear global picture of information usage patterns and can offer detailed recommendations for security policy optimiza- tion. At the same time, administrators are alerted to anomalous user behavior.
• the analysis engine 20 can also automatically build a complete forensic trail of any suspicious activities. The result is a dramatically greater ability to ensure compliance with access and privacy poli- cies, and to assure appropriate information usage without imposing additional administrative burdens on IT personnel.
• X stands for the set of users in the organization
• Y is the set of file directories accessed by the members of the organization.
• the value p(x,y) is the normalized number of times that user x approached the data storage element y during an enrollment phase.
• p(x,y) is the normalized number of times that user x approached the data storage element y during an enrollment phase.
• a clustering of the random variable X is a partitioning of the elements of Z into disjoint clusters denoted by X and in a similar manner denoting a partition of Y by Y'.
• the system util- izes the mutual information criterion as a cost function to assess the quality of various clustering structures.
• the next step is to utilize the mutual information criterion to find the optimal bicluster- ing.
• Different strategies are used for the user set X and the data set Y.
• user set X there is no current structure that it is necessary to maintain.
• the data file system is based on a tree structure, which we do want to maintain, as it is likely to reflect an operational similarity between nearby directories in the tree. Therefore, storage element clustering is ac- complished by essentially pruning the tree. The process is described in further detail hereinbe- low.
• Fig. 4 is a flow chart describing a method of user clustering in accordance with a disclosed embodiment of the invention. The method begins with a random solution and then sequentially improves the result in a monotonic manner.
• a random partitioning of the user list into a predetermined number of clusters is chosen as a starting point. This partitioning will be used in a current set of cycles as described below.
• the probability distribution p(y ⁇ x) stands for the normalized data access activity of the user x, i.e., p(y
• C) we define p(y
• step 56 one of the clusters established in initial step 54 is selected randomly.
• step 58 one of the users is selected. Step 58 is performed iteratively, and the users are evaluated cyclically. However, the order of evaluation in a cycle is not critical.
• step 60 the current user x is tentatively moved from its current cluster to the cluster selected in step 56 to form a tentative new clustering of the users.
• Each user x is merged into the cluster C, which minimizes the distance d(x,C).
• C) is modified according to the statistics of the new member x. It can be verified that minimizing the distance d(x,C) is equivalent to maximizing the mutual information between the clusters and the data activities.
• step 62 If the determination at decision step 62 is affirmative, then control proceeds to step 64.
• the current user x remains in the cluster that was selected in step 56, and the tentative new clustering established in step 60 is confirmed.
• step 62 determines whether the determination at decision step 62 is negative. If the determination at decision step 62 is negative, then control proceeds to step 66. The current user x is returned to the cluster from which it was selected, and the tentative new clustering established in step 60 is rejected.
• control now proceeds to decision step 68, where it is determined whether more users remain to be evaluated in the current cycle. If the determination at decision step 68 is affirmative, then control returns to step 58.
• decision step 72 the user list is reset to begin another cycle in the current set of cycles. Control returns to step 56, and the new cycle begins by choosing a new cluster, using the same random partitioning established in initial step 54.
• step 70 If the determination at decision step 70 is negative, then control proceeds to step 74.
• the best clustering achieved in the current set of cycles is memorized.
• the termination criterion may be completion of a predetermined number of iterations of initial step 54.
• a performance indicator can be used as a termination criterion. If the determination at decision step 76 is negative, then control returns to initial step 54, and the method is repeated, choosing a new starting point. If the determination at decision step 76 is affirmative, then control proceeds to final step 78.
• the best result obtained in the clusterings memorized in iterations of step 74 is reported as a final clustering that maximizes the mutual information between the user clusters and the data clusters. Data Element Clustering.
• Fig. 5 is a flow chart describing a method for storage element clustering in accordance with a disclosed embodiment of the invention.
• This is an ag- glomerative method based on merging clusters that are represented by sibling elements in the data file tree. It is assumed that user clustering as described above with reference to Fig. 4 has been performed.
• sibling directories or parent- offspring directories that cannot be distinguished in terms of user access events. This stage results in a directory tree that has been pruned into a tractable number of elements.
• Initial step 80 begins a traversal of the directories of the file tree.
• parent-offspring directories and sibling directories and clusters thereof are considered, and are referred to collectively as "neighbors".
• the traversal order is not critical, so long as all data elements are visited and all mutual neighbors are evaluated. Many known algorithms for tree traversal may be employed. Two neighbors are selected.
• step 84 the candidates are merged together to form a new data cluster. This data cluster is treated as a single storage element or neighbor in subsequent iterations of initial step 80.
• decision step 86 it is determined whether traversal of the data file tree is complete. If the determination at decision step 86 is affirmative, then control returns to initial step 80 to begin another iteration.
• the determination at decision step 86 is negative, then one phase of the method is complete, resulting in a pruned directory tree.
• the directories and clusters of direc- tories in the pruned tree constitute a tractable number of elements.
• step 88 begins another phase of the method, wherein the pruned tree is traversed again, with additional merging of candidates in a manner that leads to a minimal reduction in the mutual information l(X;Y).
• the mutual information ⁇ (X;Y) between the user clusters resulting from the method described with reference to Fig. 4 and the data clusters of the current pruned tree is memorized.
• two candidates are selected.
• these candidates can be clusters, directories, or combinations thereof, so long as the candidates have a sibling or parent-child relationship.
• step 92 the current candidates are tentatively merged to form a new clustering of the users and data elements.
• the mutual information F (X; Y) of the tentative arrangement is determined.
• step 94 If the determination at decision step 94 is affirmative, then control proceeds to step 96.
• the current tentative clustering is memorized, and set as a high water mark. It is the best new clustering thus far available.
• control proceeds to decision step 98, where it is determined if more candidates remain to be evaluated in the tree. If the determination at decision step 98 is affirmative, then control returns to step 90.
• control proceeds to decision step 100, where it is determined if a termination criterion has been met.
• This criterion can be the establishment of a predetermined number of new clusters. Alternatively, the method may terminate when the current best reduction in mutual information is less than a predetermined threshold. If the determination at decision step 100 is negative, then the method is repeated, using the mutual information of the current best clustering as a starting point. Control returns to step 88, where a new value of the mutual information 1(X; Y) is set.
• step 100 determines whether the determination at decision step 100 is affirmative. If the determination at decision step 100 is affirmative, then control proceeds to final step 102.
• the clustering last stored at step 96 is reported as an optimum data element clustering.
• both the users and the data storage elements are arranged in disjoint clusters.
• a hierarchical tree structure is maintained among the data storage elements, while the users are distributed among a user space without having a hierarchical ar- rangement.
• a robust similarity measure between users in the organization can then be extracted. It is said that users behave similarly if they belong to the same user cluster, which indicates that the two users are accessing similar portions of the data-storage systems. Two directories or other storage elements are considered similar if they belong to the same data cluster. Storage access control.
• the clustering obtained using the method described above with reference to Fig. 5 can be used to automatically eliminate unnecessary access permissions. For example, permission for a user x to access a storage element y is eliminated if the user x has not accessed the element y (nor elements similar to y) during an enrollment period. It is predicted that the user x will not need to access the element y in the near future. The prediction is based on the access profile of similar members of the organization. It can be assumed that if no users with a similar access profile to the element y, who are thus in the same cluster as the user x, have accessed the element y, nor accessed storage elements similar to the element y, then the user x will not access the element v in the near future. Therefore, in order to increase the level of organiza- tional data security, access permission can be canceled for the user x with respect to the element y. Review of the users is conducted iteratively at predetermined time intervals, and the access policy updated accordingly.
• the ACL can be viewed as a set of pairs, where each pair consists of a group of users and a group of data elements that can be accessed by the user group.
• the procedure presented below can use the unsupervised clustering procedure discussed above to modify the current ACL and thereby obtain an improved policy.
• the organizational structure learned from the recorded user access data is then used to eliminate unnecessary data access permissions.
• the algorithm is based on the current ACL, and operates separately for each user- data group in the following manner: for each user we check whether access to one of the data elements defined in the pair was recorded. If not, we check whether a similar user accessed the data element during the enrollment period. Here similarity has the same meaning as given above. If no such user was found, it can be concluded that the particular user will not need to access the data element in the near future. If this is also the case for the data elements appearing in the data group, we eliminate the user from the access control pair. A second phase of the process is applied to eliminate data elements from the access control pair, as explained below.
• Fig. 6 is a flow chart illustrating a method of partially supervised file access control in accordance with a disclosed embodiment of the invention.
• the steps of the method are shown in an exemplary sequence in Fig. 6 for clarity of presentation. However, it will be evident to those skilled in the art that many of them can be performed in parallel, asynchronously, or in different orders.
• the method begins at initial step 104.
• the bi-clustering methods described above with reference to Fig. 4 and Fig. 5 are performed and applied.
• an access control unit is selected from the ACL. This unit is a pair, composed of a group of users and a group of directories.
• step 108 a user is chosen from the users of the current access control unit.
• step 110 a data element is chosen from the current access control unit.
• step 112 determines whether users determined (in the clus- tering procedure performed in initial step 104) to be similar to the current user are evaluated. Control proceeds to step 116. A similar user is selected.
• control returns to step 116. If the determination at decision step 120 is negative, then at step 122 the current user is removed from the current access control unit.
• step 124 it is determined if more users in the current access control unit remain to be evaluated. If the determination at decision step 124 is affirmative, then control returns to step 108 If the determination at decision step 124 is negative, then, at decision step 126 it is determined if more access control units remain to be evaluated. If the determination at decision step 126 is affirmative, then control returns to step 106 to begin a new iteration.
• Step 114 begins a phase of the algorithm, which concerns the status of the current data element in the current access control unit. This phase is performed only if neither the current user nor any similar user has accessed the current data element.
• the purpose of the following steps is to investigate whether data elements that are considered to be similar to the current data element (according to the clustering procedure performed in initial step 104) have been accessed by any of the users in the current access control unit. If not, then the current data element is removed from the current access control unit. Once this action is accomplished, no member of the current user group can thereafter access the current data element. A similar data element is selected from the clustering performed in initial step 104.
• step 130 a user is again selected from the current access control unit. It is intended that all users in the current access control unit be subject to evaluation in iterations of step 130.
• step 134 determines if there are more similar data elements to be tested against the users in the current access control unit.
• control returns to step 114.
• step 136 If the determination at decision step 136 is negative, then all users of the current access control unit have been tested for access against all data elements that are similar to the current data element (chosen in the last iteration of step 110). No access has been found. At step 137 the current data element is now eliminated from the current access control unit.
• the clustering procedures described above are applied to the storage access activities collected during an enrollment or training period for the system. These procedures may be repeated from time to time, for example, following mergers and acquisitions in the underlying organization. It is desirable to assure that a proposed or tentative new or updated access control policy is valid in terms of user activity occurring following the enrollment period. Data collected after the enrollment period are used to verify the validity of the tentative policy prior to its institution. This function is carried out by the commit module 30, which records user access activities and detects violations of the tentative policy. If the user activities would not violate the tentative policy, then it is approved as a definitive storage access control policy. Otherwise it is rejected or returned for further evaluation or revision. The commit module 30 thus provides a cross-validation mechanism to check the quality of a proposed storage access control policy before its actual implementation.
• the commit module 30 is adapted to perform this function following the implementation of a storage access control. Abnormal behavior may be identified if a user acts inconsistently with other users belonging to the same user cluster.

Landscapes

• Engineering & Computer Science (AREA)
• Theoretical Computer Science (AREA)
• Computer Security & Cryptography (AREA)
• Physics & Mathematics (AREA)
• General Engineering & Computer Science (AREA)
• General Physics & Mathematics (AREA)
• Computer Hardware Design (AREA)
• General Health & Medical Sciences (AREA)
• Software Systems (AREA)
• Business, Economics & Management (AREA)
• Health & Medical Sciences (AREA)
• Accounting & Taxation (AREA)
• Bioethics (AREA)
• Strategic Management (AREA)
• Automation & Control Theory (AREA)
• General Business, Economics & Management (AREA)
• Finance (AREA)
• Databases & Information Systems (AREA)
• Social Psychology (AREA)
• Storage Device Security (AREA)
• Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Priority Applications (3)

Applications Claiming Priority (4)

Publications (2)

Family

ID=37495353

Family Applications (1)

Country Status (5)

Cited By (7)

Families Citing this family (270)

Family Cites Families (17)

• 2005
  • 2005-10-25 US US11/258,256 patent/US7606801B2/en active Active
• 2006
  • 2006-05-21 GB GB0723218A patent/GB2441458B/en active Active
  • 2006-05-21 WO PCT/IL2006/000600 patent/WO2006131906A2/en not_active Ceased
  • 2006-05-21 DE DE112006001378T patent/DE112006001378T5/de not_active Ceased
  • 2006-05-21 JP JP2008515373A patent/JP4988724B2/ja active Active
  • 2006-12-07 US US11/635,736 patent/US7555482B2/en active Active
• 2012
  • 2012-01-27 JP JP2012015556A patent/JP5108155B2/ja active Active

Also Published As

Similar Documents

Legal Events