[go: up one dir, main page]

WO2002014989A2 - Permission level generation based on adaptive learning - Google Patents

Permission level generation based on adaptive learning Download PDF

Info

Publication number
WO2002014989A2
WO2002014989A2 PCT/IB2001/001923 IB0101923W WO0214989A2 WO 2002014989 A2 WO2002014989 A2 WO 2002014989A2 IB 0101923 W IB0101923 W IB 0101923W WO 0214989 A2 WO0214989 A2 WO 0214989A2
Authority
WO
WIPO (PCT)
Prior art keywords
access
user
resource
users
hierarchy
Prior art date
Application number
PCT/IB2001/001923
Other languages
French (fr)
Other versions
WO2002014989A8 (en
Inventor
Eliyahu Dichterman
Gideon Maliniak
Original Assignee
Camelot Information Technologies Ltd.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Camelot Information Technologies Ltd. filed Critical Camelot Information Technologies Ltd.
Priority to AU2001294110A priority Critical patent/AU2001294110A1/en
Publication of WO2002014989A2 publication Critical patent/WO2002014989A2/en
Publication of WO2002014989A8 publication Critical patent/WO2002014989A8/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102Entity profiles
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/23Clustering techniques
    • G06F18/231Hierarchical techniques, i.e. dividing or merging pattern sets so as to obtain a dendrogram
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
    • G06F21/107License processing; Key processing
    • G06F21/1078Logging; Metering
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/552Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/554Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/604Tools and structures for managing or administering access control systems
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105Multiple levels of security
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141Access rights, e.g. capability lists, access control lists, access tables, access matrices
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2145Inheriting rights or properties, e.g., propagation of permissions or restrictions within a hierarchy
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2149Restricted operating environment

Definitions

  • This disclosure teaches techniques for automatic generation of permission levels. More specifically, the teachings include, but are not limited to, systems, methods and computer program products for generating permission levels using adaptive learning algorithms.
  • Adaptive learning is used in several areas and in a wide range of applications.
  • the term adaptive learning could relate to several different domains. It may include areas such as artificial intelligence (AI) on the one hand, and analog integrator circuits on the other.
  • AI artificial intelligence
  • Adaptive learning is widely used in expert systems. Capabilities of adaptive learning could also be used, for example, in vehicle breaking systems, thermostats, teaching systems, and many others.
  • Adaptive learning generally relies on the capability of accumulating historic information or data over time. This historic information or data is coupled with data relating to the present time to determine a response, or output, that forms the basis for establishing and predicting the current activity of the system.
  • An adaptive learning system for a thermostat may "learn" the temperature curve most suitable for the users of a room. This system will then adapt, over time, to respond to various changes that occur during the span of a day, a week, a year and so on. Continued use of such an adaptive learning system can result in significant cost savings as well as overall improvement in system performance.
  • real-time performance is required from an adaptive learning system. While, in other cases, a delayed response is permissible. For example, a real-time "expert system” is expected to provide an accurate response within a very limited time frame, so that the user does not have to wait a significant amount of time. The same type of constraints would apply for receiving a response in a breaking system for a vehicle. On the other hand, a thermostat could use relatively substantial time to "learn” and respond over time without adversely affecting the performance of the system. Learning systems and adaptive learning systems are implemented in different ways. Using logic and "IF-THEN" rules is one way of implementing such systems. In some other cases an approach using neural networks is preferred.
  • a "case by case” method, or “query” based solutions are preferred.
  • the overall function of a learning system and an adaptive learning system, as the titles indicate, is to learn. By such learning, the system becomes capable of generating a next response over time, based on the currently received input and prior history.
  • security systems The primary purpose of security systems is to prevent unauthorized use of a system's resources.
  • a security policy is usualjy implemented to prevent unauthorized use of system resources.
  • Security systems may be implemented by using a "firewall" that prevents unauthorized access by users external to the system.
  • Security systems may also be implemented by a security policy internal to the system organization.
  • the internal network may be virtual, otherwise known as a virtual private network, or VPN.
  • VPN virtual private network
  • a security policy to protect such a virtual network may also be necessary.
  • conventional systems do not provide the capability of adaptive learning for securing a network system.
  • the disclosed teachings provide a system where user access is controlled.
  • the system comprises an access analyzer subsystem and a user control subsystem.
  • the access analyzer subsystem further includes a history machine capable of processing new and historical data related to access attempts, a history database for storing the new and historical data, a hierarchy generator connected to said history machine for generating a user hierarchy related to the historical data, and a permission level generator connected to the history machine and the hierarchy generator.
  • the permission level generator is adapted to generate permissions for accessing the user subsystem based on the user hierarchy and the historical access data.
  • the user control subsystem further includes an agent adapted to provide an event audit trail to the access analyzer subsystem and receive a permission level from said access analyzer subsystem; and a control unit adapted to provide a security policy to the access analyzer subsystem and receive a statistical information from said access analyzer subsystem.
  • the agent is a guardian agent further adapted for at least allowing access to a resource in response to an access attempt, the allowing being based on at least said permission level.
  • the agent is a guardian agent further adapted for at least denying access to a resource in response to an access attempt, the denying being based on at least said permission level.
  • the agent is a guardian agent further adapted for at least sending an alarm to said control unit in response to an access attempt, the sending being based on at least said permission level.
  • control unit is further adapted for generating reports based on at least said statistical information.
  • control unit is further capable of generating reports based on at least the alarms.
  • the system comprises a history machine adapted to process new and historical data related to said events; a history database adapted to store the new and historical data; and a hierarchy generator connected to the history machine adapted to generate a hierarchy related to the new and historical data.
  • the permission level generator is adapted to generate permissions for accessing system resources based at least on the hierarchy. More specifically, the permission level generator comprises a weighted hierarchy activity calculator connected to a permission level calculator.
  • the weighted hierarchy activity calculator receives at least a weighted audit trail and a user hierarchy.
  • the permission level calculator generates permission levels based at least on an input provided from said weighted hierarchy activity calculator.
  • the permission levels are based further on a security policy.
  • said weighted audit trail is determined for a user accessing a resource in a give access type accounting for all accesses of the same type in a decreasing value.
  • said weighted audit trail is determined for a user not accessing a resource in a give access type by reducing the current said data. Still more specifically, said reduction is done as a multiplication of said data by a fractional constant.
  • the history machine generates a weighted audit trail based on event audit trail and history information provided by the history database.
  • the user hierarchy generator further includes an integrator; an aggregator connected to the integrator and further connected to a clustering machine; a clustering machine connected to the aggregator; and a hierarchy accumulator connected to the clustering machine. More specifically, the integrator receives a weighted audit trail.
  • the integrator calculates a sum total of all accesses of a specific access type made by a user-, the access being done to a specific resource.
  • the aggregator calculates a sum total of all accesses of a specific access type made by all users in a cluster, the access being done to a specific resource.
  • said aggregator calculates the contribution of all users within a cluster to access to a resource as the difference between the maximum value for said user access to said resource and the multiplication of all values relative to optionally normalized individual accesses of said user to said resource multiplied by said maximum value.
  • the maximum value is a normalized maximum value Still more specifically, said value relative to individual accesses is calculated as subtracting the value of said individual access from one. Still more specifically, the aggregator outputs an access information for every access type.
  • the access information comprises rows and columns, the rows representing users and said columns representing resources, the access matrix storing data related to the access of a said users to said resources- More specifically, the clustering machine outputs a preferred clustering assignment. Still more specifically/ the clustering machine implements a pairwise clustering algorithm. Even more specifically, the pairwise clustering algorithm is a greedy pairwise clustering algorithm.
  • the clustering machine includes a similarity matrix generator; and a pairwise clustering generator.
  • the similarity matrix generator is adapted to determine a commonality between access profiles of a first user and a second user to a resource.
  • the similarity matrix generator is further adapted to determine a first similarity between said first user and said second user, said first similarity being a result of dividing said commonality by the access attempts made by said first user.
  • the similarity matrix generator is further adapted to determine a second similarity between said second user and said first, said second similarity being a result of dividing said commonality by the access attempts made by said second user.
  • the similarity matrix generator is adapted to calculate an internal multiplication of user access profiles between a first user and a second user.
  • the similarity matrix generator is further adapted to divide the internal multiplication result by a norm of user access profiles made by the first user multiplied by the norm of access attempts made by the second user.
  • Yet another aspect of the disclosed teachings is a method for determining a hierarchy of users of a system.
  • the method comprises collecting a weighted audit trail related to access attempts by users to resources belonging to the system. All access attempts of each of a multiple types of access attempts to a f given resource by each of the users are integrated. User data is aggregated in accordance with preferred clustering assignments. Clusters are merged into higher level clusters so that each higher level cluster clusters one or more clusters in an immediate lower level cluster to form a cluster hierarchy. The steps are repeated until all clusters are merged into one cluster.
  • the steps are further repeated periodically to create a temporal hierarchy representation.
  • the aggregation is performed by averaging access data to a resource by all users belonging to a specific cluster.
  • the aggregation is performed by determining the maximum value for access data corresponding to a user belonging to a specific cluster.
  • the aggregator calculates the contribution of all users within a cluster to access to a resource as the difference between the maximum value for such user access to said resource and the multiplication of all values relative to optionally normalized individual accesses of said user to said resource multiplied by said maximum value.
  • More specifically said value relative to individual access is calculated by subtracting the value of said individual access from one.
  • the maximum value is a normalized maximum value.
  • the clustering is performed using a pairwise clustering algorithm. More specifically, the clustering algorithm is a greedy pairwise clustering algorithm. Specifically, historical data is subjected to a decay.
  • the weighted audit trail is determined for a user accessing a resource in a give access type accounting for all accesses of the same type in a decreasing value.
  • a maximum value for said data is provided. More specifically, the weighted audit trail is determined for a user not accessing a resource in a give access type by reducing the current said data.
  • Still more specifically, the reduction is done as a multiplication of said data by a fractional constant.
  • Still another aspect of the disclosed teachings is a method for determining permission levels for accessing a system.
  • the method comprises collecting data related to access attempts by users to resources belonging to the system.
  • the users are clustered into a user hierarchy.
  • Permission levels are generated based on at least the data and the user hierarchy. Specifically, the process is repeated periodically.
  • the classification of users into a user hierarchy is performed by a subprocess comprising integrating all access attempts of each of a multiple types of access attempts to a given resource by each of said users; aggregating user data in accordance with preferred clustering assignment; merging clusters into higher level clusters, wherein each higher level cluster clusters one or more clusters in an immediate lower level cluster to form a cluster hierarchy; and repeating the clustering until all users are merged into one cluster.
  • the aggregation is performed by averaging access data to a resource by all users belonging to a specific cluster. More specifically, the aggregation is performed by determining the maximum value for access data corresponding to users belonging to a specific cluster.
  • said value relative to individual accesses is calculated as subtracting the value of said individual access from one. More specifically, said clustering is performed using a pairwise clustering algorithm.
  • the clustering is performed using a pairwise clustering algorithm.
  • the pairwise clustering algorithm is a greedy pairwise clustering algorithm.
  • the generation of permission levels is performed using a subprocess comprising giving each of said users a weighted access profile to a resource based on said data and said user hierarchy; determining a range of said weighted access profiles to said resource and dividing it into a predetermined number of levels; and assigning for each of said users, a permission level based on which of said predetermined levels said each of said users corresponds to.
  • the range of said weighted access attempts is scaled to a logarithmic scale.
  • historical data is subjected to a decay factor. More specifically, said weighted audit trail is determined for a user accessing a resource in a give access type accounting for all accesses of the same type in a decreasing value.
  • the weighted audit trail is determined for a user not accessing a resource in a give access type by reducing the current said data.
  • the reduction is done as a multiplication of said data by a fractional constant.
  • Still another aspect of the disclosed teachings include computer program products that include computer readable media with instructions, the instructions being capable of enabling a computer to implement the above methods,
  • the above summaries are merely meant to provide a guidance for a better understanding of the disclosed teachings and are not intended to be limiting the scope of the claims in any manner.
  • FIG. 1 - is a block diagram illustrating an architecture used in conjunction with the present invention.
  • FIG. 2 - is an exemplary block diagram of an access analyzer.
  • FIG. 3 - is an exemplary block diagram of a hierarchy generator.
  • FIG. 4 - is an exemplary access matrix indicating users' accesses to a resource.
  • FIG. 5 - is an exemplary hierarchical clustering example.
  • FIG. 6 - is an exemplary clustering machine using a pairwise clustering unit.
  • FIG. 7 - is an exemplary similarity matrix.
  • FIG. 8 - is an exemplary block diagram of a permission levels generator.
  • FIG. 1 is a schematic illustration of a security system 10 in accordance with one embodiment that uses the disclosed teachings.
  • This architecture is fully described in the co-pending US patent application filed on the same date herewith, entitled “An Adaptive System and Architecture for Access Control", and which is assigned to common assignee as the present application, and is hereby incorporated by reference in its entirety, for all it discloses.
  • the architecture illustrated in FIG. 1 includes at least three elements: an agent 100, a control unit 110 and an access analyzer 120. Jhe relationship between the three elements are now described.
  • Agent 100 monitors access to. the resources. Such access to the resource is also called access attempt 108. Agent 100 provides a periodic historical information of access attempts to the access analyzer 120. Such periodic historical information is also known as event audit trail (EAT) 102. Further, agent 100 also provides alarms (104) to the control unit 120. Still further, if agent 100 functions as a guardian agent, it enforces access rights to system resources by permission or denial 106 of access to a system resource or resources in response to access attempt 108.
  • EAT event audit trail
  • agent 100 also provides alarms (104) to the control unit 120. Still further, if agent 100 functions as a guardian agent, it enforces access rights to system resources by permission or denial 106 of access to a system resource or resources in response to access attempt 108.
  • Access analyzer 120 analyses EAT 102, possibly using a first security policy 122. Access analyzer 120 responds, periodically, with a list of permission levels 134, to agent 100. Access analyzer 120 also provides statistical information 132 to control unit 110. Based on the permission levels received from access analyzer 120, and possibly using a second security policy 122' received from control unit 110, a guardian agent 100 is capable of enforcing the security control of the resources. The control is implemented by permitting, alerting, denying, or otherwise controlling access to at least one resource within the overall system.
  • guardian agent access analyzer and control unit
  • access analyzer access analyzer
  • control unit control unit
  • the first security policy 122 and the second security policy 122' may be identical, and may resides in the control unit 110.
  • the second security policy 122' may be provided to agent 100 through access analyzer 120.
  • the disclosed teachings include using techniques in unsupervised learning for learning an access control policy; from the access history of users, for implementing access analyzer 120.
  • the information is gathered by agent 100 as a sequence of access attempts 108.
  • An access attempt may include, but not limited to, a user, a location, a resource, an access type and time.
  • the user may be an identification of the user that initiated the access event.
  • the location may be an Internet protocol (IP) address, console name, terminal identifier, and so on, from where an access attempt 108 is being made.
  • IP Internet protocol
  • the resource may be an identification of the resource that was accessed, or attempted to be accessed, by the user.
  • the access type may be? the type of access attempt 108 that was made by the user. Examples of access types include read, write, execute, or others, and any combination thereof.
  • the time may be the exact time when the access event took place and may include among others the time of day, day of the week, etc.
  • the information gathered by the agent 100 is provided periodically by it to access analyzer 120 as event audit trail 102. It should be clear to a skilled artisan that the information gathering could be easily extended to accommodate additional information to be used by the learning system.
  • FIG. 2 is a schematic block diagram of an embodiment of access analyzer 120 that uses the disclosed teachings.
  • Access analyzer 120 includes a history machine (HM) 210, a history database (HDB) 220, a user hierarchy generator (UHG) 240, and a permission level generator (PLG) 230.
  • HM 210 processes newly accepted event audit trail 102 and combines it with the history of event audit trail collected in the past that are stored in HDB 220.
  • HM 210 outputs a weighted audit trail 250 to both UHG 240 and PLG 230.
  • HM 210 further stores the newly accepted event audit trail 102 in HDB 220 for future use.
  • the history is represented and collected as data d
  • the history collection is continued and each dj regardless of the time at which it is collected has the same weight.
  • HM 210 stores in HDB 220 the updated value of djj k that is calculated according to the following equation :
  • is a value between 0 and 1 that denotes how fast the decay occurs. The higher the value of ⁇ , the higher the importance give to current values of di jk compared to the old value.
  • dyk ⁇ kdyk
  • ⁇ , ⁇ represent charging and discharging coefficients respectively for access type a k
  • the weighted audit trail 250 which is basically a reflection of each user's access patterns, is used by UHG 240 to generate the user hierarchy based on the user pattern of accesses to system resources.
  • UHG 240 An exemplary implementation of UHG 240 using the disclosed teachings is described herein with reference to FIG. 3.
  • the basic elements that are included in UHG 240 are integrator 310, - aggregator 320, clustering machine (CM) 330 and hierarchy accumulator 340.
  • Integrator 310 operates on data ppints d U and integrates all the data points that correspond to a certain access type. While one example is provided in this disclosure, other structures of hierarchy, such as a hierarchy tree is also possible.
  • a tree hierarchy differs from a clustering hierarchy, in the sense that in the tree hierarchy each node represents a split of clusters and further that the leaves are at different levels.
  • An access type may be, for example, a read access, a write access, and others as separate or combinations thereof. It should be noted that for the purpose of hierarchy identification the access types of the users can be integrated by performing, for example the following calculation :
  • ⁇ k is the importance of a particular access type. For example, write may be more significant than read.
  • d g corresponds to the value of d for a cluster C and resource j
  • d values are normalized to the range between 0 and 1.
  • d ijk another factor d i could be used where I represents a specific time slot.
  • di jk i would represent an activity of a user Uj on a resource r 3 performing activity a k during a time slot.
  • the equations for handling the impact of historical data and integration can be appropriately modified without undue experimentation by a skilled artisan.
  • Aggregator 320 accumulates the data corresponding to a user relating to the resources the user is attempting " to access. It further handles the feedback provided by CM 330. Such feedback necessitates the recalculation of the data as cluster assignments take place and lower level clusters are clustered into higher level clusters.
  • An example implementation for the operation of aggregator 320 is to average the data di j for all data belonging to all users of a specific cluster particular value of "i".
  • Concept of a cluster is described subsequently in detail with reference to CM 330 and FIG.4.
  • a maximum value of all d u corresponding to users of a specific cluster is chosen by the aggregator as an aggregate value of the data.
  • the user access profiles are an output of aggregator 320 and may be organized as an access matrix correlating clusters of users to resources as in the exemplary matrix of Fig. 4.
  • this access matrix the rows indicate the users and the columns indicate resources.
  • the values in each i,j combination is related to the access attempts by a user "i" to a resource " ".
  • This data can be used by CM 330 to define the way in which users u, should be clustered.
  • the process is iterative.
  • a feedback is provided to aggregator 320 allowing for a further higher level cluster assignment that factors in the feedback relative to the current clustering status.
  • output of aggregator 320 may be organized in other structures, more specifically as a tree of resources, such as would be the case when handling files within a sequence of file folders.
  • CM 330 may cluster users u x through u 5 , in the example of Fig. 4, as described in FIG. 5.
  • CM could use a first lower level cluster assignment that clusters users Ui with u 2 520, users u 4 with Us 540, and leaves user u 3 S3Q on its own.
  • the current lower level clustering assignment is fed back to aggregator 320 that updates the input matrix to CM 330.
  • CM 330 may have a new upper level cluster assignment where lower level cluster 520 and lower level cluster 530 are further assigned to one upper level cluster 510, and cluster 540 is left on its own.
  • upper level cluster 510 and cluster 540 are assigned one super level cluster 500.
  • the super level 500 represents the case of all the users belonging to the system 10.
  • CM 330 using the disclosed teachings is described in Fig. 6 where a similarity matrix generator (SMG) 610 is connected to a pairwise clustering generator (PCG) 620.
  • SMG similarity matrix generator
  • PCG pairwise clustering generator
  • GPCG greedy pairwise clustering generator
  • a GPCG is the subject matter of a co-pending US patent application filed on the same date herewith, entitled “A System and Method for a Greedy Pairwise Clustering", and which is assigned to common assignee as the present invention, and is hereby incorporated by reference in its entirety, for all it discloses.
  • the PCG requires a similarity matrix as an input. Therefore, the output of aggregator 320 must be preprocessed in order to generate the f similarity matrix.
  • the generation of the similarity matrix is performed by SMG
  • the matrix of FIG. 4 can be used in conjunction with the above-mentioned formula to generate the similarity matrix of Fig. 7.
  • the results of the self- similarity i.e., the similarity of u t to itself, is clearly "1".
  • the similarity between two users shown in FIG.7, u t to u 2 is calculated as follows.
  • Resources R 3 through R 7 a total of five, are accessed by both Ui and u 2 .
  • Resources R 3 through R 7 a total of five, are accessed by both u 2 and Ui.
  • User u 2 accesses a total of six of the resources, namely resources R 3 through R 7 as well as R 9 .
  • similarity may be the result of the internal multiplication relative to u t and u m divided by the norms for ui and u m , as in the formula below:
  • ⁇ * K A skilled artisan can without undue experimentation use other ways of calculating similarity calculations for creating a similarity matrix without deviating from the spirit of the disclosed teachings. It should also be clear that instead of a similarity matrix, a dissimilarity matrix, representing the dissimilarity between two users, may be used. If a dissimilarity matrix is to be used, a minimum rather then maximum scores will be used by PCG 620 to determine the clustering assignment.
  • Permission levels 134 are generated by PLG 230 based upon at least weighted audit trail 250 and user hierarchy 260. In an alternate embodiment using the disclosed teachings security policy 122 is also an input to PLG 230.
  • PLG 230 includes a weighted hierarchical activity calculator (WHAC) 810 and a permission level calculator (PLC) 820.
  • WHAC weighted hierarchical activity calculator
  • PLC permission level calculator
  • the number of permission levels may be determined by a user or administrator of system 10, depending on the level of granularity and control necessary to be achieved, and is designated as N PL .
  • WHAC calculates the activity type a k on a resource ⁇ for all the users of the system.
  • the activity will range from a very low activity a k of some users on a resource ⁇ , to a very high activity a on a resource ⁇ , of other users.
  • users sharing a cluster may also get a permission to use certain resources.
  • a weighted value resulting from the access of a user or a cluster of users to a resource is also provided to other users sharing the cluster.
  • an access by a user to a resource will result in a certain weight given to such access attem t to all other users that have a relationship with that user.
  • Such a relationship could be by being in the same cluster or through the hierarchy of clusters.
  • Th " e weighted contribution of the relationship reduces relative to the distance of the relationship..
  • a weighted number d' u is calculated in which all clusters that contains the user (at all different levels of the hierarchy) wilfhave an influence.
  • the weighted profiles d'i j are used rather than the profiles d fj themselves.
  • a logarithmic scale is proposed to measure activity a k on resource /). Such a scale is suggested due to the significant range of activity levels between users. Hence, a user may access his own files very frequently, while other users may not access it at all.
  • the logarithmic range is then divided by N PL , creating N PL levels.
  • a user u t having an activity level a k , on resource r jr will fall within one of the levels, designated as /.
  • the adaptive permission level Lj jk which is the permission level for a user u t - to access a resource ⁇ for the purpose of an access a l is calculated as follows:
  • an access attempt 108 may be defined as: a) having an access permission regardless of the results of the access analyzer 120; or b) having no access permission regardless of the results of the access analyzer 120; or c) being an adaptive rule, the permission level is dependent on the results of access analyzer 120. Therefore the values for L ijk may be "1", "0", or the results of the formula above, respectively.
  • WHAC 810 A way of implementing this feature by WHAC 810 is by assigning a decreasing resource access weight along the hierarchy to clusters of a user who used a certain resource. Assume that the contribution of a cluster to a user is derived from the maximal access value of users within the cluster. Referring to Fig. 5, assume further that a user Ui accessed r if which no other user has accessed.. Notwithstanding, each user will still receive a contribution of that access based on its cluster proximity.
  • Ui may have a permission level of "1", u a permission level of "0.75", u 3 a permission level of "0.5", while u 4 and u 5 will have a permission level of "0.25" each.
  • an agent 100 operating as a guardian agent may permit or deny certain access attempts. For example, if the threshold for an access to resource r t is defined at a level of "0.6" only users u and u 2 will be allowed to access this resource.
  • access analyzer 120 deduce from event audit trail 102 a number in the range from 0 tol ⁇ to be assigned to each potential access attempt 108.
  • the number assigned to a potential access event (u, r, a, t), where "u” denotes a user(s), "r” denotes a resource(s), “a” denotes an access attempt(s), and "t” denotes a time(s), can be interpreted as the probability that a user u should be permitted to make an access of type "a” to a resource "r” at a time "t".
  • a person skilled in the art would be able to add parameters to the definition of a potential event.
  • the parameter "! denoting a location(s) may be used.
  • the higher this probability the more confident system 10 is that access attempt 108 should be permitted.
  • the system administrators are freed from the need to manually maintain security policy 122 of a complex enterprise wide system, as would otherwise be required in conventional systems.
  • access analyzer 120 provides a generalization mechanism from access attempts made by individual users to access attempts made by clusters of users.
  • a user may get permissions to resources he has never accessed in the past provided that there is strong evidence in the hierarchy data that his cluster should get permission to access that resource. This generally happens when other members of the cluster have accessed that resource in the past.
  • the accesses made by a user may influence the permissions assigned not only to each member of his basic cluster, but also influence the permissions assigned to members of clusters at higher levels.
  • a hierarchy of clusters was produced, in other words several levels of clusters.
  • the most general cluster the cluster at the top of the hierarchy includes all the users, that may be used to allow the most liberal access to resources of system 10.
  • the bottommost level has every user in a different cluster.
  • each cluster assignment is a refinement of the previous cluster assignment.
  • a person skilled in the art could easily adapt this invention for use in other fields other the access control.
  • One specific use is to learn the informal hierarchy of an organization and its temporal dynamics.
  • the disclosed teaching can be implemented using hardware, software or a combination thereof. It can also be implemented using any type of computer including PCs, workstations and mainframes.
  • the disclosed teaching also includes computer program products that includes a computer readable medium with instructions. These instructions can include, but not limited to, source code, object code and executable code and can be in any higher level language, assembly language and machine language.
  • the computer readable medium is not restricted to any particular type of medium but can include, but not limited to, RAMS, ROMs, hard disks, floppies, tapes and internet downloads.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Evolutionary Computation (AREA)
  • Evolutionary Biology (AREA)
  • Artificial Intelligence (AREA)
  • Automation & Control Theory (AREA)
  • Multimedia (AREA)
  • Technology Law (AREA)
  • Storage Device Security (AREA)
  • Computer And Data Communications (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The disclosure teaches a system where user access is controlled. The system comprises an access analyzer subsystem and a user control subsystem. The access analyzer subsystem further includes a history machine capable of processing new and historical data related to access attempts, a history database for storing the new and historical data, a hierarchy generator conneted to said history machine for generating a user hierarchy related to the historical data, and a permission level generator connected to the history machine and the hierarchy generator. The permission level generator is adapted to generate permission levels for accessing the user subsystem based on the hierarchy and user's access profile. The user control subsystem further includes an agent adapted to provide an event audit trail to the access analyzer subsystem and receive a premission level from said access analyzer subsystem; and a control unit adapted to provide a security policy to the access analyzer subsystem and receive statistical information and reports from said access analyzer and agent subsystem respectively.

Description

Permission Level Generation Based on Adaptive Learning
I. Description I.A. Claim for Priority This application claims priority from U.S. Provisional Patent Application serial No. 60/226,128 filed on August 18, 2000, incorporated in its entirety by reference herein. This application also claims priority from U.S. Provisional Patent Application serial No. 60/259,575 filed on January 4, 2001, incorporated in its entirety by reference herein.
I.B. Field
This disclosure teaches techniques for automatic generation of permission levels. More specifically, the teachings include, but are not limited to, systems, methods and computer program products for generating permission levels using adaptive learning algorithms.
I.C. Background and Related Art
The following documents provide background for a better understanding of the disclosed teaching, and to that extent, they are incorporated herein by reference.
1. US Patents 4,697,242 Sep 198 Holland et al.
5,115,967 May 1992' Wedekind
5,204,961 Apr 1993 Barlow 5,787,234 Jul 1998 Molloy 5,991,879 Nov 1999 Still
5,996,077 Nov 1999 Williams
6,038,556 Mar 2000 Hutchison
6,082,835 Jul 2000 Brearley 6,098,173 Aug 2000 Elgressy et al
6,134,532 Oct 2000 Lazarus et al.
6,158,010 Dec 2000 Moriconi et al
6,163,383 Dec 2000 Ota et al
6,164,975 Dec 2000 Weingarden et al. 6,167,520 Dec 2000 Touboul
6,186,794 Feb 2001 Brown et al.
6,202,157 Mar 2001 Brownlie et al
6,206,700 Mar 2001 Brown et al.
Adaptive learning is used in several areas and in a wide range of applications. The term adaptive learning could relate to several different domains. It may include areas such as artificial intelligence (AI) on the one hand, and analog integrator circuits on the other. Adaptive learning is widely used in expert systems. Capabilities of adaptive learning could also be used, for example, in vehicle breaking systems, thermostats, teaching systems, and many others.
Adaptive learning generally relies on the capability of accumulating historic information or data over time. This historic information or data is coupled with data relating to the present time to determine a response, or output, that forms the basis for establishing and predicting the current activity of the system. An adaptive learning system for a thermostat, for example, may "learn" the temperature curve most suitable for the users of a room. This system will then adapt, over time, to respond to various changes that occur during the span of a day, a week, a year and so on. Continued use of such an adaptive learning system can result in significant cost savings as well as overall improvement in system performance.
In certain cases, real-time performance is required from an adaptive learning system. While, in other cases, a delayed response is permissible. For example, a real-time "expert system" is expected to provide an accurate response within a very limited time frame, so that the user does not have to wait a significant amount of time. The same type of constraints would apply for receiving a response in a breaking system for a vehicle. On the other hand, a thermostat could use relatively substantial time to "learn" and respond over time without adversely affecting the performance of the system. Learning systems and adaptive learning systems are implemented in different ways. Using logic and "IF-THEN" rules is one way of implementing such systems. In some other cases an approach using neural networks is preferred. In yet other cases, a "case by case" method, or "query" based solutions are preferred. Regardless of the method used, the overall function of a learning system and an adaptive learning system, as the titles indicate, is to learn. By such learning, the system becomes capable of generating a next response over time, based on the currently received input and prior history.
The primary purpose of security systems is to prevent unauthorized use of a system's resources. In such security systems, and specifically network security systems, a security policy is usualjy implemented to prevent unauthorized use of system resources. Security systems may be implemented by using a "firewall" that prevents unauthorized access by users external to the system. Security systems may also be implemented by a security policy internal to the system organization. In modern network systems, very often the internal network may be virtual, otherwise known as a virtual private network, or VPN. In such cases the network, though actually physically spread out in various geographic areas, is still considered one network. A security policy to protect such a virtual network may also be necessary. However, conventional systems do not provide the capability of adaptive learning for securing a network system.
It would be advantageous to provide adaptive learning capabilities to such network systems. Specifically, more pronounced advantages can be realized in systems that have a large number of users and/or resources. This is at least because a security policy becomes increasingly difficult to create and maintain accurately and dynamically in such large systems.
II. Summary
To help realize the advantages mentioned above, the disclosed teachings provide a system where user access is controlled. The system comprises an access analyzer subsystem and a user control subsystem. The access analyzer subsystem further includes a history machine capable of processing new and historical data related to access attempts, a history database for storing the new and historical data, a hierarchy generator connected to said history machine for generating a user hierarchy related to the historical data, and a permission level generator connected to the history machine and the hierarchy generator. The permission level generator is adapted to generate permissions for accessing the user subsystem based on the user hierarchy and the historical access data. The user control subsystem further includes an agent adapted to provide an event audit trail to the access analyzer subsystem and receive a permission level from said access analyzer subsystem; and a control unit adapted to provide a security policy to the access analyzer subsystem and receive a statistical information from said access analyzer subsystem.
Specifically, the agent is a guardian agent further adapted for at least allowing access to a resource in response to an access attempt, the allowing being based on at least said permission level.
Specifically, the agent is a guardian agent further adapted for at least denying access to a resource in response to an access attempt, the denying being based on at least said permission level.
Specifically, the agent is a guardian agent further adapted for at least sending an alarm to said control unit in response to an access attempt, the sending being based on at least said permission level.
Specifically, the control unit is further adapted for generating reports based on at least said statistical information.
Specifically, the control unit is further capable of generating reports based on at least the alarms.
Another aspect of the disclosed teachings is a system for tracking access attempts. The system comprises a history machine adapted to process new and historical data related to said events; a history database adapted to store the new and historical data; and a hierarchy generator connected to the history machine adapted to generate a hierarchy related to the new and historical data. Specifically, the further includes a permission level generator connected to the history machine and said hierarchy generator. The permission level generator is adapted to generate permissions for accessing system resources based at least on the hierarchy. More specifically, the permission level generator comprises a weighted hierarchy activity calculator connected to a permission level calculator.
More specifically, the weighted hierarchy activity calculator receives at least a weighted audit trail and a user hierarchy.
More specifically, the permission level calculator generates permission levels based at least on an input provided from said weighted hierarchy activity calculator.
Still more specifically, the permission levels are based further on a security policy.
Still more specifically, said weighted audit trail is determined for a user accessing a resource in a give access type accounting for all accesses of the same type in a decreasing value.
Still more specifically, a maximum value for said data is provided.
Still more specifically, said weighted audit trail is determined for a user not accessing a resource in a give access type by reducing the current said data. Still more specifically, said reduction is done as a multiplication of said data by a fractional constant.
Specifically, the history machine generates a weighted audit trail based on event audit trail and history information provided by the history database.
More specifically, a decay factor is applied to historical data prior to storing in said history database. Specifically, the user hierarchy generator further includes an integrator; an aggregator connected to the integrator and further connected to a clustering machine; a clustering machine connected to the aggregator; and a hierarchy accumulator connected to the clustering machine. More specifically, the integrator receives a weighted audit trail.
More specifically, the integrator calculates a sum total of all accesses of a specific access type made by a user-, the access being done to a specific resource.
More specifically, the aggregator calculates a sum total of all accesses of a specific access type made by all users in a cluster, the access being done to a specific resource.
Still more specifically, said aggregator calculates the contribution of all users within a cluster to access to a resource as the difference between the maximum value for said user access to said resource and the multiplication of all values relative to optionally normalized individual accesses of said user to said resource multiplied by said maximum value.
Still more specifically, the maximum value is a normalized maximum value Still more specifically, said value relative to individual accesses is calculated as subtracting the value of said individual access from one. Still more specifically, the aggregator outputs an access information for every access type.
Even more specifically, the access information comprises rows and columns, the rows representing users and said columns representing resources, the access matrix storing data related to the access of a said users to said resources- More specifically, the clustering machine outputs a preferred clustering assignment. Still more specifically/ the clustering machine implements a pairwise clustering algorithm. Even more specifically, the pairwise clustering algorithm is a greedy pairwise clustering algorithm.
More specifically, the clustering machine includes a similarity matrix generator; and a pairwise clustering generator. Still more specifically, the similarity matrix generator is adapted to determine a commonality between access profiles of a first user and a second user to a resource. The similarity matrix generator is further adapted to determine a first similarity between said first user and said second user, said first similarity being a result of dividing said commonality by the access attempts made by said first user. The similarity matrix generator is further adapted to determine a second similarity between said second user and said first, said second similarity being a result of dividing said commonality by the access attempts made by said second user.
Still more specifically, the similarity matrix generator is adapted to calculate an internal multiplication of user access profiles between a first user and a second user. The similarity matrix generator is further adapted to divide the internal multiplication result by a norm of user access profiles made by the first user multiplied by the norm of access attempts made by the second user.
Yet another aspect of the disclosed teachings is a method for determining a hierarchy of users of a system. The method comprises collecting a weighted audit trail related to access attempts by users to resources belonging to the system. All access attempts of each of a multiple types of access attempts to a f given resource by each of the users are integrated. User data is aggregated in accordance with preferred clustering assignments. Clusters are merged into higher level clusters so that each higher level cluster clusters one or more clusters in an immediate lower level cluster to form a cluster hierarchy. The steps are repeated until all clusters are merged into one cluster.
Specifically, the steps are further repeated periodically to create a temporal hierarchy representation. Specifically, the aggregation is performed by averaging access data to a resource by all users belonging to a specific cluster.
Specifically, the aggregation is performed by determining the maximum value for access data corresponding to a user belonging to a specific cluster.
More specifically, the aggregator calculates the contribution of all users within a cluster to access to a resource as the difference between the maximum value for such user access to said resource and the multiplication of all values relative to optionally normalized individual accesses of said user to said resource multiplied by said maximum value.
More specifically said value relative to individual access is calculated by subtracting the value of said individual access from one.
More specifically, the maximum value is a normalized maximum value.
Specifically, the clustering is performed using a pairwise clustering algorithm. More specifically, the clustering algorithm is a greedy pairwise clustering algorithm. Specifically, historical data is subjected to a decay.
Specifically, the weighted audit trail is determined for a user accessing a resource in a give access type accounting for all accesses of the same type in a decreasing value.
More specifically, a maximum value for said data is provided. More specifically, the weighted audit trail is determined for a user not accessing a resource in a give access type by reducing the current said data.
Still more specifically, the reduction is done as a multiplication of said data by a fractional constant. Still another aspect of the disclosed teachings is a method for determining permission levels for accessing a system. The method comprises collecting data related to access attempts by users to resources belonging to the system. The users are clustered into a user hierarchy. Permission levels are generated based on at least the data and the user hierarchy. Specifically, the process is repeated periodically. Specifically, the classification of users into a user hierarchy is performed by a subprocess comprising integrating all access attempts of each of a multiple types of access attempts to a given resource by each of said users; aggregating user data in accordance with preferred clustering assignment; merging clusters into higher level clusters, wherein each higher level cluster clusters one or more clusters in an immediate lower level cluster to form a cluster hierarchy; and repeating the clustering until all users are merged into one cluster.
More specifically, the aggregation is performed by averaging access data to a resource by all users belonging to a specific cluster. More specifically, the aggregation is performed by determining the maximum value for access data corresponding to users belonging to a specific cluster.
More specifically, said value relative to individual accesses is calculated as subtracting the value of said individual access from one. More specifically, said clustering is performed using a pairwise clustering algorithm.
More specifically, the clustering is performed using a pairwise clustering algorithm. Still more specifically, the pairwise clustering algorithm is a greedy pairwise clustering algorithm.
Specifically, the generation of permission levels is performed using a subprocess comprising giving each of said users a weighted access profile to a resource based on said data and said user hierarchy; determining a range of said weighted access profiles to said resource and dividing it into a predetermined number of levels; and assigning for each of said users, a permission level based on which of said predetermined levels said each of said users corresponds to.
More specifically, the range of said weighted access attempts is scaled to a logarithmic scale.
Specifically, historical data is subjected to a decay factor. More specifically, said weighted audit trail is determined for a user accessing a resource in a give access type accounting for all accesses of the same type in a decreasing value.
Still more specifically, a maximum value for said data is provided.
Still more specifically, the weighted audit trail is determined for a user not accessing a resource in a give access type by reducing the current said data.
Still more specifically, the reduction is done as a multiplication of said data by a fractional constant.
Still another aspect of the disclosed teachings include computer program products that include computer readable media with instructions, the instructions being capable of enabling a computer to implement the above methods, The above summaries are merely meant to provide a guidance for a better understanding of the disclosed teachings and are not intended to be limiting the scope of the claims in any manner.
III. Brief Description of the Drawings
The disclosed teachings and techniques are described in more details using embodiments thereof with reference to the attached drawings in which:
FIG. 1 - is a block diagram illustrating an architecture used in conjunction with the present invention. FIG. 2 - is an exemplary block diagram of an access analyzer.
FIG. 3 - is an exemplary block diagram of a hierarchy generator. FIG. 4 - is an exemplary access matrix indicating users' accesses to a resource.
FIG. 5 - is an exemplary hierarchical clustering example. FIG. 6 - is an exemplary clustering machine using a pairwise clustering unit.
FIG. 7 - is an exemplary similarity matrix. FIG. 8 - is an exemplary block diagram of a permission levels generator.
IV. Detailed Description of the Embodiments
FIG. 1 is a schematic illustration of a security system 10 in accordance with one embodiment that uses the disclosed teachings. This architecture is fully described in the co-pending US patent application filed on the same date herewith, entitled "An Adaptive System and Architecture for Access Control", and which is assigned to common assignee as the present application, and is hereby incorporated by reference in its entirety, for all it discloses. The architecture illustrated in FIG. 1 includes at least three elements: an agent 100, a control unit 110 and an access analyzer 120. Jhe relationship between the three elements are now described.
Agent 100 monitors access to. the resources. Such access to the resource is also called access attempt 108. Agent 100 provides a periodic historical information of access attempts to the access analyzer 120. Such periodic historical information is also known as event audit trail (EAT) 102. Further, agent 100 also provides alarms (104) to the control unit 120. Still further, if agent 100 functions as a guardian agent, it enforces access rights to system resources by permission or denial 106 of access to a system resource or resources in response to access attempt 108.
Access analyzer 120 analyses EAT 102, possibly using a first security policy 122. Access analyzer 120 responds, periodically, with a list of permission levels 134, to agent 100. Access analyzer 120 also provides statistical information 132 to control unit 110. Based on the permission levels received from access analyzer 120, and possibly using a second security policy 122' received from control unit 110, a guardian agent 100 is capable of enforcing the security control of the resources. The control is implemented by permitting, alerting, denying, or otherwise controlling access to at least one resource within the overall system.
Although only one guardian agent, access analyzer and control unit are shown in the embodiment described in FIG.l, the disclosed teaching also contemplates using any combination of one or more agents, one or more access analyzers and one or more control units.
The first security policy 122 and the second security policy 122' may be identical, and may resides in the control unit 110. The second security policy 122' may be provided to agent 100 through access analyzer 120. The disclosed teachings include using techniques in unsupervised learning for learning an access control policy; from the access history of users, for implementing access analyzer 120. The information is gathered by agent 100 as a sequence of access attempts 108. An access attempt may include, but not limited to, a user, a location, a resource, an access type and time. The user may be an identification of the user that initiated the access event. The location may be an Internet protocol (IP) address, console name, terminal identifier, and so on, from where an access attempt 108 is being made. The resource may be an identification of the resource that was accessed, or attempted to be accessed, by the user. The access type may be? the type of access attempt 108 that was made by the user. Examples of access types include read, write, execute, or others, and any combination thereof. The time may be the exact time when the access event took place and may include among others the time of day, day of the week, etc.
The information gathered by the agent 100 is provided periodically by it to access analyzer 120 as event audit trail 102. It should be clear to a skilled artisan that the information gathering could be easily extended to accommodate additional information to be used by the learning system.
FIG. 2 is a schematic block diagram of an embodiment of access analyzer 120 that uses the disclosed teachings. Access analyzer 120 includes a history machine (HM) 210, a history database (HDB) 220, a user hierarchy generator (UHG) 240, and a permission level generator (PLG) 230. HM 210 processes newly accepted event audit trail 102 and combines it with the history of event audit trail collected in the past that are stored in HDB 220. HM 210 outputs a weighted audit trail 250 to both UHG 240 and PLG 230. HM 210 further stores the newly accepted event audit trail 102 in HDB 220 for future use. The history is represented and collected as data d|jk. It relates to an activity of a user uι on a resource rj performing activity aj .
In one embodiment using the disclosed teachings, the history collection is continued and each dj regardless of the time at which it is collected has the same weight.
However, in an alternate embodiment a decay factor α is introduced. This decay factor ensures that the weight of an older dijk is reduced over time. Hence, HM 210 stores in HDB 220 the updated value of djjk that is calculated according to the following equation :
Figure imgf000016_0001
Where the superscript "0" denotes data for a current event audit trail and the superscript "1" denotes data for a historical event audit trail. The constant α is a value between 0 and 1 that denotes how fast the decay occurs. The higher the value of α, the higher the importance give to current values of dijk compared to the old value.
An alternate technique for implementing a weighted audit trail would be to introduce "charging" and "discharging" effects as follows: If a current audit trail contains, access of type ak to resource r3 by a user U| then: dsk = k +&(0k - dl )
Otherwise:
dyk = ϊkdyk where, β , ^ represent charging and discharging coefficients respectively for access type ak and
0 ≤ βk ≤ 1 and 0 ≤ γk ≤ 1, in a typical example βk - 0.5 and γk = 0.9 represents the maximum value for dlik. While in this embodiment a couple of specific techniques for handling the impact of historical are implemented, a skilled artisan will know that other approaches for implementing the decay of historical data may be used without deviating from the spirit of the disclosed teachings. All such decay techniques are believed to be within the scope of the disclosed teachings. The weighted audit trail 250, which is basically a reflection of each user's access patterns, is used by UHG 240 to generate the user hierarchy based on the user pattern of accesses to system resources. An exemplary implementation of UHG 240 using the disclosed teachings is described herein with reference to FIG. 3. The basic elements that are included in UHG 240 are integrator 310, - aggregator 320, clustering machine (CM) 330 and hierarchy accumulator 340. Integrator 310 operates on data ppints dU and integrates all the data points that correspond to a certain access type. While one example is provided in this disclosure, other structures of hierarchy, such as a hierarchy tree is also possible. A tree hierarchy differs from a clustering hierarchy, in the sense that in the tree hierarchy each node represents a split of clusters and further that the leaves are at different levels.
An access type may be, for example, a read access, a write access, and others as separate or combinations thereof. It should be noted that for the purpose of hierarchy identification the access types of the users can be integrated by performing, for example the following calculation :
dij = ∑μkdijk
*=1 where μk is the importance of a particular access type. For example, write may be more significant than read.
In the case where the weighted event audit trail is updated using a f
"charging" and "discharging" function, the integration is performed using the following equation:
Where the dg corresponds to the value of d for a cluster C and resource j, and the d values are normalized to the range between 0 and 1. .
It should be noted that instead of dijk another factor d i could be used where I represents a specific time slot. In such a case dijki would represent an activity of a user Uj on a resource r3 performing activity ak during a time slot. The equations for handling the impact of historical data and integration can be appropriately modified without undue experimentation by a skilled artisan.
Aggregator 320 accumulates the data corresponding to a user relating to the resources the user is attempting "to access. It further handles the feedback provided by CM 330. Such feedback necessitates the recalculation of the data as cluster assignments take place and lower level clusters are clustered into higher level clusters.
An example implementation for the operation of aggregator 320 is to average the data dij for all data belonging to all users of a specific cluster particular value of "i". Concept of a cluster is described subsequently in detail with reference to CM 330 and FIG.4.
In another implementation, a maximum value of all du corresponding to users of a specific cluster is chosen by the aggregator as an aggregate value of the data. A skilled artisan could without undue experimentation implement further examples of such aggregation functions without deviating from the spirit of the disclosed teachings.
The user access profiles are an output of aggregator 320 and may be organized as an access matrix correlating clusters of users to resources as in the exemplary matrix of Fig. 4. In this access matrix, the rows indicate the users and the columns indicate resources. The values in each i,j combination is related to the access attempts by a user "i" to a resource " ". This data can be used by CM 330 to define the way in which users u, should be clustered. As can be clearly seen by the feedback mechanism, the process is iterative. A feedback is provided to aggregator 320 allowing for a further higher level cluster assignment that factors in the feedback relative to the current clustering status. However, output of aggregator 320 may be organized in other structures, more specifically as a tree of resources, such as would be the case when handling files within a sequence of file folders.
CM 330 may cluster users ux through u5, in the example of Fig. 4, as described in FIG. 5. In a hypothetical scenario, CM could use a first lower level cluster assignment that clusters users Ui with u2 520, users u4 with Us 540, and leaves user u3 S3Q on its own. As the clustering process of CM 330 contains a feedback loop, the current lower level clustering assignment is fed back to aggregator 320 that updates the input matrix to CM 330. As a result of the new input, CM 330, may have a new upper level cluster assignment where lower level cluster 520 and lower level cluster 530 are further assigned to one upper level cluster 510, and cluster 540 is left on its own. In the next step round of clustering, upper level cluster 510 and cluster 540 are assigned one super level cluster 500. The super level 500 represents the case of all the users belonging to the system 10.
One exemplary implementation of CM 330 using the disclosed teachings is described in Fig. 6 where a similarity matrix generator (SMG) 610 is connected to a pairwise clustering generator (PCG) 620. In one embodiment of the CM 330 using the disclosed teachings a greedy pairwise clustering generator (GPCG) is used. A GPCG is the subject matter of a co-pending US patent application filed on the same date herewith, entitled "A System and Method for a Greedy Pairwise Clustering", and which is assigned to common assignee as the present invention, and is hereby incorporated by reference in its entirety, for all it discloses.
However, the PCG requires a similarity matrix as an input. Therefore, the output of aggregator 320 must be preprocessed in order to generate the f similarity matrix. The generation of the similarity matrix is performed by SMG
610 receiving the access profiles as its input. The similarity between two users ut and um can be determined in several ways. One possible way is to calculate the number of shared resources between Uι and um divided by the total number of occurrences for U/. This can be summarized in the following formula: com(u,,um) Sιm(ul ,«„,) = '
N
The matrix of FIG. 4 can be used in conjunction with the above-mentioned formula to generate the similarity matrix of Fig. 7. The results of the self- similarity, i.e., the similarity of ut to itself, is clearly "1". However, the similarity between two users shown in FIG.7, ut to u2, is calculated as follows. In this example, Resources R3 through R7, a total of five, are accessed by both Ui and u2. User ut alone, however, accesses a total of seven of the resources, namely resources Ri through R7. The ratio between the commonly used resources five, and that individually used by uif seven, determines the similarity between t/j and u2, which is 5/7 (0.714). Similarly, the similarity of u2 to ut is calculated. Resources R3 through R7, a total of five, are accessed by both u2 and Ui. User u2, however, accesses a total of six of the resources, namely resources R3 through R7 as well as R9. The ratio between the commonly used resources, five, and the total accesses by u2r six, determines the similarity between u2 and Ui, which is 5/6 (0.833).
In an alternate embodiment using the disclosed teaching, similarity may be the result of the internal multiplication relative to ut and um divided by the norms for ui and um, as in the formula below:
Sim(u,,um) («ι # "»)
Ψι * K A skilled artisan can without undue experimentation use other ways of calculating similarity calculations for creating a similarity matrix without deviating from the spirit of the disclosed teachings. It should also be clear that instead of a similarity matrix, a dissimilarity matrix, representing the dissimilarity between two users, may be used. If a dissimilarity matrix is to be used, a minimum rather then maximum scores will be used by PCG 620 to determine the clustering assignment.
Permission levels 134 are generated by PLG 230 based upon at least weighted audit trail 250 and user hierarchy 260. In an alternate embodiment using the disclosed teachings security policy 122 is also an input to PLG 230. PLG 230, as shown in FIG.8, includes a weighted hierarchical activity calculator (WHAC) 810 and a permission level calculator (PLC) 820. The number of permission levels may be determined by a user or administrator of system 10, depending on the level of granularity and control necessary to be achieved, and is designated as NPL.
WHAC calculates the activity type ak on a resource η for all the users of the system. Naturally, the activity will range from a very low activity ak of some users on a resource η, to a very high activity a on a resource η, of other users. It is important that users sharing a cluster, whether within the same cluster, or through the hierarchy of clusters, may also get a permission to use certain resources. To ensure this, a weighted value resulting from the access of a user or a cluster of users to a resource, is also provided to other users sharing the cluster. In other words, an access by a user to a resource will result in a certain weight given to such access attem t to all other users that have a relationship with that user. Such a relationship could be by being in the same cluster or through the hierarchy of clusters. Th"e weighted contribution of the relationship reduces relative to the distance of the relationship..
The concept of generating a weighted user profile is described herein. Recall that dij is related to the activity of user ui with resource . A weighted number d'u is calculated in which all clusters that contains the user (at all different levels of the hierarchy) wilfhave an influence.
To decide what is contributed from a cluster C that contains Uj all the activities related to the members of the cluster need to be aggregated. Depending on the way the raw data is collected, different mechanisms may be chosen. A mechanism similar to the one used in aggregator (before finding the next level of the hierarchy) could be used. Also, when weighting the influence of a cluster, one may take into account only the new members of the cluster. It should be noted that the newer members of the cluster correspond to those that are not members of the clusters that contain Ui at lower levels of the hierarchy. This will ensure that every user will exercise influence only once.
Finally, the influence of a cluster C on d"tJ is weighted according to the level of C in the hierarchy, where the cluster that immediately contains Uj is at level 1, the cluster that immediately contains this cluster is at level 2, and so forth. Since a logarithmic scale is used to analyze the weighted profiles, a reasonable choice for the weight of the cluster c at level i should exponentially
decrease with i, e.g. V
/ -
As described in the application, to generate the permission levels, the weighted profiles d'ij are used rather than the profiles dfj themselves.
A logarithmic scale is proposed to measure activity ak on resource /). Such a scale is suggested due to the significant range of activity levels between users. Hence, a user may access his own files very frequently, while other users may not access it at all. The logarithmic range is then divided by NPL, creating NPL levels. A user ut having an activity level ak, on resource rjr will fall within one of the levels, designated as /. The adaptive permission level Ljjk, which is the permission level for a user ut- to access a resource η for the purpose of an access a l is calculated as follows:
L = ^L-
In the alternate embodiment where security policy 122 is also used as an input, an access attempt 108 may be defined as: a) having an access permission regardless of the results of the access analyzer 120; or b) having no access permission regardless of the results of the access analyzer 120; or c) being an adaptive rule, the permission level is dependent on the results of access analyzer 120. Therefore the values for Lijk may be "1", "0", or the results of the formula above, respectively.
It should be noted that a user may receive a permission level other then zero to access a resource, even if the resource was never used by this user. Such a situation arises if another user in his cluster, or a joined cluster of a higher level, has accessed that resource. A way of implementing this feature by WHAC 810 is by assigning a decreasing resource access weight along the hierarchy to clusters of a user who used a certain resource. Assume that the contribution of a cluster to a user is derived from the maximal access value of users within the cluster. Referring to Fig. 5, assume further that a user Ui accessed rif which no other user has accessed.. Notwithstanding, each user will still receive a contribution of that access based on its cluster proximity. Hence, cluster 520 will have a weight of, for example, 0.5, cluster 510 a weight of 0.25, and cluster 500 a weight of 0.125. Therefore, user Ut will have an overall access weight of 1+0.5+0.25+0.125=1.875, while user u2 will have an access weight of 0.5+0.25+0.125=0.875. User u3 will have an access weight of 0.25+0.125=0.375, while users u4 and u5 will have an access weight of 0.125 only.
If a four level permission system - with permissions of "1", "0.75", "0.5", and "0.25" is used - then Ui may have a permission level of "1", u a permission level of "0.75", u3 a permission level of "0.5", while u4 and u5 will have a permission level of "0.25" each. In conjunction with the threshold values defined in security policy 122, an agent 100 operating as a guardian agent may permit or deny certain access attempts. For example, if the threshold for an access to resource rt is defined at a level of "0.6" only users u and u2 will be allowed to access this resource.
The purpose of access analyzer 120 is to deduce from event audit trail 102 a number in the range from 0 tol^to be assigned to each potential access attempt 108. The number assigned to a potential access event (u, r, a, t), where "u" denotes a user(s), "r" denotes a resource(s), "a" denotes an access attempt(s), and "t" denotes a time(s), can be interpreted as the probability that a user u should be permitted to make an access of type "a" to a resource "r" at a time "t". A person skilled in the art would be able to add parameters to the definition of a potential event. In one embodiment of this invention, the parameter "!", denoting a location(s) may be used. The higher this probability, the more confident system 10 is that access attempt 108 should be permitted. By allowing system 10 to autonomously learn the characteristics of access attempts 108, the system administrators are freed from the need to manually maintain security policy 122 of a complex enterprise wide system, as would otherwise be required in conventional systems.
Further, as users are grouped into clusters with similar access patterns, access analyzer 120 provides a generalization mechanism from access attempts made by individual users to access attempts made by clusters of users. In other words, a user may get permissions to resources he has never accessed in the past provided that there is strong evidence in the hierarchy data that his cluster should get permission to access that resource. This generally happens when other members of the cluster have accessed that resource in the past. Using this mechanism, the accesses made by a user may influence the permissions assigned not only to each member of his basic cluster, but also influence the permissions assigned to members of clusters at higher levels.
Furthermore, using the method described hereinabove, a hierarchy of clusters was produced, in other words several levels of clusters. The most general cluster, the cluster at the top of the hierarchy includes all the users, that may be used to allow the most liberal access to resources of system 10. The bottommost level has every user in a different cluster. In between there are several levels of partitions of users into clusters, wherein each cluster assignment is a refinement of the previous cluster assignment. A person skilled in the art could easily adapt this invention for use in other fields other the access control. One specific use is to learn the informal hierarchy of an organization and its temporal dynamics.
It should be clear to a skilled artisan that the disclosed teaching can be implemented using hardware, software or a combination thereof. It can also be implemented using any type of computer including PCs, workstations and mainframes. The disclosed teaching also includes computer program products that includes a computer readable medium with instructions. These instructions can include, but not limited to, source code, object code and executable code and can be in any higher level language, assembly language and machine language. The computer readable medium is not restricted to any particular type of medium but can include, but not limited to, RAMS, ROMs, hard disks, floppies, tapes and internet downloads.
Other modifications and variations to the disclosed teachings will be apparent to those skilled in the art from the foregoing disclosure and teachings. Thus, while only certain embodiments using the disclosed teachings have been specifically described herein, it will be apparent that numerous modifications may be made thereto without departing from the spirit and scope of the disclosed teachings.

Claims

What is claimed is:
1. A system with controlled user access, the system comprising : an access analyzer subsystem; and a user control subsystem; the access analyzer subsystem further including: a history machine capable of processing new and historical data related to access attempts; a history database for storing said new and historical data; a hierarchy generator connected to said history machine for generating a hierarchy related to said historical data; a permission level generator connected to said history machine and said hierarchy generator adapted to generate permissions for accessing said user subsystem based on said hierarchy, and the user control subsystem further including : an agent adapted to provide an event audit trail to said access analyzer subsystem and receive a permission level from said access analyzer subsystem; and a control unit adapted to provide a security policy to said access analyzer subsystem and receive a statistical information from said access analyzer subsystem.
2. The system of claim 1, wherein said agent is a guardian agent further adapted for at least allowing access to a resource in response to an access attempt, the allowing being based on at least said permission level.
3. The system of claim 1, wherein said agent is a guardian agent further adapted for at least denying access to a resource in response to an access attempt, the denying being based on at least said permission level.
4. The system of claim 1, wherein said agent is a guardian agent further adapted for at least sending an alarm to said control unit in f response to an access attempt, the sending being based on at least said permission level.
5. The system of claim 1, wherein said control unit is further adapted for generating reports based on at least said statistical information.
6. The system of claim 1, wherein said control unit is further capable of generating reports based on at least said alarms.
7. A system for tracking access attempts, the system comprising: a history machine adapted to process new and historical data related to said events; a history database adapted to store said new and historical data; and a hierarchy generator connected to said history machine adapted to generate a hierarchy related to said new and historical data.
8. The system of claim 7, further including: a permission level generator connected to said history machine and said hierarchy generator, said permission level generator being adapted to generate permissions for accessing system resources based at least on said hierarchy.
9. The system of claim 8, wherein said permission level generator comprises a weighted hierarchy activity calculator connected to a permission level calculator.
10. The system of claim 9, wherein said weighted hierarchy activity calculator receives at least a weighted audit trail and a user hierarchy.
11. The system of claim 9, wherein said permission level calculator generates permission levels based on at least an input provided from said weighted hierarchy activity calculator.
12. The system of claim 11, wherein said permission levels are based further on a security policy.
13. The system of claim 7, wherein said history machine generates a weighted audit trail based on event audit trail and history information provided by said history database.
14. The system of claim 13, wherein a decay factor is applied to historical data prior to storing in said history database.
15. The system of claim 13, wherein said weighted audit trail is determined for a user accessing a resource in a give access type accounting for all accesses of the same type in a decreasing value.
16. The system of claim 15, wherein a maximum value for said data is provided.
17. The system of claim 13, wherein said weighted audit trail is determined for a user not accessing a resource in a give access type by reducing the current said data.
18. The system of claim 17, wherein said reduction is done as a multiplication of said data by a fractional constant.
19 The system of claim 7, wherein said user hierarchy generator further ncludes: an integrator; an aggregator connected to said integrator and further connected to a clustering machine; and a clustering machine connected to said aggregator; a hierarchy accumulator connected to said clustering machine.
20. The system of claim 19, wherein said integrator receives a weighted audit trail.
21. The system of claim 20, wherein said integrator calculates a sum total of all accesses of a specific access type made by a user, said access being done to a specific resource.
22. The system of claim 19, wherein said aggregator calculates a sum total of all accesses of a specific access type made by all users in a cluster, said access being done to a specific resource.
23. The system of claim 19, wherein said aggregator calculates the contribution of all users within β cluster to access to a resource as the difference between the maximum value for such user access to said resource and the multiplication of all values relative to normalized individual accesses of said user to said resource multiplied by said maximum value.
24. The system of claim 23, wherein said value relative to individual accesses is calculated as subtracting the value of said individual access from one.
25. The system of claim 19, -wherein said aggregator outputs access information for every access type.
26. The system of claim 25, wherein said access information comprises a matrix of rows and columns, said rows representing users and said columns representing resources, said matrix storing data related to the access of said users to said resources.
27. The system of claim 19, wherein said clustering machine outputs a preferred clustering assignment.
28. The system of claim 27, wherein said clustering machine implements a pairwise clustering algorithm.
29. The system of claim 28, wherein said pairwise clustering algorithm is a greedy pairwise clustering algorithm.
30. The system of claim 19, wherein said clustering machine comprises: a similarity matrix generator; and a pairwise clustering generator.
31. The system of claim 30, wherein said similarity matrix generator is adapted to determine a commonality between access profiles of a first user and a second user to a resource, said similarity matrix generator is further adapted to determine a first similarity between said first user and said second user, said first similarity being a result of dividing said commonality by the access attempts made by said first user and said similarity matrix generator being further adapted to determine a second similarity between said second user and said first, said second similarity being a result of dividing said commonality by the access attempts made by said second user.
32. The system of claim 30, wherein said similarity matrix generator is adapted to calculate an internal multiplication of user access profiles between a first user and a second user, said similarity matrix generator being further adapted to divide the internal multiplication result by a norm of user access profiles made by said first user multiplied by the norm of access attempts made by said second user.
33. A method for determining a hierarchy of users of a system, said method comprising:
(a) collecting a weighted audit trail related to access attempts by users to resources belonging to the system;
(b) integrating all access attempts of each of a multiple types of access attempts to a given resource by each of said users;
(c) aggregating user data in accordance with preferred clustering assignments;
(d) merging clusters into higher levels clusters, wherein each higher level cluster clusters one or more clusters in an immediate lower level cluster to form a cluster hierarchy; and
(e) repeating step (d) until all clusters are merged into one cluster.
34. The method of claim 33, wherein the steps are repeated periodically to create a temporal hierarchy representation.
35. The method of claim 33, wherein said aggregation is performed by averaging access data to a resource by all users belonging to a specific cluster.
36. The method of claim 33, wherein said aggregation is performed by determining the maximum value for access data corresponding to one of all users belonging to a specific cluster.
37. The method of claim 33, wherein said aggregator calculates the contribution of all users within a cluster to access to a resource as the difference between the maximum value for such user access to said resource and the multiplication of all values relative to individual accesses of said user to said resource multiplied by said maximum value.
38. The method of claim 33, wherein said clustering is performed using a pairwise clustering algorithm.
39. The method of claim 38, wherein said pairwise clustering algorithm is a greedy pairwise clustering algorithm.
40. The method of claim 33, wherein historical data is subjected to a decay.
41. The method of claim 33, wherein said weighted audit trail is determined for a user accessing a resource in a give access type accounting for all accesses of the same type in a decreasing value.
42. The method of claim 41, wherein a maximum value for said data is provided.
43. The method of claim 33, wherein said weighted audit trail is determined for a user not accessing a resource in a give access type by reducing the current said data. .
44. The method of claim 43, wherein said reduction is done as a multiplication of said data by a fractional constant.
45. A method for determining permission levels for accessing a system, said method comprising :
(a) collecting data related to access attempts by users to resources belonging to the system;
(b) clustering users into a user hierarchy;
(c) generating permission levels based on at least said data and said user hierarchy.
46. The method of claim 45, wherein the process is repeated periodically.
47. The method of claim 45, wherein said classifying users into a user hierarchy is performed by a subprocess comprising:
(b)(1) integrating all access attempts of each of a multiple types of access attempts to a given resource by each of said users; (b)(2) aggregating user data in accordance with preferred clustering assignment;
(b)(3) merging clusters into higher levels clusters, wherein each higher level cluster clusters one or more clusters in an immediate lower level cluster to form a cluster hierarchy; and (b)(4) repeating step (b)(3) until all users are merged into one cluster.
48. The method of claim 47, wherein said aggregation is performed by averaging access data to a resource by all users belonging to a specific cluster.
49. The method of claim 47, wherein said aggregation is performed by determining the maximum value for access data corresponding to one of all users belonging to a specific cluster.
50. The method of claim 47, wherein said aggregator calculates the contribution of all users within a cluster to access to a resource as the difference between the maximum value for such user access to said resource and the multiplication of all values relative to normalized individual accesses of said user to said resource multiplied by said maximum value.
51. The method of claim 50, wherein said value relative to individual accesses is calculated as subtracting the value of said individual access from one.
52. The method of claim 47 . wherein said clustering is performed using a pairwise clustering algorithm.
53. The method of claim 52, wherein said pairwise clustering algorithm is a greedy pairwise clustering algorithm.
54. The method of claim 45, wherein said generation of permission levels is performed using a subprocess comprising:
(c)(1) giving each of said users a weighted access profile to a resource based on said data and said user hierarchy;
(c)(2) determining a range of said weighted access profile to said resource and dividing it into a predetermined number of levels; and
(c)(3) assigning for each of said -users, a permission level based on which of said predetermined levels said each of said users corresponds to.
55. The method of claim 54, wherein said range of said weighted access attempts is scaled to a logarithmic scale.
56. The method of claim 45, wherein historical data is subjected to a decay factor.
57. The method of claim 45, wherein said weighted audit trail is determined for a user accessing -a resource in a give access type accounting for ail accesses of the same type in a decreasing value.
58. The method of claim 57, wherein a maximum value for said data is provided.
59. The system of claim 45, wherein said weighted audit trail is determined for a user not accessing a resource in a give access type by reducing the current said data.
60. The method of claim 59, wherein said reduction is done as a multiplication of said data by a fractional constant.
61. A computer program product determining a hierarchy of users of a system, said program product comprising a computer-readable medium, said medium comprising instructions that enable a computer to implement a process, said process comprising:
(a) collecting data related to access attempts by users to resources belonging to the system;
(b) integrating all access attempts of each of a multiple types of access attempts to a given resource by each of said users;
(c) aggregating user data in accordance with preferred clustering assignments;
(d) merging clusters into higher levels clusters, wherein each higher level cluster clusters one or more clusters in an immediate lower level cluster to form a cluster hierarchy; and
(e) repeating step (d) until all clusters are merged into one cluster.
62. The computer program product of claim 61, wherein the process is repeated periodically for the purpose of determining a temporal hierarchy.
63. The computer program product of claim 61, wherein the output of step (d) represents an output related to a specific hierarchy level.
64. The computer program product of claim 61, wherein said aggregation is performed by averaging access data to a resource by all users belonging to a specific cluster.
65. The computer program product of claim 61, wherein said aggregation is performed by determining the maximum value for access data corresponding to one of all users belonging to a specific cluster
66. The computer program product of claim 61, wherein said aggregator calculates the contribution of all users within a cluster to access to a resource as the difference between the maximum value for such user access to said resource and the multiplication of all values relative to individual accesses of said user to said resource multiplied by said maximum value.
67. The computer program product of claim 66, wherein said value relative to individual accesses is calculated as subtracting the value of said individual access from one.
68. The computer program product of claim 61, wherein said clustering is performed using a pairwise clustering algorithm.
69. The computer program product of claim 68, wherein said pairwise clustering algorithm is a greedy pairwise clustering algorithm.
70. The computer program product of claim 61, wherein historical data is subjected to a decay.
71. The computer program product of claim 61, wherein said weighted audit trail is determined for a user accessing a resource in a give access type accounting for all accesses of the same type in a decreasing value.
72. The computer program product of claim 71, wherein a maximum value for said data is provided.
73. The computer program product of claim 61, wherein said weighted audit trail is determined for a user not accessing a resource in a give access type by reducing the current said data.
74. The computer program product of claim 73, wherein said reduction is done as a multiplication of said data by a fractional constant.
75. A computer program product for determining permission levels for accessing a system, said program product comprising a computer- readable medium, said medium comprising instructions that enable a computer to implement a process, said process comprising:
(a) collecting data related to access attempts by users to resources belonging to the system;
(b) clustering users into a user hierarchy;
(c) generating permission levels based on at least said data and said user hierarchy.
76. The computer program product of claim 75, wherein the process is repeated periodically for the purpose of updating said permission levels.
77. The computer program product of claim 75, wherein said classifying users into a user hierarchy is performed by a subprocess comprising: (b)(1) integrating all access attempts of each of a multiple types of access attempts to a given resource by each of said users;
(b)(2) aggregating user data in accordance with preferred clustering assignment;
(b)(3) merging clusters into higher levels cluster, wherein each higher level cluster clusters one or more clusters in an immediate lower level cluster to form a cluster hierarchy; and (b)(4) repeating step (b)(3) until all users are merged into one cluster.
78. The computer program product of claim 77, wherein said aggregation is performed by averaging access data to a resource by all users belonging to a specific cluster.
79. The computer program product of claim 77, wherein said aggregation is performed by determining the maximum value for access data corresponding to one of all users belonging to a specific cluster.
80. The computer program product of claim 77, wherein said aggregator calculates the contribution of all users within a cluster to access to a resource as the difference between the maximum value for such user access to said resource and the multiplication of all values relative to individual accesses of said user to said resource multiplied by said maximum value.
81. The computer program product of claim 80, wherein said value relative to individual accesses is calculated as subtracting the value of said individual access from one.
82. The computer program product of claim 77, wherein said clustering is performed using a pairwise clustering algorithm.
83. The computer program product of claim 82, wherein said pairwise clustering algorithm is a greedy pairwise clustering algorithm.
84. The computer program product of claim 75, wherein said generation of permission levels is performed using a subprocess comprising : (c)(1) giving each of said users a weighted access profile to a resource based on said data and said user hierarchy;
(c)(2) determining a range of said weighted access profile to said resource and dividing it into a predetermined number of levels; and (c)(3) assigning for each of said users, a permission level based on which of said predetermined levels said each of said users corresponds to.
85. The computer program product of claim 84, wherein said range of said weighted access attempts is scaled to a logarithmic scale.
86. The computer program product of claim 75, wherein historical data is subjected to a decay factor.
87. The computer program product of claim 75, wherein said weighted audit trail is determined for a user accessing a resource in a give access type accounting for all accesses of the same type in a decreasing value.
88. The computer program product of claim 87, wherein a maximum value for said data is provided.
89. The computer program product of claim 75, wherein said weighted audit trail is determined for a user not accessing a resource in a give access type by reducing the current said data.
90. The method of claim 89, wherein said reducing is performed as a multiplication of said data by a fractional constant.
91. The method of claim 37, wherein said value relative to individual access is calculated by subtracting the value of said individual access from one.
92. The system of claim 23 wherein the maximum value is a normalized maximum value.
93. The method of claim 50 wherein the maximum value is a normalized maximum value.
PCT/IB2001/001923 2000-08-18 2001-08-20 Permission level generation based on adaptive learning WO2002014989A2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2001294110A AU2001294110A1 (en) 2000-08-18 2001-08-20 Permission level generation based on adaptive learning

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US22612800P 2000-08-18 2000-08-18
US60/226,128 2000-08-18
US25957501P 2001-01-04 2001-01-04
US60/259,575 2001-01-04

Publications (2)

Publication Number Publication Date
WO2002014989A2 true WO2002014989A2 (en) 2002-02-21
WO2002014989A8 WO2002014989A8 (en) 2003-03-06

Family

ID=26920229

Family Applications (4)

Application Number Title Priority Date Filing Date
PCT/IB2001/001892 WO2002015122A2 (en) 2000-08-18 2001-08-20 A system and method for a greedy pairwise clustering
PCT/IB2001/001877 WO2002014988A2 (en) 2000-08-18 2001-08-20 A method and an apparatus for a security policy
PCT/IB2001/001923 WO2002014989A2 (en) 2000-08-18 2001-08-20 Permission level generation based on adaptive learning
PCT/IB2001/001876 WO2002014987A2 (en) 2000-08-18 2001-08-20 An adaptive system and architecture for access control

Family Applications Before (2)

Application Number Title Priority Date Filing Date
PCT/IB2001/001892 WO2002015122A2 (en) 2000-08-18 2001-08-20 A system and method for a greedy pairwise clustering
PCT/IB2001/001877 WO2002014988A2 (en) 2000-08-18 2001-08-20 A method and an apparatus for a security policy

Family Applications After (1)

Application Number Title Priority Date Filing Date
PCT/IB2001/001876 WO2002014987A2 (en) 2000-08-18 2001-08-20 An adaptive system and architecture for access control

Country Status (2)

Country Link
AU (4) AU2001294084A1 (en)
WO (4) WO2002015122A2 (en)

Cited By (26)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
SG98496A1 (en) * 2001-10-30 2003-09-19 Asgent Inc Method for ascertaining the status of information system, and apparatus to be used with the method
EP1376981A3 (en) * 2002-06-28 2004-06-30 Microsoft Corporation Parental controls customization and notification
WO2006074294A2 (en) 2005-01-07 2006-07-13 Cisco Technology, Inc. Methods and apparatus providing security to computer systems and networks
WO2007111660A3 (en) * 2005-12-13 2008-06-19 Interdigital Tech Corp Method and system for protecting user data in a node
US7907934B2 (en) 2004-04-27 2011-03-15 Nokia Corporation Method and system for providing security in proximity and Ad-Hoc networks
US8255995B2 (en) 2005-12-16 2012-08-28 Cisco Technology, Inc. Methods and apparatus providing computer and network security utilizing probabilistic policy reposturing
EP2378458A4 (en) * 2009-02-10 2013-01-09 Nec Corp Policy management device, policy management system, and method and program used therefor
US8413245B2 (en) 2005-12-16 2013-04-02 Cisco Technology, Inc. Methods and apparatus providing computer and network security for polymorphic attacks
US8495743B2 (en) 2005-12-16 2013-07-23 Cisco Technology, Inc. Methods and apparatus providing automatic signature generation and enforcement
US8713056B1 (en) * 2011-03-30 2014-04-29 Open Text S.A. System, method and computer program product for efficient caching of hierarchical items
CN104125335A (en) * 2014-06-24 2014-10-29 小米科技有限责任公司 Method, device and system for managing authority
GB2514454A (en) * 2013-03-14 2014-11-26 Appsense Ltd Secure data management
US9215251B2 (en) 2013-09-11 2015-12-15 Appsense Limited Apparatus, systems, and methods for managing data security
US9286469B2 (en) 2005-12-16 2016-03-15 Cisco Technology, Inc. Methods and apparatus providing computer and network security utilizing probabilistic signature generation
US9355261B2 (en) 2013-03-14 2016-05-31 Appsense Limited Secure data management
EP3099024A4 (en) * 2014-03-19 2017-07-05 Nippon Telegraph and Telephone Corporation Analysis rule adjustment device, analysis rule adjustment system, analysis rule adjustment method, and analysis rule adjustment program
US9787685B2 (en) 2014-06-24 2017-10-10 Xiaomi Inc. Methods, devices and systems for managing authority
EP3422240A1 (en) * 2017-06-30 2019-01-02 Sap Se Improving the security of a computer system
WO2019005400A1 (en) * 2017-06-29 2019-01-03 Microsoft Technology Licensing, Llc Access control manager configuration based on log files mining
US10891816B2 (en) 2017-03-01 2021-01-12 Carrier Corporation Spatio-temporal topology learning for detection of suspicious access behavior
WO2021071539A1 (en) * 2020-01-15 2021-04-15 Futurewei Technologies, Inc. Secure and accountable data access
US11373472B2 (en) 2017-03-01 2022-06-28 Carrier Corporation Compact encoding of static permissions for real-time access control
US11687810B2 (en) 2017-03-01 2023-06-27 Carrier Corporation Access control request manager based on learning profile-based access pathways
WO2023170635A3 (en) * 2022-03-10 2023-10-19 Orca Security LTD. System and methods for a machine-learning adaptive permission reduction engine
EP4073702A4 (en) * 2019-12-09 2023-12-20 JPMorgan Chase Bank, N.A. Method and apparatus for implementing a role-based access control clustering machine learning model execution module
GB2637148A (en) * 2024-01-10 2025-07-16 Ibm User access group discovery

Families Citing this family (35)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003063449A1 (en) * 2002-01-18 2003-07-31 Metrowerks Corporation System and method for monitoring network security
EP1339199A1 (en) * 2002-02-22 2003-08-27 Hewlett-Packard Company Dynamic user authentication
WO2003075531A1 (en) * 2002-03-06 2003-09-12 Peregrine Systems, Inc. Method and system for a network management console
FR2838207B1 (en) * 2002-04-08 2006-06-23 France Telecom INFORMATION EXCHANGE SYSTEM WITH CONDITIONED ACCESS TO AN INFORMATION TRANSFER NETWORK
ATE540373T1 (en) * 2002-11-29 2012-01-15 Sap Ag METHOD AND COMPUTER SYSTEM FOR PROTECTING ELECTRONIC DOCUMENTS
CN1417690A (en) * 2002-12-03 2003-05-14 南京金鹰国际集团软件系统有限公司 Application process audit platform system based on members
US10110632B2 (en) 2003-03-31 2018-10-23 Intel Corporation Methods and systems for managing security policies
US9118711B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9118709B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US20070113272A2 (en) 2003-07-01 2007-05-17 Securityprofiling, Inc. Real-time vulnerability monitoring
US9350752B2 (en) 2003-07-01 2016-05-24 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US8266699B2 (en) 2003-07-01 2012-09-11 SecurityProfiling Inc. Multiple-path remediation
US8984644B2 (en) 2003-07-01 2015-03-17 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9100431B2 (en) 2003-07-01 2015-08-04 Securityprofiling, Llc Computer program product and apparatus for multi-path remediation
US9118710B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc System, method, and computer program product for reporting an occurrence in different manners
US9118708B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Multi-path remediation
EP1510904B1 (en) * 2003-08-19 2008-12-31 France Telecom Method and system for evaluating the level of security of an electronic equipment and for providing conditional access to resources
DE10348729B4 (en) 2003-10-16 2022-06-15 Vodafone Holding Gmbh Setup and procedures for backing up protected data
FR2864657B1 (en) * 2003-12-24 2006-03-24 Trusted Logic METHOD FOR PARAMETRABLE SECURITY CONTROL OF COMPUTER SYSTEMS AND EMBEDDED SYSTEMS USING THE SAME
JP4643204B2 (en) 2004-08-25 2011-03-02 株式会社エヌ・ティ・ティ・ドコモ Server device
EP1811387A4 (en) * 2004-08-25 2016-04-13 Nec Corp Information communication device, and program execution environment control method
US7193872B2 (en) 2005-01-28 2007-03-20 Kasemsan Siri Solar array inverter with maximum power tracking
US7661111B2 (en) 2005-10-13 2010-02-09 Inernational Business Machines Corporation Method for assuring event record integrity
US8326296B1 (en) 2006-07-12 2012-12-04 At&T Intellectual Property I, L.P. Pico-cell extension for cellular network
CN101350052B (en) 2007-10-15 2010-11-03 北京瑞星信息技术有限公司 Method and apparatus for discovering malignancy of computer program
CN101350054B (en) 2007-10-15 2011-05-25 北京瑞星信息技术有限公司 Method and apparatus for automatically protecting computer noxious program
US8626223B2 (en) 2008-05-07 2014-01-07 At&T Mobility Ii Llc Femto cell signaling gating
US8719420B2 (en) 2008-05-13 2014-05-06 At&T Mobility Ii Llc Administration of access lists for femtocell service
US8863235B2 (en) 2008-05-13 2014-10-14 At&T Mobility Ii Llc Time-dependent white list generation
US20100041365A1 (en) 2008-06-12 2010-02-18 At&T Mobility Ii Llc Mediation, rating, and billing associated with a femtocell service framework
US8510801B2 (en) 2009-10-15 2013-08-13 At&T Intellectual Property I, L.P. Management of access to service in an access point
US10225249B2 (en) * 2012-03-26 2019-03-05 Greyheller, Llc Preventing unauthorized access to an application server
US10229222B2 (en) 2012-03-26 2019-03-12 Greyheller, Llc Dynamically optimized content display
CN106778314A (en) * 2017-03-01 2017-05-31 全球能源互联网研究院 A kind of distributed difference method for secret protection based on k means
US11115421B2 (en) 2019-06-26 2021-09-07 Accenture Global Solutions Limited Security monitoring platform for managing access rights associated with cloud applications

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6049797A (en) * 1998-04-07 2000-04-11 Lucent Technologies, Inc. Method, apparatus and programmed medium for clustering databases with categorical attributes

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
No Search *

Cited By (39)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
SG98496A1 (en) * 2001-10-30 2003-09-19 Asgent Inc Method for ascertaining the status of information system, and apparatus to be used with the method
EP1376981A3 (en) * 2002-06-28 2004-06-30 Microsoft Corporation Parental controls customization and notification
US7302488B2 (en) 2002-06-28 2007-11-27 Microsoft Corporation Parental controls customization and notification
US7907934B2 (en) 2004-04-27 2011-03-15 Nokia Corporation Method and system for providing security in proximity and Ad-Hoc networks
EP1834439A4 (en) * 2005-01-07 2011-07-27 Cisco Tech Inc METHODS AND APPARATUSES FOR SECURITY IN NETWORKS AND COMPUTER SYSTEMS
WO2006074294A2 (en) 2005-01-07 2006-07-13 Cisco Technology, Inc. Methods and apparatus providing security to computer systems and networks
WO2007111660A3 (en) * 2005-12-13 2008-06-19 Interdigital Tech Corp Method and system for protecting user data in a node
US9148442B2 (en) 2005-12-16 2015-09-29 Cisco Technology, Inc. Methods and apparatus providing automatic signature generation and enforcement
US8255995B2 (en) 2005-12-16 2012-08-28 Cisco Technology, Inc. Methods and apparatus providing computer and network security utilizing probabilistic policy reposturing
US8413245B2 (en) 2005-12-16 2013-04-02 Cisco Technology, Inc. Methods and apparatus providing computer and network security for polymorphic attacks
US8495743B2 (en) 2005-12-16 2013-07-23 Cisco Technology, Inc. Methods and apparatus providing automatic signature generation and enforcement
US9286469B2 (en) 2005-12-16 2016-03-15 Cisco Technology, Inc. Methods and apparatus providing computer and network security utilizing probabilistic signature generation
US8806650B2 (en) 2005-12-16 2014-08-12 Cisco Technology, Inc. Methods and apparatus providing automatic signature generation and enforcement
EP2378458A4 (en) * 2009-02-10 2013-01-09 Nec Corp Policy management device, policy management system, and method and program used therefor
US8875221B2 (en) 2009-02-10 2014-10-28 Nec Corporation Policy management apparatus, policy management system, and method and program used for the same
US9183241B2 (en) 2011-03-30 2015-11-10 Open Text S.A. System, method and computer program product for efficient caching of hierarchical items
US8713056B1 (en) * 2011-03-30 2014-04-29 Open Text S.A. System, method and computer program product for efficient caching of hierarchical items
US9674150B2 (en) 2011-03-30 2017-06-06 Open Text Sa Ulc System, method and computer program product for efficient caching of hierarchical items
GB2514454A (en) * 2013-03-14 2014-11-26 Appsense Ltd Secure data management
US8959657B2 (en) 2013-03-14 2015-02-17 Appsense Limited Secure data management
US9355261B2 (en) 2013-03-14 2016-05-31 Appsense Limited Secure data management
US9215251B2 (en) 2013-09-11 2015-12-15 Appsense Limited Apparatus, systems, and methods for managing data security
EP3099024A4 (en) * 2014-03-19 2017-07-05 Nippon Telegraph and Telephone Corporation Analysis rule adjustment device, analysis rule adjustment system, analysis rule adjustment method, and analysis rule adjustment program
US10104124B2 (en) 2014-03-19 2018-10-16 Nippon Telegraph And Telephone Corporation Analysis rule adjustment device, analysis rule adjustment system, analysis rule adjustment method, and analysis rule adjustment program
US9787685B2 (en) 2014-06-24 2017-10-10 Xiaomi Inc. Methods, devices and systems for managing authority
EP2960823A1 (en) * 2014-06-24 2015-12-30 Xiaomi Inc. Method, device and system for managing authority
CN104125335A (en) * 2014-06-24 2014-10-29 小米科技有限责任公司 Method, device and system for managing authority
CN104125335B (en) * 2014-06-24 2017-08-25 小米科技有限责任公司 Right management method, apparatus and system
US11373472B2 (en) 2017-03-01 2022-06-28 Carrier Corporation Compact encoding of static permissions for real-time access control
US11687810B2 (en) 2017-03-01 2023-06-27 Carrier Corporation Access control request manager based on learning profile-based access pathways
US10891816B2 (en) 2017-03-01 2021-01-12 Carrier Corporation Spatio-temporal topology learning for detection of suspicious access behavior
WO2019005400A1 (en) * 2017-06-29 2019-01-03 Microsoft Technology Licensing, Llc Access control manager configuration based on log files mining
US10764299B2 (en) 2017-06-29 2020-09-01 Microsoft Technology Licensing, Llc Access control manager
EP3422240A1 (en) * 2017-06-30 2019-01-02 Sap Se Improving the security of a computer system
US10831787B2 (en) 2017-06-30 2020-11-10 Sap Se Security of a computer system
EP4073702A4 (en) * 2019-12-09 2023-12-20 JPMorgan Chase Bank, N.A. Method and apparatus for implementing a role-based access control clustering machine learning model execution module
WO2021071539A1 (en) * 2020-01-15 2021-04-15 Futurewei Technologies, Inc. Secure and accountable data access
WO2023170635A3 (en) * 2022-03-10 2023-10-19 Orca Security LTD. System and methods for a machine-learning adaptive permission reduction engine
GB2637148A (en) * 2024-01-10 2025-07-16 Ibm User access group discovery

Also Published As

Publication number Publication date
WO2002014987A8 (en) 2003-09-04
AU2001294084A1 (en) 2002-02-25
WO2002014987A2 (en) 2002-02-21
AU2001294110A1 (en) 2002-02-25
WO2002015122A3 (en) 2003-12-04
AU2001294089A1 (en) 2002-02-25
WO2002014989A8 (en) 2003-03-06
AU2001294083A1 (en) 2002-02-25
WO2002014988A2 (en) 2002-02-21
WO2002015122A2 (en) 2002-02-21
WO2002014988A8 (en) 2003-04-24

Similar Documents

Publication Publication Date Title
WO2002014989A2 (en) Permission level generation based on adaptive learning
US10685109B2 (en) Elimination of false positives in antivirus records
US8341405B2 (en) Access management in an off-premise environment
Lunt Automated audit trail analysis and intrusion detection: A survey
US7594266B2 (en) Data security and intrusion detection
US7606801B2 (en) Automatic management of storage access control
US20050132215A1 (en) Dynamic delegation method and device using the same
US9148433B2 (en) Retrospective policy safety net
US7555645B2 (en) Reactive audit protection in the database (RAPID)
US20080104393A1 (en) Cloud-based access control list
US8126856B2 (en) File access management system
US10558810B2 (en) Device monitoring policy
Liu et al. Intrusion confinement by isolation in information systems
CN118643509B (en) Scenario-adaptive permission dynamic adjustment method and device based on trust evaluation
US20070091809A1 (en) Managed network resource sharing and optimization method and apparatus
CN116684123A (en) Dynamic trust evaluation method and device in micro-isolation cloud environment
CN114386025A (en) Abnormality detection method, abnormality detection device, electronic apparatus, and storage medium
Yan et al. Database audit workload prioritization via game theory
US7885976B2 (en) Identification, notification, and control of data access quantity and patterns
US12348547B2 (en) Supply chain attack detection
CN111917801A (en) Petri network-based user behavior authentication method in private cloud environment
EP4274160B1 (en) Machine learning based malware detection
CN109495474B (en) Dynamic access control method facing internal attack
US20240388505A1 (en) Intelligent auto-detection of anomalous web-based access requests
CN115587374A (en) Trust value-based dynamic access control method and control system thereof

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PH PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
D17 Declaration under article 17(2)a
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP