Authorization method and apparatus
US-2024388909-A1 · Nov 21, 2024 · US
US2016112397A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2016112397-A1 |
| Application number | US-201414515782-A |
| Country | US |
| Kind code | A1 |
| Filing date | Oct 16, 2014 |
| Priority date | Oct 16, 2014 |
| Publication date | Apr 21, 2016 |
| Grant date | — |
Official abstract text for this publication.
Methods for managing access to protected resources within a computing environment and detecting anomalies related to access control events are described. An access control system may acquire a request for access to a protected resource, identify a username associated with the request, acquire contextual information associated with the request for access (e.g., a time of day associated with a location of a device making the request), acquire a baseline set of rules for the username, detect a deviation from the baseline set of rules based on the contextual information, acquire additional authentication information in response to detecting the deviation, authorize access to the protected resource based on the additional authentication information, generate a record of the request for access including the contextual information, and update the baseline set of rules if an intrusion to the access control system has not been detected within a threshold period of time.
Opening claim text (preview).
What is claimed is:

1. A method for managing access to protected resources within a computing environment, comprising: receiving a request for access to a protected resource within the computing environment originating from a computing device, the request for access is associated with a username; acquiring a baseline set of rules for the username derived from previous access requests associated with the username, the baseline set of rules comprises a set of locations; acquiring contextual information corresponding with the request for access, the contextual information comprises a location of the computing device; detecting a deviation from the baseline set of rules based on the contextual information; acquiring additional authentication information in response to detecting the deviation; and authorizing access to the protected resource based on the additional authentication information.

2. The method of claim 1, wherein: the detecting a deviation comprises detecting that the location is different from any location of the set of locations.

3. The method of claim 1, wherein: the detecting a deviation comprises detecting that the location is more than a threshold distance away from any location of the set of locations.

4. The method of claim 1, wherein: the contextual information comprises an identification of an operating system used by the computing device; and the detecting a deviation comprises detecting that the operating system used by the computing device is different from any operating system specified in the baseline set of rules.

5. The method of claim 1, wherein: the contextual information comprises an identification of a web browser used for submitting the request for access; and the detecting a deviation comprises detecting that the web browser is different from any web browser specified in the baseline set of rules.

6. The method of claim 1, further comprising: detecting that the username has been authenticated using federated authentication, the acquiring contextual information corresponding with the request for access is performed in response to detecting that the username has been authenticated using federated authentication.

7. The method of claim 1, further comprising: updating the baseline set of rules with the location if an intrusion has not been detected within a threshold period of time subsequent to the authorizing access to the protected resource.

8. The method of claim 1, wherein: the acquiring additional authentication information comprises transmitting an authentication challenge request to the computing device and receiving a valid answer to the authentication challenge request from the computing device.

9. The method of claim 1, further comprising: generating the baseline set of rules by applying machine learning techniques to a training data set, the training data set comprises a first set of contextual information associated with the previous access requests associated with the username.

10. The method of claim 1, wherein: the acquiring contextual information comprises acquiring the location of the computing device from an HTTP header.

11. The method of claim 1, wherein: the protected resource comprises a database; and the request for access comprises a request to read data from the database.

12. An access control system, comprising: a storage device, the storage device stores a baseline set of rules associated with a username, the baseline set of rules comprises a set of locations; and a processor in communication with the storage device, the processor receives a request for access to a protected resource originating from a computing device, the request for access is associated with the username, the processor acquires contextual information corresponding with the request for access, the contextual information comprises a location of the computing device, the processor detects a deviation from the baseline set of rules based on the contextual information, the processor acquires additional authentication information in response to detecting the deviation, the processor authorizes access to the protected resource based on the additional authentication information.

13. The system of claim 12, wherein: the processor detects the deviation by detecting that the location is different from any location of the set of locations.

14. The system of claim 12, wherein: the processor detects the deviation by detecting that the location is more than a threshold distance away from any location of the set of locations.

15. The system of claim 12, wherein: the contextual information comprises an identification of an operating system used by the computing device, the processor detects the deviation by detecting that the operating system used by the computing device is different from any operating system specified in the baseline set of rules.

16. The system of claim 12, wherein: the contextual information comprises an identification of a web browser used for submitting the request for access, the processor detects the deviation by detecting that the web browser is different from any web browser specified in the baseline set of rules.

17. The system of claim 12, wherein: the processor detects that the username has been authenticated using federated authentication, the processor acquires the contextual information in response to detecting that the username has been authenticated using federated authentication.

18. The system of claim 12, wherein: the processor determines that an intrusion has not been detected within a threshold period of time subsequent to the processor authorizing access to the protected resource, the processor updates the baseline set of rules with the location in response to determining that the intrusion has not been detected within the threshold period of time subsequent to the processor authorizing access to the protected resource.

19. The system of claim 12, wherein: the processor determines the location of the computing device using information embedded within an HTTP header; the protected resource comprises a database; and the request for access comprises a request to read data from the database.

20. A computer program product, comprising: a computer readable storage medium having computer readable program code embodied therewith, the computer readable program code comprising: computer readable program code configured to receive a request for access to a protected resource originating from a computing device, the request for access is associated with a username; computer readable program code configured to acquire a baseline set of rules for the username derived from previous access requests associated with the username, the baseline set of rules comprises a set of locations; computer readable program code configured to acquire contextual information corresponding with the request for access, the contextual information comprises a location of the computing device; computer readable program code configured to detect a deviation from the baseline set of rules by detecting that the location is more than a threshold distance away from any location of the set of locations; computer readable program code configured to acquire authentication information in response to detecting the deviation; and computer readable program code configured to authorize access to the protected resource based on the authentication information.
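The claimed flow (claims 1, 3-5, 7 and 8) as an added Python sketch; this is illustration written for this page, not code from the patent or its assignee. The 100 km threshold distance, the 7-day quarantine period, the haversine distance function and the coordinates used in the comments are assumptions, and the step-up challenge is modelled as comparing a client-supplied answer against an expected one.

```python
import hmac
import math
from dataclasses import dataclass, field

@dataclass
class Baseline:
    """Baseline set of rules for one username (claims 1, 4, 5, 12)."""
    locations: list                               # known (lat, lon) pairs
    systems: set                                  # known operating systems
    browsers: set                                 # known web browsers
    pending: list = field(default_factory=list)   # (location, authorized_at) awaiting claim 7

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points; assumed metric."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def deviations(baseline, context, threshold_km=100.0):
    """Rules the request context violates (claims 3-5); threshold_km is an assumed value."""
    found = []
    if all(km_between(context["location"], loc) > threshold_km for loc in baseline.locations):
        found.append("location")
    if context["os"] not in baseline.systems:
        found.append("os")
    if context["browser"] not in baseline.browsers:
        found.append("browser")
    return found

def handle_request(baseline, username, context, now, challenge_answer=None, expected_answer=None):
    """Claim 1 flow: detect deviation, step up (claim 8), authorize, record. Returns (granted, record)."""
    devs = deviations(baseline, context)
    stepped_up = (challenge_answer is not None and expected_answer is not None
                  and hmac.compare_digest(challenge_answer, expected_answer))
    granted = not devs or stepped_up
    if granted and "location" in devs:
        baseline.pending.append((context["location"], now))   # candidate for claim 7 promotion
    record = {"username": username, "time": now, "deviations": devs, "granted": granted, **context}
    return granted, record

def settle_pending(baseline, now, intrusion_detected, quarantine_seconds=7 * 86400):
    """Claim 7: add a pending location to the baseline once the quarantine passes with no intrusion."""
    if intrusion_detected:
        baseline.pending.clear()          # a detected intrusion discards unconfirmed locations
        return 0
    ready = [loc for loc, at in baseline.pending if now - at >= quarantine_seconds]
    baseline.pending = [(loc, at) for loc, at in baseline.pending if now - at < quarantine_seconds]
    baseline.locations.extend(ready)
    return len(ready)
```

The record returned by handle_request carries the contextual information the abstract says should be logged, so a denied step-up and a later intrusion can be correlated before settle_pending promotes the new location.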
CPC classification titles:
- wherein the security policies are location-dependent, e.g. entities' privileges depend on current location or allowing specific operations only from locally connected terminals
- Rule management
- Multiple levels of security
- using passwords (cryptographic mechanisms or cryptographic arrangements for entity authentication using a predetermined code H04L9/3226)