Dynamic enterprise security control based on user risk factors
US-2016226911-A1 · Aug 4, 2016 · US
Systems and methods for dynamic access control over shared resources
US9807094B1 · US · B1
| Field | Value |
|---|---|
| Publication number | US-9807094-B1 |
| Application number | US-201514749676-A |
| Country | US |
| Kind code | B1 |
| Filing date | Jun 25, 2015 |
| Priority date | Jun 25, 2015 |
| Publication date | Oct 31, 2017 |
| Grant date | Oct 31, 2017 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
The disclosed computer-implemented method for dynamic access control over shared resources may include (1) detecting an attempt by a user to access a resource via a computing environment, (2) identifying a risk level of the user attempting to access the resource, (3) identifying a sensitivity level of the resource, (4) identifying a risk level of the computing environment through which the user is attempting to access the resource, (5) determining an overall risk level for the attempt to access the resource based at least in part on (A) the risk level of the user, (B) the sensitivity level of the resource, and (C) the risk level of the computing environment, and then (6) determining, based at least in part on the overall risk level, whether to grant the user access to the resource via the computing environment. Various other methods, systems, and computer-readable media are also disclosed.
First claim
Opening claim text (preview).
What is claimed is: 1. A computer-implemented method for dynamic access control over shared resources, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising: detecting an attempt by a user to access a resource via a computing environment; identifying a risk value that: represents a risk level of the user attempting to access the resource via the computing environment; and is based at least in part on a role type of the user; identifying a sensitivity value that represents a sensitivity level of the resource that the user is attempting to access via the computing environment; identifying a risk value that represents a risk level of the computing environment through which the user is attempting to access the resource; performing a case-by-case evaluation of the attempt to access the resource by calculating an overall risk score for the attempt to access the resource by summing up: the risk value that represents the risk level of the user; the sensitivity value that represents the sensitivity level of the resource; and the risk value that represents the risk level of the computing environment; dynamically computing a threshold based at least in part on a statistical distribution of a first class of all risk levels of users, a second class of all sensitivity levels of resources, and a third class of all risk levels of computing environments, wherein: the first class represents a first sum calculated by adding an average of all role specific risk values to a weighted standard deviation of all the role specific risk values; the second class represents a second sum calculated by adding an average of all resource specific sensitivity values to a weighted standard deviation of all the resource specific sensitivity values; and the third class represents a third sum calculated by adding an average of all environment specific risk values to a weighted standard deviation of all the environment specific risk values; determining whether the overall risk score for the attempt to access the resource satisfies the dynamically computed threshold; and determining, based at least in part on whether the overall risk score for the attempt to access the resource satisfies the dynamically computed threshold, whether to grant the user access to the resource via the computing environment. 2. The method of claim 1 , wherein the user comprises at least one of: a person operating a computing system; and a computing process running on a computing system. 3. The method of claim 1 , wherein the computing environment comprises at least one of: a specific type of network through which the user is attempting to access the resource; a specific type of computing system on which the user is attempting to access the resource; and a specific type of application by which the user is attempting to access the resource. 4. The method of claim 1 , wherein the resource comprises at least one of: a file; and a database. 5. The method of claim 1 , wherein: identifying the risk value that represents the risk level of the user attempting to access the resource comprises identifying a user-specific risk value that is further based at least in part on a behavior of the user. 6. The method of claim 5 , wherein: identifying the user-specific risk value comprises dynamically calculating the user-specific risk value using at least one machine learning technique; identifying the sensitivity value that represents the sensitivity level of the resource comprises dynamically calculating the sensitivity value using at least one machine learning technique; and identifying the risk value that represents the risk level of the computing environment comprises dynamically calculating the risk value that represents the risk level of the computing environment using at least one machine learning technique. 7. The method of claim 1 , wherein identifying the risk value that represents the risk level of the computing environment comprises calculating an environment-specific risk value that represents the risk level of the computing environment based at least in part on: a specific type of network through which the user is attempting to access the resource; a specific type of computing system on which the user is attempting to access the resource; and a specific type of application by which the user is attempting to access the resource. 8. The method of claim 1 , wherein determining whether to grant the user access to the resource comprises: determining that the overall risk score for the attempt to access the resource is below the dynamically computed threshold; and granting the user access to the resource due at least in part to the overall risk score being below the dynamically computed threshold. 9. The method of claim 1 , wherein determining whether to grant the user access to the resource comprises: determining that the overall risk score for the attempt to access the resource is above the dynamically computed threshold; and denying the user access to the resource due at least in part to the overall risk score being above the dynamically computed threshold. 10. A system for dynamic access control over shared resources, the system comprising: an access-detection module, stored in memory, that detects an attempt by a user to access a resource via a computing environment; a risk-assessment module, stored in memory, that: identifies a risk value that: represents a risk level of the user attempting to access the resource via the computing environment; and is based at least in part on a role type of the user; identifies a sensitivity value that represents a sensitivity level of the resource that the user is attempting to access via the computing environment; identifies a risk value that represents a risk level of the computing environment through which the user is attempting to access the resource; and performs a case-by-case evaluation of the attempt to access the resource by calculating an overall risk score for the attempt by the user to access the resource by summing up: the risk value that represents the risk level of the user; the sensitivity value that represents the sensitivity level of the resource; and the risk value that represents the risk level of the computing environment; dynamically computes a threshold based at least in part on a statistical distribution of a first class of all risk levels of users, a second class of all sensitivity levels of resources, and a third class of all risk levels of computing environments, wherein: the first class represents a first sum calculated by adding an average of all role specific risk values to a weighted standard deviation of all the role specific risk values; the second class represents a second sum calculated by adding an average of all resource specific sensitivity values to a weighted standard deviation of all the resource specific sensitivity values; and the third class represents a third sum calculated by adding an average of all environment specific risk values to a weighted standard deviation of all the environment specific risk values; an access-control module, stored in memory, that: determines whether the overall risk score for the attempt to access the resource satisfies the dynamically computed threshold; and determines, based at least in part on whether the overall risk score for the attempt to access the resource satisfies the dynamically computed threshold, whether to grant the user access to the resource via the computing environment; and at least one physical processor configured to execute the access-detection module, the risk-assessment module, and the access-
Assignees
Inventors
Classifications
Physics · mapped topic
Protecting access to data via a platform, e.g. using keys or access control rules · CPC title
- H04L63/10Primary
for controlling access to devices or network resources · CPC title
Entity profiles · CPC title
by monitoring network traffic (monitoring network traffic per se H04L43/00) · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US9807094B1 cover?
- The disclosed computer-implemented method for dynamic access control over shared resources may include (1) detecting an attempt by a user to access a resource via a computing environment, (2) identifying a risk level of the user attempting to access the resource, (3) identifying a sensitivity level of the resource, (4) identifying a risk level of the computing environment through which the user…
- Who is the assignee on this patent?
- Symantec Corp
- What technology area does this patent fall under?
- Primary CPC classification H04L63/10. Mapped technology areas include Electricity.
- When was this patent published?
- Publication date Tue Oct 31 2017 00:00:00 GMT+0000 (Coordinated Universal Time) (B1). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 3 related publications on this page (citations in our corpus or others sharing the same primary CPC).