Adaptive model for database security and processing

US 10,242,232 B1
Filed: 07/06/2018
Issued: 03/26/2019
Est. Priority Date: 10/24/2017
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for adaptive access control of data objects, the method comprising:

receiving, by a security system, input data from a first client device to provide authorization to a given entity to access a data object of a plurality of data objects in a software system, the authorization to access the data object associated with a geographical domain;

determining a current location of a second client device of the given entity based on a first set of sensor data received by the security system from the second client device;

determining, using a model of the security system, that the current location is within the geographical domain, the model including a set of expressions for determining authorizations of entities to access data objects based on common parameters describing the entities;

responsive to the determination that the current location is within the geographical domain;

automatically updating an authorization database record of the security system to authorize the given entity to access the data object,transmitting an indication of the updated authorization database record to one or more systems associated with the given entity;

determining an updated location of the second client device based on a second set of sensor data received by the security system from the second client device;

determining, using the model, that the updated location is outside of the geographical domain;

responsive to the determination that the updated location is outside of the geographical domain;

automatically updating the authorization database record to remove authorization for the given entity to access the data object, andtransmitting another indication of the updated authorization database record to the one or more systems associated with the given entity;

after updating the authorization database record to remove authorization for the given entity, determining a different location of the second client device based on a third set of sensor data received by the security system from the second client device; and

responsive to determining that the different location is within the geographical domain, automatically updating the authorization database record to authorize the given entity to access the data object.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security system determines authorizations for entities to access data objects. The security system may train an adaptive model to predict the intent of a user who provides authorization for various entities or other users. In an embodiment, the adaptive model may be configured to determine latent properties of training data by identifying common parameters between entities that are, or are not, permitted to access given data object(s). The training data may include previous authorizations provided to the entities. Based on the identified common parameters, the model may generate usage expressions for determining a likelihood that the user intends to provide authorization for a given entity to access the given data object. If the likelihood is greater than a threshold value, the security system may provide a recommendation to the user to provide the authorization for the given entity.

15 Citations

View as Search Results

17 Claims

1. A computer-implemented method for adaptive access control of data objects, the method comprising:
- receiving, by a security system, input data from a first client device to provide authorization to a given entity to access a data object of a plurality of data objects in a software system, the authorization to access the data object associated with a geographical domain;
  
  determining a current location of a second client device of the given entity based on a first set of sensor data received by the security system from the second client device;
  
  determining, using a model of the security system, that the current location is within the geographical domain, the model including a set of expressions for determining authorizations of entities to access data objects based on common parameters describing the entities;
  
  responsive to the determination that the current location is within the geographical domain;
  
  automatically updating an authorization database record of the security system to authorize the given entity to access the data object,transmitting an indication of the updated authorization database record to one or more systems associated with the given entity;
  
  determining an updated location of the second client device based on a second set of sensor data received by the security system from the second client device;
  
  determining, using the model, that the updated location is outside of the geographical domain;
  
  responsive to the determination that the updated location is outside of the geographical domain;
  
  automatically updating the authorization database record to remove authorization for the given entity to access the data object, andtransmitting another indication of the updated authorization database record to the one or more systems associated with the given entity;
  
  after updating the authorization database record to remove authorization for the given entity, determining a different location of the second client device based on a third set of sensor data received by the security system from the second client device; and
  
  responsive to determining that the different location is within the geographical domain, automatically updating the authorization database record to authorize the given entity to access the data object.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - determining, using the model and an expression of the set of expressions, a likelihood that a user of the first client device intends to provide authorization to the given entity to access a different data object associated with a different authorization database record; and
      
      transmitting, responsive to determining that the likelihood is greater than a threshold value, a recommendation from the security system to the first client device for presentation, the recommendation for updating the different authorization database record to authorize the given entity to access the different data object.
  - 3. The method of claim 1, further comprising:
    - generating geographical map information of a plurality of client devices of entities authorized to access at least one data object of the plurality of data objects using sensor data from the plurality of client devices, the geographical map information describing at least the geographical domain; and
      
      transmitting the geographical map information to the first client device for presentation to a user.
  - 4. The method of claim 1, wherein automatically updating the authorization database record of the security system to authorize the given entity to access the data object is further responsive to:
    - determining, using the model, that the current location is geographically proximate to other locations of client devices of a subset of the entities, the subset of the entities authorized to access the data object.
  - 5. The method of claim 1, wherein the security system stores authorization database records on a per-data object basis, and wherein the data object is a table, table row, table column, or table data entry stored in a database.
  - 6. The method of claim 1, wherein the first set of sensor data and the second set of sensor data each indicate at least one of an Internet Protocol (IP) address or global positioning system (GPS) data of the second client device.
  - 7. The method of claim 1, wherein automatically updating the authorization database record of the security system to authorize the given entity to access the data object is further responsive to:
    - determining, using the model, that the given entity is associated with one or more parameters in common with parameters of other entities in the geographical domain.
  - 8. The method of claim 1, further comprising:
    - updating the authorization database record to authorize the given entity to access a different data object of the plurality of data objects, the security system maintaining authorization for the given entity to access the different data object after determining to remove authorization for the given entity to access the data object.

9. A non-transitory computer-readable storage medium storing instructions for adaptive access control of data objects by a security system, the instructions when executed by a processor causing the processor to:
- receive input data from a first client device to provide authorization to a given entity to access a data object of a plurality of data objects in a software system, the authorization to access the data object associated with a geographical domain;
  
  determine a current location of a second client device of the given entity based on a first set of sensor data received by the security system from the second client device;
  
  determine, using a model of the security system, that the current location is within the geographical domain, the model including a set of expressions for determining authorizations of entities to access data objects based on common parameters describing the entities;
  
  responsive to the determination that the current location is within the geographical domain;
  
  automatically update an authorization database record of the security system to authorize the given entity to access the data object,transmit an indication of the updated authorization database record to one or more systems associated with the given entity;
  
  determine an updated location of the second client device based on a second set of sensor data received by the security system from the second client device;
  
  determine, using the model, that the updated location is outside of the geographical domain;
  
  responsive to the determination that the updated location is outside of the geographical domain;
  
  automatically update the authorization database record to remove authorization for the given entity to access the data object, andtransmit another indication of the updated authorization database record to the one or more systems associated with the given entity;
  
  after updating the authorization database record to remove authorization for the given entity, determine a different location of the second client device based on a third set of sensor data received by the security system from the second client device; and
  
  responsive to determining that the different location is within the geographical domain, automatically update the authorization database record to authorize the given entity to access the data object.
- View Dependent Claims (10, 11, 12)
- - 10. The non-transitory computer-readable storage medium of claim 9, the instructions when executed by the processor causing the processor to:
    - determine, using the model and an expression of the set of expressions, a likelihood that a user of the first client device intends to provide authorization to the given entity to access a different data object associated with a different authorization database record; and
      
      transmit, responsive to determining that the likelihood is greater than a threshold value, a recommendation from the security system to the first client device for presentation, the recommendation for updating the different authorization database record to authorize the given entity to access the different data object.
  - 11. The non-transitory computer-readable storage medium of claim 9, the instructions when executed by the processor causing the processor to:
    - generate geographical map information of a plurality of client devices of entities authorized to access at least one data object of the plurality of data objects using sensor data from the plurality of client devices, the geographical map information describing at least the geographical domain; and
      
      transmit the geographical map information to the first client device for presentation to a user.
  - 12. The non-transitory computer-readable storage medium of claim 9, the instructions when executed by the processor causing the processor to:
    - update the authorization database record to authorize the given entity to access a different data object of the plurality of data objects, the security system maintaining authorization for the given entity to access the different data object after determining to remove authorization for the given entity to access the data object.

13. A security system for adaptive access control of data objects, the security system comprising:
- a processor; and
  
  a non-transitory computer-readable storage medium storing program instruction that, when executed by the processor, implement;
  
  a user interface engine configured to receive input data from a first client device to provide authorization to a given entity to access a data object of a plurality of data objects in a software system, the authorization associated with a geographical domain; and
  
  an authorization engine configured to;
  
  determine a current location of a second client device of the given entity based on a first set of sensor data received by the security system from the second client device;
  
  determine, using a model of the security system, that the current location is within the geographical domain, the model including a set of expressions for determining authorizations of entities to access data objects based on common parameters describing the entities;
  
  responsive to the determination that the current location is within the geographical domain;
  
  automatically update an authorization database record of the security system to authorize the given entity to access the data object, andtransmit an indication of the updated authorization database record to one or more systems associated with the given entity;
  
  determine an updated location of the second client device based on a second set of sensor data received by the security system from the second client device;
  
  determine, using the model, that the updated location is outside of the geographical domain;
  
  responsive to the determination that the updated location is outside of the geographical domain;
  
  automatically update the authorization database record to remove authorization for the given entity to access the data object, andtransmit another indication of the updated authorization database record to the one or more systems associated with the given entity;
  
  after updating the authorization database record to remove authorization for the given entity, determine a different location of the second client device based on a third set of sensor data received by the system from the second client device; and
  
  responsive to determining that the different location is within the geographical domain, automatically update the authorization database record to authorize the given entity to access the data object.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The security system of claim 13, further comprising a feedback engine configured to:
    - determine, using the model and an expression of the set of expressions, a likelihood that a user of the first client device intends to provide authorization to the given entity to access a different data object associated with a different authorization database record; and
      
      transmit, responsive to determining that the likelihood is greater than a threshold value, a recommendation from the security system to the first client device for presentation, the recommendation for updating the different authorization database record to authorize the given entity to access the different data object.
  - 15. The security system of claim 13, further comprising a feedback engine configured to:
    - generate geographical map information of a plurality of client devices of entities authorized to access at least one data object of the plurality of data objects using sensor data from the plurality of client devices, the geographical map information describing at least the geographical domain; and
      
      transmit the geographical map information to the first client device for presentation to a user.
  - 16. The security system of claim 13, wherein automatically updating the authorization database record of the security system to authorize the given entity to access the data object is further responsive to:
    - determine, using the model, that the current location is geographically proximate to other locations of client devices of a subset of the entities, the subset of the entities authorized to access the data object.
  - 17. The security system of claim 13, wherein the authorization engine is further configured to:
    - update the authorization database record to authorize the given entity to access a different data object of the plurality of data objects, the authorization engine maintaining authorization for the given entity to access the different data object after determining to remove authorization for the given entity to access the data object.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Merck Sharp & Dohme LLC (Merck & Co., Inc.)
Original Assignee
Merck Sharp & Dohme Corporation (Merck & Co., Inc.)
Inventors
Hurry, David B., Tabacco, David J.
Primary Examiner(s)
Le, Khoi V

Application Number

US16/029,470
Time in Patent Office

263 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/1774   Locking methods, e.g. locki...

G06F 16/24524   Access plan code generation...

G06F 21/44   Program or device authentic...

G06F 21/6227   where protection concerns t...

G06F 21/6281   at program execution time, ...

H04L 63/107   wherein the security polici...

H04W 12/06   Authentication

H04W 12/08   Access security

Adaptive model for database security and processing

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

15 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Adaptive model for database security and processing

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links