Access authorization with anomaly detection

US 20060075492A1
Filed: 10/01/2004
Published: 04/06/2006
Est. Priority Date: 10/01/2004
Status: Active Grant

First Claim

Patent Images

1. A computer-readable storage medium whose contents cause a computer to:

monitor a computer to detect an anomalous state in the computer; and

responsive to detecting an anomalous state in the computer, activate an application of a policy within the computer.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A facility for providing access authorization is provided. The facility initially enforces a first, less restrictive policy when making its access control decisions. Subsequent to detecting an anomaly, the facility enforces a second, more restrictive policy when making its access control decisions. The facility returns to enforcing the first, less restrictive policy when the anomaly no longer exists. In another embodiment, the facility enforces a policy after detecting an anomaly and until the anomaly has ended.

103 Citations

View as Search Results

30 Claims

1. A computer-readable storage medium whose contents cause a computer to:
- monitor a computer to detect an anomalous state in the computer; and
  
  responsive to detecting an anomalous state in the computer, activate an application of a policy within the computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 16)
- - 2. The computer-readable storage medium of claim 1, wherein the anomalous state is detected in a process executing on the computer, and the policy is activated against the process.
  - 3. The computer-readable storage medium of claim 1, wherein the anomalous state is detected in a group of processes, and the policy is activated against the group of process.
  - 4. The computer-readable storage medium of claim 1, wherein the policy is activated against all processes executing in the computer.
  - 5. The computer-readable storage medium of claim 1 further comprising contents that cause the computer to:
    - monitor the computer to detect a cessation of the anomalous state; and
      
      upon detecting the cessation of the anomalous state, cease the application of the policy within the computer.
  - 6. The computer-readable storage medium of claim 1, wherein the computer instructions are integrated into and execute as part of an operating system suitable for executing on the computer.
  - 7. The computer-readable storage medium of claim 1, wherein the policy is maintained as part of a centralized policy store.
  - 16. The computer-readable storage medium of claim 5 further comprising contents that cause the computer to re-apply the first policy within the computer.

8. A computer-readable storage medium whose contents cause a computer to:
- apply a first policy within a computer;
  
  monitor the computer to detect an anomalous state in the computer; and
  
  responsive to detecting an anomalous state in the computer, apply a second policy within the computer.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 29)
- - 9. The computer-readable storage medium of claim 8, wherein the first and second policies are applied to a process executing on the computer.
  - 10. The computer-readable storage medium of claim 8, wherein the first and second policies are applied to an instance of an application program executing on the computer.
  - 11. The computer-readable storage medium of claim 8, wherein the first and second policies are applied to all processes executing on the computer.
  - 12. The computer-readable storage medium of claim 8, wherein the first policy is less restrictive than the second policy.
  - 13. The computer-readable storage medium of claim 8, wherein the policy includes at least one rule for managing a resource on the computer.
  - 14. The computer-readable storage medium of claim 8, wherein the first and second policies are maintained as part of a centralized policy store.
  - 15. The computer-readable storage medium of claim 8 further comprising contents that cause the computer to:
    - monitor the computer to detect an end of the anomalous state; and
      
      upon detecting the end of the anomalous state, cease the application of the second policy within the computer.
  - 29. The system of claim 8, wherein the first and second policies are maintained as part of a centralized policy.

17. A computer-readable storage medium whose contents cause a computer to:
- receive a first authorization query for a resource access by an application program;
  
  return either an allow or a deny decision for the first authorization query by applying a first policy applicable to the application program;
  
  detect an anomalous state;
  
  subsequent to detecting the anomalous state, receive a second authorization query for a resource access by the application program; and
  
  subsequent to detecting the anomalous state, return either an allow or a deny decision for the second authorization query by applying a second policy applicable to the application program.
- View Dependent Claims (18)
- - 18. The computer-readable storage medium of claim 17 further comprising contents that cause the computer to:
    - detect an end to the anomalous state;
      
      subsequent to detecting the end of the anomalous state, receive a third authorization query for a resource access by the application program; and
      
      subsequent to detecting the end of the anomalous state, providing either an allow or a deny decision for the third authorization query by applying the first policy applicable to the application program.

19. A method in a computing system for applying a policy within a computer comprising:
- receiving a first authorization query for a resource access by an application program;
  
  providing a response to the first authorization query by applying a first policy appropriate for the application program;
  
  detecting an anomalous state;
  
  responsive to detecting an anomalous state, receiving a second authorization query for a resource access by the application program; and
  
  providing a response to the second authorization query by applying a second policy appropriate for the application program.
- View Dependent Claims (20, 21, 23)
- - 20. The method of claim 19, wherein the second policy is more restrictive than the first policy.
  - 21. The method of claim 19 further comprising:
    - detecting an end to the anomalous state;
      
      subsequent to detecting the end of the anomalous state, receiving a third authorization query for a resource access by the application program; and
      
      subsequent to detecting the end of the anomalous state, providing either an allow or a deny decision for the third authorization query by applying the first policy applicable to the application program.
  - 23. The computer memories of claim 19, wherein the first state is a normal state, and the second state is an anomalous state.

22. One or more computer memories collectively containing a data structure suitable for a policy, the data structure comprising a first policy and a second policy, the first and second policies applicable to an application program, such that the first policy is applied to the application program in a first state, and the second policy is applied to the application program in a second state.

24. A system for applying a policy to determine authorization to access a resource, the system comprising:
- a first policy applicable to a principal;
  
  a second policy applicable to the principal; and
  
  an authorization module operable to apply the first policy to the principal to determine whether the principal has authorization to perform a requested action on a computer in a non-anomalous state, the authorization module further operable to apply the second policy to the principal to determine whether the principal has authorization to perform the requested action on the computer in an anomalous state.
- View Dependent Claims (25, 26, 27, 28)
- - 25. The system of claim 24, wherein the principal is an application program process running on the computer.
  - 26. The system of claim 24, wherein the principal is a combination of an application program process running on the computer and a user context under which the application process is running on the computer.
  - 27. The system of claim 24, wherein the first and second policies are applied to a process of the application program executing on the computer.
  - 28. The system of claim 24, wherein the first and second policies are applied to all processes of the application program executing on the computer.

30. A system for applying a policy to determine authorization to access a resource, the system comprising:
- a first policy applicable to an application program running on a computer; and
  
  an authorization module operable to not apply the first policy in determining whether the application program has authorization to perform a requested action on the computer in a non-anomalous state, the authorization module further operable to apply the first policy in determining whether the application program ahs authorization to perform the requested action on the computer in an anomalous state.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Vayman, Mark, Golan, Gilad

Granted Patent

US 7,904,956 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/6218   to a system of files or obj...

G06F 2221/2101   Auditing as a secondary aspect

Access authorization with anomaly detection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

103 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Access authorization with anomaly detection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

103 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links