METHOD AND SYSTEM FOR RISK-ADAPTIVE ACCESS CONTROL OF AN APPLICATION ACTION

US 20160088005A1
Filed: 12/02/2015
Published: 03/24/2016
Est. Priority Date: 03/28/2013
Status: Active Grant

First Claim

Patent Images

1. A method of controlling access to a resource, comprising:

setting one or more security policies for controlling access to the resource of an application, wherein the one or more security policies associate each of a plurality of access levels with a corresponding value for a threat level attribute;

receiving at an access control server, threat detection data from a security system or process via a communication interface, wherein the security system or process monitors network traffic;

determining, by the access control server, based at least in part on the threat detection data received from the security system or process, a value for the threat level attribute;

receiving from the application, an access request that identifies a user of a client terminal, the resource of the application subject to the access request, and one or more actions requested associated with the resource of the application in response to the client terminal attempting to perform one or more actions with respect to the resource of the application over a is communication network; and

determining, by the access control server, an access level of the plurality of access levels to apply to the resource of the application in response to receiving a request from the client terminal to access the resource over the communication network,wherein the access level is determined based at least in part on one or more of the determined value for the threat level attribute, the identity of the user, the resource of the application subject to the request, the one or more actions requested associated with the resource of the application, and at least one of the one or more security policies.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Risk-adaptive access control techniques are disclosed. In various embodiments, a value for a threat level attribute is determined based at least in part on threat detection data generated by a security system or process. The determined value for the threat level attribute is used to make, at least in part, an access control decision with respect to a request to access the resource. In various embodiments, the threat level attribute is used as an environment attribute provided as input to an XACML-based access control system.

Citations

20 Claims

1. A method of controlling access to a resource, comprising:
- setting one or more security policies for controlling access to the resource of an application, wherein the one or more security policies associate each of a plurality of access levels with a corresponding value for a threat level attribute;
  
  receiving at an access control server, threat detection data from a security system or process via a communication interface, wherein the security system or process monitors network traffic;
  
  determining, by the access control server, based at least in part on the threat detection data received from the security system or process, a value for the threat level attribute;
  
  receiving from the application, an access request that identifies a user of a client terminal, the resource of the application subject to the access request, and one or more actions requested associated with the resource of the application in response to the client terminal attempting to perform one or more actions with respect to the resource of the application over a is communication network; and
  
  determining, by the access control server, an access level of the plurality of access levels to apply to the resource of the application in response to receiving a request from the client terminal to access the resource over the communication network,wherein the access level is determined based at least in part on one or more of the determined value for the threat level attribute, the identity of the user, the resource of the application subject to the request, the one or more actions requested associated with the resource of the application, and at least one of the one or more security policies.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein determining the access level of the plurality of access levels to apply to the resource includes using the threat level attribute as an environment attribute provided as input to an XACML-based access control system.
  - 3. The method of claim 1, wherein the value for the threat level attribute is determined based at least in part on respective threat detection data generated by a plurality of security systems and/or processes.
  - 4. The method of claim 1, wherein the security system or process includes one or more of an intrusion detection system (IDS) and a network monitoring tool.
  - 5. The method of claim 1, wherein determining the access level of the plurality of access levels to apply to the resource includes applying a security policy identified based at least in part on an attribute associated with the access request.
  - 6. The method of claim 1, wherein the access control server determinations are made based at least in part on respective attributes associated with one or more of the following:
    - an action to be performed by the user with respect to the resource and an environment with which one or more of the user, the resource, and the request are associated.
  - 7. The method of claim 1, wherein the access control server determination is based at least in part on a security policy with which the request is associated.
  - 8. The method of claim 1, further comprising generating based on the access control server determination a response to the request to access the resource.
  - 9. The method of claim 8, wherein the response indicates the requested access is allowed with respect to the resource.

10. A system, comprising:
- a processor configured to;
  
  set one or more security policies for controlling access to the resource of an application, wherein the one or more security policies associate each of a plurality of access levels with a corresponding value for a threat level attribute;
  
  receive threat detection data from a security system or process via a communication interface, wherein the security system or process monitors network traffic;
  
  determine, based at least in part on the threat detection data received from the security system or process, a value for the threat level attribute;
  
  receive from the application an access request that identifies a user of a client terminal, the resource of the application subject to the access request, and one or more actions requested associated with the resource of the application in response to the client terminal attempting to perform one or more actions with respect to the resource of the application over a communication network; and
  
  determine an access level of the plurality of access levels to apply to the resource of the application in response to receiving a request from the client terminal to access the resource over the communication network,wherein the access level is determined based at least in part on one or more of the determined value for the threat level attribute, the identity of the user, the resource of the application subject to the request, the one or more actions requested associated with the resource of the application, and at least one of the one or more security policies; and
  
  a memory or other storage device coupled to the processor and configured to store said threat detection data generated by said security system or process.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The system of claim 10, wherein determining the access level of the plurality of access levels to apply to the resource includes using the threat level attribute as an environment attribute provided as input to an XACML-based access control system.
  - 12. The system of claim 10, wherein the value for the threat level attribute is determined based at least in part on respective threat detection data generated by a plurality of security systems and/or processes.
  - 13. The system of claim 10, wherein using the determined value for the threat level attribute is to make, at least in part, an access control decision with respect to a request to access the resource includes applying a policy identified based at least in part on an attribute associated with the access request.
  - 14. The system of claim 12, wherein the access control determination is made based at least in part on respective attributes associated with one or more of the following:
    - an action to be performed by the user with respect to the resource; and
      
      an environment with which one or more of the user, the resource, and the request are associated.
  - 15. The system of claim 10, wherein the access control server determination is based at least in part on a security policy with which the request is associated.

16. A computer program product embodied in a tangible, non-transitory computer-readable storage medium, comprising computer instructions for:
- setting one or more security policies for controlling access to the resource of an application, wherein the one or more security policies associate each of a plurality of access levels with a corresponding value for a threat level attribute;
  
  receiving at an access control server, threat detection data from a security system or process via a communication interface, wherein the security system or process monitors network traffic;
  
  determining, by the access control server, based at least in part on the threat detection data received from the security system or process, a value for the threat level attribute;
  
  receiving from the application, an access request that identifies a user of a client terminal, the resource of the application subject to the access request, and one or more actions requested associated with the resource of the application in response to the client terminal attempting to perform one or more actions with respect to the resource of the application over a communication network; and
  
  determining, by the access control server, an access level of the plurality of access levels to apply to the resource of the application in response to receiving a request from the client terminal to access the resource over the communication network,wherein the access level is determined based at least in part on one or more of the determined value for the threat level attribute, the identity of the user, the resource of the is application subject to the request, the one or more actions requested associated with the resource of the application, and at least one of the one or more security policies.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computer program product of claim 16, wherein determining the access level of the plurality of access levels to apply to the resource includes using the threat level attribute as an environment attribute provided as input to an XACML-based access control system.
  - 18. The compute program product of claim 16, wherein the value for the threat level attribute is determined based at least in part on respective threat detection data generated by a plurality of security systems and/or processes.
  - 19. The computer program product of claim 16, wherein the security system or process includes one or more of an intrusion detection system (IDS) and a network monitoring tool.
  - 20. The computer program product of claim 16, wherein determining the access level of the plurality of access levels to apply to the resource includes applying a security policy identified based at least in part on an attribute associated with the access request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
EMC Corporation (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Sinnema, Rmon

Granted Patent

US 9,992,213 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/20   for managing network securi...

METHOD AND SYSTEM FOR RISK-ADAPTIVE ACCESS CONTROL OF AN APPLICATION ACTION

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSTEM FOR RISK-ADAPTIVE ACCESS CONTROL OF AN APPLICATION ACTION

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links