System and method for granting access to a resource

US 5,375,244 A
Filed: 05/29/1992
Issued: 12/20/1994
Est. Priority Date: 05/29/1992
Status: Expired due to Term

First Claim

Patent Images

1. A system for controlling access by a user to a resource based upon attributes of said user, comprisingmeans (101) for storing data representing attributes of persons eligible for access and persons ineligible for access;

signal processing means (110) for processing signals representing data stored in said storing means to form a plurality of attribute profiles, each of said attribute profiles being indicative of attributes of either eligible or ineligible users;

signal correlating means (130) for determining resemblance of said attributes of said user requesting access to (1) a first one of said attribute profiles of an eligible user most similar to said attributes of said user requesting access, and (2) a second one of said attribute profiles of an ineligible user most similar to said attributes of said user requesting access, andmeans (140) for generating an access control signal allowing access to the resource based upon a relative resemblance between said attributes of said user requesting access and said first and second attribute profiles.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An access control system is implemented with a maximum-likelihood "soft" decision process that determines whether a user'"'"'s actions are most like those of a valid user or most like those of a hacker. Data obtained from transactions involving both valid users and hackers is clustered in a multidimensional attribute space, with each of the clusters representing an attribute profile of similar user behaviors. The similarity between the attributes of an access attempt and the attribute profiles represented by the clusters is evaluated, to identify profiles of valid and fraudulent users that most closely resemble the attributes of the access attempt. An access decision can then be made simply based upon which type of user (valid or fraudulent) the access attempt most closely resembles. Alternatively, the access decision can be made by comparing probabilities of eligibility for access, based upon the relative closeness of the resemblances between the profiles for valid and fraudulent users and the profile of the user attempting to gain access, and a function which relates the probability of eligibility to other factors, such as the confidence of the decision, the value of the resource, and so on. In this way, a particular access request is characterized as most likely valid or most likely fraudulent. The history of previous access attempts by particular users may be stored and used subsequently in the access decision process.

Citations

18 Claims

1. A system for controlling access by a user to a resource based upon attributes of said user, comprisingmeans (101) for storing data representing attributes of persons eligible for access and persons ineligible for access;
- signal processing means (110) for processing signals representing data stored in said storing means to form a plurality of attribute profiles, each of said attribute profiles being indicative of attributes of either eligible or ineligible users;
  
  signal correlating means (130) for determining resemblance of said attributes of said user requesting access to (1) a first one of said attribute profiles of an eligible user most similar to said attributes of said user requesting access, and (2) a second one of said attribute profiles of an ineligible user most similar to said attributes of said user requesting access, andmeans (140) for generating an access control signal allowing access to the resource based upon a relative resemblance between said attributes of said user requesting access and said first and second attribute profiles.

2. An access control system for determining if a particular access request is most likely valid or most likely fraudulent, said system includingmeans for storing data obtained from transactions involving both valid and fraudulent userssignal processing means for forming clusters by clustering data in said storing means in a multidimensional attribute space, each of said clusters representing an attribute profile of similar user behaviors,signal correlation means for evaluating similarity between attributes of said particular access request and each said attribute profile represented by each of said clusters, to identify profiles of valid and fraudulent users that most closely resemble attributes of said particular access request, andmeans for generating an access control signal based upon which type of user, valid or fraudulent, said particular access request most closely resembles.
- View Dependent Claims (3, 4, 5)
- - 3. The invention defined in claim 2 wherein said access decision making means further includesmeans for comparing probabilities of eligibility for access, based upon relative closeness of resemblances between each said attribute profile of valid and fraudulent users and said attributes of said particular access request, and a function which relates said probabilities of eligibility to other factors.
  - 4. The invention defined in claim 3 wherein said other factors include confidence in said access decision and value of a resource to which said access request is directed.
  - 5. The invention defined in claim 4 further including means for storing a history of previous access requests by particular users for subsequent use in said access control system.

6. A system for granting access to a resource to an authorized user, comprisingmeans for storing data obtained from transactions involving both authorized users and hackers, said user data being stored in the form of multiple records, each containing a plurality of numerical attribute values,signal processing means for analyzing said data stored in said storing means to define clusters in a multidimensional attribute space using an iterative minimum distance modelling technique, each of said clusters being represented by its coordinates in said multidimensional attribute space,signal correlation means for evaluating similarity between attributes of an access request and attribute profiles represented by said clusters by identifying at least one of said clusters having a smallest distance to a point in a multidimensional attribute space that represents attributes of said access request, andmeans for generating an access control signal based upon a distance between said at least one closest cluster and said point in said multidimensional attribute space that represents said access request.
- View Dependent Claims (7, 8)
- - 7. The invention defined in claim 6 wherein said analyzing means is arranged to define a first set of clusters for authorized users and a second set of clusters for hackers, and wherein said evaluating means is arranged to identify first and second clusters for authorized users and for hackers that are closest to said point.
  - 8. The invention defined in claim 7 wherein said access control signal generating means includes means for computing a probability of eligibility for access as a function of relative distances to nearest clusters for authorized users and for hackers, dispersion of the clusters, average spacing between clusters for authorized users, and average distance between authorized user and hacker clusters.

9. Apparatus for determining eligibility of a particular user to access a resource based upon attributes of access being requested, comprisingmeans for collecting data representing attributes of persons eligible for said access and persons ineligible for said access;
- means for processing said collected data to form a plurality of attribute profiles, each of said profiles being indicative of attributes of either eligible or ineligible users;
  
  means for determining resemblance of attributes of said particular user to (1) a first one of said attribute profiles, said first profile being a most similar one of said profiles which is indicative of attributes of an eligible person, and (2) a second one of said attribute profiles, said second profile being a most similar one of said profiles which is indicative of attributes of an ineligible person,means for generating a first signal indicative of a probability of eligibility based upon a degree of resemblance between said attributes of said particular user and said first profile,means for generating a second signal indicative of a probability of ineligibility based upon a degree of resemblance between said attributes of said particular user and said second profile, andmeans for allowing access to the resource by said particular user if the magnitude of said first signal is greater than the magnitude of said second signal.

10. A method of controlling access by a user to a resource based upon attributes of said user, comprising the steps ofstoring in a database data representing attributes of persons eligible for access and persons ineligible for access;
- processing signals representing said data stored in said storing step to form a plurality of attribute profiles, each of said attribute profiles being indicative of attributes of either eligible or ineligible users;
  
  correlating said attribute profiles with the attributes of said user requesting access to determine resemblance of said attributes of said user requesting access to (1) a first one of said attribute profiles of an eligible user most similar to said attributes of said user requesting access, and (2) a second one of said attribute profiles of an eligible user most similar to said attributes of said user requesting access, andgenerating a control signal allowing or denying access to said resource based upon a relative resemblance between said attributes of said user requesting access and said first and second attribute profiles.

11. An access control method used for determining if a particular access request is most likely valid or most likely fraudulent, said method including the steps ofstoring data obtained from transactions involving both valid and fraudulent users,forming clusters by clustering data in said storing means in a multidimensional attribute space, each of said clusters representing an attribute profile of similar user behaviors,correlating signals representing said clusters with signals representing a particular access request to evaluate similarity between attributes of said particular access request and each said attribute profile represented by each of said clusters, to identify profiles of valid and fraudulent users that most closely resemble attributes of said particular access request, andgenerating an access control signal based upon which type of user, valid or fraudulent, said particular access request most closely resembles.
- View Dependent Claims (12, 13, 14)
- - 12. The method defined in claim 11 wherein said access decision making method further includes the step ofcomparing probabilities of eligibility for access, based upon relative closeness of resemblances between each said attribute profile of valid and fraudulent users and said attributes of said particular access request, and a function which relates said probabilities of eligibility to other factors.
  - 13. The method defined in claim 12 wherein said other factors include confidence in said access decision and value of resource to which said access request is directed.
  - 14. The method defined in claim 13 further including the step of storing a history of previous access requests by particular users for subsequent use in said access control method.

15. A method for granting access to a resource to an authorized user, comprising the steps ofstoring data representing signals generated as a result of transactions involving both authorized users and hackers, said user data being stored in the form of multiple records, each containing a plurality of numerical values which are attributes of said signals,analyzing said signals by processing said stored data to define clusters in a multidimensional attribute space using an iterative minimum distance modelling technique, each of said clusters being a signal represented by its coordinates in said multidimensional attribute space,evaluating similarity between attributes of said access request and attribute profiles represented by said clusters by identifying at least one of said signals representing clusters having a smallest distance to a point in a multidimensional attribute space that represents attributes of said access request, andgenerating an access control signal based upon a distance between said at least one closest cluster and said point in said multidimensional attribute space that represents said access request.
- View Dependent Claims (16, 17)
- - 16. The invention defined in claim 15 wherein said analyzing step includes defining a first set of clusters for authorized users and a second set of clusters for hackers, and performing said evaluating step by identifying first and second clusters for authorized users and for hackers that are closest to said point.
  - 17. The invention defined in claim 16 wherein said access decision making step includes computing a probability of eligibility for access as a function of relative distances to nearest clusters for authorized users and for hackers, dispersion of the clusters, average spacing between clusters for authorized users, and average distance between authorized user and hacker clusters.

18. A method of determining eligibility of a particular user to access a resource based upon attributes of access being requested, comprising the steps ofcollecting data representing attributes of persons eligible for said access and persons ineligible for said access;
- processing said collected data to form a plurality of attribute profiles, each of said profiles being indicative of attributes of either eligible or ineligible persons;
  
  determining resemblance of attributes of said particular user to (1) a first one of said attribute profiles, said first profile being a most similar one of said profiles which is indicative of attributes of an eligible person, and (2) a second one of said attribute profiles, said second profile being a most similar one of said profiles which is indicative of attributes of an ineligible person,generating a first signal indicative of a probability of eligibility based upon a degree of resemblance between said attributes of said particular user and said first profile,generating a second signal indicative of a probability of ineligibility based upon a degree of resemblance between said attributes of said particular user and said second profile, andallowing access to the resource by said particular user if the magnitude of said first signal is greater than the magnitude of said second signal.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
American Telephone & Telegraph Company (AT&T, Inc.)
Original Assignee
AT&T Corporation (AT&T, Inc.)
Inventors
McNair, Bruce E.
Primary Examiner(s)
MacDonald, Allen R.
Assistant Examiner(s)
AUVE, GLENN ALLEN

Application Number

US07/891,347
Time in Patent Office

935 Days
Field of Search

395/725, 395/700, 395/575, 395/2.82, 340/825.34, 340/825.31, 340/825.5, 340/825.54, 340/825.3, 380/25, 380/23, 380/3, 380/4
US Class Current

710/200
CPC Class Codes

G06F 21/316   by observing the pattern of...

G06F 21/32   using biometric data, e.g. ...

G06F 21/6218   to a system of files or obj...

G06F 2221/2101   Auditing as a secondary aspect

System and method for granting access to a resource

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for granting access to a resource

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links