System and method for granting access to a resource
Abstract
An access control system is implemented with a maximum-likelihood "soft" decision process that determines whether a user's actions are most like those of a valid user or most like those of a hacker. Data obtained from transactions involving both valid users and hackers is clustered in a multidimensional attribute space, with each of the clusters representing an attribute profile of similar user behaviors. The similarity between the attributes of an access attempt and the attribute profiles represented by the clusters is evaluated, to identify profiles of valid and fraudulent users that most closely resemble the attributes of the access attempt. An access decision can then be made simply based upon which type of user (valid or fraudulent) the access attempt most closely resembles. Alternatively, the access decision can be made by comparing probabilities of eligibility for access, based upon the relative closeness of the resemblances between the profiles for valid and fraudulent users and the profile of the user attempting to gain access, and a function which relates the probability of eligibility to other factors, such as the confidence of the decision, the value of the resource, and so on. In this way, a particular access request is characterized as most likely valid or most likely fraudulent. The history of previous access attempts by particular users may be stored and used subsequently in the access decision process.
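The decision process the abstract describes, sketched as an added example (not code from the patent): labelled records are clustered into valid and fraud profiles, and an access attempt is judged by its nearest profile of each kind. The two-attribute records, the k-means seeding, and the `p_valid` formula with its threshold are assumptions made for illustration.

```python
import math

def kmeans(points, k, iters=20):
    """Iterative minimum-distance clustering; returns k centroids (attribute profiles)."""
    centroids = [list(p) for p in points[:k]]  # assumption: seed with the first k records
    for _ in range(iters):
        groups = [[] for _ in range(k)]
        for p in points:
            nearest = min(range(k), key=lambda i: math.dist(p, centroids[i]))
            groups[nearest].append(p)
        for i, g in enumerate(groups):
            if g:  # an emptied cluster keeps its previous centroid
                centroids[i] = [sum(col) / len(g) for col in zip(*g)]
    return centroids

def decide(attempt, valid_profiles, fraud_profiles, threshold=0.5):
    """Judge an attempt by its closest valid profile and its closest fraud profile."""
    d_valid = min(math.dist(attempt, c) for c in valid_profiles)
    d_fraud = min(math.dist(attempt, c) for c in fraud_profiles)
    total = d_valid + d_fraud
    # Assumed soft score: relative closeness mapped to [0, 1]; 0.5 when equidistant.
    p_valid = 0.5 if total == 0 else d_fraud / total
    return {
        "hard_allow": d_valid < d_fraud,    # "which type it most closely resembles"
        "p_valid": p_valid,
        "soft_allow": p_valid >= threshold, # threshold can rise with resource value
    }

# Constructed sample records: (failed logins in the last hour, requests per minute).
# Attributes are assumed to be on comparable scales; real data would need normalising.
VALID = [(0, 4), (0, 20), (1, 5), (0, 22), (1, 6), (0, 21)]
FRAUD = [(9, 3), (2, 40), (10, 2), (3, 42), (8, 4), (2, 44)]
VALID_PROFILES = kmeans(VALID, 2)
FRAUD_PROFILES = kmeans(FRAUD, 2)

if __name__ == "__main__":
    for attempt, thr in [((1, 7), 0.5), ((1, 7), 0.9), ((7, 4), 0.5)]:
        print(attempt, thr, decide(attempt, VALID_PROFILES, FRAUD_PROFILES, thr))
```

The same attempt `(1, 7)` passes the hard decision but is refused at a threshold of 0.9, which is the behaviour the abstract attributes to weighing confidence against the value of the resource.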
18 Claims
1. A system for controlling access by a user to a resource based upon attributes of said user, comprising
means (101) for storing data representing attributes of persons eligible for access and persons ineligible for access;
signal processing means (110) for processing signals representing data stored in said storing means to form a plurality of attribute profiles, each of said attribute profiles being indicative of attributes of either eligible or ineligible users;
signal correlating means (130) for determining resemblance of said attributes of said user requesting access to (1) a first one of said attribute profiles of an eligible user most similar to said attributes of said user requesting access, and (2) a second one of said attribute profiles of an ineligible user most similar to said attributes of said user requesting access, and
means (140) for generating an access control signal allowing access to the resource based upon a relative resemblance between said attributes of said user requesting access and said first and second attribute profiles.
2. An access control system for determining if a particular access request is most likely valid or most likely fraudulent, said system including
means for storing data obtained from transactions involving both valid and fraudulent users,
signal processing means for forming clusters by clustering data in said storing means in a multidimensional attribute space, each of said clusters representing an attribute profile of similar user behaviors,
signal correlation means for evaluating similarity between attributes of said particular access request and each said attribute profile represented by each of said clusters, to identify profiles of valid and fraudulent users that most closely resemble attributes of said particular access request, and
means for generating an access control signal based upon which type of user, valid or fraudulent, said particular access request most closely resembles.
6. A system for granting access to a resource to an authorized user, comprising
means for storing data obtained from transactions involving both authorized users and hackers, said user data being stored in the form of multiple records, each containing a plurality of numerical attribute values,
signal processing means for analyzing said data stored in said storing means to define clusters in a multidimensional attribute space using an iterative minimum distance modelling technique, each of said clusters being represented by its coordinates in said multidimensional attribute space,
signal correlation means for evaluating similarity between attributes of an access request and attribute profiles represented by said clusters by identifying at least one of said clusters having a smallest distance to a point in a multidimensional attribute space that represents attributes of said access request, and
means for generating an access control signal based upon a distance between said at least one closest cluster and said point in said multidimensional attribute space that represents said access request.
9. Apparatus for determining eligibility of a particular user to access a resource based upon attributes of access being requested, comprising
means for collecting data representing attributes of persons eligible for said access and persons ineligible for said access;
means for processing said collected data to form a plurality of attribute profiles, each of said profiles being indicative of attributes of either eligible or ineligible users;
means for determining resemblance of attributes of said particular user to (1) a first one of said attribute profiles, said first profile being a most similar one of said profiles which is indicative of attributes of an eligible person, and (2) a second one of said attribute profiles, said second profile being a most similar one of said profiles which is indicative of attributes of an ineligible person,
means for generating a first signal indicative of a probability of eligibility based upon a degree of resemblance between said attributes of said particular user and said first profile,
means for generating a second signal indicative of a probability of ineligibility based upon a degree of resemblance between said attributes of said particular user and said second profile, and
means for allowing access to the resource by said particular user if the magnitude of said first signal is greater than the magnitude of said second signal.
10. A method of controlling access by a user to a resource based upon attributes of said user, comprising the steps of
storing in a database data representing attributes of persons eligible for access and persons ineligible for access;
processing signals representing said data stored in said storing step to form a plurality of attribute profiles, each of said attribute profiles being indicative of attributes of either eligible or ineligible users;
correlating said attribute profiles with the attributes of said user requesting access to determine resemblance of said attributes of said user requesting access to (1) a first one of said attribute profiles of an eligible user most similar to said attributes of said user requesting access, and (2) a second one of said attribute profiles of an eligible user most similar to said attributes of said user requesting access, and
generating a control signal allowing or denying access to said resource based upon a relative resemblance between said attributes of said user requesting access and said first and second attribute profiles.
11. An access control method used for determining if a particular access request is most likely valid or most likely fraudulent, said method including the steps of
storing data obtained from transactions involving both valid and fraudulent users,
forming clusters by clustering data in said storing means in a multidimensional attribute space, each of said clusters representing an attribute profile of similar user behaviors,
correlating signals representing said clusters with signals representing a particular access request to evaluate similarity between attributes of said particular access request and each said attribute profile represented by each of said clusters, to identify profiles of valid and fraudulent users that most closely resemble attributes of said particular access request, and
generating an access control signal based upon which type of user, valid or fraudulent, said particular access request most closely resembles.
15. A method for granting access to a resource to an authorized user, comprising the steps of
storing data representing signals generated as a result of transactions involving both authorized users and hackers, said user data being stored in the form of multiple records, each containing a plurality of numerical values which are attributes of said signals,
analyzing said signals by processing said stored data to define clusters in a multidimensional attribute space using an iterative minimum distance modelling technique, each of said clusters being a signal represented by its coordinates in said multidimensional attribute space,
evaluating similarity between attributes of said access request and attribute profiles represented by said clusters by identifying at least one of said signals representing clusters having a smallest distance to a point in a multidimensional attribute space that represents attributes of said access request, and
generating an access control signal based upon a distance between said at least one closest cluster and said point in said multidimensional attribute space that represents said access request.
18. A method of determining eligibility of a particular user to access a resource based upon attributes of access being requested, comprising the steps of
collecting data representing attributes of persons eligible for said access and persons ineligible for said access;
processing said collected data to form a plurality of attribute profiles, each of said profiles being indicative of attributes of either eligible or ineligible persons;
determining resemblance of attributes of said particular user to (1) a first one of said attribute profiles, said first profile being a most similar one of said profiles which is indicative of attributes of an eligible person, and (2) a second one of said attribute profiles, said second profile being a most similar one of said profiles which is indicative of attributes of an ineligible person,
generating a first signal indicative of a probability of eligibility based upon a degree of resemblance between said attributes of said particular user and said first profile,
generating a second signal indicative of a probability of ineligibility based upon a degree of resemblance between said attributes of said particular user and said second profile, and
allowing access to the resource by said particular user if the magnitude of said first signal is greater than the magnitude of said second signal.