Access authorization with anomaly detection

US 7,904,956 B2
Filed: 10/01/2004
Issued: 03/08/2011
Est. Priority Date: 10/01/2004
Status: Active Grant

First Claim

Patent Images

1. A computer-readable storage medium whose contents cause a computer to:

activate a first policy applicable to a process executing within a computer, wherein the process is an instance of an application program executing on the computer;

monitor the computer to detect an anomalous state in the computer by analyzing network traffic flowing into the computer to detect abnormal packet patterns;

responsive to detecting the anomalous state in the computer, activate a second policy applicable to the process executing within the computer, wherein the second policy is more restrictive than the first policy;

receive a request to access a resource of the computer from the process executing within the computer; and

responsive to receiving the request, determine whether to grant access to the resource based on whether the first policy or the second policy is activated, wherein the process executing within the computer is granted access to the resource when the first policy is activated; and

the process executing within the computer is denied access to the resource when the second policy is activated, wherein the computer readable storage medium is not a signal.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A facility for providing access authorization is provided. The facility initially enforces a first, less restrictive policy when making its access control decisions. Subsequent to detecting an anomaly, the facility enforces a second, more restrictive policy when making its access control decisions. The facility returns to enforcing the first, less restrictive policy when the anomaly no longer exists. In another embodiment, the facility enforces a policy after detecting an anomaly and until the anomaly has ended.

45 Citations

View as Search Results

24 Claims

1. A computer-readable storage medium whose contents cause a computer to:
- activate a first policy applicable to a process executing within a computer, wherein the process is an instance of an application program executing on the computer;
  
  monitor the computer to detect an anomalous state in the computer by analyzing network traffic flowing into the computer to detect abnormal packet patterns;
  
  responsive to detecting the anomalous state in the computer, activate a second policy applicable to the process executing within the computer, wherein the second policy is more restrictive than the first policy;
  
  receive a request to access a resource of the computer from the process executing within the computer; and
  
  responsive to receiving the request, determine whether to grant access to the resource based on whether the first policy or the second policy is activated, wherein the process executing within the computer is granted access to the resource when the first policy is activated; and
  
  the process executing within the computer is denied access to the resource when the second policy is activated, wherein the computer readable storage medium is not a signal.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-readable storage medium of claim 1, wherein the anomalous state is detected in the process executing on the computer, and the second policy is activated against the process.
  - 3. The computer-readable storage medium of claim 1, wherein the anomalous state is detected in a group of processes, and the second policy is activated against the group of processes.
  - 4. The computer-readable storage medium of claim 1, wherein the second policy is activated against all processes executing in the computer.
  - 5. The computer-readable storage medium of claim 1 further comprising contents that cause the computer to:
    - monitor the computer to detect a cessation of the anomalous state; and
      
      upon detecting the cessation of the anomalous state, cease the application of the second policy within the computer.
  - 6. The computer-readable storage medium of claim 1, wherein the contents are integrated into and execute as part of an operating system suitable for executing on the computer.
  - 7. The computer-readable storage medium of claim 1, wherein the first and second policies are maintained as part of a centralized policy store.

8. A computer-readable storage medium whose contents cause a computer to:
- activate a first policy applicable to an application program;
  
  subsequent to activating the first policy, receive a first authorization query for a resource by the application program; and
  
  return an allow decision for the first authorization query by applying the first policy applicable to the application program;
  
  detect an anomalous state;
  
  subsequent to detecting the anomalous state, receive a second authorization query for the resource by the application program; and
  
  subsequent to detecting the anomalous state, return a deny decision for the second authorization query by applying a second policy applicable to the application program, wherein the computer readable storage medium is not a signal.
- View Dependent Claims (9, 18, 19, 20, 21, 22, 23)
- - 9. The computer-readable storage medium of claim 8 further comprising contents that cause the computer to:
    - detect an end to the anomalous state;
      
      subsequent to detecting the end of the anomalous state, receive a third authorization query for the resource by the application program; and
      
      subsequent to detecting the end of the anomalous state, providing an allow decision for the third authorization query by applying the first policy applicable to the application program.
  - 18. The computer-readable storage medium of claim 8 wherein the anomalous state is detected by comparing system calls issued by the application program with a graph representing system calls issued by previous instances of the application program that ran on the computer.
  - 19. The computer-readable storage medium of claim 18 wherein the graph is generated by tracking the previous instances of the application program that ran on the computer.
  - 20. The computer-readable storage medium of claim 8 wherein the application program is a web application program executing on the computer.
  - 21. The computer-readable storage medium of claim 20 wherein the anomalous state is detected by monitoring network traffic generated by the web application program.
  - 22. The computer-readable storage medium of claim 8 wherein the anomalous state is detected by an entry being added to an audit log.
  - 23. The computer-readable storage medium of claim 22 wherein the entry includes an indication of a rule, whether the rule was allowed or denied, and the resource.

10. A method in a computing system for applying a policy within a computer comprising:
- receiving a first authorization query for access to a resource by an application program;
  
  providing a response to the first authorization query indicating that access is authorized based on applying a first policy appropriate for the application program;
  
  detecting an anomalous state;
  
  subsequent to detecting the anomalous state, receiving a second authorization query for access to the resource by the application program;
  
  providing a response to the second authorization query based on applying a second policy appropriate for the application program;
  
  detecting an end to the anomalous state;
  
  subsequent to detecting the end of the anomalous state, receiving a third authorization query for access to the resource by the application program; and
  
  providing a response to the third authorization query indicating that access is authorized based on applying the first policy applicable to the application program.
- View Dependent Claims (11)
- - 11. The method of claim 10, wherein the second policy is more restrictive than the first policy.

12. A system for applying a policy to determine authorization to access a resource, the system comprising:
- a first policy applicable to a principal;
  
  a second policy applicable to the principal; and
  
  an authorization module operable to apply the first policy to the principal to determine whether the principal has authorization to perform a requested action on a computer in a non-anomalous state, the authorization module further operable to apply the second policy to the principal to determine whether the principal has authorization to perform the requested action on the computer in an anomalous state.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The system of claim 12, wherein the principal is an application program process running on the computer.
  - 14. The system of claim 12, wherein the principal is a combination of an application program process running on the computer and a user context under which the application process is running on the computer.
  - 15. The system of claim 12, wherein the first and second policies are applied to a process of the application program executing on the computer.
  - 16. The system of claim 12, wherein the first and second policies are applied to all processes of the application program executing on the computer.
  - 17. The system of claim 12, wherein the first and second policies are maintained as part of a centralized policy.

24. A system for applying a policy to determine authorization to access a resource, the system comprising:
- a first policy applicable to a process executing on a computer;
  
  a second policy applicable to the process executing on the computer; and
  
  an authorization module operable to apply the first policy to the process to determine whether the process is authorized to perform a requested action on the computer when the computer is in a non-anomalous state, the authorization module further operable to apply the second policy to the process to determine whether the process is authorized to perform the requested action on the computer when the computer is in an anomalous state, wherein the first and second policies are applied to the process executing on the computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Vayman, Mark, Golan, Gilad
Primary Examiner(s)
Korzuch; William R
Assistant Examiner(s)
WRIGHT, BRYAN F

Application Number

US10/957,029
Publication Number

US 20060075492A1
Time in Patent Office

2,349 Days
Field of Search

726/25, 726/23, 713/155, 713/200, 707/101
US Class Current

726/22
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/6218   to a system of files or obj...

G06F 2221/2101   Auditing as a secondary aspect

Access authorization with anomaly detection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

45 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Access authorization with anomaly detection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

45 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links