Access authorization with anomaly detection
First Claim
1. A computer-readable storage medium whose contents cause a computer to:
activate a first policy applicable to a process executing within a computer, wherein the process is an instance of an application program executing on the computer;
monitor the computer to detect an anomalous state in the computer by analyzing network traffic flowing into the computer to detect abnormal packet patterns;
responsive to detecting the anomalous state in the computer, activate a second policy applicable to the process executing within the computer, wherein the second policy is more restrictive than the first policy;
receive a request to access a resource of the computer from the process executing within the computer; and
responsive to receiving the request, determine whether to grant access to the resource based on whether the first policy or the second policy is activated, wherein the process executing within the computer is granted access to the resource when the first policy is activated; and
the process executing within the computer is denied access to the resource when the second policy is activated, wherein the computer readable storage medium is not a signal.
2 Assignments
0 Petitions
Abstract
A facility for providing access authorization is provided. The facility initially enforces a first, less restrictive policy when making its access control decisions. Subsequent to detecting an anomaly, the facility enforces a second, more restrictive policy when making its access control decisions. The facility returns to enforcing the first, less restrictive policy when the anomaly no longer exists. In another embodiment, the facility enforces a policy after detecting an anomaly and until the anomaly has ended.
45 Citations
24 Claims
1. (Claim 1 as set out under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7.
8. A computer-readable storage medium whose contents cause a computer to:
activate a first policy applicable to an application program;
subsequent to activating the first policy, receive a first authorization query for a resource by the application program; and
return an allow decision for the first authorization query by applying the first policy applicable to the application program;
detect an anomalous state;
subsequent to detecting the anomalous state, receive a second authorization query for the resource by the application program; and
subsequent to detecting the anomalous state, return a deny decision for the second authorization query by applying a second policy applicable to the application program, wherein the computer readable storage medium is not a signal.
Dependent claims: 9, 18, 19, 20, 21, 22, 23.
10. A method in a computing system for applying a policy within a computer comprising:
receiving a first authorization query for access to a resource by an application program;
providing a response to the first authorization query indicating that access is authorized based on applying a first policy appropriate for the application program;
detecting an anomalous state;
subsequent to detecting the anomalous state, receiving a second authorization query for access to the resource by the application program;
providing a response to the second authorization query based on applying a second policy appropriate for the application program;
detecting an end to the anomalous state;
subsequent to detecting the end of the anomalous state, receiving a third authorization query for access to the resource by the application program; and
providing a response to the third authorization query indicating that access is authorized based on applying the first policy applicable to the application program.
Dependent claims: 11.
12. A system for applying a policy to determine authorization to access a resource, the system comprising:
a first policy applicable to a principal;
a second policy applicable to the principal; and
an authorization module operable to apply the first policy to the principal to determine whether the principal has authorization to perform a requested action on a computer in a non-anomalous state, the authorization module further operable to apply the second policy to the principal to determine whether the principal has authorization to perform the requested action on the computer in an anomalous state.
Dependent claims: 13, 14, 15, 16, 17.
24. A system for applying a policy to determine authorization to access a resource, the system comprising:
a first policy applicable to a process executing on a computer;
a second policy applicable to the process executing on the computer; and
an authorization module operable to apply the first policy to the process to determine whether the process is authorized to perform a requested action on the computer when the computer is in a non-anomalous state, the authorization module further operable to apply the second policy to the process to determine whether the process is authorized to perform the requested action on the computer when the computer is in an anomalous state, wherein the first and second policies are applied to the process executing on the computer.
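The mechanism the claims describe, worked through end to end as an added example (illustrative code written for this page, not the patent's own implementation or any product's): a first, permissive policy and a second, more restrictive one; a monitor over inbound packets that flags an anomalous state and later its end; and an authorization module that picks the policy by that state (claims 12 and 24), so the same request is allowed before the anomaly, denied during it (claim 8), and allowed again after it ends (claim 10). Everything specific here is an assumption of the example: `Policy` as an allow-list of (principal, resource, action) triples, "more restrictive" read as a strict subset of what the first policy allows (claim 1 only says "more restrictive"), a sliding-window SYN-rate counter standing in for "abnormal packet patterns", and the packet timeline, which is constructed.

```python
from collections import deque
from dataclasses import dataclass


# Added example, not the patent's code. A policy is modelled as an allow-list
# of (principal, resource, action) triples; the patent does not fix a format.
@dataclass(frozen=True)
class Policy:
    name: str
    allowed: frozenset

    def permits(self, principal: str, resource: str, action: str) -> bool:
        return (principal, resource, action) in self.allowed


def is_more_restrictive(second: Policy, first: Policy) -> bool:
    """Claim 1 requires the second policy to be 'more restrictive' than the
    first; this example reads that as: a strict subset of what the first allows."""
    return second.allowed < first.allowed


class PacketRateDetector:
    """Hypothetical stand-in for the claim's 'abnormal packet patterns' monitor:
    the host is anomalous while more than `threshold` inbound TCP SYNs (without
    ACK) fall inside any trailing `window` seconds."""

    def __init__(self, threshold: int, window: float) -> None:
        self.threshold = threshold
        self.window = window
        self._syn_times = deque()

    def observe(self, ts: float, tcp_flags: str) -> None:
        """Feed one inbound packet: its timestamp and TCP flag letters ('S', 'PA', ...)."""
        if "S" in tcp_flags and "A" not in tcp_flags:
            self._syn_times.append(ts)
        self._expire(ts)

    def anomalous(self, now: float) -> bool:
        """True while the SYN count in the trailing window exceeds the threshold;
        back to False once the burst ages out (the 'end' of the anomalous state)."""
        self._expire(now)
        return len(self._syn_times) > self.threshold

    def _expire(self, now: float) -> None:
        while self._syn_times and now - self._syn_times[0] > self.window:
            self._syn_times.popleft()


class AuthorizationModule:
    """Applies the first policy in the non-anomalous state and the second in the
    anomalous state; each decision records which policy produced it."""

    def __init__(self, first: Policy, second: Policy, detector: PacketRateDetector) -> None:
        if not is_more_restrictive(second, first):
            raise ValueError("second policy must be more restrictive than the first")
        self.first, self.second, self.detector = first, second, detector

    def authorize(self, now: float, principal: str, resource: str, action: str) -> tuple:
        policy = self.second if self.detector.anomalous(now) else self.first
        decision = "allow" if policy.permits(principal, resource, action) else "deny"
        return decision, policy.name


def run_scenario() -> list:
    """Constructed timeline: background traffic, a SYN burst, then quiet.
    Returns the (decision, policy name) pair for each of four authorization queries."""
    first = Policy("normal", frozenset({
        ("updater", "net:443", "connect"),
        ("updater", "/var/log/updater.log", "write"),
    }))
    second = Policy("restricted", frozenset({
        ("updater", "/var/log/updater.log", "write"),   # logging stays allowed
    }))
    authz = AuthorizationModule(first, second, PacketRateDetector(threshold=20, window=1.0))

    # Constructed inbound packets as (timestamp_seconds, tcp_flags).
    packets = [(0.0, "S"), (0.5, "S"), (1.0, "S")]           # ordinary background
    packets += [(2.0 + i * 0.01, "S") for i in range(50)]     # 50 SYNs in 0.5 s
    packets += [(2.3, "A"), (2.4, "PA")]                       # ACKs are not counted
    queries = [
        (1.2, ("updater", "net:443", "connect")),              # before the burst
        (2.6, ("updater", "net:443", "connect")),              # during the anomaly
        (2.7, ("updater", "/var/log/updater.log", "write")),   # still permitted when restricted
        (4.0, ("updater", "net:443", "connect")),              # after the burst ages out
    ]
    # Packets and queries must be processed in time order for the window to be right.
    timeline = sorted([(ts, "pkt", p) for ts, p in packets] +
                      [(ts, "query", q) for ts, q in queries], key=lambda e: e[0])
    results = []
    for ts, kind, payload in timeline:
        if kind == "pkt":
            authz.detector.observe(ts, payload)
        else:
            results.append(authz.authorize(ts, *payload))
    return results


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

Two points a practitioner would check in such a design, neither of which the claims address: the anomaly signal becomes a security input to authorization, so whoever can provoke the anomalous state (here, anyone who can send a SYN burst) can deny the process resources it would otherwise be granted, and whoever can quieten the signal returns the host to the permissive policy; and a detector without a hold-down period will flap around the threshold, alternating allow and deny decisions for identical requests.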
Specification