Data resource control through a control policy defining an authorized context for utilization of a protected data resource

US 9,948,682 B2
Filed: 08/07/2016
Issued: 04/17/2018
Est. Priority Date: 08/11/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for controlling a data resource of a datastore, using a computer processor and a computer readable physical memory, comprising:

traversing a referent attribute of a first node of a non-hierarchical data structure referencing a security node,wherein the security node comprises a protected resource of the security node that is at least one of a protected primitive and a protected referent referring to a second node of the non-hierarchical data structure;

receiving an authorization request from a device for utilization of the protected resource of the security node, the authorization request comprising a state dataset comprising one or more state attributes each having a state value associated with a state of the device at generation of the authorization request;

referencing a control policy that defines an authorized context in which the device is authorized to utilize the protected resource of the security node, the control policy comprising a first component that is a control algorithm and optionally a second component that is a control dataset,wherein the control dataset comprising one or more control attributes each having a control value range, the control value range of each of the one or more control attributes usable as inputs to the control algorithm;

selecting the control algorithm to be extracted from the security node based on an application program generating the authorization request;

extracting the control algorithm of the control policy from the security node, the control algorithm comprising one or more conditionals each comparing a first input that is a context value with a second input that is any one of a different context value and a control value range of the control dataset,wherein the context value is at least one of the state value of one or more of the state attributes and an external value associated with a source other than the authorization request of the device, andwherein the one or more conditionals of the control algorithm are expressed in a Turing complete language, the Turing complete language comprising an if operation, a then operation, and an else operation;

retrieving each of the context value specified in the control algorithm from at least one of the state dataset and the external dataset;

determining that the context dataset conforms with the authorized context by evaluating each of one or more conditionals of the control algorithm; and

authorizing utilization of the protected resource of the security node by the device when it is determined that the context dataset conforms to the authorized context defined by the control policy.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed is a method, a device, and/or a system of a data resource control data structure. In one embodiment, a computer-implemented method includes receiving an authorization request from a device to utilize a protected resource within a datastore. A control policy that defines an authorized context in which the device is authorized to utilize the protected resource is extracted from a security node of a non-hierarchical data structure. The control policy includes a control algorithm and optionally a control dataset. Context values specified in the control algorithm are retrieved to form a context dataset. Utilization of the protected resource is authorized when it is determined by the control algorithm that the context dataset conforms to the authorized context. The security node may organize data into a domain structure that includes a unique identifier, an identity element, a content element, and a context element.

Citations

19 Claims

1. A computer-implemented method for controlling a data resource of a datastore, using a computer processor and a computer readable physical memory, comprising:
- traversing a referent attribute of a first node of a non-hierarchical data structure referencing a security node,wherein the security node comprises a protected resource of the security node that is at least one of a protected primitive and a protected referent referring to a second node of the non-hierarchical data structure;
  
  receiving an authorization request from a device for utilization of the protected resource of the security node, the authorization request comprising a state dataset comprising one or more state attributes each having a state value associated with a state of the device at generation of the authorization request;
  
  referencing a control policy that defines an authorized context in which the device is authorized to utilize the protected resource of the security node, the control policy comprising a first component that is a control algorithm and optionally a second component that is a control dataset,wherein the control dataset comprising one or more control attributes each having a control value range, the control value range of each of the one or more control attributes usable as inputs to the control algorithm;
  
  selecting the control algorithm to be extracted from the security node based on an application program generating the authorization request;
  
  extracting the control algorithm of the control policy from the security node, the control algorithm comprising one or more conditionals each comparing a first input that is a context value with a second input that is any one of a different context value and a control value range of the control dataset,wherein the context value is at least one of the state value of one or more of the state attributes and an external value associated with a source other than the authorization request of the device, andwherein the one or more conditionals of the control algorithm are expressed in a Turing complete language, the Turing complete language comprising an if operation, a then operation, and an else operation;
  
  retrieving each of the context value specified in the control algorithm from at least one of the state dataset and the external dataset;
  
  determining that the context dataset conforms with the authorized context by evaluating each of one or more conditionals of the control algorithm; and
  
  authorizing utilization of the protected resource of the security node by the device when it is determined that the context dataset conforms to the authorized context defined by the control policy.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, further comprising:
    - extracting the control dataset of the control policy from the security node of the non-hierarchical data structure; and
      
      assembling the control policy from the control dataset and the control algorithm.
  - 3. The method of claim 1,wherein the external value of the one or more external attributes is any one of a value retrieved from a memory address, a value retrieved from a function call, a value retrieved from an application programming interface (API), a value retrieved from one or more nodes of the datastore, and a value retrieved from a second state dataset of a device other than the device that generated the authorization request, andwherein the control value range specifies any one of a location, a geospatial coordinate, a type of device, an operating system, a type of application program, a query time, a query date, a number of uses of the protected resource, a type of use of the protected resource, a number of accesses of data of the protected resource, a duration of use of the data of the protected resource, and an identifier of an user,wherein the state value of the one or more state attributes is any one of a location of the device, a geospatial coordinate of the device, a type of the device, an operating system of the device, a type of application program running on the device, a time at which the authorization request was generated, a date on which the authorization request was generated, a number of uses of the protected resource by the device, a type of use of the protected resource by the device, a number of accesses of data of the protected primitive by the device, a duration of use of the data of the protected primitive by the device, and an identifier of an user of the device.
  - 4. The method of claim 1, wherein the security node organizes data according to a domain structure that comprises:
    - a unique identifier (UID) whereby the security node is uniquely addressable within the datastore;
      
      an identity element (TY element) comprising one or more attribute-value pairs that include an identification data to at least one of label the security node and distinguish the security node from any other node within the datastore;
      
      a content element (NT element) comprising one or more attribute-value pairs that include a contained data that the security node contains; and
      
      a context element (XT element) comprising one or more attribute-value pairs that include contextual data that further characterizes the security node.

5. A computer readable physical memory comprising:
- a plurality of nodes of a non-hierarchical data structure, the non-hierarchical data structured defined by at least one of the plurality of nodes includes a non-hierarchical reference to another of the plurality of nodes, each node of the plurality of nodes defined by a node structure comprising;
  
  an identifier (ID) of a particular node whereby the particular node is referenced by at least one of the plurality of nodes;
  
  a referent attribute that references at least one other node of the plurality of nodes,a security node of the non-hierarchical data structure, the security node defined by the node structure and further comprising;
  
  a protected resource secured by a control policy establishing an authorized context for which utilization of the protected resource is authorized, the control policy for evaluation a context dataset associated with an authorization request of a device in relation to the authorized context defined by the control policy, the control policy comprising a first component that is a control algorithm and optionally a second component that is a control dataset,wherein the context dataset is at least one of a state dataset that comprises a state value for each of one or more state attributes associated with a state of the device at generation of the authorization request and an external dataset comprising an external value for each of one or more external attributes associated with a source other than the authorization request of the device;
  
  the control algorithm that is the first component of the control policy comprising one or more conditionals each comparing a first input that is any of the state value of one or more state attributes and the external value of one or more external attributes with a second input that any of a different state value of the one or more state attributes, a different external value of the one or more external attributes, and a control value range of the control dataset, andan identifier of the control algorithm that applies the control algorithm when a specific application program generates the authorization request.
- View Dependent Claims (6, 7, 8, 9, 10, 11)
- - 6. The memory of claim 5, wherein the one or more conditionals of the control algorithm are expressed in a Turning complete language, the Turning complete language comprising an if operation, a then operation and an else operation.
  - 7. The memory of claim 5, wherein the security node is referred to as a shield node where the protected resource is a protected referent pointing to a specific node of the plurality of nodes, the specific node referred to as a shielded node.
  - 8. The memory of claim 5, wherein the security node further comprising:
    - the control dataset that is the second component of the control policy that is optional, the control dataset comprising one or more control attributes having a control value range specified for each of the one or more control attributes, the control value range of each of the one or more control attributes usable as an input to the control algorithm.
  - 9. The memory of claim 5, wherein the security node further comprising:
    - a first control algorithm used as the first component of the control policy when a first application program of the device generates the authorization request, anda second control algorithm used as the first component of the control policy when a second application program of the device generates the authorization request.
  - 10. The memory of claim 5,wherein the external value of the one or more external attributes is any one of a value retrieved from a memory address, a value retrieved from a function call, a value retrieved from an application programming interface (API), a value retrieved from one or more nodes of the datastore, and a value retrieved from a second state dataset of a device other than the device that generated the authorization request, andwherein the control value range specifies any one of a location, a geospatial coordinate, a type of device, an operating system, a type of application program, a query time, a query date, a number of uses of the protected resource, a type of use of the protected resource, a number of accesses of data of the protected resource, a duration of use of the data of the protected resource, and an identifier of a user,wherein the state value of the one or more state attributes is any one of a location of the device, a geospatial coordinate of the device, a type of the device, an operating system of the device, a type of application program running on the device, a time at which the authorization request was generated, a date on which the authorization request was generated, a number of uses of the protected resource by the device, a type of use of the protected resource by the device, a number of accesses of data of the protected primitive by the device, a duration of use of the data of the protected primitive by the device, and an identifier of a user of the device.
  - 11. The memory of claim 5, wherein the node structure further comprising:
    - an identity element (TY element) comprising one or more attribute-value pairs that include identification data to at least one of label the particular node and distinguish the particular node from any other node within the datastore,wherein the identifier (ID) of the particular node is a unique identifier (UID) whereby the particular node is uniquely addressable within the datastore;
      
      a content element (NT element) comprising one or more attribute-value pairs that include the contained data that the particular node contains; and
      
      a context element (XT element) comprising one or more attribute-value pairs that include contextual data that further characterizes the particular node.

12. A system comprising:
- a datastore comprising;
  
  a plurality of nodes of a non-hierarchical data structure, the non-hierarchical data structure defined by at least one of the plurality of nodes includes a non-hierarchical reference to another of the plurality of nodes, each node of the plurality defined by a node structure comprising;
  
  an identifier (ID) of a particular node whereby the particular node is referenced by at least one of the plurality of nodes, anda referent attribute that references at least one other node of the plurality of nodes,a security node of the non-hierarchical data structure, the security node defined by the node structure and further comprising;
  
  a protected resource secured by a control policy establishing an authorized context for which utilization of the protected resource is authorized, the control policy for evaluation of a context dataset associated with an authorization request of a device in relation to the authorized context defined by the control policy, the control policy comprising a first component that is a control algorithm and optionally a second component that is a control dataset,wherein the context dataset is at least one of a state dataset that comprises a state value for each of one or more state attributes associated with a state of the device at generation of the authorization request and an external dataset comprising an external value for each of one or more external attributes associated with a source other than the authorization request of the device,the control algorithm that is the first component of the control policy comprising one or more conditionals each comparing a first input that is any of the state value of one or more state attributes and the external value of one or more external attributes with a second input that is any of a different state value of the one or more state attributes, a different external value of the one or more external attributes, and a control value range of the control dataset, anda server comprising;
  
  a processor,a memory, anda computer readable physical memory comprising instructions to;
  
  receive the authorization request of the device;
  
  selecting the control algorithm to be extracted from the security node based on an application program generating the authorization request; and
  
  evaluate the context dataset associated with the authorization request with the control algorithm to determine an authorization of the protected resource.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The system of claim 12, wherein the one or more conditionals of the control algorithm are expressed in a Turing complete language, the Turing complete language comprising an if operation, a then operation, and an else operation.
  - 14. The system of claim 12, wherein the security node is referred to as a shield node where the protected resource is a protected referent pointing to a specific node of the plurality of nodes, the specific node referred to as a shielded node.
  - 15. The system of claim 12, the security node further comprising:
    - the control dataset that is the second component of the control policy that is optional, the control dataset comprising one or more control attributes having a control value range specified for each of the one or more control attributes, the control value range of each of the one or more control attributes usable as an input to the control algorithm.
  - 16. The system of claim 12, the security node further comprising:
    - a first control algorithm used as the first component of the control policy when a first application program of the device generates the authorization request, anda second control algorithm used as the second component of the control policy when a second application program of the device generates the authorization request.
  - 17. The system of claim 12, wherein the external value of the one or more external attributes is any one of a value retrieved from a memory address, a value retrieved from a function call, a value retrieved from an application programming interface (API), a value retrieved from one or more nodes of the datastore, and a value retrieved from a second state dataset of a device other than the device that generated the authorization request.
  - 18. The system of claim 12,wherein the control value range specifies any one of a location, a geospatial coordinate, a type of device, an operating system, a type of application program, a query time, a query date, a number of uses of the protected resource, a type of use of the protected resource, a number of accesses of data of the protected resource, a duration of use of the data of the protected resource, and an identifier of a user,wherein the state value of the one or more state attributes is any one of a location of the device, a geospatial coordinate of the device, a type of the device, an operating system of the device, a type of application program running on the device, a time at which the authorization request was generated by the device, a date on which the authorization request was generated by the device, a number of uses of the protected resource by the device, a type of use of the protected resource by the device, a number of accesses of data of the protected primitive by the device, a duration of use of the data of the protected primitive by the device, and an identifier of a user of the device.
  - 19. The system of claim 12, wherein the node structure further comprising:
    - an identity element (TY element) comprising one or more attribute-value pairs that include an identification data to at least one of label the particular node and distinguish the particular node from any other node within the datastore,wherein the identifier (ID) of the particular node is an unique identifier (UID) whereby the particular node is uniquely addressable within the datastore;
      
      a content element (NT element) comprising one or more attribute-value pairs that include a contained data that the particular node contains; and
      
      a context element (XT element) comprising one or more attribute-value pairs that include a contextual data that further characterizes the particular node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vescel LLC
Original Assignee
Vescel LLC
Inventors
Anton, Dhryl, McFall, Michael
Primary Examiner(s)
Shayanfar, Ali

Application Number

US15/230,421
Publication Number

US 20170048253A1
Time in Patent Office

618 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/10 for controlling access to d...

H04L 63/20 for managing network securi...

Data resource control through a control policy defining an authorized context for utilization of a protected data resource

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Data resource control through a control policy defining an authorized context for utilization of a protected data resource

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links