DETECTING ANOMALIES IN ACCESS CONTROL LISTS
First Claim
1. A method implemented on a computing device having a processor for detecting candidate anomalies in an access control list, comprising:
using the computing device having the processor to perform the following:
inputting the access control list and a list of semantic groups;
extracting policy statements from the access control list;
detecting any candidate object-level anomalies using the extracted policy statements;
generating a real-time anomaly detection report containing the candidate object-level anomalies; and
presenting the real-time anomaly detection report in real time to an administrator for verification and correction of the candidate object-level anomalies.
2 Assignments
0 Petitions
Abstract
An access control anomaly detection system and method to detect potential anomalies in access control permissions and report those potential anomalies in real time to an administrator for possible action. Embodiments of the system and method input access control lists and semantic groups (or any dataset having binary matrices) to perform automated anomaly detection. This input is processed in three broad phases. First, policy statements are extracted from the access control lists. Next, object-level anomaly detection is performed using thresholds by categorizing outliers in the policies discovered in the first phase as potential anomalies. This object-level anomaly detection can yield object-level security anomalies and object-level accessibility anomalies. Group-level anomaly detection is performed in the third phase by using the semantic groups and the user sets extracted in the first phase to find maximal overlaps using group mapping. This group-level anomaly detection can yield group-level security anomalies and group-level accessibility anomalies.
31 Citations
20 Claims
1. A method implemented on a computing device having a processor for detecting candidate anomalies in an access control list, comprising:
using the computing device having the processor to perform the following:
inputting the access control list and a list of semantic groups;
extracting policy statements from the access control list;
detecting any candidate object-level anomalies using the extracted policy statements;
generating a real-time anomaly detection report containing the candidate object-level anomalies; and
presenting the real-time anomaly detection report in real time to an administrator for verification and correction of the candidate object-level anomalies.
Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. A method implemented on a computing device having a processor for auditing an access control list to identify potential anomalies, comprising:
using the computing device having the processor to perform the following:
extracting from the access control list a policy statement pair having a user portion and an object portion;
determining a first object-level anomaly threshold, a second object-level anomaly threshold, and a third object-level anomaly threshold;
constructing a first user comparison term and a second user comparison term from the user portion;
constructing an object comparison term from the object portion;
finding object-level anomalies using the first and the second comparison terms, the object comparison term, and the first, second, and third anomaly thresholds;
determining a cover set and an unmatched user set;
finding group-level anomalies using the cover set and the unmatched user set;
generating a real-time anomaly detection report containing the object-level anomalies and the group-level anomalies; and
displaying the real-time anomaly detection report containing the object-level anomalies and the group-level anomalies to an administrator in real time for verification.
Dependent claims: 10, 11, 12, 13, 14, 15, 16, 17, 18
19. A computer-implemented method for finding anomalies in an access control list, comprising:
grouping objects in a hash table having a same set of users to create an input matrix;
extracting a policy statement pair from the access control list by generating the policy statement pair for a unique bit-string in the input matrix;
obtaining three object-level anomaly thresholds;
constructing a first user comparison term and a second user comparison term from a user portion of the policy statement pair;
constructing an object comparison term from an object portion of the policy statement pair;
determining that the first user comparison term, the second user comparison term, and the object comparison term are less than or equal to the respective object-level anomaly thresholds;
finding a candidate object-level accessibility anomaly by determining that some users in the policy statement pair do not have access to a second object set while users in a first object set do have access;
finding a candidate object-level security anomaly by determining that some users in the policy statement pair have access to the second object set and that users in the first user set also have access;
performing group mapping to generate a cover set and an unmatched user set;
determining group-level accessibility anomalies and group-level security anomalies using the cover set and the unmatched user set;
generating a real-time anomaly detection report containing the candidate object-level accessibility anomalies, the object-level security anomalies, the group-level accessibility anomalies, and the group-level security anomalies; and
displaying the real-time anomaly detection report in real time to an administrator.
Dependent claims: 20
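The three phases described in the abstract and in claim 19 (policy extraction by identical user columns, thresholded object-level outlier pairs, group mapping against semantic groups), worked through on a small constructed ACL. This is an added illustration, not the patent's own code; the concrete comparison terms (fraction of users lacking an object set, object-set size ratio), the threshold values and the Jaccard overlap used for group mapping are my assumptions about one plausible instantiation.

```python
from collections import defaultdict
from itertools import permutations

ACL = {  # constructed sample: object -> users with access (a column of the binary matrix)
    "budget.xlsx":   {"ann", "bob", "cat", "dan"},
    "forecast.xlsx": {"ann", "bob", "cat", "dan"},
    "payroll.db":    {"ann", "bob", "cat"},                # dan is the odd one out
    "hr_notes.txt":  {"ann", "bob", "cat", "dan", "eve"},  # eve is the odd one out
}
GROUPS = {"finance": {"ann", "bob", "cat", "dan"}, "legal": {"eve", "fay"}}  # constructed

def extract_policies(acl):
    """Phase 1: objects with identical user columns share one policy statement
    (users, objects); the frozenset key stands in for the unique bit-string."""
    table = defaultdict(set)
    for obj, users in acl.items():
        table[frozenset(users)].add(obj)
    return [(users, frozenset(objs)) for users, objs in table.items()]

def object_level_anomalies(policies, t_missing=0.25, t_extra=0.25, t_obj=2.0):
    """Phase 2: assumed comparison terms per ordered pair (U1,O1),(U2,O2): fraction of
    U1 lacking O2, fraction of U2 lacking O1, object-set size ratio; all within thresholds
    means a near-identical pair whose few differing users are the candidates."""
    found = []
    for (u1, o1), (u2, o2) in permutations(policies, 2):
        missing, extra = u1 - u2, u2 - u1
        if (len(missing) / len(u1) <= t_missing and len(extra) / len(u2) <= t_extra
                and len(o1) / len(o2) <= t_obj):
            if missing:  # hold O1 like their peers but lack O2: may need access
                found.append(("accessibility", frozenset(missing), o2))
            if extra:    # hold O2 but, unlike nearly all O2 holders, lack O1
                found.append(("security", frozenset(extra), o2))
    return found

def group_level_anomalies(policies, groups, min_overlap=0.5):
    """Phase 3: map each user set onto the semantic group with maximal overlap (assumed
    Jaccard score); group members missing from the user set are accessibility
    candidates, users outside the cover set (unmatched users) security candidates."""
    found = []
    for users, objs in policies:
        score = lambda g: len(g & users) / len(g | users)
        name, grp = max(groups.items(), key=lambda kv: score(kv[1]))
        if score(grp) < min_overlap:
            continue  # no semantic group explains this user set
        if grp - users:
            found.append(("group-accessibility", name, frozenset(grp - users), objs))
        if users - grp:
            found.append(("group-security", name, frozenset(users - grp), objs))
    return found

def report(acl=ACL, groups=GROUPS):
    policies = extract_policies(acl)
    return object_level_anomalies(policies) + group_level_anomalies(policies, groups)
```

Note that phase 2 reports dan's budget access as a security candidate as well as his missing payroll access as an accessibility candidate; it is the group mapping in phase 3 that narrows this to "dan is in finance and lacks payroll.db" and "eve is outside finance yet holds hr_notes.txt", which is what the administrator would verify.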
Specification