1. Field of the Invention
The present invention relates to a computer access control system, and more particularly to an automatic and dynamic access control system and method for assigning privileges based on observed behavior.
2. Description of the Related Art
Access and control of access are two prevailing paradigms in computer networks. The basic theories underlying access in its broad sense are centuries old. For example, access to clubs, such as the New York Yacht Club, has typically been based on an individual's standing in the community. Standing is the amalgamation of traits, credentials, references, and the like. Individuals who exhibit desirable traits are granted greater access to resources not available to another individual who has demonstrated undesirable traits.
Various methods of controlling access to computer file systems have been addressed and developed. For example, standard file systems, e.g. UNIX, are controlled by super-users, or those with the right to set access rights of others on the file system. Access control is based on a user ID. The user ID is limiting: with only one variable, the scope of the access control policies is limited. For example, with standard user ID-based access control, the super-user has no practical method to limit access to an operating system kernel upgrade to those with a sufficient level of expertise in maintaining and compiling kernels.
Another related art includes IRC. In IRC chat environments an individual either does or does not have access to a given chat community. This may depend on manual settings accessible by an administrator or the community. The same is true for the right to create and join new communities, or channels. After violating one or more of the community's rules, messages may be sent to the community's administrator, and subsequently the individual may have their access rights changed. The alteration of access rights in this situation requires several manual operations, and no automated process exists.
Online auctions, for example EBAY.com, provide a method of rating potential buyers and sellers based on other users' experiences with the individual. The rating takes the form of a +1, −1, or 0 from each user who has posted a rating for the individual. Buyers and sellers can then check both a list of comments and the sum of all numeric grades. For example, if a potential seller has both many positive comments and a high positive numeric grade, then a buyer should feel secure in doing business with the associated seller. Although this process does provide a means for a user to be rated on their behavior, no standardized grading process is used. Each commenter's numeric grade is based on individual opinions. Therefore, one reviewer's 1 rating might be another's 0. Also, the process is manual and requires user input; if no user makes a comment, then no rating will be available. Further, this and other methods lack a means to take into account the passage of time. For instance, a rating made two years ago has a lower credibility than one made last week. Finally, these systems do not function to change the individual's access privileges.
Another system which relates to privacy is PGP, or Pretty Good Privacy. This system provides users with a method for protecting data through asymmetric encryption. Although this affects others' access control, it does not do so on the basis of qualities of the requestor. Like the methods above, PGP must be altered manually if desired.
Alternatively, PICS provides a language to express meta-tags, but does not provide a method for updating the meta-tags.
Finally, PICSRules provides a method to filter information requests based on meta-tags. Like the PICS labels standard above, it does not provide a method to update meta-tags automatically, and it only provides yes/no responses. The method lacks a function to specify multiple types of access authorization, e.g. read-only, read-write, or read-write-execute.
Therefore a need exists for a system and method for dynamically enabling access control for a computer network user which is automatically generated based on the observed behavior of the individual.
In one embodiment of the present invention, a method for controlling an entity's access to a resource based on observed behavior of the entity is described. The method assigns the entity a default authorization meta-tag, monitors the entity's behavior, and updates the entity's meta-tag based upon the observed behavior.
The authorization meta-tag is multidimensional. Further, the meta-tag can be embodied in a PICS label. Further, access can be granted to the resource when the entity's authorization meta-tag satisfies the preset level of rating required by the resource policies. The resource can be, for example, data and executables.
The meta-tag may characterize, for example, an entity's dependability, expertise, interactivity, activity, quality of input and hostility, though other characteristics are contemplated. The meta-tag may further include a confidence level rating for one or more ratings contained in the meta-tag. The authorization meta-tag may change in relation to time.
Another embodiment of the present invention discloses a computer usable medium having computer readable program code for automatically updating a key-value rating based on the observed behavior of users. The computer readable program code in the computer program product includes a computer readable program code for causing a computer to retrieve a policy from a policy database, determine an update to the key-value rating, and post the updated key-value rating in the key-value rating database.
The key-value rating includes at least one pair of indicia describing a user. The key-value rating is stored and accessed as a meta-tag, the meta-tag having at least one key-value rating pair. Further, the key-value rating is assigned to a new user and stored in the key-value rating database. The key-value rating includes a value corresponding to the observable behavior.
The observed behavior is one of a defined observable behavior and a Boolean combination of defined observable behaviors. The Boolean combination is defined as a plurality of behaviors linked by an operation in a policy.
The computer determines an update by comparing the retrieved policy to the observed behavior. Further, the computer posts an update to the key-value rating database when the retrieved policy matches the observed behavior.
In another embodiment the invention includes a program storage device readable by machine, tangibly embodying a program of instructions executable by the machine for automatically updating a key-value rating based on observed behavior. A policy is retrieved from a policy database, an update to the key-value rating is determined, and the updated key-value rating is posted in a key-value rating database.
The key-value rating is assigned to new users as a default key-value rating. The key-value rating is stored in the key-value rating database. The key-value rating is modified according to the policy; the policy specifies the modification based on observed behavior.
The update is determined by comparing the retrieved policy to the observed behavior: if the observed behavior is equal to a behavior defined in the policy, the key-value rating is incremented; if the observed behavior is not equal to a behavior defined in the policy, the key-value rating is not updated.
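The following is an added illustration, not code from the patent, of the embodiments above: a default multidimensional meta-tag is assigned to a new entity, each policy in a constructed policy database encodes a Boolean combination of defined behaviors and the increment it applies, only matching policies post an update, and a resource grants access when the ratings meet its preset levels. The characteristic names follow the text; the behavior names, zero start values and threshold values are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional

# Default authorization meta-tag assigned to every new entity. The keys are
# characteristics named in the text; starting every rating at 0 is assumed.
DEFAULT_META_TAG: Dict[str, int] = {"dependability": 0, "expertise": 0, "hostility": 0}


@dataclass(frozen=True)
class Policy:
    """One policy record: a Boolean combination (AND/OR) of defined
    behaviour names and the increment applied to one key-value rating."""
    key: str
    delta: int
    matches: Callable[[FrozenSet[str]], bool]


# Constructed policy database; the behaviour names are illustrative only.
POLICY_DB: List[Policy] = [
    Policy("expertise", +1, lambda b: {"compiled_kernel", "build_succeeded"} <= b),
    Policy("hostility", +1, lambda b: bool(b & {"flooded_channel", "sent_abuse"})),
    Policy("dependability", +1, lambda b: "task_completed_on_time" in b),
]


def new_entity() -> Dict[str, int]:
    """Assign the default authorization meta-tag to a new entity."""
    return dict(DEFAULT_META_TAG)


def update_meta_tag(meta_tag: Dict[str, int], observed: FrozenSet[str],
                    policy_db: List[Policy] = POLICY_DB) -> Dict[str, int]:
    """Retrieve each policy, compare it to the observed behaviour and post an
    update only when it matches; a non-matching policy leaves the rating as is."""
    updated = dict(meta_tag)
    for policy in policy_db:
        if policy.matches(observed):
            updated[policy.key] = updated.get(policy.key, 0) + policy.delta
    return updated


def access_granted(meta_tag: Dict[str, int], minimum: Dict[str, int],
                   maximum: Optional[Dict[str, int]] = None) -> bool:
    """Grant access when every rating named by the resource policy meets its
    preset level: at least `minimum`, and (e.g. for hostility) at most `maximum`."""
    maximum = maximum or {}
    return (all(meta_tag.get(k, 0) >= v for k, v in minimum.items())
            and all(meta_tag.get(k, 0) <= v for k, v in maximum.items()))


if __name__ == "__main__":
    tag = new_entity()
    tag = update_meta_tag(tag, frozenset({"compiled_kernel", "build_succeeded"}))
    tag = update_meta_tag(tag, frozenset({"compiled_kernel"}))  # AND not satisfied: unchanged
    print(tag, access_granted(tag, {"expertise": 1}, {"hostility": 0}))
```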