Data processing: artificial intelligence – Miscellaneous
Reexamination Certificate
1999-03-12
2001-12-25
Powell, Mark R. (Department: 2122)
C706S052000
active
06334121
ABSTRACT:
BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention generally relates to computer system security and, more particularly, to authenticating users at the operating system level in multi-user computer systems. It supports system administrators in limiting the ability of unauthorized users to disrupt system operations by using a neural network and a set of rules to track usage patterns and flag suspicious activity on the system.
2. Background Description
Multi-user operating systems often have holes in their built-in security measures that allow access by unauthorized users. The UNIX operating system (OS) will be used to illustrate the state of operating system security; however, these problems exist in varying degrees for many state-of-the-art operating systems today. (UNIX is a registered trademark of SCO.)
The UNIX operating system, though used extensively in all kinds of environments, was not really designed with security in mind. See “On the Security of UNIX” by Dennis M. Ritchie (reprinted in UNIX System Manager's Manual 4.3, Berkeley Software Distribution, University of California, April 1986). The need for greater security arose in the early 1980's when universities moved their UNIX systems from laboratories to computer centers and many business and government institutions started installing UNIX systems. Additional features such as remote login, remote command execution, file transfer, electronic mail and networking have made operating systems more complex. Moreover, massive connection of UNIX systems to the Internet has opened more possibilities of security attack on these systems.
FIG. 1 shows a block diagram of a UNIX system server 102 connected to both a Local Area Network (LAN) 103 and the Internet 104. The LAN 103 includes a plurality of client workstations 105_i to 105_n which access the system server 102. Additional client workstations 106_i to 106_n also access the system server 102 via the Internet 104. The system server 102 includes a data storage device 107, such as one or more mass storage devices, storing databases and other information which may be accessed by a workstation, either via the LAN 103 or the Internet 104.
Security is one of the biggest concerns for open systems like UNIX. As the systems and tools become more secure, the hackers, or persons intent on “breaking” into the systems, become even more knowledgeable. If a UNIX system has connectivity outside of a “trusted” network (i.e., the LAN 103), for instance when connected to the Internet 104, various security barriers have been devised, as generally indicated at 108. Such barriers are known in the art as “firewalls”. However, these security barriers can be breached.
Security problems can result in costly disruptions of normal operations and/or the loss of private or proprietary data through destruction or theft. Depending on the importance of the data, its loss or theft may pose a personal, business, national or international threat. While the extent of damage can be minimized by various measures, the optimal solution is to prevent any intrusion or break-in, or at least to minimize the damage if an intrusion does occur.
The goals of computer and network security are three-fold:
Integrity of data—deals with preservation of contents against all unauthorized change.
Privacy of information—relates to restricting access to objects only to authorized persons.
Availability of computer resources—implies that all authorized users have access to the system for legitimate use.
Typically, a process of authentication restricts user access to a computer system. All modern computing systems that support multiple users have a means of identifying who is using the computer at any given time. User authentication is typically implemented in the form of password protection. Password protection is, however, a weak defense. Passwords that are not randomly generated can often be easily cracked. Passwords that are randomly generated pose a different threat because they are often written down so as not to be forgotten.
Security problems arise when someone breaks into a system using a legitimate user identification (ID) with the intent of doing illegitimate activities. In the UNIX OS, for instance, a special user (root) is used for administrative purposes. Anyone gaining access to the root account can bypass all security restrictions within the system. In the UNIX OS, the finger or who commands are typically used to determine who is logged on.
These commands return the account IDs (userids) of all persons presently logged on. Currently, the system administrator 101 has no way to verify that the person using a particular ID is in fact the owner of that ID.
SUMMARY OF THE INVENTION
It is therefore an object of the invention to provide support to system administrators in limiting the ability of unauthorized users to disrupt system operations by monitoring and reporting abnormal user usage patterns.
The present invention is a method that will prevent a destructive command from being executed. Several commands for each of the system users are tracked. A combination of security rules and user usage patterns is used to flag suspicious activity on the system. Security rules are centered around those types of commands that are potentially destructive in nature and take into account the user's normal level of access privileges. For example, if a typical user tries to assign himself “super user”, or root, privileges, the security rules catch this and take appropriate action to limit further damage. The attempt is then logged to a system security file that the system administrator will review, or other appropriate action is taken automatically. A unique advantage of the invention is that it can prevent previously authorized users from executing destructive commands by detecting unusual patterns in their usage of the system.
It is another object of the invention to incorporate machine learning techniques into the method.
An artificial neural network learns a user's usage patterns and integrates these with the security rules. The neural network will recognize normal usage patterns for a particular user. When the commands do not follow the normal usage pattern, the commands used will be checked against the system's security rules. For example, should someone steal a userid and password and start using commands in a pattern unusual for the legitimate user, the present invention will detect a difference in the pattern of command usage. When such a difference is detected, it will be compared against the set of security rules and the system will take the appropriate action. All of the activity of the security rules will be logged for the system administrator's review.
The implementation of the security system in the present invention is invisible to the user. Users will not know that their command usage pattern is kept on the system and updated by a neural network. The neural network technology is such that the exact usage patterns stored therein are indecipherable, even to the most determined intruder. To make the system even more invisible, the commands captured by the system are encoded before being run through the neural network and the security rules. The files that do this are hidden in the user's directory, but they contain only encoded information, so users are not able to read them. These files can be changed only by the system administrator. The system may also have two or more threshold levels for security monitoring: one for normal operations and any number for heightened security.
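The following Python sketch is an added example, not code from the patent or its assignee, of the monitoring flow described in the preceding paragraphs: a per-user profile of past commands, an anomaly gate with a normal and a heightened threshold, security rules that are applied only to unusual commands and that take the user's privilege level into account, and a security log for the administrator. It assumes a command-frequency model in place of the neural network, HMAC-SHA256 in place of whatever encoding the patent intends, and a constructed rule table, privilege table and command history.

```python
"""Usage-pattern command monitor (added illustration; not the patent's code).

Assumptions not taken from the patent: the per-user profile is a frequency
model standing in for the neural network; command names are encoded with a
keyed hash before being stored; PROFILE_KEY, THRESHOLDS, PRIVILEGE and RULES
are constructed for the example.
"""
import hashlib
import hmac
from collections import Counter

PROFILE_KEY = b"administrator-only-secret"   # assumption: readable by the sysadmin only

# Two monitoring levels: a command is checked against the rules only when its
# anomaly score reaches the threshold of the active level.
THRESHOLDS = {"normal": 0.9, "heightened": 0.5}

PRIVILEGE = {"alice": "user", "root": "admin"}   # constructed privilege table


def encode(token: str) -> str:
    """Keyed one-way encoding so a stored profile does not reveal the commands."""
    return hmac.new(PROFILE_KEY, token.encode(), hashlib.sha256).hexdigest()[:16]


# Security rules: command name -> (description, predicate(argv, privilege)).
# The predicate returns True when the invocation is destructive for that privilege.
def _escalation(argv, priv):
    return priv != "admin"                       # non-admin trying to become root

def _recursive_rm(argv, priv):
    return any(a.startswith("-") and "r" in a for a in argv[1:])

def _setuid_chmod(argv, priv):
    return any("+s" in a or (a.isdigit() and len(a) == 4 and a[0] in "2467")
               for a in argv[1:])

RULES = {
    "su": ("privilege escalation attempt", _escalation),
    "sudo": ("privilege escalation attempt", _escalation),
    "rm": ("recursive file deletion", _recursive_rm),
    "chmod": ("setuid/setgid bit change", _setuid_chmod),
}


class UserProfile:
    """Frequency profile over encoded command names (stand-in for the neural network)."""
    def __init__(self):
        self.counts = Counter()

    def learn(self, cmd):
        self.counts[encode(cmd)] += 1

    def anomaly(self, cmd):
        """0.0 for the user's most frequent command, 1.0 for one never seen."""
        if not self.counts:
            return 1.0
        return 1.0 - self.counts[encode(cmd)] / max(self.counts.values())


class Monitor:
    def __init__(self, level="normal"):
        self.level = level
        self.profiles = {}
        self.security_log = []                   # what the administrator reviews

    def train(self, user, history):
        prof = self.profiles.setdefault(user, UserProfile())
        for line in history:
            prof.learn(line.split()[0])

    def evaluate(self, user, cmdline):
        argv = cmdline.split() or [""]
        cmd = argv[0]
        prof = self.profiles.setdefault(user, UserProfile())
        score = prof.anomaly(cmd)
        action, rule_name = "allowed", None
        if score >= THRESHOLDS[self.level]:      # unusual for this user: apply the rules
            rule = RULES.get(cmd)
            if rule and rule[1](argv, PRIVILEGE.get(user, "user")):
                action, rule_name = "blocked", rule[0]
                self.security_log.append(
                    f"user={user} level={self.level} score={score:.2f} "
                    f"rule={rule_name!r} cmd={encode(cmd)}")
        if action == "allowed":
            prof.learn(cmd)                      # only accepted commands shape the profile
        return {"user": user, "command": cmd, "score": round(score, 2),
                "action": action, "rule": rule_name}


if __name__ == "__main__":
    m = Monitor("normal")
    m.train("alice", ["ls -l", "cd src", "vi main.c", "make", "ls", "ls"])  # constructed history
    for line in ["ls -a", "su -", "rm -rf /home/alice/src", "rm notes.txt"]:
        print(m.evaluate("alice", line))
    print(*m.security_log, sep="\n")
```

Two caveats a practitioner would attach to this design. First, the profile is updated from every accepted command, so an intruder who begins with the victim's usual commands can drift the baseline before doing anything that trips a rule; in practice learning should be gated (for example, to an administrator-approved training window) rather than continuous. Second, the rules match only the first token of the command line, so aliases, full paths and shell built-ins are not covered, and the encoded profile is only as unreadable as PROFILE_KEY is unreadable to users, which is the same requirement the patent places on the hidden files in the user's directory.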
According to the invention, a user's normal usage pattern is learned by an artificial neural network and then used to detect abnormal activity. It reports on unusual happenings which may be very helpful in detecting unauthorized use of the system. If there is sufficient need, the system can be implemented to automatically alert the system ad
Primeaux David
Robinson, Jr. Willard L.
Sundar Doraiswamy
Booker Kelvin
McGurieWood LLP
Powell Mark R.
Virginia Commonwealth University
Usage pattern based user authenticator