US-12627704-B2 - Systems and methods for access control

Abstract

A computer-implemented method for access control includes detecting, by a security agent of a computing device, a request by a user of the computing device for access to a controlled asset. The method also includes authenticating, by the security agent, the user in response to the request. The method includes granting, by the security agent, access to the controlled asset based on determining that an initial risk score for the authenticated user does not exceed a predetermined threshold. Additionally, the method includes periodically calculating, by the security agent using at least one security policy and at least one machine learning model, an updated risk score of the authenticated user based on a behavior of the user. The method further includes performing a security action in response to determining the updated risk score exceeds the predetermined threshold. Various other methods, systems, and computer-readable media are also disclosed.

Inventors

• Steven Einbender
• Alfred Hartmann

Assignees

• HOME DEPOT PRODUCT AUTHORITY, LLC

Dates

Publication Date

20260512

Application Date

20240702

Claims (17)

1. 1 . A computer-implemented method for access control, the method comprising: detecting, by a security agent of a computing device, a request by a user of the computing device for access to a controlled asset; authenticating, by the security agent, the user in response to the request; granting, by the security agent, access to the controlled asset based on determining that an initial risk score for the authenticated user does not exceed a predetermined threshold; periodically calculating, by the security agent using at least one security policy and at least one machine learning model, an updated risk score of the authenticated user based on a behavior of the user; and performing a security action to mitigate a security risk associated with the user in response to determining the updated risk score exceeds the predetermined threshold; wherein periodically calculating the updated risk score comprises: calculating, for each of the at least one security policy and the at least one machine learning model, a cumulative risk weight for the behavior of the user during a current time period, an average risk weight over a shifting time period, and a standard deviation of risk weights over an extended time period; combining, for each of the at least one security policy and the at least one machine learning model, the cumulative risk weight, the average risk weight, and the standard deviation into a respective total risk score; and combining each of the respective total risk scores into the updated risk score; and wherein the extended time period and the shifting time period are longer than the current time period and the extended time period is longer than the shifting time period.
2. 2 . The method of claim 1 , wherein the controlled asset comprises at least one of: an application; a storage; a network; a process of the computing device; or a remote resource.
3. 3 . The method of claim 1 , wherein authenticating the user comprises: authenticating an identity of the user; and identifying at least one authorized privilege associated with the identity of the user.
4. 4 . The method of claim 3 , wherein the identity of the user comprises at least one of: a personal identity of the user; an identity of the computing device used by the user; or a process identifier associated with the user using the computing device.
5. 5 . The method of claim 1 , wherein determining that the initial risk score does not exceed the predetermined threshold comprises: calculating the initial risk score using the at least one security policy and the at least one machine learning model; combining a result of the at least one security policy and a result of the at least one machine learning model; and comparing the combination with the predetermined threshold.
6. 6 . The method of claim 1 , wherein granting access to the controlled asset comprises establishing a secure user session for the user on the computing device to access the controlled asset.
7. 7 . The method of claim 6 , wherein periodically calculating the updated risk score comprises: monitoring the behavior of the user during the secure user session; and dynamically updating the initial risk score based on the behavior of the user during the secure user session.
8. 8 . The method of claim 7 , wherein monitoring the behavior of the user comprises at least one of: monitoring a usage of an application of the computing device; monitoring a usage of a storage of the computing device; monitoring a usage of a network of the computing device; monitoring a usage of a process of the computing device; or monitoring a usage of a remote resource.
9. 9 . The method of claim 1 , wherein the at least one security policy comprises at least one of: a set of rules for risk assessment; or advanced analytics that apply behavioral context to the set of rules for risk assessment.
10. 10 . The method of claim 1 , wherein the at least one machine learning model comprises at least one of: a behavioral model comprising multiple unsupervised models with baseline risk weights, wherein each unsupervised model is trained using historical behaviors within a predetermined time period, to predict a confidence interval of a security risk for the current time period; or a behavioral model comprising multiple supervised models with probabilistic risk weights, wherein each supervised model is trained using labeled training data within the predetermined time period, to predict a probability of the security risk for the current time period.
11. 11 . The method of claim 1 , wherein performing the security action comprises at least one of: terminating access to the controlled asset; terminating a user session; restricting a use of the controlled asset; restricting a use of a different resource; blocking the user of the computing device; blocking a process of the computing device; quarantining the computing device; updating a security report; and alerting an administrator.
12. 12 . The method of claim 1 , further comprising retraining the at least one machine learning model using the updated risk score and the behavior of the user.
13. 13 . A system for access control, the system comprising: at least one processor; and a memory having stored thereon instructions executable by the processor to cause the system to perform one or more operations, the instructions comprising: a detection module, stored in memory, that causes a security agent of a computing device to detect a request by a user of the computing device for access to a controlled asset; an authentication module, stored in memory, that causes the security agent to authenticate the user in response to the request; a grant module, stored in memory, that causes the security agent to grant the authenticated user access to the controlled asset based on determining that an initial risk score for the authenticated user does not exceed a predetermined threshold; a calculation module, stored in memory, that causes the security agent to periodically calculate, using at least one security policy and at least one machine learning model, an updated risk score of the authenticated user based on a behavior of the user; and a security module, stored in memory, that causes the security agent to perform a security action to mitigate a security risk associated with the user in response to determining the updated risk score exceeds the predetermined threshold; wherein the at least one processor executes instructions stored in the memory comprising the detection module, the authentication module, the grant module, the calculation module, and the security module; wherein the calculation module periodically calculates the updated risk score by: calculating, for each of the at least one security policy and the at least one machine learning model, a cumulative risk weight for the behavior of the user during a current time period, an average risk weight over a shifting time period, and a standard deviation of risk weights over an extended time period; combining, for each of the at least one security policy and the at least one machine learning model, the cumulative risk weight, the average risk weight, and the standard deviation into a respective total risk score; and combining each of the respective total risk scores into the updated risk score; and wherein the extended time period and the shifting time period are longer than the current time period and the extended time period is longer than the shifting time period.
14. 14 . The system of claim 13 , wherein the grant module determines that the initial risk score does not exceed the predetermined threshold by: calculating the initial risk score using the at least one security policy and the at least one machine learning model; combining a result of the at least one security policy and a result of the at least one machine learning model; and comparing the combination with the predetermined threshold.
15. 15 . The system of claim 13 , wherein the grant module grants access to the controlled asset by establishing a secure user session for the user on the computing device to access the controlled asset.
16. 16 . The system of claim 15 , wherein the calculation module periodically calculates the updated risk score by: monitoring the behavior of the user during the secure user session; and dynamically updating the initial risk score based on the behavior of the user during the secure user session.
17. 17 . A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to: detect, by a security agent of the computing device, a request by a user of the computing device for access to a controlled asset; authenticate, by the security agent, the user in response to the request; grant, by the security agent, access to the controlled asset based on determining that an initial risk score for the authenticated user does not exceed a predetermined threshold; periodically calculate, by the security agent using at least one security policy and at least one machine learning model, an updated risk score of the authenticated user based on a behavior of the user; and perform a security action to mitigate a security risk associated with the user in response to determining the updated risk score exceeds the predetermined threshold; wherein periodically calculating the updated risk score comprises: calculating, for each of the at least one security policy and the at least one machine learning model, a cumulative risk weight for the behavior of the user during a current time period, an average risk weight over a shifting time period, and a standard deviation of risk weights over an extended time period; combining, for each of the at least one security policy and the at least one machine learning model, the cumulative risk weight, the average risk weight, and the standard deviation into a respective total risk score; and combining each of the respective total risk scores into the updated risk score; and wherein the extended time period and the shifting time period are longer than the current time period and the extended time period is longer than the shifting time period.

Description

TECHNICAL FIELD This disclosure generally relates to zero trust access control of managed assets over time, given the behavior of authenticated users, using a combination of security rules and policies and trained machine learning models. BACKGROUND In controlled computing systems with potentially sensitive data or risky resources, users need to be authenticated and verified as having appropriate permissions. For example, a financial institution may require users to log in with security information, such as a password, to verify the user's identity. For tightly controlled systems, zero trust security may require all users to be authenticated and validated to determine whether each user has authorization to access data or resources. In other words, the system does not trust any users implicitly, and zero trust access controls are applied to control each user's access. Users that fail authentication may be blocked from accessing the system or resources. BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 is a flow diagram of an example method for zero trust access control. FIG. 2 is a block diagram of an example system for zero trust access control. FIG. 3 is a block diagram of an example system for monitoring controlled assets. FIG. 4 is a block diagram of training example machine learning models. FIG. 5 is an illustration of an example total risk score derived from different example time periods. FIG. 6 is a block diagram of an example combined risk score. FIG. 7 is a block diagram of an example retraining of a machine learning model. DETAILED DESCRIPTION Zero trust security controls access to data and resources for all users of a system. Conventional approaches can authenticate users or verify system access at a specific point in time, usually when access is first requested. These approaches may use pre-established authentication and authorization processes to determine the identity of users. For example, access may be granted based upon the authenticated identity and its authorized privileges. Authorized privileges can be assigned to each identity, and systems can retrieve this information from an account directory. Methods to authenticate users may be considered identity controls. Conventional systems often do not reassess security over time and may be based on only verifying user identify. For example, access that is granted to a particular user account may be time-bounded and limited, but users are typically not continuously re-assessed. These are often point-in-time decisions that only assess the initial login. However, identity controls may be weak against breaches of identifying data. For example, user accounts may be subjected to stolen identities, compromised credentials, malicious insiders, or compromised systems that subvert the authorized intent. This can lead to previously-authenticated users posing a threat to the system or to the controlled assets. Thus, better methods of continuously controlling user access are needed. Various embodiments of the present disclosure relate to systems, computer-implemented methods, and non-transitory computer readable media for zero trust access control. Using a security agent residing on an endpoint device, the disclosed embodiments may enable continuous and dynamic observation and analysis of user and endpoint activity. Then, the security agent may calculate an aggregated risk score for user behavior based on a combination of security policies and trained machine learning models. In addition, the security agent can determine that particular behavior or activity during a user session is a potential risk, based on the risk score, and subsequently perform various security actions to mitigate the risk. For example, the disclosed systems may dynamically revoke user access to a controlled asset in real time or change user account privileges. Thus, the security agent continuously performs a loop of observation, analysis, and restriction. Various embodiments of the present disclosure provide improvements to conventional approaches by adding a layer of security protection through continuous monitoring of authenticated users. Rather than only authenticating a user during an initial access request, the disclosed methods can provide an aggregated risk score associated with the initial access request as well as with continuous monitoring and risk assessment of the connection to a controlled asset. The security agent can use the calculated risk score to determine whether to approve the initial access request. The security agent can then continue to monitor and assess the risk score to determine whether to revoke the access. During a connected session, the disclosed systems may assess risk in near real-time, such as by periodically calculating a new risk score using the most recent behavior data in addition to evaluating user behavior for longer time periods. In addition, the disclosed systems may use a sliding time window to evaluate changes in behavior over time. More frequent calc