Title of invention: System and method for adaptive control of user actions based on user's behavior
Abstract: Disclosed are system, method and computer program product for adaptive control of actions of a user on a computer system. The system monitors one or more actions of the user, applies restriction rules to detect prohibited user actions, and blocks prohibited actions that violate at least one restriction rule. The system also collects information on allowed actions of the user and corresponding system events, analyzes in real-time the collected information about system events corresponding to the allowed actions to detect anomalous actions that did not violate any of the restriction rules, but caused abnormal increase in the usage of certain system resources. When an anomalous action is detected, the system identifies restriction rules that are associated with the detected anomalous action and edits these rules or creates new restriction rules to include the anomalous action prohibited to the user.
Publication number: US8793207(B1) | Publication date: 2014.07.29
Application number: US201313749266 | Filing date: 2013.01.24
Applicant: Kaspersky Lab ZAO | Inventors: Ledenev Alexander V.; Kolotinsky Evgeny B.; Ignatyev Konstantin S.
Classification: G06F19/24 | Main classification: G06F19/24
Agency: Arent Fox LLP | Agents: Arent Fox LLP; Fainberg Michael
Independent claim: 1. A method for adaptive control of user actions on a computer system, comprising: monitoring, by a hardware processor, one or more actions of the user on the computer system; identifying one or more prohibited actions of the user that violate one or more restriction rules; blocking prohibited actions of the user that violate one or more restriction rules; collecting information about allowed actions of the user and one or more system events corresponding to the allowed actions of the user; analyzing the collected information about system events corresponding to the allowed actions of the user using configuration rules to detect one or more anomalous actions of the user, wherein an anomalous action of the user does not violate any of the restriction rules, but causes one or more of an abnormal increase in the usage of certain system resources, loading of certain content, launching of certain application, and usage of a data entry device; when an anomalous action is detected based on a violation of at least one of the configuration rules, determining whether one or more restriction rules correspond to a template of at least one of the violated configuration rules; when no corresponding restriction rule is identified, allowing execution of the anomalous action of the user on the computer system; when a corresponding restriction rule is identified, (i) editing the corresponding restriction rule or creating a new restriction rule to include the anomalous action prohibited to the user, and (ii) blocking the anomalous action on the computer system; and when the new restriction rule is created: (i) collecting information on operation of the new restriction rule; (ii) analyzing the collected information on operation of the new restriction rule to determine whether the new restriction rule operates correctly; and (iii) if the new restriction rule does not operate correctly, editing the new restriction rule.
Address: Moscow RU