An access control system is implemented with a maximum-likelihood "soft" decision process that determines whether a user's actions are most like those of a valid user or most like those of a hacker. Data obtained from transactions involving both valid users and hackers is clustered in a multidimensional attribute space, with each of the clusters representing an attribute profile of similar user behaviors. The similarity between the attributes of an access attempt and the attribute profiles represented by the clusters is evaluated, to identify profiles of valid and fraudulent users that most closely resemble the attributes of the access attempt. An access decision can then be made simply based upon which type of user (valid or fraudulent) the access attempt most closely resembles. Alternatively, the access decision can be made by comparing probabilities of eligibility for access, based upon the relative closeness of the resemblances between the profiles for valid and fraudulent users and the profile of the user attempting to gain access, and a function which relates the probability of eligibility to other factors, such as the confidence of the decision, the value of the resource, and so on. In this way, a particular access request is characterized as most likely valid or most likely fraudulent. The history of previous access attempts by particular users may be stored and used subsequently in the access decision process.