Post on 19-Dec-2015
Page 1
Modeling an Intelligent Continuous Authentication
System to Protect Financial Information
Resources
Thomas G. Calderon, Akhilesh Chandra, John J. Cheh
The University of Akron
Symposium on Information Systems Assurance: Integrity, Privacy, Security & Trust in an IT Context
October 20-22, 2005
Page 2
Objective
1. Examine fundamental principles of CA
2. Propose a four-tier framework for CA
3. Discuss implementation issues
Page 3
CA defined
CA is a process that verifies the identity of an information systems user continuously for the entire duration of an authorized session.
Page 4
Motivation
• Current IT environment feeds insecurity
• Controls vulnerable to threats
• Existing solutions are static
• Need for an alternate, robust and dynamic solution
• CA fits the bill !
Page 5
Implications
• Systems design
• Internal controls design
• Audit models and techniques
• Organizational learning
• Behavioral repercussions
• Integration with existing solutions & models
• Alternative technology based solutions
Page 6
Fundamental CA Issues
• Traditional Authentication Models
• CA: Network versus User
Page 7
Figure 1A: Static Authentication (diagram: over the duration of a single work session, one pass of Enrollment, Presentation and Evaluation produces a single authentication outcome)
Page 8
Conceptual Model of Authentication
Dynamic model (diagram: Enrolment, Presentation and Evaluation stages leading to a Permit Access or Deny Access outcome)
Page 9
Figure 1B: Continuous Authentication (diagram: the duration T of a single work session is divided into intervals t = 1, 2, …, n; interval 1 runs Enrollment, Presentation and Evaluation to an authentication outcome; every later interval runs an Autonomous Enrollment Update, Autonomous Presentation and Autonomous Evaluation to a fresh authentication outcome, in a dynamic environment with changes in the user profile; the slide's equation expresses T in terms of the intervals t_i, i = 1 … n)
Page 10
Figure 2: Physical model of a continuous authentication system (diagram: Enrollment, Presentation and Evaluation stages; an intelligent key stroke recognition device captures keystrokes at enrollment and presented keystrokes during the session; an autonomous agent running artificial intelligence software identifies patterns, monitors and evaluates the presented keystrokes against the captured ones and the transactions log, and issues the authentication outcome)
Page 11
Table 1: Summary of Four CA Levels

| Level | Probability statement | Threshold | Fundamental principles | Authentication factors |
|---|---|---|---|---|
| 1 | P(User) | ptu | Continuously assesses and verifies presence at a fixed location. | Knowledge, possession, and biometrics |
| 2 | P(User/Resource) | ptu/R | Continuously assesses and verifies presence and access to a resource. Does not attempt to verify the identities of entities that use specific privileges. Level 1 CA conditions are also satisfied. | Knowledge, possession, biometrics, and resources used |
| 3 | P(User/Workstation) | ptu/W | Continuously assesses and verifies presence at disparate locations. Does not attempt to verify the identities of entities that use specific privileges. Level 2 CA conditions are also satisfied. | Knowledge, possession, biometrics, resources used, and workstations |
| 4 | P(User/Transaction or Action) | ptu/A | Continuously assesses and verifies presence at all access points and monitors the identity of entities that use specific privileges. Level 3 CA conditions are also satisfied. | Knowledge, possession, biometrics, resources used, workstations, transactions profile and actions |
Page 12
Model Fundamentals
• Authentication confidences and thresholds
– Probabilistic values
versus
• Deterministic or binary authentication
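The contrast between a binary check at login and a probabilistic confidence compared against a threshold in every interval (the Figure 1B loop, here at Level 1 only) is easier to see in code. The following is an added example and not code from the paper; the keystroke latencies are constructed, and the confidence function (distance of the presented mean from the enrolled mean in profile standard deviations, mapped to (0, 1] with exp(-z²/2)), the 0.5 threshold and the rule of updating the profile only after a permit are this example's own assumptions, not the authors' model.

```python
"""Level 1 continuous authentication (Figure 1B loop) over keystroke latencies.

Constructed example: an enrollment profile of a user's keystroke latency is
compared, in every interval of the session, against the latencies presented in
that interval. The result is a confidence in (0, 1] rather than a yes/no and is
compared with a threshold; on a permit the profile is updated (autonomous
enrollment update), so interval i+1 evaluates against the profile as of interval i.
"""
import math
from statistics import mean, pstdev


class Profile:
    """Enrollment profile: all accepted keystroke latencies (ms) seen so far."""

    def __init__(self, enrollment_latencies):
        self.latencies = list(enrollment_latencies)

    @property
    def mu(self):
        return mean(self.latencies)

    @property
    def sigma(self):
        # Floor the spread at 1 ms so a near-constant profile cannot reject everything.
        return max(pstdev(self.latencies), 1.0)

    def update(self, presented):
        """Autonomous enrollment update: fold the accepted interval into the profile."""
        self.latencies.extend(presented)


def confidence(profile, presented):
    """Confidence that `presented` came from the enrolled user (assumed scoring rule).

    Distance of the presented mean from the profile mean, in profile standard
    deviations (z), mapped to (0, 1] by exp(-z^2 / 2): 1.0 for a perfect match,
    near 0 for latencies far outside the user's habit.
    """
    z = (mean(presented) - profile.mu) / profile.sigma
    return math.exp(-0.5 * z * z)


def static_authentication(presented_secret, enrolled_secret):
    """The deterministic/binary model the slides contrast with: one check at t=1,
    and nothing afterwards for the rest of the session."""
    return presented_secret == enrolled_secret


def run_session(profile, intervals, threshold=0.5):
    """Continuous model: evaluate every interval; update the profile only on permit."""
    outcomes = []
    for presented in intervals:
        c = confidence(profile, presented)
        permit = c >= threshold
        outcomes.append(("permit" if permit else "deny", round(c, 3)))
        if permit:
            profile.update(presented)
    return outcomes


# Constructed sample data (milliseconds between key presses).
ENROLLMENT = [120, 130, 125, 135, 128, 122]
INTERVALS = [
    [124, 131, 127, 129, 126],  # t=1: the enrolled user
    [129, 132, 128, 133, 130],  # t=2: same user, slight drift (profile absorbs it)
    [240, 255, 248, 262, 250],  # t=3: a different typist at the unattended session
    [127, 130, 126, 129, 128],  # t=4: the enrolled user again
]


def demo():
    """Run the constructed session; returns the outcomes and the final profile size."""
    profile = Profile(ENROLLMENT)
    outcomes = run_session(profile, INTERVALS)
    return outcomes, len(profile.latencies)


if __name__ == "__main__":
    for interval, (decision, conf) in zip(INTERVALS, demo()[0]):
        print(f"{interval} -> {decision} (confidence {conf})")
```

Two points the run makes that the slide only states: the drift in interval 2 is tolerated and then absorbed into the profile, so the threshold does not have to be loosened for a legitimate user whose habit changes over time, and the denied interval 3 leaves the profile untouched, so an impostor's keystrokes never become part of the enrollment data the next interval is judged against.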
Page 13
Levels of CA
• Level 1 CA: user authentication
• Level 2 CA: user-resource authentication
• Level 3 CA: user-resource-system authentication
• Level 4 CA: user-resource-system-transaction authentication
Page 14
Model Implementation: with Swarm Technology
Page 15
Swarm Intelligence
• Self-organizing in social insects: spatiotemporally organized networks of pheromone trails (Bonabeau, Dorigo, and Theraulaz, 1999)
• Positive feedback (amplification): recruitment and reinforcement; trail laying and trail following
• Negative feedback: stabilization of collective patterns
• Amplification of fluctuations: random walks, errors, random task-switching; continuous optimization
• Multiple interactions: minimum density of mutually tolerant agents
Page 16
Figure 3: CAS and Swarm Technology (diagram: CA Levels 1 through 4 on one axis against User, Resource, Workstation and Transaction on the other; a Local Autonomous Agent for each of the four dimensions reports to a Global Autonomous Agent that applies Dynamic Conflict Resolution Rules and maintains a virtual CA transaction log)
Page 17
Application of Swarm Intelligence to Continuous Authentication
• Self-organizing of multiple ant-like monitoring computer agents: spatiotemporally organized networks of profile-based trails
• Positive feedback (amplification): local autonomous agents; user, resources, workstation, and transaction transition rules; local updates
• Negative feedback: global autonomous agent; dynamic conflict resolution rules; global updates
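How the local agents, the global agent and the nesting of the four levels in Table 1 fit together is shown in the following added example, which is not code from the paper or from any CAS implementation. The trails (per-dimension counts of how often the user has been seen with a value), the thresholds, the rule that a transaction type requires a minimum CA level, and the choice to reinforce trails only after a permit are this example's own constructed assumptions; the only rule taken from the slides is that Level k holds only if Levels 1 through k-1 also hold.

```python
"""Four-level CA decision with local and global autonomous agents (Figure 3).

Constructed example: each local agent keeps a profile-based trail (how often the
user has been seen with a given value of its dimension) and returns a confidence
for a new observation. The global agent's conflict-resolution rule is the nesting
of Table 1: Level k is reached only if Levels 1..k-1 are reached. Trails are
reinforced only after a permit (positive feedback, local update).
"""

LEVELS = ["user", "resource", "workstation", "transaction"]  # Level 1 .. Level 4


class LocalAutonomousAgent:
    """Monitors one dimension; trail[value] is the reinforcement laid on that value."""

    def __init__(self, dimension, trail):
        self.dimension = dimension
        self.trail = dict(trail)

    def confidence(self, value):
        """Share of this dimension's total reinforcement lying on `value` (assumed rule)."""
        total = sum(self.trail.values())
        return self.trail.get(value, 0) / total if total else 0.0

    def reinforce(self, value):
        """Positive feedback: lay or strengthen the trail for an accepted observation."""
        self.trail[value] = self.trail.get(value, 0) + 1


class GlobalAutonomousAgent:
    """Combines the local confidences; holds the thresholds and the action policy."""

    def __init__(self, agents, thresholds, required_level):
        self.agents = agents                  # dimension -> LocalAutonomousAgent
        self.thresholds = thresholds          # dimension -> minimum confidence
        self.required_level = required_level  # transaction type -> CA level it needs

    def highest_level(self, observation):
        """Conflict resolution: walk Levels 1..4 and stop at the first level whose
        local confidence is below threshold, because higher levels presuppose it."""
        level = 0
        confidences = {}
        for k, dim in enumerate(LEVELS, start=1):
            c = self.agents[dim].confidence(observation[dim])
            confidences[dim] = c
            if level == k - 1 and c >= self.thresholds[dim]:
                level = k
        return level, confidences

    def evaluate(self, observation):
        """Permit if the level reached covers the level the transaction requires;
        only then do the local agents update their trails (global update)."""
        level, _ = self.highest_level(observation)
        needed = self.required_level.get(observation["transaction"], 4)
        if level >= needed:
            for dim in LEVELS:
                self.agents[dim].reinforce(observation[dim])
            return "permit", level
        return "deny", level


def build_agent():
    """Constructed enrollment trails and thresholds for one accounting user."""
    agents = {
        "user": LocalAutonomousAgent("user", {"keystroke-pattern-A": 10}),
        "resource": LocalAutonomousAgent("resource", {"general-ledger": 8, "ap-invoices": 2}),
        "workstation": LocalAutonomousAgent("workstation", {"ws-17": 9, "ws-22": 1}),
        "transaction": LocalAutonomousAgent("transaction", {"journal-entry": 6, "vendor-payment": 4}),
    }
    thresholds = {"user": 0.8, "resource": 0.15, "workstation": 0.09, "transaction": 0.3}
    required = {"journal-entry": 3, "vendor-payment": 4}
    return GlobalAutonomousAgent(agents, thresholds, required)


# Constructed observations, one per interval.
OBSERVATIONS = [
    {"user": "keystroke-pattern-A", "resource": "general-ledger", "workstation": "ws-17", "transaction": "journal-entry"},
    {"user": "keystroke-pattern-A", "resource": "general-ledger", "workstation": "ws-99", "transaction": "journal-entry"},
    {"user": "keystroke-pattern-Z", "resource": "general-ledger", "workstation": "ws-17", "transaction": "vendor-payment"},
    {"user": "keystroke-pattern-A", "resource": "ap-invoices", "workstation": "ws-22", "transaction": "vendor-payment"},
]


def demo():
    """Evaluate the observations in order; returns decisions and the workstation trail."""
    g = build_agent()
    return [g.evaluate(o) for o in OBSERVATIONS], g.agents["workstation"].trail


if __name__ == "__main__":
    for obs, (decision, level) in zip(OBSERVATIONS, demo()[0]):
        print(f"{obs['workstation']:6} {obs['transaction']:15} -> {decision} at Level {level}")
```

The second observation shows why the levels nest: the user and resource agents are confident, and the transaction is habitual, but an unknown workstation stops the walk at Level 2, so a journal entry that needs Level 3 is denied and no trail is laid for the unknown workstation. The third observation shows that a keystroke-pattern mismatch at Level 1 zeroes out everything above it regardless of how familiar the resource and workstation are.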
Page 18
Table 2: Implementation Summary of Four CA Levels

| Level | Learning level | Tasks* | Intelligent/Predetermined class | Corresponding intelligent technologies |
|---|---|---|---|---|
| 1 | Minimal | Single comparison of a user's signature in each time interval t. The medium of signature can be either a knowledge factor (e.g., a password) or biometrics (e.g., a biometric finger image). For special cases, CAS's intelligent key stroke recognition agent recognizes a user's keystroke latencies. | Predetermined class in most cases, except for special cases like key stroke recognition. As a user ages, his unique biometric signature can gradually change. Multiple patterns can be used over time. This depends on special health conditions or other special situations. | A simple database query engine: a user ID and password stored in a database as long as the iteration processes in Figure 1 exist. For the special cases of key stroke recognition, a low level of swarm intelligence is used, coupled with database technology. |
| 2 | Modest | An additional profile creates a well-marked trail, or pheromone, signifying a particular habit of accessing sensitive information through resource utilization. | Intelligent class in the continuous model: enrollment is dynamic, and CAS not only authorizes access but also monitors and updates a user's profile for future evaluation and continuous authorization in Levels 2, 3, and 4. | Modest level of swarm intelligence-based technology that can handle the additional dimension of resource utilization in relation to privileged information. |
| 3 | Complex | A user's information about his/her movement is added to his/her previous profiles in Levels 1 and 2, using a workstation profile. This new dimensional information is an addition to the information in Level 2 processes. | Intelligent class in the continuous model: CAS with this additional dimension monitors and evaluates a user's access to various computers in globally networked IT environments. | More complex swarm intelligence technology that can handle two additional dimensions: resource use profile and workstation access profile. |
| 4 | Highest | In this highest level, a user's transaction profile, given his/her job and task responsibilities, is added to the Level 3 CA processes. | Intelligent class in the continuous model: this class performs similar processes with additional profile management. | Most sophisticated swarm intelligence-based technology that can handle four classes of profiles. |
Page 19
Challenges
1. Mobile computing dynamics
2. Technical constraints
3. Prevention vs. detection
4. Biometric related issues
5. Access control types and location signatures
6. Security layer
7. Privacy concerns
8. Legal issues
9. Audit trail management