Defending Against Identity Threats Using Risk-Based Authentication

Dasu, Lalitha Sravanti; Dhamija, Mannav; Dishitha, Gurram; Vivekanandan, Ajith; Sarasvathi, V.

doi:10.2478/cait-2023-0016

Abstract

Defending against identity-based threats, which have predominantly increased in the era of remote access and working, requires non-conventional, dynamic, intelligent, and strategic means of authenticating and authorizing. This paper aims at devising detailed risk-scoring algorithms for five real-time use cases to make identity security adaptive and risk-based. Zero-trust principles are incorporated by collecting sign-in logs and analyzing them continually to check for any anomalies, making it a dynamic approach. Users are categorized as risky and non-risky based on the calculated risk scores. While many adaptive security mechanisms have been proposed, they confine identities only to users. This paper also considers devices as having an identity and categorizes them as safe or unsafe devices. Further, results are displayed on a dashboard, making it easy for security administrators to analyze and make wise decisions like multifactor authentication, mitigation, or any other access control decisions as such.

References

Hassan, A., B. Nuseibeh, L. Pasquale. Engineering Adaptive Authentication. – In: Proc. of IEEE International Conference on Autonomic Computing and Self-Organizing Systems Companion (ACSOS-C’21), IEEE, 2021, pp. 275-280.
Search in Google Scholar Back to article
Lal, N. A., S. Prasad, M. Farik. A Review of Authentication Methods. – International Journal of Scientific & Technology Research, Vol. 5, 2016, pp. 246-249.
Search in Google Scholar Back to article
Bonneau, J. The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords. – In: Proc. of IEEE Symposium on Security and Privacy, IEEE, 2012, pp. 538-552.
Search in Google Scholar Back to article
Wang, D., Z. Zhang, P. Wang, J. Yan, X. Huang. Targeted Online Password Guessing: An Underestimated Threat. – In: Proc. of ACM SIGSAC Conference on Computer and Communications Security, 2016, pp. 1242-1254.
Search in Google Scholar Back to article
Steinegger, R. H., D. Deckers, P. Giessler, S. Abeck. Risk-Basedauthenticator for Web Applications. – In: Proc. of 21st European Conference on Pattern Languages of Programs, 2016, pp. 1-11.
Search in Google Scholar Back to article
Atlam, H. F., M. A. Azad, M. O. Alassafi, A. A. Alshdadi, A. Alenezi. Risk-Based Access Control Model: A Systematic Literature Review. – Future Internet, Vol. 12, 2020, No 6, p.103.
Search in Google Scholar Back to article
Microsoft Digital Defence Report 2021. https://www.microsoft.com/en-us/security/business/microsoft-digital-defense-report-2021
Search in Google Scholar Back to article
Wiefling, S., L. L. Iacono, M. Dürmuth. Is This Really You? An Empirical Study on Risk-Based Authentication Applied in the Wild. – In: Proc. of IFIP International Conference on ICT Systems Security and Privacy Protection, Cham, Springer, 2019, pp. 134-148.
Search in Google Scholar Back to article
Ashibani, Y., Q. H. Mahmoud. An Intelligent Risk-Based Authentication Approach for Smartphone Applications. – In: Proc. of IEEE International Conference on Systems, Man, and Cybernetics (SMC’20), IEEE, 2020, pp. 3807-3812.
Search in Google Scholar Back to article
Phan, K. Implementing Resiliency of Adaptive Multi-Factor Authentication Systems. – Culminting Projects in Information Assurance, Vol. 65, 2018, p. 96.
Search in Google Scholar Back to article
Wiefling, S., T. Patil, M. Dürmuth, L. L. Iacono. Evaluation of Risk-Based Re-Authentication Methods. – In: Proc. of IFIP International Conference on ICT Systems Security and Privacy Protection, Cham, Springer, 2020, pp. 280-294.
Search in Google Scholar Back to article
Compromised Credentials Report. https://restech.solutions/wp-content/uploads/Dark-Web-Scan-Sample-Company.pdf
Search in Google Scholar Back to article
Vistas – How Fast Is a Private Jet? https://www.vistajet.com/en/stories/fastest-private-jet/#:~:text=Most%20commercial%20aircraft%20typically%20fly,according%20to%20Flight%20Deck%20Friend.
Search in Google Scholar Back to article
Microsoft Report Shows Increasing Sophistication of Cyber Threats. https://blogs.microsoft.com/on-the-issues/2020/09/29/microsoft-digital-defense-report-cyber-threats/
Search in Google Scholar Back to article
Gartner Identifies Top Security and Risk Management Trends for 2021. https://www.gartner.com/en/newsroom/press-releases/2021-03-23-gartner-identifies-top-security-and-risk-management-t?s=09
Search in Google Scholar Back to article
Vattikuti, S., M. R. Hegde, M. Manish, V. Bodduvaram, V. Sarasvathi. DDoS Attack Detection and Mitigation Using Anomaly Detection and Machine Learning Models. – In: Proc. of IEEE International Conference on Computation System and Information Technology for Sustainable Solutions (CSITSS’21), 2021, pp. 1-6.
Search in Google Scholar Back to article
Kumar, P. R., P. H. Raj, P. Jelciana. Exploring Security Issues and Solutions in Cloud Computing Services – A Survey. – Cybernetics and Information Technologies, Vol. 17, 2017, No 4, pp. 3-31.
Search in Google Scholar Back to article
Alosaimi, W., M. Zak, K. Al-Begain, R. Alroobaea, M. Masud. Mitigation of Distributed Denial of Service Attacks in the Cloud. – Cybernetics and Information Technologies, Vol. 17, 2017, No 4, pp. 32-51.
Search in Google Scholar Back to article

Defending Against Identity Threats Using Risk-Based Authentication

Abstract

Paradigm

My account