Hi Hasitha,

There is a question about the MAC address, which is not available beyond an IP router. What we do is browser fingerprinting with a cookie or something.

> i.e. I usually log in to my personal Gmail using my phone. If I use my Mac machine suddenly, Google sends an email asking if this is you.

IS 5.5.0 has the default ability to do this with "Conditional Authentication", by fingerprinting the browser.

Cheers,
Ruwan

On Tue, Jan 16, 2018 at 9:20 AM, Hasitha Hiranya <[email protected]> wrote:
> Hi all,
>
> We can also consider the MAC address or some machine ID of the last successful login as well.
>
> i.e. I usually log in to my personal Gmail using my phone. If I use my Mac machine suddenly, Google sends an email asking if this is you.
>
> Also, the previous successful login location is important.
>
> i.e. If I log into Facebook from Sri Lanka and, after one day of travelling, I log in from the United States, Facebook is suspicious and throws some security questions at me.
>
> Thanks
>
> On Tue, Jan 16, 2018 at 9:09 AM, Ruwan Abeykoon <[email protected]> wrote:
>> Hi Pamoda,
>> Here are some of my thoughts, not in order or organized.
>>
>> User Behavior Analytics (UBA)
>>
>> - Implement multi-dimensional clustering (this will detect general user behaviours, not those of an individual).
>> - Implement clickstream analytics (this will have knowledge of the individual, but keep the records indexed with a UserID hash so that we can conform to GDPR).
>>
>> Both of the above algorithms may be run on a separate JVM (or as a feature on top of analytics). DAS will publish data to UBA. DAS will detect the fields in the analytics dimensions, which can be configured by the end user (Identity Admin).
>>
>> - This will cater for 95% of UBA cases.
>> - Events can be generated from IS as well as any other application, e.g. a Tomcat Filter or .Net Handler.
>> - Self-learning (or appears to learn) without ML. Will be purely math based (statistics and probability).
>> - Automatic detection of new knowledge.
>> - Uses DAS Siddhi. Should not use Spark.
>> - Need to provide a gadget to visualize the clustered data and drill down.
>>
>> Clickstream
>>
>> - Clickstream analysis is done with a probability matrix of time-correlated events.
>> - We keep a matrix in memory per user, backed by a DB.
>> - Updates are done on the in-memory copy and periodically synced to the DB (since a few lost events do not really make much difference to the probability matrix).
>> - HA can be done with sharding by UserID.
>>
>> Analysis
>>
>> - Each event is sent to cluster analytics and clickstream analytics.
>> - They will provide a result as a probability array for each type of anomaly.
>> - The Admin is given a UI to configure the thresholds of the probability values which he thinks important.
>> - The Admin can select an action (this is a Siddhi event publisher; one is to publish to a JMS topic towards IS).
>> - IS can decide upon the authentication flow using its "Conditional Authentication in IS 5.5.0".
>>
>> Cheers,
>> Ruwan
>>
>> On Tue, Jan 16, 2018 at 9:09 AM, Pamoda Wimalasiri <[email protected]> wrote:
>>> On Tue, Jan 16, 2018 at 8:13 AM, Prakhash Sivakumar <[email protected]> wrote:
>>>> On Mon, Jan 15, 2018 at 8:28 PM, Dimuthu Leelarathne <[email protected]> wrote:
>>>>> Hi Pamoda,
>>>>>
>>>>> Authentication history is a broad term. How do we plan to identify exceptions?
>>>
>>> As authentication history, we can consider
>>>
>>> - the number of consecutive invalid login attempts (as suggested by Johann)
>>> - geo velocity: the time and location of the previous successful login and the current login.
>>>
>>>>> thanks,
>>>>> Dimuthu
>>>>>
>>>>> On Mon, Jan 15, 2018 at 8:04 PM, Johann Nallathamby <[email protected]> wrote:
>>>>>> [-IAM, RRT]
>>>>>>
>>>>>> Apart from the business transaction value, the following factors can be considered for risk calculation.
>>>>>>
>>>>>> 1. Environment - IP, network, geographical location, time of the day, device/OS/device fingerprinting
>>>>>> 2. Context - previous successful login time, consecutive invalid login attempts followed by a successful attempt
>>>>>> 3. User behavior - typing speed, etc.
>>>>>>
>>>>>> Regards,
>>>>>> Johann.
>>>>>>
>>>>>> On Mon, Jan 15, 2018 at 4:50 PM, Pamoda Wimalasiri <[email protected]> wrote:
>>>>>>> Hi all,
>>>>>>>
>>>>>>> I'm currently working on a risk score calculation method for the authentication request of IAM. I'm still doing the background research on the behavior of other similar approaches [1] and the technologies that can be used.
>>>>>>>
>>>>>>> According to my research, the risk score can be calculated based on parameters such as
>>>>>>>
>>>>>>> - IP address
>>>>>>> - Geographical location
>>>>>>> - Authentication history
>>>>>>>
>>>>>>> Are we considering only the past data here?
>>>>
>>>> We should include the current active sessions too. For example, if the user is already in an authenticated session and she/he is trying to authenticate again, the 2nd attempt might be an attacker.
>>>>
>>>>>>> - Time of day
>>>>>>>
>>>>>>> In existing approaches, the total level of risk is calculated by the sum of the weighted scores of each parameter.
>>>>>>>
>>>>>>> Any suggestions are highly appreciated.
>>>>>>>
>>>>>>> [1] https://backstage.forgerock.com/docs/am/5.5/authentication-guide/index.html#authn-adaptive
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Pamoda
>>>>>>> --
>>>>>>> Pamoda Wimalasiri
>>>>>>> Software Engineer - WSO2
>>>>>>> Email : [email protected]
>>>>>>> Mobile : +94713705814
>>>>>>> Web : https://wso2.com/
>>>>>>
>>>>>> --
>>>>>> Johann Dilantha Nallathamby
>>>>>> Senior Lead Solutions Engineer
>>>>>> WSO2, Inc.
>>>>>> lean.enterprise.middleware
>>>>>> Mobile: +94 77 7776950
>>>>>> LinkedIn: http://www.linkedin.com/in/johann-nallathamby
>>>>>> Medium: https://medium.com/@johann_nallathamby
>>>>>> Twitter: @dj_nallaa
>>>>>
>>>>> --
>>>>> Dimuthu Leelarathne
>>>>> Director, Solutions Architecture
>>>>> WSO2, Inc. (http://wso2.com)
>>>>> email: [email protected]
>>>>> Mobile: +94773661935
>>>>> Blog: http://muthulee.blogspot.com
>>>>> Lean . Enterprise . Middleware
>>>>>
>>>>> _______________________________________________
>>>>> Architecture mailing list
>>>>> [email protected]
>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>
>>>> --
>>>> Prakhash Sivakumar
>>>> Software Engineer | WSO2 Inc
>>>> Platform Security Team
>>>> Mobile : +94771510080
>>>> Blog : https://medium.com/@PrakhashS
>>
>> --
>> Ruwan Abeykoon
>> Associate Director/Architect,
>> WSO2, Inc. http://wso2.com
>> lean.enterprise.middleware.
>
> --
> Hasitha Abeykoon
> Associate Technical Lead; WSO2, Inc.; http://wso2.com
> cell: +94 719363063
> blog: abeykoon.blogspot.com
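The weighted-sum risk score Pamoda's mail describes, fed by the parameters raised across the thread (geo velocity between the previous and current login, consecutive invalid attempts, an unseen browser/device fingerprint, an already active session, time of day), as an added example that is not from the thread or from WSO2 IS. The weights, the 900 km/h plausibility limit, the decision bands and the two constructed login contexts are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
# Weights and thresholds are assumptions for this example, not values from the thread.
WEIGHTS = {"geo_velocity": 0.35, "failed_attempts": 0.25, "new_device": 0.20,
           "active_session": 0.10, "time_of_day": 0.10}
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # faster than an airliner means impossible travel
MAX_FAILED_ATTEMPTS = 5          # this many consecutive failures saturates the score

@dataclass
class LoginContext:
    prev_time: datetime; prev_lat: float; prev_lon: float  # last successful login
    cur_time: datetime; cur_lat: float; cur_lon: float     # current request
    failed_attempts: int; device_fp: str            # failures before this attempt; fingerprint now
    known_devices: frozenset; has_active_session: bool  # seen fingerprints; already logged in
    usual_hours: range         # hours of day the user normally logs in

def haversine_km(lat1, lon1, lat2, lon2):  # great-circle distance in km
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def geo_velocity_score(ctx):  # speed needed between the two logins, scaled to [0, 1]
    km = haversine_km(ctx.prev_lat, ctx.prev_lon, ctx.cur_lat, ctx.cur_lon)
    hours = (ctx.cur_time - ctx.prev_time).total_seconds() / 3600
    if hours <= 0:  # same instant or clock skew: any distance is suspicious
        return 1.0 if km > 0 else 0.0
    return min(km / hours / MAX_PLAUSIBLE_SPEED_KMH, 1.0)

def parameter_scores(ctx):  # one score in [0, 1] per parameter named in the thread
    return {
        "geo_velocity": geo_velocity_score(ctx),
        "failed_attempts": min(ctx.failed_attempts / MAX_FAILED_ATTEMPTS, 1.0),
        "new_device": 0.0 if ctx.device_fp in ctx.known_devices else 1.0,
        "active_session": 1.0 if ctx.has_active_session else 0.0,
        "time_of_day": 0.0 if ctx.cur_time.hour in ctx.usual_hours else 1.0,
    }

def risk_score(ctx):  # total risk = weighted sum of the per-parameter scores
    return round(sum(WEIGHTS[k] * v for k, v in parameter_scores(ctx).items()), 4)

def risk_level(score):  # decision bands for the conditional authentication step (assumed)
    return "low" if score < 0.3 else "medium" if score < 0.6 else "high"

def sample_contexts():  # constructed inputs: an impossible-travel login and a routine one
    t0, t1, known = datetime(2018, 1, 16, 8), datetime(2018, 1, 16, 10), frozenset({"fp-phone"})
    colombo, new_york = (6.9271, 79.8612), (40.7128, -74.0060)
    suspicious = LoginContext(t0, *colombo, t1, *new_york, 3, "fp-mac", known, True, range(8, 18))
    routine = LoginContext(t0, *colombo, t1, *colombo, 0, "fp-phone", known, False, range(8, 18))
    return suspicious, routine
```

Per-parameter scores are kept separate from the weighted total so an admin UI of the kind Ruwan describes can show which factor drove the decision.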
