Hi Ruwan,
BTW, we are doing this for the 5.X series.

thanks,
Dimuthu

On Fri, Jan 19, 2018 at 9:34 AM, Dimuthu Leelarathne <[email protected]> wrote:
> Hi Ruwan,
>
> I am thinking of using the existing architecture as it is. Right now there
> are event listeners that publish data to DAS. I propose we reuse them as
> they are. Those event listeners that publish data can be X-EventListener,
> Y-EventListener, etc. There is a lot of data that we can reuse in
> IS-analytics.
>
> Whatever the risk calculator does is to reuse the existing data stores, as
> in the above diagram.
>
> thanks,
> Dimuthu
>
> On Fri, Jan 19, 2018 at 9:04 AM, Ruwan Abeykoon <[email protected]> wrote:
>> Hi Pamoda,
>> Can we enhance the architecture a little bit? We need to decouple the "Risk
>> Calculator" and the "Identity Framework" further.
>>
>> IS needs a mechanism to receive the feedback from the pub/sub channel and
>> make changes in the authentication flow.
>>
>> <https://www.draw.io/#G0B0bx735ZWbanc0M5eDhDamowbzg>
>>
>> 1. The temporal data is a Lucene store, held at the IS side. Central
>>    location for the whole IS cluster.
>> 2. An MQ is used, so that any third party can publish "Risk" or any other
>>    information.
>> 3. The authenticator will not request anything from the "Risk Calculator",
>>    but queries its own store. This will make things more resilient in chaos
>>    scenarios.
>>
>> This allows us to do a lot more, e.g.
>>
>> - Use stream analytics to make fast decisions.
>>   - E.g. too many authentication attempts coming from a particular IP in a
>>     given time window, then upgrade the flow to two-factor authentication.
>> - Use batch analytics to perform simple behavioural decisions.
>>   - E.g. users who have logged in and have a session (not logged out), and
>>     try to log in on another machine, could be prompted with another screen
>>     saying they have existing sessions on another machine.
>> - Throttling and shaping based on billing-tier-exceeded conditions.
>> - Use ML to do advanced behavioural decisions.
>>   - (Seshika will be interested in this)
>>
>> e.g.
>>
>>     var agentChanged = queryAnalytics('lucene', '<lucene-query> e.g. name : agent-change-stream, subject: authenticatedSubjectId');
>>
>>     if (agentChanged) {
>>         executeStep({'id' : '2'});
>>     }
>>
>> On Fri, Jan 19, 2018 at 8:49 AM, Pamoda Wimalasiri <[email protected]> wrote:
>>> Hi all,
>>>
>>> The figure shows a high-level architecture for the risk score
>>> calculation.
>>> [image: Inline image 2]
>>>
>>> - Authentication Data Publisher in the Identity Framework publishes the
>>>   authentication events to a database.
>>> - Authenticator requests a risk score from the risk score calculator.
>>> - Risk score calculator accesses the user login and geolocation databases
>>>   and calculates the risk score.
>>>
>>> We will be considering
>>>
>>> - IP address
>>> - Geolocation
>>> - Number of failed attempts between two successful logins
>>>
>>> when generating the rules to calculate the risk score.
>>>
>>> Regards,
>>> Pamoda
>>>
>>> On Tue, Jan 16, 2018 at 9:48 AM, Hasitha Hiranya <[email protected]> wrote:
>>>> Hi Ruwan,
>>>>
>>>> On Tue, Jan 16, 2018 at 9:39 AM, Ruwan Abeykoon <[email protected]> wrote:
>>>>> Hi Hasitha,
>>>>> There is a question about the MAC address, which is not available
>>>>> beyond an IP router. What we do is browser fingerprinting with a cookie
>>>>> or something.
>>>>>
>>>>> *>> i.e. I usually login to my personal Gmail using my phone. If I use
>>>>> my Mac machine suddenly, Google sends an email asking if this is you.*
>>>>> IS 5.5.0 has the default ability to do this with "Conditional
>>>>> Authentication", by fingerprinting the browser.
>>>>
>>>> Got it! Thanks for the explanation.
>>>>
>>>>> Cheers,
>>>>> Ruwan
>>>>>
>>>>> On Tue, Jan 16, 2018 at 9:20 AM, Hasitha Hiranya <[email protected]> wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> We can also consider the MAC address or some machine ID of the last
>>>>>> successful login as well.
>>>>>>
>>>>>> *i.e. I usually login to my personal Gmail using my phone. If I use my
>>>>>> Mac machine suddenly, Google sends an email asking if this is you.*
>>>>>>
>>>>>> Also the previous successful login location is important.
>>>>>>
>>>>>> *i.e. If I log into Facebook from Sri Lanka and, after one day of
>>>>>> travelling, I log in from the United States, Facebook is suspicious and
>>>>>> throws me some security questions.*
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> On Tue, Jan 16, 2018 at 9:09 AM, Ruwan Abeykoon <[email protected]> wrote:
>>>>>>> Hi Pamoda,
>>>>>>> Here are some of my thoughts, not in order or organized.
>>>>>>>
>>>>>>> User Behavior Analytics (*UBA*)
>>>>>>>
>>>>>>> - Implement multi-dimensional clustering (this will detect general
>>>>>>>   user behaviours, not those of an individual).
>>>>>>> - Implement clickstream analytics (this will have knowledge of the
>>>>>>>   individual, but keep the records indexed with a UserID hash, so that
>>>>>>>   we can conform to GDPR).
>>>>>>>
>>>>>>> Both of the above algorithms may be run on a separate JVM (or as a
>>>>>>> feature on top of analytics). DAS will publish data to UBA. DAS will
>>>>>>> detect the fields in the analytics dimensions, which can be configured
>>>>>>> by the end user (Identity Admin).
>>>>>>>
>>>>>>> - This will cater for 95% of UBA cases.
>>>>>>> - Events can be generated from IS as well as any other application,
>>>>>>>   e.g. a Tomcat Filter or a .NET Handler.
>>>>>>> - Self-learning (or appears to be learning) *without ML*. Will be
>>>>>>>   purely math based (statistics and probability).
>>>>>>> - Automatic detection of new knowledge.
>>>>>>> - Uses DAS Siddhi. Should not use Spark.
>>>>>>> - Need to provide a gadget to visualize the clustered data and drill
>>>>>>>   down.
>>>>>>>
>>>>>>> Clickstream
>>>>>>>
>>>>>>> - Clickstream analysis is done with a probability matrix of
>>>>>>>   time-correlated events.
>>>>>>> - We keep a matrix in memory per user, backed by DB.
>>>>>>> - Updates are done on the in-memory copy and periodically synced to DB
>>>>>>>   (since a few lost events do not really make much difference to the
>>>>>>>   probability matrix).
>>>>>>> - HA can be done with sharding by UserID.
>>>>>>>
>>>>>>> Analysis
>>>>>>>
>>>>>>> - Each event is sent to cluster analytics and clickstream analytics.
>>>>>>> - They will provide a result as a probability array for each type of
>>>>>>>   anomaly.
>>>>>>> - Admin is given a UI to configure the thresholds of the probability
>>>>>>>   values which he thinks important.
>>>>>>> - Admin can select an action (this is a Siddhi event publisher; one is
>>>>>>>   to publish to a JMS topic towards IS).
>>>>>>> - IS can decide upon the authentication flow using its "Conditional
>>>>>>>   Authentication in IS 5.5.0".
>>>>>>>
>>>>>>> Cheers,
>>>>>>> Ruwan
>>>>>>>
>>>>>>> On Tue, Jan 16, 2018 at 9:09 AM, Pamoda Wimalasiri <[email protected]> wrote:
>>>>>>>> On Tue, Jan 16, 2018 at 8:13 AM, Prakhash Sivakumar <[email protected]> wrote:
>>>>>>>>> On Mon, Jan 15, 2018 at 8:28 PM, Dimuthu Leelarathne <[email protected]> wrote:
>>>>>>>>>> Hi Pamoda,
>>>>>>>>>>
>>>>>>>>>> Authentication history is a broad term. How do we plan to
>>>>>>>>>> identify exceptions?
>>>>>>>>
>>>>>>>> As authentication history, we can consider
>>>>>>>>
>>>>>>>> - number of consecutive invalid login attempts (as suggested by
>>>>>>>>   Johann)
>>>>>>>> - geo velocity: time and location of the previous successful login
>>>>>>>>   and the current login.
>>>>>>>>
>>>>>>>>>> thanks,
>>>>>>>>>> Dimuthu
>>>>>>>>>>
>>>>>>>>>> On Mon, Jan 15, 2018 at 8:04 PM, Johann Nallathamby <[email protected]> wrote:
>>>>>>>>>>> *[-IAM, RRT]*
>>>>>>>>>>>
>>>>>>>>>>> Apart from the business transaction value, the following factors
>>>>>>>>>>> can be considered for risk calculation.
>>>>>>>>>>>
>>>>>>>>>>> 1. Environment - IP, network, geographical location, time of the
>>>>>>>>>>>    day, device/OS/device fingerprinting
>>>>>>>>>>> 2. Context - previous successful login time, consecutive invalid
>>>>>>>>>>>    login attempts followed by a successful attempt
>>>>>>>>>>> 3. User behavior - typing speed, etc.
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>> Johann.
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Jan 15, 2018 at 4:50 PM, Pamoda Wimalasiri <[email protected]> wrote:
>>>>>>>>>>>> Hi all,
>>>>>>>>>>>>
>>>>>>>>>>>> I'm currently working on a risk score calculation method for
>>>>>>>>>>>> the authentication request of IAM. I'm still doing the
>>>>>>>>>>>> background research on the behavior of other similar approaches
>>>>>>>>>>>> [1] and the technologies that can be used.
>>>>>>>>>>>>
>>>>>>>>>>>> According to my research, the risk score can be calculated
>>>>>>>>>>>> based on parameters such as
>>>>>>>>>>>>
>>>>>>>>>>>> - IP address
>>>>>>>>>>>> - Geographical location
>>>>>>>>>>>> - Authentication history
>>>>>>>>>>>>
>>>>>>>>>>>> Are we considering only the past data here?
>>>>>>>>>
>>>>>>>>> We should include the current active sessions too. For example, if
>>>>>>>>> the user is already in an authenticated session and she/he is
>>>>>>>>> trying to authenticate again, the 2nd attempt might be an attacker.
>>>>>>>>>
>>>>>>>>>>>> - Time of day
>>>>>>>>>>>>
>>>>>>>>>>>> In existing approaches, the total level of risk is calculated
>>>>>>>>>>>> by the sum of the weighted scores of each parameter.
>>>>>>>>>>>>
>>>>>>>>>>>> Any suggestions are highly appreciated.
>>>>>>>>>>>>
>>>>>>>>>>>> [1] https://backstage.forgerock.com/docs/am/5.5/authentication-guide/index.html#authn-adaptive
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks,
>>>>>>>>>>>> Pamoda
>>>>>>>>>>>> --
>>>>>>>>>>>> *Pamoda Wimalasiri*
>>>>>>>>>>>> Software Engineer - WSO2
>>>>>>>>>>>> Email : [email protected]
>>>>>>>>>>>> Mobile : +94713705814
>>>>>>>>>>>> Web : https://wso2.com/
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> *Johann Dilantha Nallathamby*
>>>>>>>>>>> Senior Lead Solutions Engineer
>>>>>>>>>>> WSO2, Inc.
>>>>>>>>>>> lean.enterprise.middleware
>>>>>>>>>>> Mobile: *+94 77 7776950*
>>>>>>>>>>> LinkedIn: http://www.linkedin.com/in/johann-nallathamby
>>>>>>>>>>> Medium: https://medium.com/@johann_nallathamby
>>>>>>>>>>> Twitter: *@dj_nallaa*
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Prakhash Sivakumar
>>>>>>>>> Software Engineer | WSO2 Inc
>>>>>>>>> Platform Security Team
>>>>>>>>> Mobile : +94771510080
>>>>>>>>> Blog : https://medium.com/@PrakhashS
>>>>>>>
>>>>>>> --
>>>>>>> *Ruwan Abeykoon*
>>>>>>> *Associate Director/Architect,*
>>>>>>> *WSO2, Inc. http://wso2.com*
>>>>>>> *lean.enterprise.middleware.*
>>>>>>
>>>>>> --
>>>>>> *Hasitha Abeykoon*
>>>>>> Associate Technical Lead; WSO2, Inc.; http://wso2.com
>>>>>> *cell:* *+94 719363063*
>>>>>> *blog:* abeykoon.blogspot.com

--
Dimuthu Leelarathne
Director, Solutions Architecture

WSO2, Inc. (http://wso2.com)
email: [email protected]
Mobile: +94773661935
Blog: http://muthulee.blogspot.com

Lean . Enterprise . Middleware
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
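The thread converges on one design: a risk score computed as the weighted sum of per-parameter scores (Pamoda's summary of existing approaches), fed by environment and context factors (Johann's list), geo velocity between the previous successful login and the current attempt, the number of consecutive failures since the last success, an active-session check (Prakhash), and a per-IP attempt count over a time window that steps the flow up to a second factor (Ruwan's stream-analytics rule). The block below is an added worked example by the editor, not WSO2 Identity Server code and not the adaptive-authentication script API: the function names, weights, thresholds, event shape and the three-way allow / step-up / deny mapping are assumptions chosen for the illustration, and the login history and session table are constructed sample data.

```javascript
// Added example (editor-written, not WSO2 Identity Server code): a weighted
// risk score for one authentication attempt, built from the factors discussed
// in the thread. Weights, thresholds, event shapes and names are assumptions.

const HOUR_MS = 3.6e6;

// Great-circle distance in km between two {lat, lon} points (haversine).
function haversineKm(a, b) {
  const toRad = (deg) => (deg * Math.PI) / 180;
  const dLat = toRad(b.lat - a.lat);
  const dLon = toRad(b.lon - a.lon);
  const h = Math.sin(dLat / 2) ** 2 +
    Math.cos(toRad(a.lat)) * Math.cos(toRad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * 6371 * Math.asin(Math.sqrt(h));
}

// Geo velocity: implied travel speed (km/h) from the previous successful
// login to the current attempt. Infinity if the place changed in zero time.
function geoVelocityKmh(prev, cur) {
  const km = haversineKm(prev.geo, cur.geo);
  const hours = (cur.ts - prev.ts) / HOUR_MS;
  if (hours <= 0) return km > 0 ? Infinity : 0;
  return km / hours;
}

// Consecutive failed attempts for this user since the last successful login.
function failuresSinceLastSuccess(history, userId) {
  let n = 0;
  for (let i = history.length - 1; i >= 0; i--) {
    const e = history[i];
    if (e.userId !== userId) continue;
    if (e.success) break;
    n++;
  }
  return n;
}

// Attempts from one IP in a sliding window ending at `now` (the stream rule:
// too many attempts from a particular IP in a given time window).
function attemptsFromIp(history, ip, now, windowMs) {
  return history.filter((e) => e.ip === ip && e.ts <= now && now - e.ts <= windowMs).length;
}

// Per-factor weights (assumed; they sum to 1 so the total stays in [0, 1]).
const WEIGHTS = { ip: 0.15, burst: 0.1, geo: 0.25, failures: 0.2, timeOfDay: 0.05, session: 0.25 };
const BURST_LIMIT = 5;          // attempts per IP per window that count as "too many"
const BURST_WINDOW_MS = 10 * 60000;
const MAX_FAILURES = 5;
const MAX_VELOCITY_KMH = 1000;  // faster than this is treated as impossible travel

// Each factor is scored in [0, 1]; the risk is the weighted sum of the scores.
function riskScore(attempt, history, activeSessions) {
  const mine = history.filter((e) => e.userId === attempt.userId);
  const lastSuccess = [...mine].reverse().find((e) => e.success);
  const hour = new Date(attempt.ts).getUTCHours();
  const factors = {
    // IP never seen on a successful login of this user
    ip: mine.some((e) => e.success && e.ip === attempt.ip) ? 0 : 1,
    // this attempt plus recent attempts from the same IP, against the limit
    burst: Math.min(1, (attemptsFromIp(history, attempt.ip, attempt.ts, BURST_WINDOW_MS) + 1) / BURST_LIMIT),
    // impossible-travel check against the previous successful login
    geo: lastSuccess ? Math.min(1, geoVelocityKmh(lastSuccess, attempt) / MAX_VELOCITY_KMH) : 0,
    // failed attempts between the last success and now
    failures: Math.min(1, failuresSinceLastSuccess(history, attempt.userId) / MAX_FAILURES),
    // outside 06:00-22:00 UTC (a real deployment would use the user's local time)
    timeOfDay: hour < 6 || hour >= 22 ? 1 : 0,
    // the user already holds a live session from a different IP
    session: activeSessions.some((s) => s.userId === attempt.userId && s.ip !== attempt.ip) ? 1 : 0,
  };
  const score = Object.keys(WEIGHTS).reduce((sum, k) => sum + WEIGHTS[k] * factors[k], 0);
  return { score, factors };
}

// Map the score to a flow decision; "step-up" is where an adaptive script
// would add a second factor (the executeStep({'id': '2'}) idea in the thread).
function decideFlow(score) {
  if (score >= 0.7) return 'deny';
  if (score >= 0.3) return 'step-up';
  return 'allow';
}

// Constructed sample data (not real logs): one success, then three failures
// from the user's usual IP, and a live session from that IP.
const T0 = Date.UTC(2018, 0, 15, 10, 0, 0);
const COLOMBO = { lat: 6.93, lon: 79.85 };
const NEW_YORK = { lat: 40.71, lon: -74.01 };
const HISTORY = [
  { userId: 'alice', ip: '203.0.113.10', geo: COLOMBO, ts: T0, success: true },
  { userId: 'alice', ip: '203.0.113.10', geo: COLOMBO, ts: T0 + HOUR_MS, success: false },
  { userId: 'alice', ip: '203.0.113.10', geo: COLOMBO, ts: T0 + HOUR_MS + 60000, success: false },
  { userId: 'alice', ip: '203.0.113.10', geo: COLOMBO, ts: T0 + HOUR_MS + 120000, success: false },
];
const SESSIONS = [{ userId: 'alice', ip: '203.0.113.10' }];

// alice's own browser three hours later, versus the same account from an
// unseen IP on the other side of the world while her session is still live
const benign = { userId: 'alice', ip: '203.0.113.10', geo: COLOMBO, ts: T0 + 3 * HOUR_MS };
const suspect = { userId: 'alice', ip: '192.0.2.44', geo: NEW_YORK, ts: T0 + 3 * HOUR_MS };

for (const a of [benign, suspect]) {
  const r = riskScore(a, HISTORY, SESSIONS);
  console.log(a.ip, r.score.toFixed(2), decideFlow(r.score), r.factors);
}
```

With these weights the benign attempt scores 0.14 (only the three earlier failures and the single-attempt burst term contribute) and is allowed, while the attempt from New York scores 0.79: a never-seen IP, an implied speed of several thousand km/h against the Colombo login three hours earlier, and a live session from a different IP push it past the deny threshold. Returning the per-factor breakdown alongside the score is deliberate: it is what the admin-facing threshold UI discussed in the thread would need, and it makes a step-up or deny decision explainable after the fact.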
