Hi Dimuthu,
+1 on using existing infrastructure with IS.

We need to implement "Risk Calculator" logic in DAS, with Spark and Siddhi
queries. This should not be inside the IS.

What IS needs to do is to query the "Risk Data" with Lucene while
performing the authentication flow. This component can be added as an
extension.

What we want to do is to decouple "Risk Calculator" and "Risk Evaluator".
Risk Calculator - should be implementable by any analytics engine, not
only WSO2 DAS.
Risk Evaluator - this is a simple Java function which does a Lucene query. The
Lucene store needs to be very close to the IS cluster, as IS cannot make any
blocking call to external systems during the authentication flow.

I did a PoC for my proposed architecture. Please refer to [1], which can now
be implemented with IS 5.5.0-M1. The same architecture can be used on IS
5.3.0/5.4.0 with custom authenticators too, but in a harder way.

[1]
https://github.com/ruwanta/wso2is-examples/tree/master/is530/example-functions/components/org.wso2.carbon.identity.sample.extension.feedback

Cheers,
Ruwan




On Fri, Jan 19, 2018 at 9:36 AM, Dimuthu Leelarathne <[email protected]>
wrote:

> Hi Ruwan,
>
> Btw, we are doing this for the 5.X series.
>
> thanks,
> Dimuthu
>
>
> On Fri, Jan 19, 2018 at 9:34 AM, Dimuthu Leelarathne <[email protected]>
> wrote:
>
>> Hi Ruwan,
>>
>> I am thinking of using the existing architecture as it is. Right now
>> there are event listeners that publish data to DAS. I propose we reuse
>> them as they are. Those event listeners that publish data can be
>> X-EventListener, Y-EventListener, etc. There is a lot of data that we
>> can reuse in IS-analytics.
>>
>> Whatever the risk calculator does is to reuse the existing data stores as
>> in the diagram above.
>>
>> thanks,
>> Dimuthu
>>
>>
>> On Fri, Jan 19, 2018 at 9:04 AM, Ruwan Abeykoon <[email protected]> wrote:
>>
>>> Hi Pamoda,
>>> Can we enhance the architecture a little bit? We need to decouple "Risk
>>> Calculator" and "Identity Framework" further.
>>>
>>> IS needs a mechanism to receive the feedback from the pub/sub channel
>>> and make changes in the authentication flow.
>>>
>>> <https://www.draw.io/#G0B0bx735ZWbanc0M5eDhDamowbzg>
>>>
>>> 1. The temporal data is a Lucene store, held on the IS side, at a central
>>> location for the whole IS cluster.
>>> 2. MQ is used, so that any third party can publish "Risk" or any other
>>> information.
>>> 3. The authenticator will not request anything from the "Risk
>>> Calculator", but queries its own store. This will make things more
>>> resilient in chaos scenarios.
>>>
>>>
>>> This allows us to do a lot more, e.g.
>>>
>>>    - Use stream analytics to make fast decisions.
>>>       - E.g. too many authentication attempts coming from a particular
>>>         IP in a given time window, then upgrade the flow to two-factor
>>>         authentication.
>>>    - Use batch analytics to perform simple behavioural decisions.
>>>       - E.g. users who have logged in and have a session (not logged out)
>>>         and try to log in on another machine could be prompted with
>>>         another screen saying they have existing sessions on another
>>>         machine.
>>>    - Throttling and shaping based on billing tier exceeding conditions.
>>>    - Use ML to do advanced behavioural decisions.
>>>       - (Seshika will be interested in this)
>>>
>>>
>>> e.g.
>>>
>>> var agentChanged = queryAnalytics('lucene',
>>>     '<lucene-query> e.g. name : agent-change-stream, subject: authenticatedSubjectId');
>>> if (agentChanged) {
>>>     executeStep({'id' : '2'});
>>> }
>>>
>>> On Fri, Jan 19, 2018 at 8:49 AM, Pamoda Wimalasiri <[email protected]>
>>> wrote:
>>>
>>>> Hi all,
>>>>
>>>> The figure shows a high-level architecture for the risk score
>>>> calculation.
>>>> [image: Inline image 2]
>>>>
>>>>
>>>>    - Authentication Data Publisher in the Identity Framework publishes
>>>>    the authentication events to a database
>>>>    - Authenticator requests a risk score from the risk score
>>>>    calculator.
>>>>    - Risk score calculator accesses the user login and geolocation
>>>>    databases and calculates the risk score.
>>>>
>>>> We will be considering
>>>>
>>>>    - IP address
>>>>    - Geolocation
>>>>    - Number of failed attempts between two successful logins
>>>>
>>>> when generating the rules to calculate the risk score.
>>>>
>>>> Regards,
>>>> Pamoda
>>>>
>>>>
>>>> On Tue, Jan 16, 2018 at 9:48 AM, Hasitha Hiranya <[email protected]>
>>>> wrote:
>>>>
>>>>> Hi Ruwan,
>>>>>
>>>>>
>>>>> On Tue, Jan 16, 2018 at 9:39 AM, Ruwan Abeykoon <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> Hi Hasitha,
>>>>>> There is a question about the MAC address, which is not available beyond
>>>>>> an IP router. What we do is browser fingerprinting with a cookie or
>>>>>> something.
>>>>>>
>>>>>> *>> i.e. I usually log in to my personal Gmail using my phone. If I use
>>>>>> my Mac machine suddenly, Google sends an email asking if this is you. *
>>>>>> IS 5.5.0 has the default ability to do this with "Conditional
>>>>>> Authentication", by fingerprinting the browser.
>>>>>>
>>>>> Got it! Thanks for the explanation.
>>>>>
>>>>>>
>>>>>>
>>>>>> Cheers,
>>>>>> Ruwan
>>>>>>
>>>>>>
>>>>>> On Tue, Jan 16, 2018 at 9:20 AM, Hasitha Hiranya <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi all,
>>>>>>>
>>>>>>> We can also consider the MAC address or some machine ID of the last
>>>>>>> successful login as well.
>>>>>>>
>>>>>>> *i.e. I usually log in to my personal Gmail using my phone. If I use
>>>>>>> my Mac machine suddenly, Google sends an email asking if this is you. *
>>>>>>>
>>>>>>> The previous successful login location is also important.
>>>>>>>
>>>>>>> *i.e. If I log into Facebook from Sri Lanka and, after one day of
>>>>>>> travelling, log in from the United States, Facebook is suspicious and
>>>>>>> throws me some security questions.*
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> On Tue, Jan 16, 2018 at 9:09 AM, Ruwan Abeykoon <[email protected]>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi Pamoda,
>>>>>>>> Here are some of my thoughts, not in any order or organized.
>>>>>>>>
>>>>>>>> User Behavior Analytics (*UBA*)
>>>>>>>>
>>>>>>>>    - Implement multi-dimensional clustering (this will detect
>>>>>>>>      general user behaviours, not those of an individual).
>>>>>>>>    - Implement clickstream analytics (this will have knowledge of
>>>>>>>>      the individual, but keep the records indexed with a UserID hash,
>>>>>>>>      so that we can conform to GDPR).
>>>>>>>>
>>>>>>>> Both of the above algorithms may be run on a separate JVM (or as a
>>>>>>>> feature on top of analytics). DAS will publish data to UBA. DAS will
>>>>>>>> detect the fields in the analytics dimensions, which can be configured
>>>>>>>> by the end user (Identity Admin).
>>>>>>>>
>>>>>>>>    - This will cater for 95% of UBA cases.
>>>>>>>>    - Events can be generated from IS as well as any other application,
>>>>>>>>      e.g. Tomcat Filter, .NET Handler.
>>>>>>>>    - Self learning (or appears to be learning) *without ML.* Will be
>>>>>>>>      purely math based (statistics and probability).
>>>>>>>>    - Automatic detection of new knowledge.
>>>>>>>>    - Uses DAS Siddhi. Should not use Spark.
>>>>>>>>    - Need to provide a gadget to visualize the clustered data and
>>>>>>>>      drill down.
>>>>>>>>
>>>>>>>> Clickstream
>>>>>>>>
>>>>>>>>    - Clickstream analysis is done with a probability matrix of
>>>>>>>>      time-correlated events.
>>>>>>>>    - We keep a matrix in memory per user, backed by DB.
>>>>>>>>    - Updates are done on the memory copy and periodically synced to
>>>>>>>>      DB (since a few lost events do not really make much difference
>>>>>>>>      in the probability matrix).
>>>>>>>>    - HA can be done with sharding by UserID.
>>>>>>>>
>>>>>>>> Analysis
>>>>>>>>
>>>>>>>>    - Each event is sent to cluster analytics and clickstream
>>>>>>>>      analytics.
>>>>>>>>    - They will provide a result as a probability array for each type
>>>>>>>>      of anomaly.
>>>>>>>>    - Admin is given a UI to configure the thresholds of the
>>>>>>>>      probability values which he thinks important.
>>>>>>>>    - Admin can select an action (this is a Siddhi event publisher;
>>>>>>>>      one is to publish to a JMS topic towards IS).
>>>>>>>>    - IS can decide upon the authentication flow using its "Conditional
>>>>>>>>      Authentication in IS 5.5.0".
>>>>>>>>
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>> Ruwan
>>>>>>>>
>>>>>>>> On Tue, Jan 16, 2018 at 9:09 AM, Pamoda Wimalasiri <[email protected]> wrote:
>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Tue, Jan 16, 2018 at 8:13 AM, Prakhash Sivakumar <
>>>>>>>>> [email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> On Mon, Jan 15, 2018 at 8:28 PM, Dimuthu Leelarathne <
>>>>>>>>>> [email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi Pamoda,
>>>>>>>>>>>
>>>>>>>>>>> Authentication history is a broad term. How do we plan to
>>>>>>>>>>> identify exceptions?
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> As authentication history, we can consider
>>>>>>>>>
>>>>>>>>>    - number of consecutive invalid login attempts (as suggested
>>>>>>>>>      by Johann)
>>>>>>>>>    - geo velocity: time and location of the previous successful
>>>>>>>>>      login and the current login.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> thanks,
>>>>>>>>>>> Dimuthu
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Jan 15, 2018 at 8:04 PM, Johann Nallathamby <
>>>>>>>>>>> [email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> *[-IAM, RRT]*
>>>>>>>>>>>>
>>>>>>>>>>>> Apart from the business transaction value, the following factors
>>>>>>>>>>>> can be considered for risk calculation.
>>>>>>>>>>>>
>>>>>>>>>>>> 1. Environment - IP, network, geographical location, time of
>>>>>>>>>>>> the day, device/OS/device fingerprinting
>>>>>>>>>>>> 2. Context - previous successful login time, consecutive
>>>>>>>>>>>> invalid login attempts followed by a successful attempt
>>>>>>>>>>>> 3. User behavior - typing speed, etc.
>>>>>>>>>>>>
>>>>>>>>>>>> Regards,
>>>>>>>>>>>> Johann.
>>>>>>>>>>>>
>>>>>>>>>>>> On Mon, Jan 15, 2018 at 4:50 PM, Pamoda Wimalasiri <
>>>>>>>>>>>> [email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi all,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I'm currently working on a risk score calculation method for
>>>>>>>>>>>>> the authentication request of IAM. I'm still doing the background
>>>>>>>>>>>>> research on the behavior of other similar approaches [1] and the
>>>>>>>>>>>>> technologies that can be used.
>>>>>>>>>>>>>
>>>>>>>>>>>>> According to my research, the risk score can be calculated
>>>>>>>>>>>>> based on parameters such as
>>>>>>>>>>>>>
>>>>>>>>>>>>>    - IP address
>>>>>>>>>>>>>    - Geographical location
>>>>>>>>>>>>>    - Authentication history
>>>>>>>>>>>>>
>>>>>>>>>> Are we considering only the past data here?
>>>>>>>>>>
>>>>>>>>>> We should include the current active sessions too. For example, if
>>>>>>>>>> the user is already in an authenticated session and she/he is
>>>>>>>>>> trying to authenticate again, the second attempt might be an attacker.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>>>>    - Time of day
>>>>>>>>>>>>>
>>>>>>>>>>>>> In existing approaches, the total level of risk is calculated
>>>>>>>>>>>>> by the sum of weighted scores of each parameter.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Any suggestions are highly appreciated.
>>>>>>>>>>>>>
>>>>>>>>>>>>> [1] https://backstage.forgerock.com/docs/am/5.5/authentication-guide/index.html#authn-adaptive
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>> Pamoda
>>>>>>>>>>>>> --
>>>>>>>>>>>>>
>>>>>>>>>>>>> *Pamoda Wimalasiri*
>>>>>>>>>>>>> Software Engineer - WSO2
>>>>>>>>>>>>>
>>>>>>>>>>>>> Email : [email protected]
>>>>>>>>>>>>> Mobile : +94713705814
>>>>>>>>>>>>> Web : https://wso2.com/
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>>
>>>>>>>>>>>> *Johann Dilantha Nallathamby*
>>>>>>>>>>>> Senior Lead Solutions Engineer
>>>>>>>>>>>> WSO2, Inc.
>>>>>>>>>>>> lean.enterprise.middleware
>>>>>>>>>>>>
>>>>>>>>>>>> Mobile: *+94 77 7776950*
>>>>>>>>>>>> LinkedIn: http://www.linkedin.com/in/johann-nallathamby
>>>>>>>>>>>> Medium: https://medium.com/@johann_nallathamby
>>>>>>>>>>>> Twitter: *@dj_nallaa*
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Dimuthu Leelarathne
>>>>>>>>>>> Director, Solutions Architecture
>>>>>>>>>>>
>>>>>>>>>>> WSO2, Inc. (http://wso2.com)
>>>>>>>>>>> email: [email protected]
>>>>>>>>>>> Mobile: +94773661935
>>>>>>>>>>> Blog: http://muthulee.blogspot.com
>>>>>>>>>>>
>>>>>>>>>>> Lean . Enterprise . Middleware
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> Architecture mailing list
>>>>>>>>>>> [email protected]
>>>>>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Prakhash Sivakumar
>>>>>>>>>> Software Engineer | WSO2 Inc
>>>>>>>>>> Platform Security Team
>>>>>>>>>> Mobile : +94771510080
>>>>>>>>>> Blog : https://medium.com/@PrakhashS
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>>
>>>>>>>> *Ruwan Abeykoon*
>>>>>>>> *Associate Director/Architect**,*
>>>>>>>> *WSO2, Inc. http://wso2.com*
>>>>>>>> *lean.enterprise.middleware.*
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> *Hasitha Abeykoon*
>>>>>>> Associate Technical Lead; WSO2, Inc.; http://wso2.com
>>>>>>> *cell:* *+94 719363063*
>>>>>>> *blog:* http://abeykoon.blogspot.com
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>
>
>
> --
> Dimuthu Leelarathne
> Director, Solutions Architecture
>
> WSO2, Inc. (http://wso2.com)
> email: [email protected]
> Mobile: +94773661935
> Blog: http://muthulee.blogspot.com
>
> Lean . Enterprise . Middleware
>
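Pamoda's note in the thread says the total risk is the sum of weighted per-parameter scores over IP address, geolocation, authentication history (failed attempts between successes, geo-velocity) and time of day. The block below is an added example, not code from this thread, the linked PoC or WSO2 IS, that carries that model through in JavaScript; the factor scales, the weights, the decision thresholds and the sample login history are all assumptions made for the illustration.

```javascript
// Added example (not WSO2 IS or PoC code): weighted-sum risk score over the
// factors named in the thread. Weights, factor scales and thresholds are assumed.

const EARTH_RADIUS_KM = 6371;

// Great-circle distance in km between two {lat, lon} points (haversine formula).
function haversineKm(a, b) {
  const toRad = (deg) => (deg * Math.PI) / 180;
  const dLat = toRad(b.lat - a.lat);
  const dLon = toRad(b.lon - a.lon);
  const h =
    Math.sin(dLat / 2) ** 2 +
    Math.cos(toRad(a.lat)) * Math.cos(toRad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_KM * Math.asin(Math.sqrt(h));
}

// Implied travel speed (km/h) from the previous successful login to this attempt.
// A zero or negative time gap (clock skew, replayed event) counts as infinitely fast.
function geoVelocityKmh(prev, cur) {
  const hours = (cur.time - prev.time) / 3600000;
  if (hours <= 0) return Infinity;
  return haversineKm(prev.geo, cur.geo) / hours;
}

// Each factor maps (history, attempt) to a score in [0, 1]; 1 is most suspicious.
const FACTORS = {
  newIp: (h, cur) => (h.knownIps.includes(cur.ip) ? 0 : 1),
  geoVelocity: (h, cur) => {
    if (!h.lastSuccess) return 0;        // first login: nothing to compare against
    const v = geoVelocityKmh(h.lastSuccess, cur);
    if (v > 1000) return 1;              // faster than an airliner: impossible travel
    if (v > 200) return 0.5;             // plausible only by air
    return 0;
  },
  failedAttempts: (h) => Math.min(h.failedSinceLastSuccess / 5, 1),
  timeOfDay: (h, cur) =>
    h.usualHours.includes(new Date(cur.time).getUTCHours()) ? 0 : 0.5,
};

// Assumed weights; they sum to 1 so the total also stays in [0, 1].
const WEIGHTS = { newIp: 0.25, geoVelocity: 0.35, failedAttempts: 0.25, timeOfDay: 0.15 };

// Total risk = sum over factors of (weight * factor score), rounded to 3 decimals.
function riskScore(history, attempt) {
  let total = 0;
  for (const [name, factor] of Object.entries(FACTORS)) {
    total += WEIGHTS[name] * factor(history, attempt);
  }
  return Math.round(total * 1000) / 1000;
}

// Map the score onto an authentication decision (thresholds assumed).
function decide(score) {
  if (score >= 0.6) return 'deny';
  if (score >= 0.3) return 'step-up';
  return 'allow';
}

// Constructed history for one user: one known IP, daytime hours, four failures
// since the last success, and a successful login from Colombo at 09:00 UTC.
const SAMPLE_HISTORY = {
  knownIps: ['203.0.113.10'],
  usualHours: [7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17],
  failedSinceLastSuccess: 4,
  lastSuccess: { time: Date.UTC(2018, 0, 19, 9, 0), geo: { lat: 6.93, lon: 79.85 } },
};

// Two hours later from an unknown IP geolocated to New York: new IP (1.0),
// impossible travel (1.0), 4 of 5 failures (0.8), usual hour (0) -> 0.8, deny.
const SUSPICIOUS_ATTEMPT = {
  ip: '198.51.100.7',
  time: Date.UTC(2018, 0, 19, 11, 0),
  geo: { lat: 40.71, lon: -74.01 },
};

// Same account, known IP, still in Colombo, working hours -> 0.2, allow.
const BENIGN_ATTEMPT = {
  ip: '203.0.113.10',
  time: Date.UTC(2018, 0, 19, 11, 0),
  geo: { lat: 6.93, lon: 79.85 },
};

for (const attempt of [SUSPICIOUS_ATTEMPT, BENIGN_ATTEMPT]) {
  const score = riskScore(SAMPLE_HISTORY, attempt);
  console.log(attempt.ip, score, decide(score));
}
```

The geo-velocity factor is the one that needs the previous successful login's time and location, which is exactly the "context" data Johann lists; everything else comes from the current request plus a per-user counter.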
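Ruwan's proposal separates the risk calculator (stream analytics that publishes feedback over a pub/sub channel) from a risk evaluator that only reads a temporal store kept close to IS, so the authentication flow never makes a blocking call to an external system. The next block is an added example of that split in JavaScript, not the PoC's code and not the IS 5.5.0 conditional-authentication script API; `RiskStore`, `IpBurstDetector`, `onLoginRequest`, the feedback event shape and the sample traffic are this example's own, with an in-memory map standing in for the Lucene index and a callback for the MQ. It covers the first stream-analytics case in the thread (too many attempts from one IP in a time window triggers a second factor) and Prakhash's point about an already-active session.

```javascript
// Added example (not PoC or WSO2 IS code): calculator and evaluator decoupled
// through a local temporal store. All names and event shapes are assumed.

// Temporal risk data on the IS side. Entries expire, so stale feedback cannot
// keep forcing step-up after the analytics side has gone quiet.
class RiskStore {
  constructor(ttlMs) {
    this.ttlMs = ttlMs;
    this.entries = new Map();
  }
  static key(stream, subject) {
    return `${stream}|${subject}`;
  }
  // Consumer side of the feedback channel: keeps the latest event per (stream, subject).
  publish(event) {
    this.entries.set(RiskStore.key(event.stream, event.subject), event);
  }
  // Local, synchronous lookup used during the authentication flow; never blocks.
  query(stream, subject, now) {
    const e = this.entries.get(RiskStore.key(stream, subject));
    if (!e || now - e.time > this.ttlMs) return null;
    return e;
  }
}

// Stream-analytics side: "too many authentication attempts from one IP in a
// time window". Keeps a sliding window of timestamps per IP and publishes one
// feedback event each time the window exceeds the limit.
class IpBurstDetector {
  constructor(windowMs, maxAttempts, publish) {
    this.windowMs = windowMs;
    this.maxAttempts = maxAttempts;
    this.publish = publish;
    this.attempts = new Map(); // ip -> timestamps still inside the window
  }
  onAuthEvent(evt) {
    const recent = (this.attempts.get(evt.ip) || []).filter(
      (t) => evt.time - t < this.windowMs
    );
    recent.push(evt.time);
    this.attempts.set(evt.ip, recent);
    if (recent.length > this.maxAttempts) {
      this.publish({ stream: 'ip-burst-stream', subject: evt.ip, time: evt.time, count: recent.length });
      return true;
    }
    return false;
  }
}

// Authentication flow, in the shape of the conditional-authentication script in
// the thread: step 1 always; step 2 (second factor) only when the local store says
// this IP is bursting; an extra prompt when the user already holds a session.
function onLoginRequest(ctx, store) {
  const steps = [1];
  if (store.query('ip-burst-stream', ctx.ip, ctx.time)) steps.push(2);
  const prompt = ctx.activeSessions > 0 ? 'existing-session' : null;
  return { steps, prompt };
}

// Constructed scenario: six attempts from one address inside a minute, then
// three login requests evaluated against the store.
function runScenario() {
  const store = new RiskStore(10 * 60 * 1000);       // feedback lives 10 minutes
  const detector = new IpBurstDetector(60 * 1000, 5, (e) => store.publish(e));
  const t0 = Date.UTC(2018, 0, 19, 9, 0);
  for (let i = 0; i < 6; i++) {
    detector.onAuthEvent({ ip: '198.51.100.7', time: t0 + i * 5000 });
  }
  return {
    // bursting IP, feedback still fresh -> step 1 then step 2
    stepped: onLoginRequest({ ip: '198.51.100.7', time: t0 + 40000, activeSessions: 0 }, store),
    // quiet IP but an existing session -> single step, prompt about the session
    quiet: onLoginRequest({ ip: '203.0.113.10', time: t0 + 40000, activeSessions: 1 }, store),
    // same bursting IP eleven minutes later: feedback expired -> back to one step
    expired: onLoginRequest({ ip: '198.51.100.7', time: t0 + 11 * 60 * 1000, activeSessions: 0 }, store),
  };
}

console.log(JSON.stringify(runScenario()));
```

The TTL on the store is what makes the "resilient in chaos scenarios" claim hold in both directions: if the calculator or the MQ is down, the evaluator still answers from what it last saw, and once that feedback ages out the flow degrades to its normal single step rather than staying escalated forever.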
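The clickstream bullets in Ruwan's UBA notes describe a per-user, in-memory probability matrix of time-correlated events, indexed by a hash of the user ID, with an admin-set threshold turning the resulting anomaly probability into a decision. The following added example, again not WSO2 code, implements that as a first-order Markov transition model in JavaScript; `ClickstreamModel`, the add-one smoothing, the scoring rule and the sample sessions are this example's own assumptions.

```javascript
// Added example (not WSO2 code): per-user transition-probability matrix over
// ordered events, keyed by a hash of the user ID. Class, smoothing and sample
// sessions are assumed for the illustration.

const crypto = require('crypto');

// Records are indexed by a SHA-256 of the user ID, as the thread suggests; a real
// deployment would use a keyed hash (HMAC) so the index cannot be rebuilt from a
// list of known user IDs.
function userKey(userId) {
  return crypto.createHash('sha256').update(userId).digest('hex');
}

class ClickstreamModel {
  constructor() {
    this.users = new Map(); // userKey -> Map(fromEvent -> Map(toEvent -> count))
  }

  // Fold one session's ordered events into the user's transition counts.
  learn(userId, events) {
    const key = userKey(userId);
    if (!this.users.has(key)) this.users.set(key, new Map());
    const counts = this.users.get(key);
    for (let i = 1; i < events.length; i++) {
      const from = events[i - 1];
      if (!counts.has(from)) counts.set(from, new Map());
      const row = counts.get(from);
      row.set(events[i], (row.get(events[i]) || 0) + 1);
    }
  }

  // Number of distinct events this user has ever produced (smoothing vocabulary).
  static vocabularySize(counts) {
    const vocab = new Set();
    for (const [from, row] of counts) {
      vocab.add(from);
      for (const to of row.keys()) vocab.add(to);
    }
    return vocab.size;
  }

  // P(to | from) with add-one smoothing, so an unseen transition is unlikely
  // rather than impossible (log(0) would otherwise dominate the score).
  static transitionProbability(counts, from, to, vocabSize) {
    const row = counts.get(from);
    const n = row ? row.get(to) || 0 : 0;
    let total = 0;
    if (row) for (const c of row.values()) total += c;
    return (n + 1) / (total + vocabSize);
  }

  // Anomaly score = mean negative log-probability per transition. Higher means
  // the session looks less like this user; null when there is nothing to compare.
  score(userId, events) {
    const counts = this.users.get(userKey(userId));
    if (!counts || events.length < 2) return null;
    const vocabSize = ClickstreamModel.vocabularySize(counts);
    let nll = 0;
    for (let i = 1; i < events.length; i++) {
      nll -= Math.log(
        ClickstreamModel.transitionProbability(counts, events[i - 1], events[i], vocabSize)
      );
    }
    return nll / (events.length - 1);
  }

  // The admin-configured threshold from the thread, applied to the score.
  isAnomalous(userId, events, threshold) {
    const s = this.score(userId, events);
    return s !== null && s > threshold;
  }
}

// Constructed training data: ten ordinary sessions for one user.
const USUAL_SESSION = ['login', 'inbox', 'read', 'reply', 'logout'];
const MODEL = new ClickstreamModel();
for (let i = 0; i < 10; i++) MODEL.learn('alice', USUAL_SESSION);

// A session that goes straight to settings and bulk export: transitions this
// user has never made, so each gets only the smoothed floor probability.
const ODD_SESSION = ['login', 'settings', 'export', 'export', 'export'];

console.log('usual', MODEL.score('alice', USUAL_SESSION).toFixed(3));
console.log('odd', MODEL.score('alice', ODD_SESSION).toFixed(3));
```

With ten identical training sessions and a five-event vocabulary, every usual transition scores -ln(11/15), about 0.31, while the odd session averages about 1.88, so a threshold of 1.0 separates them. The matrix per user is small (vocabulary squared at most), which is what makes the in-memory copy with periodic DB sync and UserID sharding in the thread practical.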