Hi Pamoda, What are the use cases we try to implement with the calculated risk score?
On Tue, Jan 23, 2018 at 10:43 PM, Ruwan Abeykoon <[email protected]> wrote:
> Hi Dimuthu,
> +1 on using existing infrastructure with IS.
>
> We need to implement "Risk Calculator" logic in DAS, with Spark and Siddhi queries. This should not be inside the IS.
>
> What IS needs to do is to query the "Risk Data" with lucene while performing the authentication flow. This component can be added as an extension.
>
> What we want to do is to decouple "Risk Calculator" and "Risk Evaluator".

+1 @Ruwan: If we wanted to adopt a real-time elevated authentication mechanism, can we use the same architecture? Or are you proposing a different mechanism for that?

Thanks,

> Risk Calculator - Should be implementable by any analytics engine. Not only with WSO2 DAS.
> Risk Evaluator - This is a simple Java Function which does a lucene query. The lucene Store needs to be very close to the IS cluster, as IS can not do any blocking call to external systems during the authentication flow.
>
> I did a PoC for my proposed architecture. Please refer [1], which can now be implemented with IS 5.5.0-M1. The same architecture can be used on IS 5.3.0/5.4.0 with custom authenticators too, but in a hard way.
>
> [1] https://github.com/ruwanta/wso2is-examples/tree/master/is530/example-functions/components/org.wso2.carbon.identity.sample.extension.feedback
>
> Cheers,
> Ruwan
>
> On Fri, Jan 19, 2018 at 9:36 AM, Dimuthu Leelarathne <[email protected]> wrote:
>> Hi Ruwan,
>>
>> Btw .. we are doing this for the 5.X series.
>>
>> thanks,
>> Dimuthu
>>
>> On Fri, Jan 19, 2018 at 9:34 AM, Dimuthu Leelarathne <[email protected]> wrote:
>>> Hi Ruwan,
>>>
>>> I am thinking of using the existing architecture as it is. Right now there are eventing listeners that publish data to DAS. I propose we reuse it as it is. Those event listeners that publish data can be X-EventListener, Y-EventListener, etc ... There is a lot of data that we can reuse in IS-analytics.
>>>
>>> Whatever the risk calculator does is to reuse the existing data-stores as in the above diagram.
>>>
>>> thanks,
>>> Dimuthu
>>>
>>> On Fri, Jan 19, 2018 at 9:04 AM, Ruwan Abeykoon <[email protected]> wrote:
>>>> Hi Pamoda,
>>>> Can we enhance the architecture a little bit? We need to decouple "Risk Calculator" and "Identity Framework" further.
>>>>
>>>> IS needs a mechanism to receive the feedback from the pub/sub channel and make changes in the authentication flow.
>>>>
>>>> <https://www.draw.io/#G0B0bx735ZWbanc0M5eDhDamowbzg>
>>>>
>>>> 1. The Temporal data is a Lucene store. Held at the IS side. Central location for the whole IS cluster.
>>>> 2. MQ is used, so that any third party can publish "Risk" or any other information.
>>>> 3. The authenticator will not request anything from the "Risk Calculator", but queries its own store. This will make things more resilient in chaos scenarios.
>>>>
>>>> This allows us to do a lot more, e.g.
>>>>
>>>> - Use stream analytics to make fast decisions.
>>>>   - E.g. Too many authentication attempts coming from a particular IP in a given time window, then upgrade the flow to two-factor authentication.
>>>> - Use batch analytics to perform simple behavioural decisions.
>>>>   - E.g. Users who have logged in and have a session (not logged out), and try to log in on another machine, could be prompted with another screen saying they have existing sessions on another machine.
>>>> - Throttling and shaping based on billing tier exceeding conditions.
>>>> - Use ML to do advanced behavioural decisions.
>>>>   - (Seshika will be interested in this)
>>>>
>>>> e.g.
>>>>
>>>> var agentChanged = queryAnalytics('lucene', '<lucene-query> e.g. name : agent-change-stream, subject: authenticatedSubjectId');
>>>>
>>>> if (agentChanged) {
>>>>     executeStep({'id' : '2'});
>>>> }
>>>>
>>>> On Fri, Jan 19, 2018 at 8:49 AM, Pamoda Wimalasiri <[email protected]> wrote:
>>>>> Hi all,
>>>>>
>>>>> The figure shows a high-level architecture for the risk score calculation.
>>>>> [image: Inline image 2]
>>>>>
>>>>> - Authentication Data Publisher in the Identity Framework publishes the authentication events to a database
>>>>> - Authenticator requests a risk score from the risk score calculator.
>>>>> - Risk score calculator accesses the user login and geolocation databases and calculates the risk score.
>>>>>
>>>>> We will be considering
>>>>>
>>>>> IP address
>>>>> Geolocation
>>>>> Number of failed attempts between two successful logins
>>>>>
>>>>> when generating the rules to calculate the risk score.
>>>>>
>>>>> Regards,
>>>>> Pamoda
>>>>>
>>>>> On Tue, Jan 16, 2018 at 9:48 AM, Hasitha Hiranya <[email protected]> wrote:
>>>>>> Hi Ruwan,
>>>>>>
>>>>>> On Tue, Jan 16, 2018 at 9:39 AM, Ruwan Abeykoon <[email protected]> wrote:
>>>>>>> Hi Hasitha,
>>>>>>> There is a question about the MAC address, which is not available beyond an IP router. What we do is browser fingerprinting with a cookie or something.
>>>>>>>
>>>>>>> *>> i.e I usually login to my personal Gmail using my phone. If I use my MAC machine suddenly, google sends an email if this is you. *
>>>>>>> IS 5.5.0 has the default ability to do this with "Conditional Authentication", by fingerprinting the browser.
>>>>>>
>>>>>> Got it! Thanks for the explanation.
>>>>>>
>>>>>>> Cheers,
>>>>>>> Ruwan
>>>>>>>
>>>>>>> On Tue, Jan 16, 2018 at 9:20 AM, Hasitha Hiranya <[email protected]> wrote:
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> We can also consider the MAC address or some machine ID of the last successful login as well.
>>>>>>>>
>>>>>>>> *i.e I usually login to my personal Gmail using my phone. If I use my MAC machine suddenly, google sends an email if this is you. *
>>>>>>>>
>>>>>>>> Also the previous successful login location is important.
>>>>>>>>
>>>>>>>> *i.e If I log into Facebook from Sri Lanka and after one day of travelling I log in from the United States, Facebook is suspicious and throws me some security questions.*
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>>
>>>>>>>> On Tue, Jan 16, 2018 at 9:09 AM, Ruwan Abeykoon <[email protected]> wrote:
>>>>>>>>> Hi Pamoda,
>>>>>>>>> Here are some of my thoughts, not in order or organized.
>>>>>>>>>
>>>>>>>>> User Behavior analytics (*UBA*)
>>>>>>>>>
>>>>>>>>> - Implement multi-dimensional clustering (this will detect general user behaviours, not those of an individual)
>>>>>>>>> - Implement clickstream analytics (this will have knowledge of the individual, but keep the records indexed with a UserID hash, so that we can conform to GDPR)
>>>>>>>>>
>>>>>>>>> Both of the above algorithms may be run on a separate JVM (or a feature on top of analytics). DAS will publish data to UBA. DAS will detect the fields in the analytics dimensions, which can be configured by the end user (Identity Admin).
>>>>>>>>>
>>>>>>>>> - This will cater for 95% of UBA cases.
>>>>>>>>> - Events can be generated from IS as well as any other application. E.g. Tomcat Filter, .Net Handler.
>>>>>>>>> - Self learning (or appears learning) *without ML.* Will be purely math based (statistics and probability).
>>>>>>>>> - Automatic detection of new knowledge.
>>>>>>>>> - Uses DAS Siddhi. Should not use Spark.
>>>>>>>>> - Need to provide a gadget to visualize the clustered data and drill down.
>>>>>>>>>
>>>>>>>>> Clickstream
>>>>>>>>>
>>>>>>>>> - Click stream analysis is done with a probability matrix of time-correlated events.
>>>>>>>>> - We keep a matrix in memory per user, backed by DB.
>>>>>>>>> - Updates are done on the memory copy and periodically synced to DB (since a few lost events do not really make much difference in the probability matrix).
>>>>>>>>> - HA can be done with sharding of UserID.
>>>>>>>>>
>>>>>>>>> Analysis
>>>>>>>>>
>>>>>>>>> - Each event is sent to cluster analytics and clickstream analytics.
>>>>>>>>> - They will provide a result in a probability array of each type of anomaly.
>>>>>>>>> - Admin is given a UI to configure thresholds of probability values, which he thinks important.
>>>>>>>>> - Admin can select an action (this is a Siddhi event publisher. One is to publish to a JMS topic towards IS)
>>>>>>>>> - IS can decide upon the authentication flow using its "Conditional Authentication in IS 5.5.0"
>>>>>>>>>
>>>>>>>>> Cheers,
>>>>>>>>> Ruwan
>>>>>>>>>
>>>>>>>>> On Tue, Jan 16, 2018 at 9:09 AM, Pamoda Wimalasiri <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>> On Tue, Jan 16, 2018 at 8:13 AM, Prakhash Sivakumar <[email protected]> wrote:
>>>>>>>>>>> On Mon, Jan 15, 2018 at 8:28 PM, Dimuthu Leelarathne <[email protected]> wrote:
>>>>>>>>>>>> Hi Pamoda,
>>>>>>>>>>>>
>>>>>>>>>>>> Authentication history is a broad term. How do we plan to identify exceptions?
>>>>>>>>>>
>>>>>>>>>> As authentication history, we can consider
>>>>>>>>>>
>>>>>>>>>> - number of consecutive invalid login attempts (as suggested by Johann)
>>>>>>>>>> - geo velocity: time and location of the previous successful login and the current login.
>>>>>>>>>>
>>>>>>>>>>>> thanks,
>>>>>>>>>>>> Dimuthu
>>>>>>>>>>>>
>>>>>>>>>>>> On Mon, Jan 15, 2018 at 8:04 PM, Johann Nallathamby <[email protected]> wrote:
>>>>>>>>>>>>> *[-IAM, RRT]*
>>>>>>>>>>>>>
>>>>>>>>>>>>> Apart from the business transaction value, the following factors can be considered for risk calculation.
>>>>>>>>>>>>>
>>>>>>>>>>>>> 1. Environment - IP, network, geographical location, time of the day, device/OS/device fingerprinting
>>>>>>>>>>>>> 2. Context - Previous successful login time, consecutive invalid login attempts followed by a successful attempt
>>>>>>>>>>>>> 3. User behavior - typing speed, etc.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>> Johann.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Mon, Jan 15, 2018 at 4:50 PM, Pamoda Wimalasiri <[email protected]> wrote:
>>>>>>>>>>>>>> Hi all,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I'm currently working on a risk score calculation method for the authentication request of IAM. I'm still doing the background research on the behavior of other similar approaches [1] and the technologies that can be used.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> According to my research, the risk score can be calculated based on parameters such as
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> - IP address
>>>>>>>>>>>>>> - Geographical location
>>>>>>>>>>>>>> - Authentication history
>>>>>>>>>>>
>>>>>>>>>>> Are we considering only the past data here?
>>>>>>>>>>>
>>>>>>>>>>> We should include the current active sessions too. For example, if the user is already in an authenticated session and she/he is trying to authenticate again, the 2nd attempt might be an attacker.
>>>>>>>>>>>
>>>>>>>>>>>>>> - Time of day
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> In existing approaches, the total level of risk is calculated by the sum of weighted scores of each parameter.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Any suggestions are highly appreciated.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [1] https://backstage.forgerock.com/docs/am/5.5/authentication-guide/index.html#authn-adaptive
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>> Pamoda
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> *Pamoda Wimalasiri*
>>>>>>>>>>>>>> Software Engineer - WSO2
>>>>>>>>>>>>>> Email : [email protected]
>>>>>>>>>>>>>> Mobile : +94713705814
>>>>>>>>>>>>>> Web : https://wso2.com/
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> *Johann Dilantha Nallathamby*
>>>>>>>>>>>>> Senior Lead Solutions Engineer
>>>>>>>>>>>>> WSO2, Inc.
>>>>>>>>>>>>> lean.enterprise.middleware
>>>>>>>>>>>>> Mobile: *+94 77 7776950*
>>>>>>>>>>>>> LinkedIn: http://www.linkedin.com/in/johann-nallathamby
>>>>>>>>>>>>> Medium: https://medium.com/@johann_nallathamby
>>>>>>>>>>>>> Twitter: *@dj_nallaa*
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Dimuthu Leelarathne
>>>>>>>>>>>> Director, Solutions Architecture
>>>>>>>>>>>> WSO2, Inc. (http://wso2.com)
>>>>>>>>>>>> email: [email protected]
>>>>>>>>>>>> Mobile: +94773661935
>>>>>>>>>>>> Blog: http://muthulee.blogspot.com
>>>>>>>>>>>> Lean . Enterprise . Middleware
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Prakhash Sivakumar
>>>>>>>>>>> Software Engineer | WSO2 Inc
>>>>>>>>>>> Platform Security Team
>>>>>>>>>>> Mobile : +94771510080
>>>>>>>>>>> Blog : https://medium.com/@PrakhashS
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> *Ruwan Abeykoon*
>>>>>>>>> *Associate Director/Architect,*
>>>>>>>>> *WSO2, Inc. http://wso2.com*
>>>>>>>>> *lean.enterprise.middleware.*
>>>>>>>>
>>>>>>>> --
>>>>>>>> *Hasitha Abeykoon*
>>>>>>>> Associate Technical Lead; WSO2, Inc.; http://wso2.com
>>>>>>>> *cell:* *+94 719363063*
>>>>>>>> *blog:* abeykoon.blogspot.com

--
Regards,

*Darshana Gunawardana*
Technical Lead
WSO2 Inc.; http://wso2.com
*E-mail: [email protected]*
*Mobile: +94718566859*
Lean . Enterprise . Middleware
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
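The weighted-sum risk score Pamoda describes, combined with the factors raised across the thread (IP change, geo-velocity between the previous successful login and the current attempt, failed attempts since the last success, time of day, and Prakhash's already-active session), worked through as an added JavaScript example; it is not code from the thread or from WSO2 IS. The weights, the 1000 km/h plausibility limit, the 0.5 step-up threshold and the `previousLogin`/`currentAttempt` records are constructed for illustration, and the previous-login record is assumed to have already been fetched from the store the evaluator queries.

```javascript
// Added example, not code from the thread or from WSO2 IS. Weights, thresholds
// and the sample records below are constructed for illustration.
const EARTH_RADIUS_KM = 6371;
// Relative weight of each risk factor; the total risk is their weighted sum.
const WEIGHTS = { ip: 0.15, geoVelocity: 0.35, failedAttempts: 0.2, timeOfDay: 0.1, activeSession: 0.2 };
const MAX_PLAUSIBLE_KMH = 1000;   // faster than this between two logins is implausible travel
// Great-circle distance in km between two {lat, lon} points (haversine formula).
function distanceKm(a, b) {
  const toRad = (deg) => (deg * Math.PI) / 180;
  const dLat = toRad(b.lat - a.lat);
  const dLon = toRad(b.lon - a.lon);
  const h = Math.sin(dLat / 2) ** 2 +
    Math.cos(toRad(a.lat)) * Math.cos(toRad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_KM * Math.asin(Math.sqrt(h));
}

// Geo-velocity factor: implied speed between the previous successful login and the
// current attempt, scaled to [0, 1]; a non-positive elapsed time is treated as maximal risk.
function geoVelocityScore(prev, cur) {
  const hours = (cur.time - prev.time) / 3600000;
  if (hours <= 0) return 1;
  return Math.min(distanceKm(prev.geo, cur.geo) / hours / MAX_PLAUSIBLE_KMH, 1);
}

// Each factor yields a score in [0, 1]; returns the weighted total and the per-factor breakdown.
function riskScore(prev, cur) {
  const hour = new Date(cur.time).getUTCHours();
  const factors = {
    ip: prev.ip === cur.ip ? 0 : 1,
    geoVelocity: geoVelocityScore(prev, cur),
    failedAttempts: Math.min(cur.failedSinceLastSuccess, 5) / 5,  // saturates at 5 failures
    timeOfDay: hour < 6 ? 1 : 0,                                  // night-time attempt
    activeSession: cur.hasActiveSession ? 1 : 0,                  // already logged in elsewhere
  };
  const total = Object.keys(WEIGHTS).reduce((sum, k) => sum + WEIGHTS[k] * factors[k], 0);
  return { total, factors };
}

// Decision the authenticator would make: step 1 only, or step up to a second factor (step 2).
function requiredStep(total, threshold = 0.5) {
  return total >= threshold ? 2 : 1;
}
// Constructed sample: previous successful login from Colombo; current attempt six hours later
// from New York, from a different IP, after three failures, at 02:00 UTC, with a session still open.
const previousLogin = { ip: '203.0.113.10', geo: { lat: 6.93, lon: 79.85 }, time: Date.UTC(2018, 0, 15, 20, 0) };
const currentAttempt = { ip: '198.51.100.7', geo: { lat: 40.71, lon: -74.01 }, time: Date.UTC(2018, 0, 16, 2, 0),
  failedSinceLastSuccess: 3, hasActiveSession: true };
const result = riskScore(previousLogin, currentAttempt);
console.log(result.total.toFixed(2), result.factors, 'step', requiredStep(result.total));
```

Each factor is kept separately in the result so an admin-facing UI can show which factor drove the decision, not only the total.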
