Modeling an Intelligent Continuous Authentication System to Protect Financial Information Resources
Thomas G. Calderon, Akhilesh Chandra, John J. Cheh, The University of Akron
Symposium on Information Systems Assurance: Integrity, Privacy, Security & Trust in an IT Context, October 20-22, 2005


Page 1

Modeling an Intelligent Continuous Authentication System to Protect Financial Information Resources

Thomas G. Calderon
Akhilesh Chandra
John J. Cheh
The University of Akron

Symposium on Information Systems Assurance: Integrity, Privacy, Security & Trust in an IT Context

October 20-22, 2005

Page 2

Objective

1. Examine fundamental principles of CA

2. Propose a four-tier framework for CA

3. Discuss implementation issues

Page 3

CA defined

CA is a process that verifies the identity of an information systems user continuously for the entire duration of an authorized session.

Page 4

Motivation

• Current IT environment feeds insecurity

• Controls vulnerable to threats

• Existing solutions are static

• Need for an alternate, robust and dynamic solution

• CA fits the bill!

Page 5

Implications

• Systems design
• Internal controls design
• Audit models and techniques
• Organizational learning
• Behavioral repercussions
• Integration with existing solutions & models
• Alternative technology based solutions

Page 6

Fundamental CA Issues

• Traditional Authentication Models

• CA: Network versus User

Page 7

Figure 1A: Static Authentication (figure; labels recovered from the slide). Duration of a Single Work Session; Enrollment; Evaluation; Presentation; Authentication outcome. A single pass through enrollment, presentation and evaluation yields one authentication outcome for the whole session.

Page 8

Conceptual Model of Authentication, DYNAMIC MODEL (figure; labels recovered from the slide). Enrolment; Evaluation; Presentation; Permit Access; Deny Access.

Page 9

Figure 1B: Continuous Authentication (figure; labels recovered from the slide). Over the Duration (T) of a Single Work Session, in a Dynamic Environment with Changes in User Profile, the intervals t=1, t=2, ..., t=n each carry their own cycle:

Interval 1: Enrollment (interval 1); Presentation; Evaluation; Authentication outcome.
Interval 2: Autonomous Enrollment Update (interval 2); Autonomous Presentation (interval 2); Autonomous Evaluation; Authentication outcome.
Interval n: Autonomous Enrollment Update (interval n); Autonomous Presentation (interval n); Autonomous Evaluation; Authentication outcome.

Equation fragment as it appears on the slide: ])[1 n iitT

Page 10

Figure 2: Physical model of a continuous authentication system (figure; labels recovered from the slide). Components: Intelligent key stroke recognition device (identify patterns); Autonomous agent (Artificial Intelligence Software); Transactions log. Flow labels: Enrollment (Captured keystrokes); Presentation (Presented keystrokes); Evaluation (Monitor, evaluate); Authentication outcome.

Page 11

Table 1: Summary of Four CA Levels

Columns: Level | Probability Statement | Threshold | Fundamental Principles and Authentication Factors

Level 1 | P(User) | ptu
Principles: Continuously assesses and verifies presence at a fixed location.
Factors: knowledge, possession, and biometrics.

Level 2 | P(User/Resource) | ptu/R
Principles: Continuously assesses and verifies presence and access to a resource. Does not attempt to verify the identities of entities that use specific privileges. Level 1 CA conditions are also satisfied.
Factors: knowledge, possession, biometrics, and resources used.

Level 3 | P(User/Workstation) | ptu/W
Principles: Continuously assesses and verifies presence at disparate locations. Does not attempt to verify the identities of entities that use specific privileges. Level 2 CA conditions are also satisfied.
Factors: knowledge, possession, biometrics, resources used, and workstations.

Level 4 | P(User/Transaction or Action) | ptu/A
Principles: Continuously assesses and verifies presence at all access points and monitors the identity of entities that use specific privileges. Level 3 CA conditions are also satisfied.
Factors: knowledge, possession, biometrics, resources used, workstations, transactions profile and actions.

Page 12

Model Fundamentals

• Authentication confidences and thresholds
– Probabilistic values

Versus

• Deterministic or binary authentication
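The probabilistic model above, and the four levels of Table 1, can be made concrete with a small interval-by-interval loop. The following is an added example written for this page, not code from the authors: each interval presents fresh evidence, the evaluator scores it against the enrolled profile, compares the score with the level's threshold (ptu, ptu/R, ptu/W, ptu/A), and folds only permitted evidence back into the profile, which is the autonomous enrollment update of Figure 1B. The keystroke scoring rule, the way the conditional confidences are composed from a familiarity factor, the threshold values and the enrollment and session data are all constructed assumptions, not values from the paper.

```python
"""Threshold-based continuous authentication loop (added example, not the
authors' code).  Scoring rule, thresholds and sample data are constructed."""
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class Profile:
    latencies: list                                   # enrolled keystroke latencies (ms)
    resources: dict = field(default_factory=dict)     # resource -> times used
    workstations: dict = field(default_factory=dict)  # workstation -> times used
    actions: dict = field(default_factory=dict)       # action -> times performed


@dataclass
class Outcome:
    interval: int
    confidence: float
    permit: bool


# Thresholds ptu, ptu/R, ptu/W, ptu/A of Table 1; the numbers are constructed.
THRESHOLDS = {1: 0.6, 2: 0.5, 3: 0.4, 4: 0.3}


def keystroke_confidence(profile, presented, k=2.0):
    """Level 1 P(User): share of presented latencies that fall within k
    population standard deviations of the enrolled mean (constructed rule)."""
    mu = mean(profile.latencies)
    sd = pstdev(profile.latencies) or 1.0
    inside = sum(1 for x in presented if abs(x - mu) <= k * sd)
    return inside / len(presented)


def familiarity_factor(counts, value):
    """Scale factor for one extra CA dimension: 1.0 when the value is the
    user's only habit, 0.5 when it has never been seen (constructed rule)."""
    total = sum(counts.values())
    share = counts.get(value, 0) / total if total else 0.0
    return 0.5 + 0.5 * share


def evaluate(profile, level, latencies, resource=None, workstation=None, action=None):
    """Confidence for one interval at the given CA level.  Levels 2-4 model
    P(User/Resource), P(User/Workstation) and P(User/Action) as the Level 1
    score scaled by the familiarity of each added factor (an assumption)."""
    conf = keystroke_confidence(profile, latencies)
    if level >= 2:
        conf *= familiarity_factor(profile.resources, resource)
    if level >= 3:
        conf *= familiarity_factor(profile.workstations, workstation)
    if level >= 4:
        conf *= familiarity_factor(profile.actions, action)
    return conf


def learn(profile, latencies, resource, workstation, action):
    """Autonomous enrollment update: fold permitted evidence into the profile."""
    profile.latencies.extend(latencies)
    for counts, value in ((profile.resources, resource),
                          (profile.workstations, workstation),
                          (profile.actions, action)):
        if value is not None:
            counts[value] = counts.get(value, 0) + 1


def run_session(profile, level, intervals):
    """Evaluate each interval in turn.  Denied evidence is never learned, so a
    rejected presentation cannot drift the profile towards an impostor; a
    deployed system would also end the session or step up at that point."""
    outcomes = []
    for i, ev in enumerate(intervals, start=1):
        conf = evaluate(profile, level, ev["latencies"], ev.get("resource"),
                        ev.get("workstation"), ev.get("action"))
        permit = conf >= THRESHOLDS[level]
        outcomes.append(Outcome(i, conf, permit))
        if permit:
            learn(profile, ev["latencies"], ev.get("resource"),
                  ev.get("workstation"), ev.get("action"))
    return outcomes


def enrolled_profile():
    """Constructed enrollment data for one accounting user."""
    return Profile(latencies=[120, 130, 125, 135, 128, 122, 131, 127],
                   resources={"ledger": 4, "ar": 1},
                   workstations={"ws-01": 5},
                   actions={"post_journal": 3, "view_report": 2})


# Constructed session: interval 2 looks like someone else at the keyboard,
# on a new workstation, touching payroll with an unusual action.
SAMPLE_SESSION = [
    {"latencies": [124, 129, 133, 121, 126], "resource": "ledger",
     "workstation": "ws-01", "action": "post_journal"},
    {"latencies": [131, 160, 140, 88, 123], "resource": "payroll",
     "workstation": "ws-07", "action": "approve_payment"},
    {"latencies": [125, 128, 132, 122, 129], "resource": "ledger",
     "workstation": "ws-01", "action": "view_report"},
]

if __name__ == "__main__":
    for o in run_session(enrolled_profile(), 4, SAMPLE_SESSION):
        print(f"interval {o.interval}: confidence {o.confidence:.2f} -> "
              f"{'permit' if o.permit else 'deny'}")
```

Run at Level 4 the sample session permits intervals 1 and 3 and denies interval 2; the same second interval is also denied at Level 1, because its latencies alone fall below ptu. Note that the profile after interval 3 contains only the two permitted presentations, which is the point of updating only on a permit.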

Page 13

Levels of CA

Level 1 CA: user authentication
Level 2 CA: user-resource authentication
Level 3 CA: user-resource-system authentication
Level 4 CA: user-resource-system-transaction authentication

Page 14

Model Implementation: with Swarm Technology

Page 15

Swarm Intelligence

• Self-organizing in social insects: spatiotemporally organized networks of pheromone trails (Bonabeau, Dorigo, and Theraulaz, 1999)
• Positive feedback (amplification): recruitment and reinforcement; trail laying and trail following
• Negative feedback: stabilization of collective patterns
• Amplification of fluctuations: random walks, errors, random task-switching; continuous optimization
• Multiple interactions: minimum density of mutually tolerant agents

Page 16

Figure 3: CAS and Swarm Technology (figure; labels recovered from the slide). CA Level axis: Level 1 CA, Level 2 CA, Level 3 CA, Level 4 CA against the dimensions User, Resource, Workstation, Transaction. Agents: four Local Autonomous Agents and one Global Autonomous Agent; Dynamic Conflict Resolution Rules; Virtual CA transaction log.

Page 17

Application of Swarm Intelligence to Continuous Authentication

• Self-organizing of multiple ant-like monitoring computer agents: spatiotemporally organized networks of profile-based trails
• Positive feedback (amplification): local autonomous agents; user, resources, workstation, and transaction transition rules; local updates
• Negative feedback: global autonomous agent; dynamic conflict resolution rules; global updates
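The positive and negative feedback loops of the two swarm slides can be shown in a few dozen lines. This is an added example written for this page, not the authors' code: a local autonomous agent per dimension (resource, workstation, action) lays and reinforces a pheromone trail for each value it sees, which is the positive feedback; the global autonomous agent evaporates every trail at the start of each interval, which is the negative feedback, and applies a conflict-resolution rule over the local verdicts. The reinforcement and evaporation rates, the familiarity threshold, the resolution rule (identity evidence as a hard gate, unanimity permits, a majority permits after a step-up challenge that is assumed to succeed, a minority denies) and the starting trails and session are all constructed assumptions.

```python
"""Profile trails with swarm-style feedback (added example, not the authors'
code).  Rates, thresholds, resolution rule and session data are constructed."""
from collections import defaultdict

REINFORCE = 1.0          # pheromone laid per confirmed observation (constructed)
EVAPORATION = 0.2        # share of pheromone lost per interval (constructed)
LOCAL_THRESHOLD = 0.25   # trail share below which a value counts as unfamiliar


class LocalAgent:
    """Trail map for one dimension: values are keys, pheromone the strength."""

    def __init__(self, dimension, initial=None):
        self.dimension = dimension
        self.trail = defaultdict(float, initial or {})

    def share(self, value):
        total = sum(self.trail.values())
        return self.trail.get(value, 0.0) / total if total else 0.0

    def familiar(self, value):
        return self.share(value) >= LOCAL_THRESHOLD

    def reinforce(self, value):                   # positive feedback: trail laying
        self.trail[value] += REINFORCE

    def evaporate(self):                          # negative feedback: trails fade
        for value in list(self.trail):
            self.trail[value] *= 1.0 - EVAPORATION
            if self.trail[value] < 1e-3:          # an abandoned habit dies out
                del self.trail[value]


class GlobalAgent:
    """Runs one interval: evaporate, collect local verdicts, resolve conflicts."""

    def __init__(self, local_agents):
        self.locals = local_agents

    def resolve(self, identity_ok, observation):
        """Constructed conflict-resolution rule.  Level 1 identity evidence is a
        hard gate; unanimous familiarity permits; a majority permits only after
        a step-up challenge; a minority denies."""
        if not identity_ok:
            return "deny"
        votes = [agent.familiar(observation[agent.dimension]) for agent in self.locals]
        if all(votes):
            return "permit"
        return "challenge" if sum(votes) * 2 > len(votes) else "deny"

    def step(self, identity_ok, observation):
        for agent in self.locals:
            agent.evaporate()
        outcome = self.resolve(identity_ok, observation)
        # A challenge is assumed to succeed whenever identity_ok holds, so the
        # new habit is learned; a denied interval lays no trail at all.
        if outcome in ("permit", "challenge"):
            for agent in self.locals:
                agent.reinforce(observation[agent.dimension])
        return outcome


def build_swarm():
    """Constructed starting trails for one user."""
    return GlobalAgent([
        LocalAgent("resource", {"ledger": 4.0, "ar": 1.0}),
        LocalAgent("workstation", {"ws-01": 5.0}),
        LocalAgent("action", {"post_journal": 3.0, "view_report": 2.0}),
    ])


# Constructed session: the user moves to a new workstation for three intervals,
# then someone fails the identity check, then a wholly unfamiliar pattern appears.
SAMPLE_SESSION = [
    (True,  {"resource": "ledger",  "workstation": "ws-02", "action": "post_journal"}),
    (True,  {"resource": "ledger",  "workstation": "ws-02", "action": "post_journal"}),
    (True,  {"resource": "ledger",  "workstation": "ws-02", "action": "post_journal"}),
    (False, {"resource": "ledger",  "workstation": "ws-02", "action": "post_journal"}),
    (True,  {"resource": "payroll", "workstation": "ws-09", "action": "approve_payment"}),
]


def run(session=SAMPLE_SESSION):
    swarm = build_swarm()
    return [swarm.step(ok, obs) for ok, obs in session]


if __name__ == "__main__":
    for i, outcome in enumerate(run(), start=1):
        print(f"interval {i}: {outcome}")
```

The new workstation is challenged twice and becomes familiar on the third interval once its trail share passes the threshold, while the old workstation's trail keeps evaporating; the failed identity check and the unfamiliar payroll pattern are both denied and leave no trail behind.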

Page 18

Table 2: Implementation Summary of Four CA Levels

Columns: Level | Learning Level | Tasks* | Intelligent/Predetermined Class | Corresponding Intelligent Technologies

Level 1 | Learning level: Minimal
Tasks: Single comparison of a user's signature in each time interval t. The medium of signature can be either a knowledge factor (e.g., a password) or biometrics (e.g., a biometric finger image). For special cases, CAS's intelligent key stroke recognition agent recognizes a user's keystroke latencies.
Class: Predetermined class in most cases, except for special cases like key stroke recognition. As a user ages, his unique biometric signature can gradually change, so multiple patterns can be used over time; this depends on special health conditions or other special situations.
Technologies: A simple database query engine: a user ID and password stored in a database, consulted for as long as the iteration processes in Figure 1 continue. For the special cases of key stroke recognition, a low level of swarm intelligence is used, coupled with database technology.

Level 2 | Learning level: Modest
Tasks: An additional profile creates a well-marked trail (pheromone) that signifies a particular habit of accessing sensitive information through resource utilization.
Class: Intelligent class in the continuous model: enrollment is dynamic, and CAS not only authorizes access but also monitors and updates a user's profile for future evaluation and continuous authorization in Levels 2, 3, and 4.
Technologies: Modest level of swarm intelligence-based technology that can handle the additional dimension of resource utilization in relation to privileged information.

Level 3 | Learning level: Complex
Tasks: Information about a user's movement is added to his/her previous profiles from Levels 1 and 2, using a workstation profile. This new dimension is an addition to the information in the Level 2 processes.
Class: Intelligent class in the continuous model: CAS with this additional dimension monitors and evaluates a user's access to various computers in globally networked IT environments.
Technologies: More complex swarm intelligence technology that can handle two additional dimensions: the resource use profile and the workstation access profile.

Level 4 | Learning level: Highest
Tasks: In this highest level, a user's transaction profile, given his/her job and task responsibilities, is added to the Level 3 CA processes.
Class: Intelligent class in the continuous model: this class performs similar processes with additional profile management.
Technologies: Most sophisticated swarm intelligence-based technology that can handle four classes of profiles.

Page 19

Challenges

1. Mobile computing dynamics
2. Technical constraints
3. Prevention vs. detection
4. Biometric related issues
5. Access control types and location signatures
6. Security layer
7. Privacy concerns
8. Legal issues
9. Audit trail management