Tuesday June 29, 2021 at 06:30

The URJC launches a new cybersecurity system to prevent identity theft

Scientists from the Data Science Lab, in collaboration with the Cybersecurity Cluster, have carried out a study that proposes a five-step system to detect anomalous behavior and improve the protection of web users against possible identity theft or hijacking of their sessions.

Abel Verard

For a long time, technology companies such as Facebook or Google have tried to offer solutions for managing their users' identities. These service providers have thus become identity providers, and federated identity is what lets users authenticate to different resources, applications and services with the same account and password. In identity federations, both users and the providers of these resources, applications and services trust the identity providers and the standards that have been defined to support this way of working. However, these standards present a multitude of vulnerabilities that can allow an attacker to impersonate a legitimate user when accessing a resource, service or application, steal their password, or hijack their session once it has been established.

In this context, a URJC investigation has proposed a method for detecting anomalous behavior whose purpose is to protect users against these threats. The system aims to prevent or detect these impersonation attacks through a five-step flow that characterizes user behavior and integrates it into the process of accessing these applications, resources or services. The provider with whom the user usually interacts must select the attributes used to build and model a behavioral footprint for each user and characterize what is normal for that user. The next step is to evaluate and validate the models so that they can be integrated into access to the resources, services or applications on offer, improving their security levels.

As Marta Beltrán, a researcher at the Cybersecurity Cluster group, explains, the footprint “can be built using both static and dynamic attributes of user behavior. This includes characteristics of the browser you use, the device and the access network, as well as the dynamics of using the mouse, keyboard, touch interface, etc. Each provider has to select the fingerprint that best suits their security and privacy requirements; there is none that can be recommended for all use cases. We do not realize it, but our way of accessing and using a service or application is very personal (what functionalities we use, at what rate we type, whether we use the mouse more or less, etc.) and practically unique, which can have great advantages when it comes to protecting our security.”
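A minimal sketch of the flow described above, added here as an illustration and not taken from the URJC study: it builds a per-user footprint from static and dynamic attributes, scores a new session against it, and maps the score to an access action. The attribute names, the z-score model (standing in for the study's machine learning models, which the article does not specify), the thresholds and the actions are all assumptions, and the sessions are constructed.

```python
import statistics

STATIC = ("browser", "device", "network")    # static attributes named in the article
DYNAMIC = ("keys_per_sec", "mouse_per_min")  # assumed keyboard/mouse dynamics features

def _s(browser, device, network, keys, mouse):
    return dict(zip(STATIC + DYNAMIC, (browser, device, network, keys, mouse)))

# Constructed sessions for one user (not data from the study).
HISTORY = [
    _s("Firefox", "laptop", "home", 4.0, 30),
    _s("Firefox", "laptop", "home", 4.4, 34),
    _s("Firefox", "laptop", "office", 3.8, 28),
    _s("Firefox", "laptop", "home", 4.2, 32),
    _s("Firefox", "laptop", "office", 4.1, 31),
]
USUAL = _s("Firefox", "laptop", "home", 4.3, 29)
TRAVEL = _s("Chrome", "laptop", "hotel", 4.2, 30)
HIJACK = _s("Chrome", "desktop", "unknown", 9.0, 2)

def build_footprint(sessions):
    """Model what is normal for this user from past sessions."""
    seen = {a: {s[a] for s in sessions} for a in STATIC}
    stats = {a: (statistics.mean(s[a] for s in sessions),
                 statistics.stdev(s[a] for s in sessions)) for a in DYNAMIC}
    return {"static": seen, "dynamic": stats}

def anomaly_score(fp, session):
    """0.0 = matches the footprint, 1.0 = every attribute is anomalous."""
    score = sum(1.0 for a in STATIC if session[a] not in fp["static"][a])
    for a in DYNAMIC:
        mean, std = fp["dynamic"][a]
        z = abs(session[a] - mean) / max(std, 1e-6)
        score += min(z / 3.0, 1.0)  # 3 standard deviations or more counts fully
    return score / (len(STATIC) + len(DYNAMIC))

def access_decision(fp, session, step_up=0.3, deny=0.6):
    """Hypothetical integration point: thresholds and actions are assumptions."""
    score = anomaly_score(fp, session)
    if score >= deny:
        return "deny"
    return "step_up" if score >= step_up else "allow"

if __name__ == "__main__":
    fp = build_footprint(HISTORY)
    for name, s in (("usual", USUAL), ("travel", TRAVEL), ("hijack", HIJACK)):
        print(name, round(anomaly_score(fp, s), 3), access_decision(fp, s))
```
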

A mechanism that would reduce cyber attacks

Alejandro G. Martín, lead author of the work and researcher at the Data Science Lab, points out that "by applying automatic learning mechanisms, providers can realize that a user is behaving abnormally and trigger the necessary actions." He stresses that this is always done "in collaboration with the provider of federated identities that is being used and with the user himself to protect his security in the most appropriate way."

This model is therefore based on a "circle of trust" between providers and users, a concept meaning that a given user is known in a given community and has access to specific services within it.

Federated identity management standards such as OpenID Connect and OAuth 2.0 have been adopted very quickly by users. Social Login, a single login that lets us connect to different providers with a single Google, Facebook or Apple account, can compromise the user's security. As revealed by the IBM Security survey, 70% of Spaniards use this method to authenticate themselves in different services on a daily basis.

In this sense, the proposed method, based on UEBA (User and Entity Behavior Analytics) mechanisms that use machine learning techniques to detect anomalies in the behavior of legitimate users, may be the solution to this threat. The proposed solution has been validated on a web chat called letschat that uses OpenID Connect for user authentication. The data set and results generated to carry out the validation with eleven different users have been published in the Mendeley repository so that other researchers can use them.
