Top

Published in:

2024 | OriginalPaper | Chapter

Resilient Risk-Based Adaptive Authentication and Authorization (RAD-AA) Framework

Authors : Jaimandeep Singh, Chintan Patel, Naveen Kumar Chaudhary

Published in: Information Security, Privacy and Digital Forensics

Publisher: Springer Nature Singapore

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

In recent cyber attacks, credential theft has emerged as one of the primary vectors of gaining entry into the system. Once attacker(s) have a foothold in the system, they use various techniques including token manipulation to elevate the privileges and access protected resources. This makes authentication and token-based authorization a critical component for a secure and resilient cyber system. In this paper, we discuss the design considerations for such a secure and resilient authentication and authorization framework capable of self-adapting based on the risk scores and trust profiles. We compare this design with the existing standards such as OAuth 2.0, OIDC, and SAML 2.0. We then study popular threat models such as STRIDE and PASTA and summarize the resilience of the proposed architecture against common and relevant threat vectors. We call this framework Resilient Risk-based Adaptive Authentication and Authorization (RAD-AA). The proposed framework excessively increases the cost for an adversary to launch and sustain any cyber attack and provides much-needed strength to critical infrastructure. We also discuss the machine learning (ML) approach for the adaptive engine to accurately classify transactions and arrive at risk scores.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter Vehicle Theft Detection and Tracking Using Surveillance Video for the Modern Traffic Security Management System

next chapter Survey on Blockchain Scalability Addressing Techniques

Biau G, Scornet E (2016) A random forest guided tour. Test 25(2):197–227MathSciNetCrossRefMATH

Bray T (2017) The JavaScript Object Notation (JSON) Data Interchange Format. RFC 8259 (Dec 2017), https://www.rfc-editor.org/info/rfc8259

Campbell B, Bradley J, Sakimura N, Lodderstedt T (2020) OAuth 2.0 Mutual-TLS client authentication and certificate-bound access tokens. RFC 8705, https://www.rfc-editor.org/info/rfc8705

Cantor S, Moreh J, Philpott R, Maler E (2005) Metadata for the oasis security assertion markup language (saml) v2. 0

Fett D, Campbell B, Bradley J, Lodderstedt T, Jones M, Waite D (2022) OAuth 2.0 demonstrating proof-of-possession at the application layer (DPoP). Internet-Draft draft-ietf-oauth-dpop-10, Internet Engineering Task Force, https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/10/, work in Progress

Fielding RT (2000) Architectural styles and the design of network-based software architectures. University of California, Irvine

Groß T (2003) Security analysis of the SAML single sign-on browser/artifact profile. In: Proceesings of the 19th Annual computer security applications conference. IEEE, pp 298–307

Hardt D (2012) The OAuth 2.0 authorization framework. RFC 6749. https://www.rfc-editor.org/info/rfc6749

Lodderstedt T, Bradley J, Labunets A, Fett D (2022) OAuth 2.0 Security best current practice. Internet-Draft draft-ietf-oauth-security-topics-20, Internet Engineering Task Force, https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/20/, work in Progress

10.

Lodderstedt, T., Campbell, B., Sakimura, N., Tonge, D., Skokan, F.: OAuth 2.0 Pushed Authorization Requests. RFC 9126 (Sep 2021), https://www.rfc-editor.org/info/rfc9126

11.

Lodderstedt T, McGloin M, Hunt P (2013) OAuth 2.0 threat model and security considerations. RFC 6819, https://www.rfc-editor.org/info/rfc6819

12.

Masse M (2011) REST API design rulebook: designing consistent RESTful web service interfaces. O’Reilly Media, Inc

13.

McLean S, Read GJ, Thompson J, Baber C, Stanton NA, Salmon PM (2021) The risks associated with artificial general intelligence: a systematic review. J Expe Theor Artif Intell:1–15

14.

Peterson LE (2009) K-nearest neighbor. Scholarpedia 4(2):1883

15.

Hedberg R, Jones M, Solberg A, Bradley J, Marco GD (2022) Openid connect federation 1.0—draft 20. The OpenID Foundation, https://openid.net/specs/openid-connect-federation-1_0.html

16.

Sakimura N, Bradley J, Agarwal N (2015) Proof key for code exchange by OAuth public clients. RFC 7636, https://www.rfc-editor.org/info/rfc7636

17.

Sakimura N, Bradley J, Jones M (2021) The OAuth 2.0 authorization framework: JWT-secured authorization request (JAR). RFC 9101, https://www.rfc-editor.org/info/rfc9101

18.

Sakimura N, Bradley J, Jones M, De Medeiros B, Mortimore C (2014) Openid connect core 1.0. The OpenID Foundation, S3p. https://openid.net/specs/openid-connect-core-1_0.html

19.

Security I (2022) Cost of a data breach report. Technical Report. https://www.ibm.com/security/data-breach

20.

Shostack A (2008) Experiences threat modeling at microsoft. MODSEC@ MoDELS 35

21.

Singh J, Chaudhary NK (2022) Oauth 2.0: architectural design augmentation for mitigation of common security vulnerabilities. J Inf Secur Appl 65:103091

22.

Solomonoff RJ (2002) Progress in incremental machine learning. In: NIPS workshop on universal learning algorithms and optimal search. Citeseer, Whistler, BC

23.

Su Y, Ahn B, Alvee SR, Kim T, Choi J, Smith SC (2021) Ransomware security threat modeling for photovoltaic systems. In: 2021 6th IEEE workshop on the electronic grid (eGRID). IEEE, pp 01–05

24.

UcedaVelez T, Morana MM (2015) Risk centric threat modeling: process for attack simulation and threat analysis. John Wiley & Sons

Title: Resilient Risk-Based Adaptive Authentication and Authorization (RAD-AA) Framework
Authors: Jaimandeep Singh
Chintan Patel
Naveen Kumar Chaudhary
Publisher: Springer Nature Singapore
Book: Information Security, Privacy and Digital Forensics
Print ISBN: 978-981-9950-90-4

Electronic ISBN: 978-981-9950-91-1

Copyright Year: 2024
DOI: https://doi.org/10.1007/978-981-99-5091-1_27

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner