Anil John
Making Digital Services Secure and Trustworthy


Near Real-Time Anomaly Detection and Remediation


Real-time or near real-time anomaly detection and applying appropriate remediation is becoming more and more a necessity when delivering online services at scale. This blog post looks at some of the potential components associated with this type of compensating control.

The US Patent & Trademark Office recently published a patent application from Apple for ‘Fraud Detection for Identity Management Systems’. The Patently Apple website has a non-patent-y write-up on it that is worth reading for the details (Thanks to @NishantK via @coremania for the pointer).

While the specifics of Apple’s approach may be unique to them, I would like to focus at a high enough level of abstraction to identify the generic components of the process. The viewpoint used is the perspective of the Relying Party the client is interacting with.

  1. An event is raised by a client
    • The challenge here is to make sure that the events we focus on are contextually relevant
    • Client logon, password reset, generation of an authentication statement for an external entity when acting as a CSP, etc.
  2. Anomalies are detected based on characteristics of event
  3. Link anomaly to client identifiers
    • The client may be identified using a variety of identifiers at the network, device, application and user levels and the anomalies themselves may be related to one or more of the identifiers
    • Internet/LAN address, device identifier, device fingerprint, application identifier, credential/token identifier, etc.
  4. Generate reputation score(s) for client identifiers
    • Using the variety of information, both historical and real-time, reputation scores are generated for one or more of the client identifiers. Scores are also stored for use in future events.
    • Statistical modeling, data analytics and more. From what I understand this is both art and science.
  5. Implement remedial action based on reputation scores
    • The actions could vary based on a variety of factors such as sensitivity of data, impact of wrongful action and more
    • Deny access, prompt for additional authentication factors, out-of-band verification, alert a carbon-based life form, etc.
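The five steps above, run end to end over a stream of logon events, as an added example (this is not code from the original post, from Apple's patent application, or from any product). Everything concrete in it is an assumption made for illustration: the event fields, the three anomaly rules (unknown device fingerprint, unknown country, burst of failed logons), the score weights, the failure window, the action thresholds, and the sample events are all constructed. The part worth noticing is step 3/4: an anomaly raises the score of more than one identifier, and a score stored against an IP address during one user's events is what drives the decision on a different user's event later.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class AuthEvent:
    ts: int          # epoch seconds
    user: str
    device_fp: str   # device fingerprint
    ip: str
    country: str
    success: bool


# Assumed weights, and the identifiers each anomaly is attributed to (step 3).
ANOMALY_WEIGHTS = {"new_device": 20, "new_country": 30, "failed_burst": 40}
ANOMALY_LINKS = {"new_device": ("user", "device"),
                 "new_country": ("user", "ip"),
                 "failed_burst": ("user", "ip")}
FAIL_WINDOW_SEC, FAIL_BURST = 300, 5   # assumed: 5 failures inside 5 minutes


class ReputationStore:
    """Historical state kept between events: per-identifier scores plus per-user baselines."""
    def __init__(self):
        self.scores = defaultdict(int)      # (identifier kind, value) -> reputation score
        self.devices = defaultdict(set)     # user -> device fingerprints seen on accepted logons
        self.countries = defaultdict(set)   # user -> countries seen on accepted logons
        self.failures = defaultdict(deque)  # user -> timestamps of recent failed logons


def detect_anomalies(store, ev):
    """Step 2: anomalies derived from the event's characteristics and the user's history."""
    found = []
    if store.devices[ev.user] and ev.device_fp not in store.devices[ev.user]:
        found.append("new_device")
    if store.countries[ev.user] and ev.country not in store.countries[ev.user]:
        found.append("new_country")
    window = store.failures[ev.user]
    while window and ev.ts - window[0] > FAIL_WINDOW_SEC:   # drop failures outside the window
        window.popleft()
    if not ev.success:
        window.append(ev.ts)
    if len(window) >= FAIL_BURST:
        found.append("failed_burst")
    return found


def score_identifiers(store, ev, anomalies):
    """Steps 3-4: link each anomaly to identifiers, update their stored scores,
    and return the worst score among the identifiers present in this event."""
    ids = {"user": ev.user, "device": ev.device_fp, "ip": ev.ip}
    for a in anomalies:
        for kind in ANOMALY_LINKS[a]:
            store.scores[(kind, ids[kind])] += ANOMALY_WEIGHTS[a]
    if ev.success and not anomalies:   # clean logons slowly rebuild the user's reputation
        store.scores[("user", ev.user)] = max(0, store.scores[("user", ev.user)] - 10)
    return max(store.scores[(kind, value)] for kind, value in ids.items())


def choose_action(score):
    """Step 5: tiered remediation; thresholds are assumed."""
    if score < 20:
        return "allow"
    if score < 50:
        return "step_up_mfa"
    if score < 80:
        return "out_of_band_verify"
    return "deny_and_alert"


def process(store, ev):
    anomalies = detect_anomalies(store, ev)
    score = score_identifiers(store, ev, anomalies)
    action = choose_action(score)
    # Only successful logons the policy lets through extend the user's baseline; a real
    # system would wait for the step-up challenge itself to succeed before doing this.
    if ev.success and action in ("allow", "step_up_mfa"):
        store.devices[ev.user].add(ev.device_fp)
        store.countries[ev.user].add(ev.country)
    return {"user": ev.user, "anomalies": anomalies, "score": score, "action": action}


def run(events):
    store = ReputationStore()
    return [process(store, ev) for ev in events]


# Constructed sample stream: alice establishes a baseline, then an unknown device in an
# unknown country fails five times against her account, then bob logs on from that IP.
SAMPLE_EVENTS = [
    AuthEvent(0, "alice", "fp-A", "192.0.2.10", "US", True),
    AuthEvent(60, "alice", "fp-A", "192.0.2.10", "US", True),
] + [AuthEvent(120 + 10 * i, "alice", "fp-B", "203.0.113.9", "BR", False) for i in range(5)] + [
    AuthEvent(170, "bob", "fp-C", "203.0.113.9", "US", True),
]

if __name__ == "__main__":
    for r in run(SAMPLE_EVENTS):
        print(r)
```

The decision uses the worst score among the identifiers present in the event, which is deliberately conservative: bob's first logon carries no anomaly of its own, yet the IP address already has a reputation from alice's events, so it is blocked and alerted. Which identifier's score should dominate, and how fast scores should decay, is exactly the "art" part of step 4.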

In the current online environment, where high value online services need to be delivered, high token strength and up-front identity proofing simply gets you in the game with no assurances of survival. In order to hold your own in this type of environment, compensating controls such as those noted above need to be implemented as part and parcel of your online service delivery.

Question: What are some of the typical anomaly indicators used by experienced providers during an authentication event?



This blog post first appeared on Anil John | Blog. The opinions expressed here are my own and do not represent my employer’s view in any way.



I am a Public Interest Technologist. I help technical leaders make digital services secure and trustworthy.
