Near Real-Time Anomaly Detection and Remediation

Real-time or near real-time anomaly detection and applying appropriate remediation is becoming more and more a necessity when delivering online services at scale. This blog post looks at some of the potential components associated with this type of compensating control.

The US Patent & Trademark Office recently published a patent application from Apple for ‘Fraud Detection for Identity Management Systems’. The Patently Apple website has a non-patent-y write-up on it that is worth reading for the details (Thanks to @NishantK via @coremania for the pointer).

While the specifics of Apple’s approach may be unique to them, I would like to focus at a high enough level of abstraction to identify the generic components of the process. The viewpoint used is the perspective of the Relying Party the client is interacting with.

1. An event is raised by a client
   • The challenge here is to make sure that the events we focus on are contextually relevant
   • Client logon, password reset, generation of an authentication statement for external entity when acting as a CSP etc.
2. Anomalies are detected based on characteristics of event
   • This does depend up the instrumentation and/or sensors available to monitor and report on the event
   • Velocity of transaction, ip black/white lists, unknown device fingerprint etc.
3. Link anomaly to client identifiers
   • The client may be identified using a variety of identifiers at the network, device, application and user levels and the anomalies themselves may be related to one or more of the identifiers
   • Internet/LAN, device identifier, device fingerprint, application identifier, credential/token identifier etc.
4. Generate reputation score(s) for client identifiers
   • Using the variety of information, both historical and real-time, reputation scores are generated for one or more of the client identifiers. Scores are also stored for use in future events.
   • Statistical modeling, data analytics and more. From what I understand this is both art and science
5. Implement remedial action based on reputation scores
   • The actions could vary based on a variety of factors such as sensitivity of data, impact of wrongful action and more
   • Deny access, prompt for additional authentication factors, out of band verification, alert a carbon based life form etc

In the current online environment, where high value online services need to be delivered, high token strength and up-front identity proofing simply gets you in the game with no assurances of survival. In order to hold your own in this type of environment, compensating controls such as those noted above need to be implemented as part and parcel of your online service delivery.

Question: What are some of the typical anomaly indicators used by experienced providers during an authentication event?

RELATED INFO

• US PTO: Fraud Detection for Identity Management Systems
• Patently Apple: Apple Reveals their New Fraud Detection Identity System
• FRAUD as a Digital Platform Service
• Are Federated Credentials and Continuous Identity Verification Compatible?