Got Ya! -- Sensors for Identity Management Specific Security Situational Awareness

Daniela Pöhn, Heiner Lüken

TL;DR

This work argues that identity management (IdM) is a high-value target for attackers and that traditional security situational awareness (SA) lacks IdM-specific sensors to distinguish legitimate from malicious IdM actions. It proposes a generic, layered IdM-specific SA framework spanning internal and external identity data, threat modeling, detection, comprehension, and projection, and demonstrates its practicality with an OAuth 2.x proof-of-concept. The authors derive sensor sets and context data tailored to IdM, illustrate how detection can be guided by protocol-specific signals, and validate the approach through a minimal OAuth test environment with rule-based anomaly detection. The contribution is a first step toward IdM-aware SA, with future work aimed at incorporating external sensors, cross-organizational data, and evaluation on real-world logs to broaden applicability across federated IdM ecosystems.

Abstract

Security situational awareness refers to identifying, mitigating, and preventing digital cyber threats by gathering information to understand the current situation. With awareness, the basis for decisions is present, particularly in complex situations. However, while logging can track a successful login into a system, it typically cannot determine whether the login was performed by the user assigned to the account. An account takeover, for example, by a successful phishing attack, can be used as an entry point into an organization's network. All identities within an organization are managed in an identity management system. Therefore, these systems are an attractive target for malicious actors. Even within identity management systems, it is difficult to differentiate legitimate from malicious actions. We propose a security situational awareness approach specific to identity management. We focus on protocol specifics and identity-related sources in a general concept before providing the example of the OAuth protocol with a proof-of-concept implementation.

Paper Structure

This paper contains 28 sections, 2 figures, 2 tables.

Figures (2)

  • Figure 1: Generic workflow of the OAuth protocol.
  • Figure 2: Security personnel GUI showing a malicious OAuth request.