Resilient Risk based Adaptive Authentication and Authorization (RAD-AA) Framework

TL;DR

The paper introduces RAD-AA, a resilient, risk-based adaptive authentication and authorization framework that enhances security against credential theft and token manipulation by self-adapting based on risk scores and trust profiles, incorporating ML techniques.

Contribution

It proposes a novel resilient framework that adapts authentication and authorization processes based on risk assessments, improving security over existing standards like OAuth 2.0, OpenID Connect, and SAML 2.0.

Findings

Framework increases attack costs for adversaries

Resilience against common threat vectors demonstrated

ML-based risk scoring improves adaptive accuracy

Abstract

In recent cyber attacks, credential theft has emerged as one of the primary vectors of gaining entry into the system. Once attacker(s) have a foothold in the system, they use various techniques including token manipulation to elevate the privileges and access protected resources. This makes authentication and token based authorization a critical component for a secure and resilient cyber system. In this paper we discuss the design considerations for such a secure and resilient authentication and authorization framework capable of self-adapting based on the risk scores and trust profiles. We compare this design with the existing standards such as OAuth 2.0, OpenID Connect and SAML 2.0. We then study popular threat models such as STRIDE and PASTA and summarize the resilience of the proposed architecture against common and relevant threat vectors. We call this framework as Resilient Risk based Adaptive Authentication and Authorization (RAD-AA). The proposed framework excessively increases the cost for an adversary to launch and sustain any cyber attack and provides much-needed strength to critical infrastructure. We also discuss the machine learning (ML) approach for the adaptive engine to accurately classify transactions and arrive at risk scores.