Most authentication systems are black and white: once you are in, you are in. It was brought to our attention recently that authentication should be an ongoing process, not a one-time gate with continuous, unchecked free rein once inside.
The reasons are well founded.
1) Students at universities and employees at businesses have all kinds of devices which can get stolen or borrowed while left open.
My high school kids can attest to this many times over. Often the result is just an innocuous string of embarrassing texts emanating from their phones claiming absurd things. For example, "I won't be at the party, I was digging for a booger and got a nose bleed", blasted out to their friends after they left their phone unlocked.
2) People will also deliberately give out their authentication credentials to friends and family.
This leaves a hole in standard authentication strategies.
Next year we plan to add an interesting twist to our Intrusion Detection Device (NetGladiator). The idea was actually not mine, but was suggested by a customer recently at our user group meeting in Western Michigan.
Here is the plan.
The idea for our intrusion detection device would be to build a knowledge base of a user's habits over time, match new activity against those established patterns, and raise a tiered alert when there is any kind of abrupt change.
It should be noted that we would not be monitoring content, and thus we would be far less invasive than Google Gmail with its targeted advertisements; we would primarily be following the trail or path of usage, not reading content.
The heuristics would consist of a three-pronged model.
Prong one would look at general trending access across all users globally. If an aggregate group of users on the network were downloading an iOS update, then this behavior would be classified as normal for individual users.
Prong two would look at the pattern of usage for the authenticated user. For example, most people tune their devices to start at a particular page. They also likely use a specific e-mail client, and then have their favorite social networking sites. String together enough of these and you would develop a unique footprint for that user. The user could still deviate from their established pattern of usage, as long as elements of their normal usage remained in their access patterns.
Prong three would be the alarm level. In general a user would receive a risk rating when they deviated into suspect behaviors outside their established baseline. Yes, this is profiling, similar to the psychological profiling on employment tests, which are very accurate at predicting future behavior.
A simple example of a risk factor would be a user that all of a sudden starts executing login scripts en masse, outside of their normal pattern. Something this egregious would be flagged as high risk, and the administrator could specify an automatic disconnection for the user at the high risk level. Lower-risk behavior would be logged for after-the-fact forensics in case any internal servers became compromised.
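To make the three prongs concrete, here is an added Python sketch of the model described above. It is illustrative code written for this page, not NetGladiator's implementation. It records only destinations (never request content), builds a per-user footprint (prong two), treats destinations that a large share of users hit in the same window as normal for everyone (prong one), and rates a session into a tier with an administrator-style action (prong three). The log records, the `login.example.edu` "login script" endpoint, the 0.4/0.8 novelty thresholds, the burst factor and the tier-to-action mapping are all constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample data (not real logs). Each record is (user, destination);
# only the destination is kept, so no request content is ever inspected.
BASELINE_LOG = [
    ("alice", "start.example.edu"), ("alice", "mail.example.edu"),
    ("alice", "social.example.net"), ("alice", "mail.example.edu"),
    ("alice", "start.example.edu"), ("alice", "login.example.edu"),
    ("bob", "start.example.edu"), ("bob", "webmail.example.com"),
    ("bob", "video.example.net"), ("bob", "start.example.edu"),
    ("carol", "start.example.edu"), ("carol", "mail.example.edu"),
    ("carol", "news.example.com"), ("carol", "login.example.edu"),
]

# Accesses seen network-wide in the current window (constructed).
WINDOW_LOG = [
    ("alice", "update.example.com"), ("bob", "update.example.com"),
    ("carol", "update.example.com"), ("bob", "video.example.net"),
]

# Destinations whose burst use is suspicious on its own (hypothetical name
# standing in for the post's "login scripts" example).
SENSITIVE = {"login.example.edu"}

# Tier -> administrator-configured response (assumed mapping).
ACTIONS = {"high": "disconnect", "medium": "alert", "low": "log"}


def build_profiles(log):
    """Prong two: per-user footprint as a Counter of destinations."""
    profiles = defaultdict(Counter)
    for user, dest in log:
        profiles[user][dest] += 1
    return profiles


def global_trends(window_log, total_users, min_fraction=0.5):
    """Prong one: destinations hit by at least min_fraction of all users in
    the window count as normal for everyone (e.g. an OS update)."""
    users_per_dest = defaultdict(set)
    for user, dest in window_log:
        users_per_dest[dest].add(user)
    return {d for d, users in users_per_dest.items()
            if len(users) / total_users >= min_fraction}


def score_session(user, session, profiles, trending, sensitive=SENSITIVE,
                  burst_factor=5):
    """Prong three: rate one user's session against their footprint."""
    known = set(profiles[user]) | trending
    unknown = [d for d in session if d not in known]
    novelty = len(unknown) / len(session)          # share outside the footprint
    baseline_hits = sum(profiles[user][d] for d in sensitive)
    session_hits = sum(1 for d in session if d in sensitive)
    # A burst of sensitive accesses far above the user's own baseline is
    # high risk even when every destination is already "known".
    burst = session_hits > burst_factor * max(baseline_hits, 1)
    if burst or novelty >= 0.8:
        tier = "high"
    elif novelty >= 0.4:
        tier = "medium"
    else:
        tier = "low"
    return {"user": user, "novelty": round(novelty, 2),
            "sensitive_hits": session_hits, "tier": tier,
            "action": ACTIONS[tier]}


def demo():
    """Rate three constructed sessions for alice, with and without prong one."""
    profiles = build_profiles(BASELINE_LOG)
    trending = global_trends(WINDOW_LOG, total_users=len(profiles))
    sessions = {
        "alice_update": ["start.example.edu", "update.example.com",
                         "update.example.com", "mail.example.edu",
                         "social.example.net"],
        "alice_borrowed_phone": ["games.example.io", "chat.example.io",
                                 "games.example.io", "start.example.edu",
                                 "mail.example.edu"],
        "alice_login_burst": ["login.example.edu"] * 12 + ["start.example.edu"],
    }
    results = {}
    for name, dests in sessions.items():
        results[name] = score_session("alice", dests, profiles, trending)
        # The same session rated without prong one shows why trends matter.
        results[name + "_no_trend"] = score_session("alice", dests, profiles, set())
    return trending, results


if __name__ == "__main__":
    trending, results = demo()
    print("trending:", sorted(trending))
    for name, r in results.items():
        print(f"{name:30s} novelty={r['novelty']:.2f} hits={r['sensitive_hits']:2d} "
              f"tier={r['tier']:6s} action={r['action']}")
```

Running `demo()` shows the three cases the post describes: the update session is low risk only because prong one marks `update.example.com` as network-wide normal (without it the same session lands in the medium tier); the borrowed-phone session keeps some of alice's footprint and so is only medium; and the login burst is high risk and would be disconnected even though every destination in it is already in her profile.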
December 20, 2013 at 11:48 AM