Handling Insider Threats using Self-Adaptive Authorization

Insider threat is an ever-growing concern for governments and private organizations, as recent high-profile cases covered in the media make evident. Our research aims to provide an automatic means of handling insider threat: identifying anomalies in the behaviour of trusted users, and responding to them by adapting what a user is able to access, for example by restricting a malicious user's access to critical resources.

Our particular focus is the design of the Self-Adaptive Authorization Framework (SAAF). SAAF lays down the foundations for adaptive authorization, whereby an authorization infrastructure is capable of responding to anomalies indicative of insider threat, with the intent of preventing the continuation of an identified threat.

A prototype implementation of SAAF has been deployed as part of a federated authorization infrastructure composed of an ABAC/XACML authorization service (PERMIS), SimpleSAML identity providers, and the SAAF autonomic controller. The controller implements a MAPE-K (Monitor, Analyse, Plan, Execute, over a shared Knowledge base) feedback loop: it monitors the execution of the target authorization infrastructure, analyses it for non-conventional operational states (those containing anomalous user behaviour), and adapts the authorization constraints so as to halt that behaviour.
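To make the feedback loop in the previous paragraph concrete, the following is an added illustrative example in Python; it is not code from SAAF, PERMIS or SimpleSAML. It runs a toy MAPE-K controller over constructed access-decision events: the Knowledge base holds subject attributes, resource sensitivity and an ABAC-style permit policy; Monitor records permitted accesses to critical resources per user in a sliding window; Analyse flags a user who exceeds a baseline; Plan chooses an explicit deny constraint for that user; Execute writes it into the policy so the decision point halts further accesses. The baseline (more than three critical permits in sixty seconds), the roles, resource names, user names and the deny-constraint adaptation are all assumptions made for this illustration; SAAF's actual analysis and adaptation logic are not described on this page.

```python
"""Toy MAPE-K autonomic controller over an ABAC authorization log.

Illustrative example only: the policy model, names and anomaly rule are
assumptions for the example, not SAAF, PERMIS or SimpleSAML behaviour.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Knowledge:
    """The K in MAPE-K: the controller's model of the authorization system."""
    subjects: dict            # user -> set of roles (as an IdP would assert them)
    resources: dict           # resource -> "critical" | "normal"
    permits: set              # (role, sensitivity, action) permit rules
    denies: set = field(default_factory=set)   # (user, sensitivity) added by adaptation
    critical_limit: int = 3   # assumed baseline: >3 critical permits per window is anomalous
    window_seconds: int = 60


def decide(k: Knowledge, user: str, resource: str, action: str) -> str:
    """Policy decision point with deny-overrides over the (possibly adapted) policy."""
    sensitivity = k.resources.get(resource, "normal")
    if (user, sensitivity) in k.denies:          # adaptation takes precedence
        return "Deny"
    roles = k.subjects.get(user, set())
    if any((r, sensitivity, action) in k.permits for r in roles):
        return "Permit"
    return "Deny"


class Controller:
    """MAPE-K loop: one step per access decision observed from the PDP."""

    def __init__(self, k: Knowledge):
        self.k = k
        self.history = defaultdict(deque)   # user -> timestamps of critical permits
        self.adaptations = []

    def monitor(self, ts, user, resource, decision):
        # Record only permitted accesses to critical resources, within the window.
        if decision == "Permit" and self.k.resources.get(resource) == "critical":
            q = self.history[user]
            q.append(ts)
            while q and ts - q[0] > self.k.window_seconds:
                q.popleft()

    def analyse(self, user) -> bool:
        # Non-conventional state: user exceeds the baseline of critical accesses.
        return len(self.history[user]) > self.k.critical_limit

    def plan(self, user):
        # Chosen adaptation: constrain this user's access to critical resources.
        return ("deny", user, "critical")

    def execute(self, adaptation):
        _, user, sensitivity = adaptation
        self.k.denies.add((user, sensitivity))
        self.adaptations.append(adaptation)

    def step(self, event) -> str:
        ts, user, resource, action = event
        decision = decide(self.k, user, resource, action)
        self.monitor(ts, user, resource, decision)
        if (user, "critical") not in self.k.denies and self.analyse(user):
            self.execute(self.plan(user))
        return decision


# Constructed sample requests: (timestamp in seconds, user, resource, action).
SAMPLE_REQUESTS = [
    (0,  "alice",   "payroll-db",  "read"),
    (5,  "mallory", "payroll-db",  "read"),
    (10, "mallory", "hr-records",  "read"),
    (12, "alice",   "wiki",        "read"),
    (15, "mallory", "source-repo", "read"),
    (20, "mallory", "payroll-db",  "read"),   # 4th critical permit in 60 s: anomaly
    (25, "mallory", "hr-records",  "read"),   # halted by the adaptation
    (30, "mallory", "wiki",        "read"),   # non-critical access still permitted
    (40, "alice",   "hr-records",  "read"),   # alice stays within the baseline
]


def run_demo():
    """Feed the constructed requests through the loop; return decisions and adaptations."""
    k = Knowledge(
        subjects={"alice": {"analyst"}, "mallory": {"analyst"}},
        resources={"payroll-db": "critical", "hr-records": "critical",
                   "source-repo": "critical", "wiki": "normal"},
        permits={("analyst", "critical", "read"), ("analyst", "normal", "read")},
    )
    c = Controller(k)
    decisions = [c.step(e) for e in SAMPLE_REQUESTS]
    return decisions, c.adaptations, k


if __name__ == "__main__":
    decisions, adaptations, _ = run_demo()
    for req, d in zip(SAMPLE_REQUESTS, decisions):
        print(req, "->", d)
    print("adaptations:", adaptations)
```

Note that the request which tips the user over the baseline is still permitted: the loop reacts to observed decisions, so the adaptation stops the continuation of the behaviour rather than the access that revealed it. Tightening the baseline, or analysing requests before the decision is released, trades false positives against that lag.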

Try our demo! An ethical game of hacking through Snakes and Ladders

Further Information:

Research by:

This research is a collaboration based at the University of Kent, Canterbury, UK.