Self-adaptive authorization is one approach to handling insider threat. Insider threat refers to the possibility of trusted insiders (such as employees of an organisation) abusing the trust placed in them for personal gain, revenge, espionage and so forth. We also treat the consequence of credential theft as equivalent to insider threat: from the point of view of the authorization infrastructure, stolen credentials are exercised exactly as the legitimate insider's would be.
Authorization infrastructures offer a particularly useful vantage point on insider threat, because trusted employees who turn rogue (malicious insiders) typically exercise their trust in a legitimate manner: for example, they access an organisation's resources or intellectual property through the access rights they have been assigned, so no individual access control decision is ever violated. Malicious insiders could therefore be identified by monitoring the use of authorization services (which requests are made, by whom, for which resources, and how often), coupled with further contextual information obtained from the resources that are accessed.
Violations, expressed as a set of signature-based rules and anomaly-based rules, provide the trigger conditions that are searched for in the data collected through monitoring. Signature-based rules describe known patterns of misuse directly, whereas anomaly-based rules describe deviations from a subject's established baseline of behaviour. Behaviour that matches such a violation is treated as anomalous activity and as a potential insider threat. Some types of violations include:
It is important to note that our aim is not to predict that a user will become malicious; rather, user behaviour that matches a violation is deemed malicious. The presence of such violations in the system state generates enough risk to warrant some form of response against the user(s) concerned.
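To make the monitoring-and-violation idea concrete, the following is an added example and not code from the paper or from its framework. It takes a constructed audit log of authorization decisions, searches it for two signature-based rules (S1: permitted access to a sensitive resource tree outside working hours; S2: repeated denials on one resource) and one anomaly-based rule (A1: the number of distinct resources a subject accesses in a day exceeds that subject's own baseline), and then maps the violations found for each subject to a response. The log format, the three rules, their thresholds and the response policy are all assumptions of this illustration, not the violation types defined by the paper.

```python
"""Added example (not the paper's code): matching signature-based and
anomaly-based violation rules against monitored authorization decisions.
Log format, rules, thresholds and response policy are assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed audit log of an authorization service:
# time, subject, resource, action, decision. Note that on 2021-03-04 every
# request by alice is permitted: her access rights are never exceeded.
AUTHZ_LOG = """\
2021-03-01T09:05:00 alice /ip/design.pdf read Permit
2021-03-01T10:20:00 alice /ip/roadmap.docx read Permit
2021-03-01T11:00:00 bob /hr/handbook.pdf read Permit
2021-03-02T09:15:00 alice /ip/design.pdf read Permit
2021-03-02T13:40:00 alice /hr/handbook.pdf read Permit
2021-03-02T14:00:00 bob /finance/payroll.xlsx read Deny
2021-03-02T14:01:00 bob /finance/payroll.xlsx read Deny
2021-03-02T14:03:00 bob /finance/payroll.xlsx read Deny
2021-03-03T09:30:00 alice /ip/roadmap.docx read Permit
2021-03-03T10:00:00 alice /ip/spec.docx read Permit
2021-03-03T16:45:00 alice /hr/handbook.pdf read Permit
2021-03-04T22:10:00 alice /ip/design.pdf read Permit
2021-03-04T22:12:00 alice /ip/roadmap.docx read Permit
2021-03-04T22:14:00 alice /ip/spec.docx read Permit
2021-03-04T22:15:00 alice /ip/schematics.zip read Permit
2021-03-04T22:17:00 alice /ip/customers.csv read Permit
2021-03-04T22:20:00 alice /ip/pricing.xlsx read Permit
2021-03-04T22:22:00 alice /ip/source.tar read Permit
2021-03-04T22:25:00 alice /ip/patents.pdf read Permit
"""

WORK_HOURS = range(8, 18)      # assumed working window, 08:00-17:59
SENSITIVE_PREFIX = "/ip/"      # assumed intellectual-property resource tree
DENY_LIMIT = 3                 # assumed: three denials on one resource
MIN_HISTORY_DAYS = 3           # assumed baseline length for the anomaly rule


def parse_log(text):
    """Parse one decision per line into dicts with a datetime timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, subject, resource, action, decision = line.split()
        records.append({"time": datetime.fromisoformat(ts), "subject": subject,
                        "resource": resource, "action": action,
                        "decision": decision})
    return records


def signature_violations(records):
    """Signature rules: fixed patterns searched for directly in the data."""
    hits, denies = [], defaultdict(int)
    for r in records:
        # S1: permitted access to a sensitive resource outside working hours.
        if (r["decision"] == "Permit" and r["resource"].startswith(SENSITIVE_PREFIX)
                and r["time"].hour not in WORK_HOURS):
            hits.append((r["subject"], "S1:out-of-hours-sensitive-access", r["resource"]))
        # S2: repeated denials on the same resource (probing for access).
        if r["decision"] == "Deny":
            key = (r["subject"], r["resource"])
            denies[key] += 1
            if denies[key] == DENY_LIMIT:
                hits.append((r["subject"], "S2:repeated-deny", r["resource"]))
    return hits


def anomaly_violations(records, k=3.0):
    """Anomaly rule A1: distinct resources accessed per day exceeds the
    subject's own baseline (mean + k*stdev of earlier days, floored at +1)."""
    per_day = defaultdict(set)
    for r in records:
        if r["decision"] == "Permit":
            per_day[(r["subject"], r["time"].date())].add(r["resource"])
    hits, history = [], defaultdict(list)
    for (subject, day), resources in sorted(per_day.items()):
        seen = history[subject]
        if len(seen) >= MIN_HISTORY_DAYS:       # only judge against a baseline
            threshold = mean(seen) + max(k * pstdev(seen), 1.0)
            if len(resources) > threshold:
                hits.append((subject, "A1:resource-breadth",
                             f"{day}:{len(resources)}>{threshold:.2f}"))
        seen.append(len(resources))
    return hits


def assess(text):
    """Return {subject: [(rule, detail), ...]} for every violation found."""
    records = parse_log(text)
    per_subject = defaultdict(list)
    for subject, rule, detail in signature_violations(records) + anomaly_violations(records):
        per_subject[subject].append((rule, detail))
    return dict(per_subject)


def recommend_response(violations):
    """Assumed response policy: one matched rule warrants an alert; two or
    more distinct rules warrant suspending the subject's access."""
    rules = {rule.split(":")[0] for rule, _ in violations}
    if not rules:
        return "none"
    return "suspend" if len(rules) >= 2 else "alert"


if __name__ == "__main__":
    for subject, found in assess(AUTHZ_LOG).items():
        print(subject, recommend_response(found), found)
```

In the constructed log, alice's day-4 accesses are all permitted, so a pure access control view sees nothing wrong; only the out-of-hours signature (S1) and the jump from her baseline of 2-3 distinct resources per day to 8 (A1) expose the activity, while bob's three denials on the payroll file match S2 alone. The baseline floor of +1 stops a subject with a perfectly regular history (zero standard deviation) from being flagged for a single extra file.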