
Oracle Adaptive Access Manager

Product
Developers: Oracle
Last Release Date: 2015/12/12
Industries: Financial services, investments and audit
Technology: Cybersecurity - Authentication, Cybersecurity - Information loss prevention, Cybersecurity - Fraud detection systems

Adaptive Access Manager is an anti-fraud system with multi-factor user authentication functionality.

The Adaptive Access Manager software solution provides multi-factor authentication for users of commercial applications and tracks fraud attempts, subsequently blocking them. The software adapts to changing conditions in real time, preventing malicious actions before a transaction (a financial transfer or a purchase of goods) is completed.

In Oracle Adaptive Access Manager, password entry is protected by "virtual devices": the password is entered with the mouse according to a special algorithm, and the user is given a way to identify the website and the application into which they are entering data. The "virtual keyboard" and the slider[1] serve as such devices.

Virtual keyboard (2015)
Slider (2015)

So that attackers cannot intercept the virtual device, the arrangement of its keys changes in every session. The virtual devices sent to the user's browser contain no text, only a graphic image, and the size and density of that image can also vary from session to session. All this makes it impossible for an attacker to reuse the virtual device and gives the user a technology similar to a one-time password (OTP). The virtual device is always individual, and what is sent to the server is not an encrypted password but a one-time token.
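The per-session key shuffle described above, as an added illustration that is not code from the page or from Oracle: the server keeps the arrangement, the client sees only slot positions (a text grid stands in for the product's image), the submitted token is the list of clicked slots, and a token captured in one session decodes to garbage against the next session's layout. The PIN, the grid width and the function names are assumptions made for the example.

```python
import secrets

DIGITS = "0123456789"


def new_session_layout(alphabet=DIGITS):
    """Server side: build a fresh random key arrangement for one session.

    The arrangement stays on the server; the browser would only receive a
    rendered image of it, so the page itself carries no text to scrape.
    """
    keys = list(alphabet)
    # Fisher-Yates shuffle driven by the CSPRNG rather than random.shuffle
    for i in range(len(keys) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        keys[i], keys[j] = keys[j], keys[i]
    return keys


def render_layout(layout, columns=5):
    """Stand-in for the image the product sends: a text grid of the slots.

    Only the slot positions are meaningful to the client; the mapping from
    slot to character exists solely in the server-side session state.
    """
    rows = [layout[i:i + columns] for i in range(0, len(layout), columns)]
    return "\n".join(" ".join(row) for row in rows)


def client_clicks(layout, secret):
    """Client side (for the demonstration only): the slot the user clicks for
    each character of the secret. These slot indexes are the one-time token
    the browser submits; the characters themselves never leave the client."""
    return [layout.index(ch) for ch in secret]


def server_decode(layout, positions):
    """Server side: map submitted slot indexes back to characters using the
    layout stored for *this* session, ready for comparison with the stored PIN."""
    return "".join(layout[p] for p in positions)


def replay_recovers_secret(captured_positions, secret, later_layout):
    """Would a token captured in one session still yield the secret when
    replayed against another session's layout? With a fresh shuffle per
    session it almost never does, which is what makes the token one-time."""
    return server_decode(later_layout, captured_positions) == secret


if __name__ == "__main__":
    pin = "4271"  # constructed sample PIN
    session_a = new_session_layout()
    print(render_layout(session_a))
    token = client_clicks(session_a, pin)
    print("submitted slot indexes:", token)
    print("server decodes:", server_decode(session_a, token))
    session_b = new_session_layout()
    print("same token replayed into the next session decodes:",
          server_decode(session_b, token))
```

The shuffle uses `secrets` rather than `random` so that the layout is not predictable from earlier sessions; the point of the example is that the layout, not the token, is the secret the server must protect.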

The authentication system can be integrated with alternative delivery channels such as e-mail or SMS. Such integration is needed when working with applications from a compromised environment, for example an Internet kiosk. In that case, to confirm their identity the user must enter a one-time password sent by SMS to their mobile phone or by message to their e-mail address, or contact the operator to have the session permitted.

The user identifies the website when receiving the virtual device. At first registration the user selects not only the type of device they prefer to work with, but also the graphic image used as the background of the virtual device and a key phrase. The image, the key phrase and a timestamp unambiguously identify the website, so identification is mutual: the application authenticates the user, and the user knows exactly where they are going and to whom they are providing their credentials.

After successful authentication, and while working with the application, the user must also pass authorization. The application and the fraud monitoring system mean different things by "authorization", but in either case what is checked at a given moment is the user's right to perform certain actions or to continue working. Applications usually have roles to which a list of permitted actions is assigned, and authorization in the application is a check that the user's actions match their rights and the roles they currently hold. Authorization in the monitoring system is a confirmation of authentication, which can happen either in the background, unnoticed by the user, or explicitly, for example through additional questions (Question Pad) put to the user at critical moments. The decision to force a confirmation of authentication is made by the monitoring system and depends on the degree of risk that the application is under attack at that moment and that the user's subsequent actions could do harm. The result is a decision on whether the user may continue working with the application or with part of it.

To prevent fraudulent activity, Oracle Adaptive Access Manager has threat models and mechanisms for quickly assessing the state of a session against predefined rules, spending time and resources on countering real threats rather than on attempts to identify their types. The monitoring engine estimates the degree of risk that fraudulent activity is taking place in the session and prevents it.

The set of identifying marks collected during a user's session can form the basis for establishing facts in an expert system. These marks characterize the device from which the user went online, the location of that device, and the behavioural characteristics of the user working with the application. A fairly large volume of historical data about the user's previous sessions and identifying marks can be accumulated; comparing historical data with current data then makes it possible, with high probability, to detect attempts at illegal actions and prevent them.

Usually the user has a limited number of devices with which they go online and work with applications: the computers installed at the workplace or at home, a personal PDA. The appearance of a new device for the user should attract the suspicion of the monitoring system and close attention to the user's actions. Information about devices may contain a fairly large number of parameters: data on installed software, on the cookies set, physical characteristics. The OAAM monitoring system has reasonable mechanisms for determining the identity of devices, and after a minor change of state it does not classify such devices as unknown and does not raise an alarm.
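One way to get the tolerance to minor changes described above, written here as an added example rather than OAAM's own matching logic: score an observed fingerprint against each known device as a weighted share of agreeing attributes, then classify it as the same device, a known device after a small change (browser upgrade, new plugin), or an unknown device. The attribute names, their weights and the two thresholds are assumptions chosen for the demonstration.

```python
# Constructed attribute weights: a matching persistent cookie says far more
# about identity than a matching time zone does.
ATTRIBUTE_WEIGHTS = {
    "cookie_id": 5,
    "user_agent": 2,
    "screen": 2,
    "fonts_hash": 2,
    "timezone": 1,
    "plugins": 1,
}

# Thresholds are assumptions for the demonstration, not product defaults.
SAME_DEVICE = 0.90
UPDATED_DEVICE = 0.60


def device_similarity(known, observed, weights=ATTRIBUTE_WEIGHTS):
    """Weighted share of attributes on which the observed fingerprint agrees
    with a known device. Returns a value in [0, 1]. Attributes missing from
    the known record never count as a match (avoids None == None)."""
    total = sum(weights.values())
    matched = sum(w for attr, w in weights.items()
                  if attr in known and known[attr] == observed.get(attr))
    return matched / total


def classify_device(known_devices, observed):
    """Return (verdict, similarity, device_id) for the best-matching known device.

    'known': effectively unchanged; 'updated': a known device after a minor
    change that should not raise an alarm; 'unknown': nothing close enough,
    which is the case that deserves the monitoring system's suspicion.
    """
    if not known_devices:
        return ("unknown", 0.0, None)
    best_id, best = max(
        ((dev_id, device_similarity(fp, observed))
         for dev_id, fp in known_devices.items()),
        key=lambda pair: pair[1],
    )
    if best >= SAME_DEVICE:
        return ("known", best, best_id)
    if best >= UPDATED_DEVICE:
        return ("updated", best, best_id)
    return ("unknown", best, None)


if __name__ == "__main__":
    # Constructed fingerprints, not captured from any real client.
    home_pc = {"cookie_id": "c-1a2b", "user_agent": "Browser/100",
               "screen": "1920x1080", "fonts_hash": "f-77",
               "timezone": "UTC+3", "plugins": "pdf,media"}
    after_upgrade = dict(home_pc, user_agent="Browser/101")
    stranger = dict(home_pc, cookie_id="c-zzzz", user_agent="Other/1")
    history = {"home-pc": home_pc}
    for label, fp in (("same", home_pc), ("upgraded", after_upgrade),
                      ("stranger", stranger)):
        print(label, classify_device(history, fp))
```

A browser upgrade alone changes only `user_agent` (11 of 13 weight points still agree), so the device stays attached to its history; losing the cookie as well drops it below the lower threshold and it becomes a new device for the risk model to weigh.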

Another factor defining the session state is the user's geographic location and the characteristics of the connection, such as connection speed, provider name, and first- and second-level domain names. To obtain such information the monitoring system must be integrated with suppliers of location data, for example Quova, Maxmind or IP2location.

With information about the user, the device and the location at hand, one can build a behaviour model of the user consisting of a set of rules that define the degree of risk that the current user is an attacker. Such rules can assess the user's trustworthiness by factors such as the location from which the network is accessed, the device used to connect, and how many times the password was entered incorrectly. Each rule has an importance coefficient defining its weight; the monitoring engine sums the weights of the rules that fired in the model and decides on actions, for example permitting or denying the user's login to the application, or generating a notification about suspicious actions on the user's part.

If this security model is put into practice, unreliable users can be cut off from the application at the very beginning of the session, before password entry; used together with "virtual devices", this yields multi-factor authentication in which the second factor is the user's computer or PDA.

Occasionally ordinary users who have bought a new computer or are travelling the world fall under suspicion. Then the standard "questions and answers" technology can be applied for additional user authentication: when required, the user is asked to answer control questions whose answers only the user knows. The user answers the same questions when registering in the application, and the system remembers the answers.

One should not be limited to a single security model; additional models should be connected as needed and combined into policies characterizing different aspects of the user's work with applications. Such additional models can be:

  • Business policy: activates the business rules set by the organization to mitigate the risk of fraudulent transactions; this includes:
    • Tracking of transactions during sessions
    • Rules for performing transactions
    • Logic driven by key values (for example, the amount of a financial transaction)

  • Process (workflow) policies: rules defining the user's "normal" behaviour when working with applications, applied to track various deviations from the normal mode of operation:

    • Time spent on a page
    • Transactions performed
    • Pages accessed
    • Subsequent resource pointers (URLs)/steps and the interval between steps
    • Checks for deviations from normal behaviour
    • Predefined models of possible risks

  • Policies for handling third-party system data: the monitoring system should be integrated with data from third-party systems such as:

    • IP address data
    • Black/white lists

Other fraud detection systems

By applying a model that estimates the user's "normal" behaviour when working with the application (duration of work, intensity, number of actions), one can obtain a third factor in user authentication (additional authentication).

The Oracle Adaptive Access Manager fraud monitoring system (Fig. 4) processes incoming data in real time (information about users, their location, their devices and the transactions they perform) using rules grouped into models by category, in order to check for and detect cases of fraud.

Monitoring system architecture (2015)

Each rule has a weight and an importance coefficient (W and S), which are processed at the model level and passed to the risk calculation engine for decision-making. If the risk assessment exceeds the tolerable limit, a response is initiated: blocking the user's actions, requiring additional authentication, or generating a notification about an incident that needs further investigation.
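The weighted-rule scoring described here and in the behaviour-model paragraph above (rules on access location, device and password failures, each with a weight; the engine sums the fired rules and chooses permit, deny or notify), as an added example that is not OAAM's own engine or configuration. It folds in one rule of each policy type from the list above: a transaction-amount key value (business policy), an off-hours check (workflow policy) and an IP black list (third-party data). The rule set, the W and S values, the thresholds, the block-listed address and the sample sessions are all constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed block list (TEST-NET address); a deployment would take this
# from the third-party IP data feeds the text mentions.
BLACKLISTED_IPS = {"203.0.113.7"}
TRANSFER_LIMIT = 10_000  # business-policy key value, constructed


@dataclass(frozen=True)
class Rule:
    name: str
    weight: int                    # W: importance of the rule within the model
    score: int                     # S: risk the rule contributes when it fires
    fires: Callable[[dict], bool]  # predicate over the session attributes


# Constructed model: weights, scores and predicates are illustrative only.
MODEL: List[Rule] = [
    Rule("ip_on_blacklist", 10, 10, lambda s: s["ip"] in BLACKLISTED_IPS),
    Rule("new_device", 5, 6, lambda s: s["device_status"] == "unknown"),
    Rule("unfamiliar_country", 4, 5,
         lambda s: s["country"] not in s["usual_countries"]),
    Rule("repeated_password_failures", 3, 5, lambda s: s["failed_logins"] >= 3),
    Rule("large_transfer", 4, 4, lambda s: s["amount"] > TRANSFER_LIMIT),
    Rule("off_hours", 2, 2, lambda s: s["hour"] < 6 or s["hour"] > 22),
]

# Decision thresholds are assumptions for the demonstration.
CHALLENGE_AT = 30
BLOCK_AT = 60


def evaluate(session: dict, model: List[Rule] = MODEL) -> Tuple[int, List[str]]:
    """Run every rule of the model over the session; return the total risk
    (sum of W*S over the rules that fired) and the names of those rules,
    so an investigator can see why a session scored as it did."""
    fired = [rule for rule in model if rule.fires(session)]
    risk = sum(rule.weight * rule.score for rule in fired)
    return risk, [rule.name for rule in fired]


def decide(risk: int) -> str:
    """Map the risk total onto a response: continue silently, demand a
    secondary authentication (challenge questions or OTP), or block."""
    if risk >= BLOCK_AT:
        return "block"
    if risk >= CHALLENGE_AT:
        return "challenge"
    return "allow"


def assess(session: dict) -> dict:
    """Full pass: score, decision, and an alert flag for the incident queue
    whenever the session did not pass through untouched."""
    risk, fired = evaluate(session)
    decision = decide(risk)
    return {"risk": risk, "fired": fired, "decision": decision,
            "alert": decision != "allow"}


def sample_sessions() -> dict:
    """Constructed sessions (not real user data) covering the three outcomes."""
    base = {"ip": "198.51.100.20", "device_status": "known", "country": "FR",
            "usual_countries": {"FR"}, "failed_logins": 0, "amount": 200,
            "hour": 14}
    return {
        "regular_login": dict(base),
        "new_laptop_abroad": dict(base, device_status="unknown", country="JP"),
        "blacklisted_source": dict(base, ip="203.0.113.7"),
    }


if __name__ == "__main__":
    for label, session in sample_sessions().items():
        print(label, assess(session))
```

Returning the list of fired rules alongside the total is what keeps the engine from being the "black box" the text warns against: an administrator tuning W and S can see exactly which rules produced a challenge or a block.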

The description of rules, the construction of models and the assignment of weighting coefficients are transparent to the monitoring system's administrators; the system is not a "black box" with unknown event-handling and decision-making algorithms. A useful addition to the real-time monitoring system is a module for offline information analysis and rule verification, in which a separate copy of the monitoring system's event database can be created and all experiments run against it. Such a module not only eases system implementation but also allows new protection models to be built so that the monitoring system responds more appropriately to new threats. It can also be connected to the existing databases of e-business applications to analyse already completed transactions in search of fraudulent ones.

The OAAM monitoring system includes not only automatic sensors of fraudulent activity but also a graphical interface for servicing the system and analysing its current state. Administrators can trace notifications and monitor registration logs and current transactions. OAAM has a graphical interface for creating roles, which provides separation of duties among the staff servicing the monitoring system. The roles are:

  • System administrator: responsible for keeping the system's components operational
  • System security officer: responsible for creating and configuring security models; when necessary, the officer must be able to disable or change rules in the models
  • Incident investigation security officer: responsible for verifying notifications and investigating incidents
  • Customer service operator: responsible for working with clients

Software-implemented multi-factor authentication, integrated with monitoring, makes it possible to assess the risk of each interactive login and each transaction, raising the security level of user authentication.

Notes