Detecting Risky Authentication Using the OpenID Connect Token Exchange Time
Abstract
1. Introduction
- Expansion of RBA coverage: Traditional RBA features concentrate on the first login and therefore have difficulty calculating risk precisely, whereas our approach collects RBA features from every authentication, including Single Sign-On. Moreover, our approach fits the digital-workspace trend, since every authentication can be inspected regardless of whether it originates from a public or a private network;
- Elaboration of user experience and security level: A purely server-based approach using OIDC token exchange logs eliminates the user intervention that is common in traditional client- and script-based approaches. This frees the RBA system not only from complaints by users who are anxious about their privacy but also from attackers who observe the RBA mechanism in order to avoid detection and gain access to valuable corporate assets;
- Assurance of efficiency: Because our approach relies on the nature of the authentication protocol itself, it does not require any additional solution or scripts to be deployed, which may ease companies' hesitation to strengthen their authentication mechanism on the way to a zero trust framework. Furthermore, our approach achieves high accuracy in detecting VPN-tunneling-based attacks and other security events in real-world scenarios.
2. Risk-Based Authentication
2.1. Concept and How it Works
- (1) Data Collection: When a user attempts to access a system or perform a transaction, data related to that user, their device, their location, and the nature of the transaction are collected. This data could include the IP address, device type, operating system, browser type, geographical location, time of access, and so on. The user's historical behavior data may also be collected, including typical login times, frequently used devices, and typical transaction patterns;
- (2) Risk Assessment: The collected data are then analyzed by the risk-based authentication system, which uses algorithms and machine learning techniques to assess the risk level. This process might involve comparing the current behavior to the user's historical behavior patterns, checking the IP address against databases of known malicious IPs, analyzing the geographical location, and more. The assessment process can incorporate a wide range of factors and is often customizable to a particular organization's needs or risk tolerance;
- (3) Risk Scoring: The system assigns a risk score based on the results of the risk assessment. This score is a numerical value that represents the perceived level of risk; for example, an unfamiliar device or an access attempt from a new location might increase the risk score;
- (4) Adaptive Authentication: If the risk score falls below a certain threshold (indicating low risk), the user might be authenticated with just their username and password. However, if the risk score is above the threshold, the system will trigger additional authentication measures. This could include multi-factor authentication (MFA) methods, such as sending a one-time passcode to a user's mobile device, requiring an answer to a security question, or using fingerprint or facial recognition;
- (5) Feedback Loop: Most risk-based authentication systems have a feedback loop that allows them to learn from each access attempt; for example, if a user repeatedly logs in from a new location, and those logins are determined to be legitimate, the system might adjust its risk-scoring algorithm so that a lower risk score is assigned to logins from that location in the future.
2.2. RBA Features
- (1) Login Location: This refers to the geographical location from which a user is attempting to access a system. This is often determined by the user's IP address but can also involve GPS data from mobile devices. Unusual locations (e.g., access from a foreign country) can indicate potential fraud;
- (2) IP Address: The IP address can provide information about the user's internet service provider and geographical location. IP addresses can also be checked against lists of known malicious IPs. Frequent changes in IP address, or the use of anonymizing services such as VPNs, can increase the risk score;
- (3) Device Information: Device information includes the type, make, and model of the device being used, the operating system, and the device's unique identifiers. Access from an unrecognized or new device can be a sign of potential fraud;
- (4) Login Time: The time at which a user typically accesses the system can be a factor in risk assessment. Logins occurring at unusual times (e.g., the middle of the night) might increase the risk score;
- (5) Login Pattern: This refers to the user's typical behavior when logging in, such as the frequency of logins, the time spent logged in, and the services accessed. Changes in these patterns can indicate potential fraud;
- (6) Account Activity: Unusual account activity, such as a high number of transactions or changes to account settings, can be a sign of potential fraud. This can also include the type of transactions typically performed by the user;
- (7) Keyboard and Mouse Behavior: Also known as behavioral biometrics, this involves patterns in the way that a user interacts with their device. This could include keystroke dynamics, mouse movements, and even touchscreen interactions. Deviations from established behavior can indicate that a different person is using the account;
- (8) Previous Login History: This includes past instances of failed and successful logins, as well as the authentication methods used. Multiple recent failed login attempts can increase the risk score;
- (9) Browser Fingerprint: This is a set of data that can uniquely identify the specific browser on a device, including the browser type and version, plugins installed, screen resolution, and other settings. This can help to identify whether a user is using a different or unusual browser, which could indicate fraud;
- (10) Mobile Device Identifier: Unique identifiers for mobile devices, such as the international mobile equipment identity (IMEI) number, can be used to recognize trusted devices. Access from a new or different device can increase the risk score;
- (11) Social Media (or Transaction) Activity: While not as commonly used due to privacy concerns and the complexity of data analysis, some systems may analyze social media activity for signs of potential fraud. This could include unusual activity or posts that contradict information known about the user;
- (12) Round-Trip Time (RTT): This is the time that it takes for a data packet to travel from its source to a destination and back. High or varying RTTs can indicate network issues or the potential use of proxies or VPNs, which can be signs of fraudulent activity.
3. Related Works
3.1. Passive TCP Packet Analysis
3.2. Active Web-Ping Response Time Measurement
3.3. Wi-Fi Round-Trip Time Measurement
3.4. Authentication Path Analysis
3.5. Comparison
4. Proposed Approach
4.1. Identity Federation
4.2. OIDC Protocol
- (1) A user wants to use a service, usually a web-based one provided by an application. The application requires an account in order to provide the service. The user issues a request to the application, which must access the user's identity information stored on the IAM server;
- (2) To access the user's information on the IAM server, the application requires authorization from the user. To prevent a replay attack on the authorization code, the application creates a challenge code and a verification code from a nonce. The application then redirects the user's web browser to the IAM server along with the challenge code and the code challenge method;
- (3) The IAM server prompts the user to log in with their credentials if there is no pre-authenticated session. Once authenticated, the session key is stored in the user's web browser; this step is bypassed in the case of Single Sign-On (SSO);
- (4) The IAM server creates an authorization code and delivers it to the user together with a callback URL that the application has pre-registered on the IAM server. The IAM server also stores the received challenge code and the code challenge method for later verification;
- (5) The user sends the received authorization code to the application through the received callback URL;
- (6) The application asks the IAM server to exchange the authorization code for an access token, appending the verification code to the request;
- (7) The IAM server checks the received verification code against the stored challenge code using the code challenge method. It also verifies the authorization code, then issues the access token and sends the requested identity information. The application checks the user's identity information provided by the IAM server and permits the user to access its service. The challenge code is revoked to prevent a replay attack.
4.3. OIDC Token Exchange Time as RBA Feature
4.4. Profiling and Anomaly Detection Design
5. Experiments
5.1. Design
- (1) TXT changes when the user connects through a VPN: Using a VPN is a popular way for attackers to hide their IP and evade IP-based detection. Thus, we attempted to determine whether the TXT differs even when the IP does not change, as a proxy may hide an attacker's real IP;
- (2) TXT changes when a user connects through a mobile hot-spot: At present, many companies strongly recommend that remote workers access the corporate MIS system only from designated remote workplaces. In other words, connecting through mobile hot-spots from public places (e.g., cafes or libraries) is not recommended, as there is a risk of unintended information leakage via a shoulder-surfing attack. Thus, we tested the change in TXT for hot-spot users;
- (3) The approach works well in a real environment as well: Our approach was successful in the lab test environment, so we then tested the efficiency of TXT-based detection in a real environment.
5.2. TXT Changes When User Connects via VPN
5.3. TXT Changes When User Connects via Hot-Spot
5.4. Observed Findings in Real Traffic (Hot-Spot User, Account Sharing)
6. Conclusions
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Conflicts of Interest
Appendix A
Abbreviation | Full Name |
---|---|
RBA | Risk-based authentication |
OIDC | OpenID Connect |
VPN | Virtual Private Network |
MIS | Management Information System |
SaaS | Software-as-a-Service |
IAM | Identity and Access Management |
SSO | Single Sign-On |
SAML | Security Assertion Markup Language |
SCIM | System for Cross-domain Identity Management |
MFA | Multi-Factor Authentication |
ISP | Internet Service Provider |
IMEI | International Mobile Equipment Identity |
RTT | Round-Trip Time |
AWS | Amazon Web Services |
PING | Packet Internet Groper |
JS | JavaScript |
OAuth | Open Authentication |
TXT | Token Exchange Time |
GCP | Google Cloud Platform |
Appendix B
- # Comment: retrieve logs of the most recent 3 months from the WSO2 Identity Server
- | sort _time
- # Comment: sort by time to prepare the TXT calculation
- | search contains(line, "Authorization Request received for user") or contains(line, "Found Authorization")
- # Comment: keep only the log lines in which the IAM server issues an authorization code (TXT start point) or receives it back (TXT finish point)
- | rex field=line "USERSTORE\/(?<user>.*?)\@[a-z]*.company"
- | rex field=line "(Client:|ClientID)(:|)(?<clientId>.*?)\,"
- | rex field=line "DEBUG.*\-(?<message>.*)"
- | fields _time, user, clientId, message, line
- # Comment: drop the fields of the log that are not needed
- | serial [ evtctxadd topic=gettime key=user maxrows=0 timeout=60s contains(line, "Authorization Request received for user") or contains(line, "Found Authorization")
- # Comment: calculate TXT serially with a 60-second time window
- | evalc dummy=if(contains(line, "Authorization Request received for user"), evtctxsetvar("gettime", user, "issue_time", _time), null)
- # Comment: record the start time of TXT
- | eval diff_time=if(contains(line, "Found Authorization"), abs(datediff(evtctxgetvar("gettime", user, "issue_time"), _time, "msec")), null) ]
- # Comment: take the end time of TXT and subtract the start time to obtain TXT
- | fields _time, user, clientId, diff_time, line
- | search isnotnull(diff_time)
- # Comment: drop unneeded fields again and keep only the rows that carry a computed TXT
- | stats avg(diff_time) as avg_diff, min(diff_time) as min_diff, max(diff_time) as max_diff, count by user, clientId
- # Comment: calculate the user's average, min and max TXT per application
- | eval avg_diff=round(avg_diff, -1)
- # Comment: round the average TXT to the nearest 10 ms
- | search count >= 5
- # Comment: only profile a user's TXT for an application when there are at least 5 authentication records in the 3 months
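The profiling query above, re-implemented as an added Python example (not the authors' Logpresso query and not WSO2 code) so it can be run offline: it pairs the start and finish log lines per user within the 60-second window, builds the per-user, per-application profile (average rounded to 10 ms, min, max, count, at least 5 records), and scores a new authentication by its ratio to the profiled average. `parse_line`, `compute_txt`, `build_profiles` and `score` are assumed names, the log lines are constructed in the format of the page's sample-log table, and the 1.8 ratio threshold is an assumption for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

# Patterns from Appendix B, written in Python regex syntax.
TS_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\]")
USER_RE = re.compile(r"USERSTORE/(?P<user>.*?)@[a-z]*\.company")
CLIENT_RE = re.compile(r"(?:Client:|ClientID)(?::|)\s*(?P<clientId>.*?),")
START = "Authorization Request received for user"   # step (4): code issued, TXT start
FINISH = "Found Authorization Code for Client"       # step (6): code returned, TXT finish


def parse_line(line):
    """Timestamp, user, clientId and event kind of one WSO2 DEBUG line, or None if irrelevant."""
    ts, user, client = TS_RE.match(line), USER_RE.search(line), CLIENT_RE.search(line)
    kind = "start" if START in line else "finish" if FINISH in line else None
    if not (ts and user and client and kind):
        return None
    return {"time": datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S,%f"),
            "user": user["user"], "clientId": client["clientId"].strip(), "kind": kind}


def compute_txt(lines, window_s=60):
    """Pair each finish with the latest start of the same user; returns (user, clientId, txt_ms)."""
    records = sorted(filter(None, map(parse_line, lines)), key=lambda r: r["time"])
    pending, txts = {}, []
    for r in records:
        if r["kind"] == "start":
            pending[r["user"]] = r["time"]          # evtctxsetvar(..., "issue_time", _time)
        elif r["user"] in pending:
            ms = (r["time"] - pending.pop(r["user"])) // timedelta(milliseconds=1)
            if 0 <= ms <= window_s * 1000:           # the 60 s context window of the query
                txts.append((r["user"], r["clientId"], ms))
    return txts


def build_profiles(txts, min_count=5):
    """Per (user, clientId): average rounded to 10 ms, min, max and count; needs >= min_count."""
    groups = defaultdict(list)
    for user, client, ms in txts:
        groups[(user, client)].append(ms)
    return {key: {"avg": int(round(mean(v), -1)), "min": min(v), "max": max(v), "count": len(v)}
            for key, v in groups.items() if len(v) >= min_count}


def score(profiles, user, client, txt_ms, threshold=1.8):
    """Ratio of an observed TXT to the profiled average; None when the pair has no profile."""
    profile = profiles.get((user, client))
    if profile is None:
        return None
    ratio = txt_ms / profile["avg"]
    return {"ratio": round(ratio, 2), "risky": ratio >= threshold}


def _pair(t0, user, client, txt_ms):
    """Two constructed WSO2-style lines in the format of the page's sample-log table."""
    def stamp(t):
        return t.strftime("[%Y-%m-%d %H:%M:%S,%f")[:-3] + "]"
    acct = f"EXAMPLE.COMPANY.USERSTORE/{user}@example.company"
    start = (f"{stamp(t0)} [req] DEBUG{{org.wso2.carbon.identity.oauth2.OAuth2Service}}- "
             f"{START}: {acct}, ClientID:{client},AuthorizationResponseType:code")
    finish = (f"{stamp(t0 + timedelta(milliseconds=txt_ms))} [req] DEBUG "
              "{org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationCodeGrantHandler}- "
              f"{FINISH}: {client}, authorized user: {acct}, scope: openid")
    return [start, finish]


CLIENT_ID = "2_Rc5iEXGeppgMmfLNwH4ogVBqNIa"          # client id taken from the page's sample log
BASE = datetime(2023, 7, 10, 10, 19, 5, 527000)
SAMPLE_LOGS = ["[2023-07-10 10:19:05,600] [req] DEBUG {org.wso2.carbon.identity} - unrelated line"]
for i, ms in enumerate([684, 702, 691, 715, 698, 706]):   # constructed baseline, one login per hour
    SAMPLE_LOGS += _pair(BASE + timedelta(hours=i), "example000055", CLIENT_ID, ms)
SAMPLE_LOGS += _pair(BASE + timedelta(days=1), "example000077", CLIENT_ID, 650)  # too few to profile


def demo():
    """Profile the constructed logs and score one new authentication that took 1400 ms."""
    txts = compute_txt(SAMPLE_LOGS)
    profiles = build_profiles(txts)
    return txts, profiles, score(profiles, "example000055", CLIENT_ID, 1400)


if __name__ == "__main__":
    txts, profiles, verdict = demo()
    print(profiles)
    print(verdict)
```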
References
- Gartner Forecasts 39% of Global Knowledge Workers Will Work Hybrid by the End of 2023. Available online: https://www.gartner.com/en/newsroom/press-releases/2023-03-01-gartner-forecasts-39-percent-of-global-knowledge-workers-will-work-hybrid-by-the-end-of-2023 (accessed on 3 October 2023).
- Kotak, J.; Habler, E.; Brodt, O.; Shabtai, A.; Elovici, Y. Information Security Threats and Working from Home Culture: Taxonomy, Risk Assessment and Solutions. Sensors 2023, 23, 4018.
- NIST Special Publication 800-207 Zero Trust Architecture, Released August 2020. Available online: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf (accessed on 3 October 2023).
- Department of Defense (DoD). Zero Trust Reference Architecture Version 2.0. July 2022. Available online: https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v2.0(U)_Sep22.pdf (accessed on 3 October 2023).
- Parmar, V.; Sanghvi, H.A.; Patel, R.H.; Pandya, A.S. A comprehensive study on passwordless authentication. In Proceedings of the 2022 International Conference on Sustainable Computing and Data Communication Systems (ICSCDS), Erode, India, 7–9 April 2022; pp. 1266–1275.
- Papaioannou, M.; Pelekoudas-Oikonomou, F.; Mantas, G.; Serrelis, E.; Rodriguez, J.; Fengou, M.-A. A Survey on Quantitative Risk Estimation Approaches for Secure and Usable User Authentication on Smartphones. Sensors 2023, 23, 2979.
- Wiefling, S.; Lo Iacono, L.; Dürmuth, M. Is this really you? An empirical study on risk-based authentication applied in the wild. In Proceedings of the ICT Systems Security and Privacy Protection: 34th IFIP TC 11 International Conference, SEC 2019, Lisbon, Portugal, 25–27 June 2019; Proceedings 34. Springer International Publishing: Berlin/Heidelberg, Germany, 2019; pp. 134–148.
- Wiefling, S.; Dürmuth, M.; Lo Iacono, L. More than just good passwords? A study on usability and security perceptions of risk-based authentication. In Proceedings of the Annual Computer Security Applications Conference, Austin, TX, USA, 7–11 December 2020; pp. 203–218.
- Bumiller, A.; Barais, O.; Aillery, N.; Le Lan, G. Towards a Better Understanding of Impersonation Risks. In Proceedings of the 2022 15th International Conference on Security of Information and Networks (SIN), Sousse, Tunisia, 11–13 November 2022; pp. 1–8.
- Doerfler, P.; Thomas, K.; Marincenko, M.; Ranieri, J.; Jiang, Y.; Moscicki, A.; McCoy, D. Evaluating login challenges as a defense against account takeover. In Proceedings of the World Wide Web Conference, San Francisco, CA, USA, 13–17 May 2019; pp. 372–382.
- Andriamilanto, N.; Allard, T.; Guelvouit, G.L. "Guess Who?" Large-scale data-centric study of the adequacy of browser fingerprints for web authentication. In Proceedings of the 14th International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS-2020), Lodz, Poland, 1–3 July 2020; Springer International Publishing: Berlin/Heidelberg, Germany, 2021; pp. 161–172.
- Alaca, F.; Van Oorschot, P.C. Device fingerprinting for augmenting web authentication: Classification and analysis of methods. In Proceedings of the 32nd Annual Conference on Computer Security Applications, Los Angeles, CA, USA, 5–8 December 2016; pp. 289–301.
- Wiefling, S.; Dürmuth, M.; Iacono, L.L. What's in score for website users: A data-driven long-term study on risk-based authentication characteristics. In Proceedings of the Financial Cryptography and Data Security: 25th International Conference, FC 2021, Virtual Event, 1–5 March 2021; Revised Selected Papers, Part II 25; Springer: Berlin/Heidelberg, Germany, 2021; pp. 361–381.
- Balebako, R.; Marsh, A.; Lin, J.; Hong, J.; Cranor, L.F. The privacy and security behaviors of smartphone app developers. In Workshop on Usable Security; The Internet Society: Reston, VA, USA, 2014; pp. 1–10.
- Bhuyan, S.S.; Kim, H.; Isehunwa, O.O.; Kumar, N.; Bhatt, J.; Wyant, D.K.; Kedia, S.; Chang, C.F.; Dasgupta, D. Privacy and security issues in mobile health: Current research and future directions. Heal. Policy Technol. 2017, 6, 188–191.
- Alt, F.; Schneegass, S. Beyond Passwords: Challenges and Opportunities of Future Authentication. IEEE Secur. Priv. 2022, 20, 82–86.
- Acar, G.; Juarez, M.; Nikiforakis, N.; Diaz, C.; Gürses, S.; Piessens, F.; Preneel, B. FPDetective: Dusting the web for fingerprinters. In Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, Berlin, Germany, 4–8 November 2013; pp. 1129–1140.
- Zheleva, E.; Getoor, L. Privacy in social networks: A survey. In Social Network Data Analytics; Springer: Berlin/Heidelberg, Germany, 2011; pp. 277–306.
- Madden, M.; Rainie, L. Americans' Attitudes about Privacy, Security and Surveillance; Pew Research Center: Washington, DC, USA, 2015.
- Egelman, S.; Tsai, J.; Cranor, L.F.; Acquisti, A. Timing is everything? The effects of timing and placement of online privacy indicators. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, Boston, MA, USA, 10–13 October 2009; pp. 319–328.
- Device Fingerprinting and User Privacy: Striking the Right Balance. Available online: https://medium.com/@TrustDecision/device-fingerprinting-and-user-privacy-striking-the-right-balance-f67b63e555d9 (accessed on 3 October 2023).
- Bonneau, J.; Herley, C.; van Oorschot, P.C.; Stajano, F. The quest to replace passwords: A framework for comparative evaluation of web authentication schemes. In Proceedings of the 2012 IEEE Symposium on Security and Privacy, San Francisco, CA, USA, 20–23 May 2012; pp. 553–567.
- Debatin, B.; Lovejoy, J.P.; Horn, A.K.; Hughes, B.N. Facebook and online privacy: Attitudes, behaviors, and unintended consequences. J. Comput.-Mediat. Commun. 2009, 15, 83–108.
- Wiefling, S.; Jørgensen, P.R.; Thunem, S.; Iacono, L.L. Pump Up Password Security! Evaluating and Enhancing Risk-Based Authentication on a Real-World Large-Scale Online Service. ACM Trans. Priv. Secur. 2022, 26, 1–36.
- Aikat, J.; Kaur, J.; Smith, F.D.; Jeffay, K. Variability in TCP round-trip times. In Proceedings of the 3rd ACM SIGCOMM Conference on Internet Measurement, Miami Beach, FL, USA, 27–29 October 2003; pp. 279–284.
- Chen, X.; Kim, H.; Aman, J.M.; Chang, W.; Lee, M.; Rexford, J. Measuring TCP round-trip time in the data plane. In Proceedings of the Workshop on Secure Programmable Network Infrastructure, Virtual Event, 10–14 August 2020; pp. 35–41.
- Draper-Gil, G.; Lashkari, A.H.; Mamun, M.S.I.; Ghorbani, A.A. Characterization of encrypted and VPN traffic using time-related. In Proceedings of the 2nd International Conference on Information Systems Security and Privacy (ICISSP), Rome, Italy, 19 February 2016; pp. 407–414.
- Lv, S.; Wang, C.; Wang, Z.; Wang, S.; Wang, B.; Zhang, Y. AAE-DSVDD: A one-class classification model for VPN traffic identification. Comput. Netw. 2023, 236, 109990.
- Kohls, K.; Diaz, C. VerLoc: Verifiable Localization in Decentralized Systems. In Proceedings of the 31st USENIX Security Symposium (USENIX Security 22), Boston, MA, USA, 10–12 August 2022; pp. 2637–2654.
- Eriksson, B.; Barford, P.; Sommers, J.; Nowak, R. A learning-based approach for IP geolocation. In Proceedings of the Passive and Active Measurement: 11th International Conference, PAM 2010, Zurich, Switzerland, 7–9 April 2010; Proceedings 11. Springer: Berlin/Heidelberg, Germany, 2010; pp. 171–180.
- Kruger, C.P.; Hancke, G.P. Enhanced security in industrial internet of things networks using latency based fingerprinting. In Proceedings of the 2020 IEEE 18th International Conference on Industrial Informatics (INDIN), Warwick, UK, 20–23 July 2020; pp. 1–6.
- Ezin, L.E.C.; Sadre, R. Efficient probing of heterogeneous IoT networks. In Proceedings of the 2017 IFIP/IEEE Symposium on Integrated Network and Service Management (IM), Lisbon, Portugal, 8–12 May 2017; pp. 1052–1058.
- Aneja, S.; Aneja, N.; Islam, M.S. IoT device fingerprint using deep learning. In Proceedings of the 2018 IEEE International Conference on Internet of Things and Intelligence System (IOTAIS), Bali, Indonesia, 1–3 November 2018; pp. 174–179.
- Lontorfos, G.; Fairbanks, K.D.; Watkins, L.; Robinson, W.H. Remotely inferring device manipulation of industrial control systems via network behavior. In Proceedings of the 2015 IEEE 40th Local Computer Networks Conference Workshops (LCN Workshops), Clearwater Beach, FL, USA, 26–29 October 2015; pp. 603–610.
- Watkins, L.; Robinson, W.H.; Beyah, R. A Passive Solution to the CPU Resource Discovery Problem in Cluster Grid Networks. IEEE Trans. Parallel Distrib. Syst. 2011, 22, 2000–2007.
- Watkins, L.; Robinson, W.H.; Beyah, R. Using network traffic to infer hardware state: A kernel-level investigation. ACM Trans. Embed. Comput. Syst. 2015, 14, 1–22.
- Rivera, E.; Tengana, L.; Solano, J.; Castelblanco, A.; López, C.; Ochoa, M. Risk-based authentication based on network latency profiling. In Proceedings of the 13th ACM Workshop on Artificial Intelligence and Security, Virtual Event, 13 November 2020; pp. 105–115.
- Inspectors Insights: Messages Table. Available online: https://docs.telerik.com/fiddler-everywhere/user-guide/inspector-types#messages-tab (accessed on 3 October 2023).
- Abdou, A.; Matrawy, A.; Van Oorschot, P.C. Accurate manipulation of delay-based internet geolocation. In Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, Abu Dhabi, United Arab Emirates, 2–6 April 2017; pp. 887–898.
- Orfanos, M.; Perakis, H.; Gikas, V.; Retscher, G.; Mpimis, T.; Spyropoulou, I.; Papathanasopoulou, V. Testing and Evaluation of Wi-Fi RTT Ranging Technology for Personal Mobility Applications. Sensors 2023, 23, 2829.
- Garcia-Fernandez, M.; Hoyas-Ester, I.; Lopez-Cruces, A.; Siutkowska, M.; Banqué-Casanovas, X. Accuracy in WiFi Access Point Position Estimation Using Round Trip Time. Sensors 2021, 21, 3828.
- Selvan, S.; Mahinderjit Singh, M. Adaptive contextual risk-based model to tackle confidentiality-based attacks in fog-IoT paradigm. Computers 2022, 11, 16.
- Bian, H.; Bai, T.; Salahuddin, M.A.; Limam, N.; Daya, A.A.; Boutaba, R. Uncovering Lateral Movement Using Authentication Logs. IEEE Trans. Netw. Serv. Manag. 2021, 18, 1049–1063.
- Department of Defense (DoD). Identity and Access Management Recommended Best Practices for Administrators. March 2023. Available online: https://media.defense.gov/2023/Mar/21/2003183448/-1/-1/0/ESF%20IDENTITY%20AND%20ACCESS%20MANAGEMENT%20RECOMMENDED%20BEST%20PRACTICES%20FOR%20ADMINISTRATORS%20PP-23-0248_508C.PDF (accessed on 3 October 2023).
- Identity Server Documentation. Available online: https://is.docs.wso2.com/en/5.11.0/ (accessed on 3 October 2023).
- Deploying the Playground2 webapp: Download the Sample. Available online: https://is.docs.wso2.com/en/5.11.0/learn/deploying-the-sample-app/#download-the-sample_1 (accessed on 3 October 2023).
- WHOIS. Available online: https://whois.kisa.or.kr (accessed on 3 October 2023).
- Salvato, M.; De Vito, S.; Guerra, S.; Buonanno, A.; Fattoruso, G.; Di Francia, G. An adaptive immune based anomaly detection algorithm for smart WSN deployments. In Proceedings of the 2015 XVIII AISEM Annual Conference, Trento, Italy, 3–5 February 2015; pp. 1–5.
- Query Syntax. Available online: https://docs.logpresso.com/en/query/query-syntax (accessed on 3 October 2023).

Methods | Continuously Measurable | Network Coverage | Deploy Hurdles | User Intervention | Attacker Observable |
---|---|---|---|---|---|
Passive TCP Packet Analysis [25,26,27,28] | First Login, SSO | Public, Private | High (Traffic Analyzer) | No | No |
Active Ping Response Time [29,30,31,32,33,34,35,36] | First Login Only | Public, Private | High (Agent) | Yes | Yes |
Client-to-Server Active Web-Ping Response Time [37] | First Login Only | Public, Private | Medium (Web browser Script) | Yes | Yes |
Server-to-Client Active Web-Ping Response Time [24] | First Login Only | Public, Private | Medium (Web browser Script) | Yes | Yes |
Wi-Fi Round-Trip Time [40,41,42] | First Login, SSO | Private Only | Low (Wireless Lancard) | No | No |
Authentication Path Analysis [43] | First Login, SSO | Private Only | Low (Server Logging) | No | No |
Token Exchange Time (Proposed Method) | First Login, SSO | Public, Private | Low (Server Logging) | No | No |

Step | WSO2 Log Pattern | Sample Logs |
---|---|---|
Start (4) | Authorization Request Received for User | [2023-07-10 10:19:05,527] [489456ae-db04-498d-9deb-c99f0c011759] DEBUG{org.wso2.carbon.identity.oauth2.OAuth2Service}- Authorization Request received for user: EXAMPLE.COMPANY.USERSTORE/example000055@example.company, ClientID:2_Rc5iEXGeppgMmfLNwH4ogVBqNIa,AuthorizationResponseType:code, RequestedcallbackURI: https://stg.sid.sam.net/qms/exam |
Finish (6) | Found Authorization Code for Client | [2023-07-10 10:19:06,211] [9bccf412-1368-4b5c-a21b-a296a6a96ddd] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationCodeGrantHandler}– Found Authorization Code for Client: 2_Rc5iEXGeppgMmLNwH4ogVBqNIa, authorized user: EXAMPLE.COMPANY.USERSTORE/example000055@example.company, scope: openid |

Spec | IAM Server | VPN Test PC | Hot-spot Test PC | Hot-spot Mobile |
---|---|---|---|---|
Location | East Asia (Korea) | America (North/South), Europe, Middle East, Australia, Asia (South/East) | East Asia (Korea) | East Asia (Korea) |
OS | Redhat Linux | Debian GNU/Linux | Windows 11 Pro | Android |
CPU | 6 vCore | 1 vCore | 4 Core | SM-F707N (Galaxy Z Flip) |
MEM | 48 GB | 4 GB | 16 GB | |
Disk | SSD 600 GB | Persistent Disk 10 GB | SSD 512 GB | |
Software | WSO2 Identity Server [45], Mock Web application [46], MariaDB | Chrome, Surfshark VPN | Chrome | Chrome (Mobile) |

GCP Region | GCP Public IP | VPN Tunneled IP | TXT Average | TXT Max | TXT Min |
---|---|---|---|---|---|
australia-southeast1-b | 34.116.113.234 (Australia) | 61.255.174.30 (Korea) | 237 | 294 | 216 |
europe-west4-a | 34.32.163.9 (Netherlands) | 61.255.174.211 (Korea) | 510 | 1225 | 332 |
asia-south1-c | 35.244.21.199 (India) | 61.255.174.30 (Korea) | 228 | 252 | 210 |
me-central1-a | 34.18.22.213 (Qatar) | 61.255.174.211 (Korea) | 369 | 434 | 344 |
southamerica-east1-b | 35.198.32.210 (Brazil) | 61.255.174.254 (Korea) | 449 | 1199 | 359 |
us-west4-b | 34.125.209.117 (U.S.A.) | 61.255.174.254 (Korea) | 258 | 341 | 233 |
asia-northeast3-a | 34.64.112.18 (Korea) | No VPN | 119 | 201 | 97 |

GCP Region | Average TXT Increase | Average TXT Increase Ratio | Min TXT Increase | Min TXT Increase Ratio |
---|---|---|---|---|
australia-southeast1-b | 118 | 1.99 | 97 | 1.82 |
europe-west4-a | 391 | 4.30 | 213 | 2.80 |
asia-south1-c | 109 | 1.92 | 91 | 1.77 |
me-central1-a | 251 | 3.11 | 225 | 2.90 |
southamerica-east1-b | 331 | 3.79 | 240 | 3.03 |
us-west4-b | 140 | 2.18 | 114 | 1.96 |

Device | Connection | IP | TXT Average | TXT Max | TXT Min |
---|---|---|---|---|---|
PC | Hot-Spot | 106.101.65.217 (LG Uplus) | 194 | 303 | 141 |
PC | Home Internet | 222.107.198.110 (Korea Telecom) | 84 | 138 | 68 |
Mobile | Mobile Internet | 106.101.65.168 (LG Uplus) | 168 | 380 | 120 |

Type | TXT Increase from Home Internet | Ratio of TXT Increase from Home Internet | TXT Increase from Mobile Internet | Ratio of TXT Increase from Mobile User |
---|---|---|---|---|
Average TXT (194ms) | 110 | 2.30 | 26 | 1.15 |
Min TXT (141ms) | 57 | 1.67 | −27 | 0.84 |

Device | Connection | User-Agent Data |
---|---|---|
PC | Hot-Spot | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.3 |
PC | Home Internet | |
Mobile | Mobile Internet | Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Mobile Safari/537.36 |

Result | IP (Masked with *) | Average TXT | Date | Count | ISP (Masked with *) | Note |
---|---|---|---|---|---|---|
Profiled (Normal) | 203.244.*.* | 1,151ms | 5/24~7/11 | 33 | S *** | HQ Office |
 | 115.94.*.* | 1,152ms | 6/14 | 3 | BOR *** | PJT Office 1 |
 | 106.249.*.* | 1,586ms | 6/16 | 1 | BOR *** | PJT Office 1 |
 | 112.153.*.* | 1,233ms | 6/19 | 1 | Xsp *** | PJT Office 2 |
 | 211.254.*.* | 806ms | 6/20 | 1 | BOR *** | PJT Office 1 |
Detected | 106.101.*.* | 48,933ms | 7/13 | 4 | L ** Telco | Hot-spot |

Device | User-Agent Data |
---|---|
Win 10 PC | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 |
© 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Han, A.H.; Lee, D.H. Detecting Risky Authentication Using the OpenID Connect Token Exchange Time. Sensors 2023, 23, 8256. https://doi.org/10.3390/s23198256