Topic 1: Data-Driven Authentication and Authorization
Data-driven Authentication Synopsis:
Simple password-based authentication is widely used and easy to deploy. But since an individual user nowadays interacts with hundreds of online resources, s/he needs to manage a large number of passwords, which is both difficult and insecure, as passwords can easily be guessed or cracked by attackers. Alternatives such as two-factor authentication (2FA), multi-factor authentication (MFA), and biometrics like iris scanning, facial recognition and fingerprint matching have been around for some time, but their adoption rate is low because of implementation and usability issues, and even these alternatives can be compromised. Data-driven authentication research will focus on highlighting the shortcomings of these techniques and introducing novel techniques based on gait signature, facial expressions, gaze, behavioral attributes and other dynamic profiles of individuals. These in turn will eliminate the need to remember passwords and make the authentication process safe and secure.
Authorization Rule Extraction, Synthesis and Refinement:
Once an individual is authenticated to a system, s/he is subjected to an authorization process that determines whether s/he should be permitted access to a protected resource. Organizations use many different types of access control models, but each has shortcomings relative to the others because of the dynamic nature of cyber systems. One primary class of such models is role-based access control (RBAC), in which authorization decisions are made by assigning roles to users and permissions to roles. A related body of work, called role mining, focuses on extracting meaningful roles from organizational data, including individual user permissions. This problem is complicated, especially when the problem domain is large. We use recent advances in big data analytics to mine contextually meaningful roles.
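To make the role-mining problem concrete, the following is an added example (not code from the page or from this research group) that mines roles from a small constructed user-permission matrix. It uses a textbook approach: candidate roles are each user's permission set plus pairwise intersections, a greedy set cover picks roles that explain the most not-yet-covered (user, permission) cells, and a role is only ever assigned to users who already hold every permission in it, so the mined RBAC state never over-privileges anyone. A refinement pass then drops assignments that a larger assigned role already subsumes. The user names and permission names are constructed.

```python
from itertools import combinations

# Constructed sample user-to-permission assignments (not from the page).
USER_PERMS = {
    "alice": {"read_ledger", "post_journal", "view_payroll"},
    "bob":   {"read_ledger", "post_journal"},
    "carol": {"read_ledger", "view_payroll", "run_payroll"},
    "dave":  {"read_ledger", "post_journal"},
    "erin":  {"read_ledger", "view_payroll", "run_payroll"},
    "frank": {"deploy_prod", "read_logs"},
}


def candidate_roles(user_perms):
    """Candidate roles: every user's own permission set plus all non-empty
    pairwise intersections (the classic intersection heuristic).
    Returned as a deterministically ordered list, largest role first."""
    cands = {frozenset(p) for p in user_perms.values()}
    for a, b in combinations(user_perms.values(), 2):
        inter = frozenset(a) & frozenset(b)
        if inter:
            cands.add(inter)
    return sorted(cands, key=lambda r: (-len(r), tuple(sorted(r))))


def mine_roles(user_perms):
    """Greedy set cover over the user x permission matrix.
    Each round picks the candidate covering the most still-uncovered
    (user, permission) cells and assigns it only to users whose existing
    permissions are a superset of it, so mining never grants new privilege."""
    uncovered = {(u, p) for u, ps in user_perms.items() for p in ps}
    cands = candidate_roles(user_perms)
    roles, assignment = [], {u: [] for u in user_perms}
    while uncovered:
        best, best_gain, best_users = None, 0, []
        for r in cands:
            users = []
            gain = 0
            for u, ps in user_perms.items():
                if r <= ps:                      # safe: no over-privilege
                    g = sum((u, p) in uncovered for p in r)
                    if g:
                        users.append(u)
                        gain += g
            if gain > best_gain:
                best, best_gain, best_users = r, gain, users
        if best is None:                         # cannot happen: own sets are candidates
            raise RuntimeError("uncovered cells but no usable candidate")
        roles.append(best)
        idx = len(roles) - 1
        for u in best_users:
            assignment[u].append(idx)
            uncovered -= {(u, p) for p in best}
        cands.remove(best)
    return roles, assignment


def prune_redundant(roles, assignment):
    """Refinement: drop a user's role when another of their roles strictly
    contains it, since the containing role already conveys every permission."""
    return {u: [i for i in idxs
                if not any(roles[i] < roles[j] for j in idxs if j != i)]
            for u, idxs in assignment.items()}


def effective_permissions(roles, assignment):
    """Permissions each user ends up with under the mined RBAC state."""
    return {u: set().union(*(roles[i] for i in idxs))
            for u, idxs in assignment.items()}


def is_exact(user_perms, roles, assignment):
    """Sanity check: the mined roles reproduce the original matrix exactly."""
    return effective_permissions(roles, assignment) == user_perms


if __name__ == "__main__":
    roles, assignment = mine_roles(USER_PERMS)
    assignment = prune_redundant(roles, assignment)
    for i, r in enumerate(roles):
        print(f"role{i}: {sorted(r)}")
    for u, idxs in assignment.items():
        print(f"{u}: {[f'role{i}' for i in idxs]}")
    print("exact reconstruction:", is_exact(USER_PERMS, roles, assignment))
```

On this input the miner finds a payroll role, a bookkeeping role, an operations role and one residual role that only alice needs; the `is_exact` check is the property a practitioner should always verify before replacing direct assignments with mined roles, because a role set that does not reproduce the matrix either breaks access or silently widens it.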
Another primary example is attribute-based access control (ABAC), which has gained popularity in recent years. In this authorization model, access control rules are defined as conditional statements over attributes of subjects, objects and actions. Extracting the explicit and hidden attributes of entities requires a thorough data-driven understanding of the subjects (users) and objects (resources) in the system. Little research has been dedicated to extracting and identifying these attributes from contextual data, to investigating how an optimal set of rules could be defined over attributes, or to the transition from older access control models such as discretionary access control (DAC) to ABAC.
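As an added illustration of rule extraction for the DAC-to-ABAC transition (example code written for this page, not the page's own method or any published mining algorithm), the block below takes a constructed log of access decisions from a legacy access-list system, flattens each request into atomic attribute conditions (including one derived cross-entity condition, `same_dept`, comparing the subject's department with the object's owner), and generalizes each permitted request by dropping conditions as long as the resulting rule still matches no denied request. The attribute names, values and decisions are constructed; the greedy generalization is a simplification chosen for readability.

```python
# Constructed access records from a legacy DAC-style system (not from the page):
# (subject attributes, object attributes, action, recorded decision).
RECORDS = [
    ({"dept": "finance", "role": "analyst"},  {"type": "report", "owner_dept": "finance"}, "read",    "permit"),
    ({"dept": "finance", "role": "manager"},  {"type": "report", "owner_dept": "finance"}, "read",    "permit"),
    ({"dept": "finance", "role": "manager"},  {"type": "report", "owner_dept": "finance"}, "approve", "permit"),
    ({"dept": "finance", "role": "analyst"},  {"type": "report", "owner_dept": "finance"}, "approve", "deny"),
    ({"dept": "eng",     "role": "engineer"}, {"type": "report", "owner_dept": "finance"}, "read",    "deny"),
    ({"dept": "eng",     "role": "engineer"}, {"type": "repo",   "owner_dept": "eng"},     "read",    "permit"),
    ({"dept": "eng",     "role": "manager"},  {"type": "repo",   "owner_dept": "eng"},     "read",    "permit"),
    ({"dept": "finance", "role": "analyst"},  {"type": "repo",   "owner_dept": "eng"},     "read",    "deny"),
    ({"dept": "eng",     "role": "manager"},  {"type": "report", "owner_dept": "finance"}, "read",    "deny"),
    ({"dept": "finance", "role": "manager"},  {"type": "repo",   "owner_dept": "eng"},     "read",    "deny"),
]


def conditions(sub, obj, action):
    """Flatten one request into atomic (attribute, value) conditions.
    `same_dept` is a derived relational attribute: subject dept owns object."""
    conds = {("sub." + k, v) for k, v in sub.items()}
    conds |= {("obj." + k, v) for k, v in obj.items()}
    conds.add(("action", action))
    conds.add(("same_dept", sub.get("dept") == obj.get("owner_dept")))
    return conds


def matches(rule, conds):
    """A rule is a conjunction: it fires when every condition holds."""
    return rule <= conds


def mine_rules(records):
    """Greedy generalization: start from each uncovered permit's full
    condition set and drop conditions one at a time while the rule still
    matches no deny record. Deny records are the only thing stopping
    over-generalization, so their coverage determines rule quality."""
    permits = [conditions(s, o, a) for s, o, a, d in records if d == "permit"]
    denies = [conditions(s, o, a) for s, o, a, d in records if d == "deny"]
    rules, covered = [], [False] * len(permits)
    for i, pc in enumerate(permits):
        if covered[i]:
            continue
        rule = set(pc)
        for c in sorted(pc):                      # deterministic drop order
            trial = rule - {c}
            if not any(matches(trial, dc) for dc in denies):
                rule = trial
        rule = frozenset(rule)
        rules.append(rule)
        for j, qc in enumerate(permits):
            if matches(rule, qc):
                covered[j] = True
    return rules


def decide(rules, sub, obj, action):
    """ABAC evaluation: permit if any mined rule fires, otherwise deny."""
    conds = conditions(sub, obj, action)
    return "permit" if any(matches(r, conds) for r in rules) else "deny"


def consistent(rules, records):
    """Check the mined policy reproduces every recorded decision."""
    return all(decide(rules, s, o, a) == d for s, o, a, d in records)


def render(rule):
    return " AND ".join(f"{k} == {v!r}" for k, v in sorted(rule, key=str))


if __name__ == "__main__":
    mined = mine_rules(RECORDS)
    for r in mined:
        print("permit IF", render(r))
    print("consistent with log:", consistent(mined, RECORDS))
```

On these records the miner produces two rules: anyone may `read` objects owned by their own department, and managers may perform any action on objects owned by their own department. The second rule shows the caveat that matters when migrating from DAC: with no deny record for a manager acting inside their department, the algorithm cannot tell that "any action" is broader than the log supports, so a request that never appeared in the log (for example a manager deleting a repo in their own department) is permitted. Extracted rules therefore need review against deny data or explicit constraints before they replace the old access lists.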