We are excited. After a long stretch of work we are about to release an update to our access control system. With a grant from Tubitak we have integrated a plan recognition algorithm into our access control system that helps us infer users' intentions and alert operators in suspicious cases.
When we started thinking about this project, our reasoning was simple: our access control systems collect tons of information from the field, so we know how users behave, which should allow us to learn their usage patterns. We also assumed that any covert threat from the inside would have to pass through the access control system and would leave traces that do not match daily usage. Whether it is a stolen card or a malicious user, they would be doing things that differ from the cardholder's regular behavior. This assumption led us to think that if we know each user's own patterns, we can notice actions that do not fit them.
Recognizing behavior that does not fit usage patterns, so-called out-of-pattern behavior, is used in numerous settings, credit card fraud detection being the best known. Your bank gets suspicious if you start using your card in a city you neither live in nor usually visit, shop in a store you normally don't, or simply spend more often than you usually do. Any action that does not fit your pattern may hint to your bank that something suspicious is going on. In that case they mostly send you a short message asking whether it was you; if it wasn't, that's bad.
Unfortunately this does not carry over directly to access control. First, an action that is perfectly normal and even part of your daily habits can still be out of pattern, because it is not just the action itself that matters but also its order: a user who passes the same three doors every day as lobby, office, lab looks very different when those same three doors are passed as lab, office, lobby. So the relationship between actions, which hardly matters for credit card fraud detection, matters a great deal for access control.
Furthermore it makes no sense to alert the user themselves about these suspicious events; we must alert the operators. But think about how many times a day you step off your usual path for a short visit somewhere other than your original destination, or break your daily routine to stop by a friend's office to say hi. If we treat everything that does not fit your pattern as suspicious, we behave just like the bank that sends a message every time an unusual charge is made to your credit card. I recently received a message for a charge of zero euros (a booking site checking the card for an online reservation). Now imagine the recipient is not the cardholder but an operator who is in charge of all cardholders; we would need a lot of operators. So the system needs to separate serious doubt from minor anomalies before raising the flag.
Eventually, detecting suspicious behavior in access control is more than anomaly detection. We need to know each user's own patterns, observe their current actions, evaluate each action in relation to the preceding one to infer their plan, and then decide whether these actions are in or out of pattern. Finally we need to order the suspicious actions by threat level so that operators see the most serious ones first.
In fact, this is what our new smart access control system does. A small hint: we did it using plan recognition, with a probabilistic algorithm that employs a utility function and a Markov model for library generation. Details to come.
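To make the pipeline sketched above concrete, here is a small illustration added for this page. It is not the algorithm in the product and not the project's own code: it builds a first-order Markov chain per user over door identifiers, scores each observed transition by its surprise, and weights that surprise with an assumed per-door sensitivity (a crude stand-in for a utility function) so that a detour to a colleague's office ranks below an out-of-pattern walk into the server room, and so that the same doors in an unusual order score higher than the daily routine. The door names, the sensitivity weights, the smoothing constant, the training history and the day's observations are all constructed for the example.

```python
import math
from collections import defaultdict

START, END = "<start>", "<end>"

# Assumed per-door sensitivity: how much an unexpected entry there should weigh.
# Hypothetical values for this example; a real deployment would derive them from
# the asset behind each door.
SENSITIVITY = {
    "lobby": 0.1, "office_3f": 0.2, "office_4f": 0.2, "kitchen": 0.1,
    "lab": 0.6, "server_room": 1.0, "exit": 0.1,
}
DEFAULT_SENSITIVITY = 0.5  # for doors missing from the table


class UserPatternModel:
    """Per-user first-order Markov chain over door identifiers.

    Only the preceding door conditions the next one, so the same set of doors
    visited in a different order gets a different score.
    """

    def __init__(self, alpha=0.5):
        self.alpha = alpha  # additive smoothing: unseen transitions are rare, not impossible
        self.counts = defaultdict(lambda: defaultdict(int))
        self.vocab = set()

    def train(self, sequences):
        """Count transitions in the user's historical door sequences."""
        for seq in sequences:
            path = [START, *seq, END]
            self.vocab.update(path)
            for prev, nxt in zip(path, path[1:]):
                self.counts[prev][nxt] += 1

    def prob(self, prev, nxt):
        """Smoothed P(nxt | prev); a door never seen after prev gets the floor."""
        row = self.counts.get(prev, {})
        total = sum(row.values())
        return (row.get(nxt, 0) + self.alpha) / (total + self.alpha * len(self.vocab))

    def score(self, seq):
        """Return (anomaly, threat, steps) for one observed sequence.

        anomaly: mean surprise -log2 P per transition (order-sensitive)
        threat:  max over transitions of surprise * sensitivity(destination)
        steps:   (prev, nxt, surprise, weighted surprise) for the operator view
        """
        path = [START, *seq, END]
        steps = []
        for prev, nxt in zip(path, path[1:]):
            surprise = -math.log2(self.prob(prev, nxt))
            weight = 0.0 if nxt == END else SENSITIVITY.get(nxt, DEFAULT_SENSITIVITY)
            steps.append((prev, nxt, surprise, surprise * weight))
        anomaly = sum(s[2] for s in steps) / len(steps)
        threat = max(s[3] for s in steps)
        return anomaly, threat, steps


def triage(model, observations, threat_threshold):
    """Rank {label: door sequence} by threat, dropping entries below the threshold.

    Returns [(label, threat, anomaly)] with the most serious first: the queue an
    operator should see, with minor detours filtered out before the flag is raised.
    """
    ranked = []
    for label, seq in observations.items():
        anomaly, threat, _ = model.score(seq)
        if threat >= threat_threshold:
            ranked.append((label, threat, anomaly))
    return sorted(ranked, key=lambda r: r[1], reverse=True)


# Constructed history for one user: mostly lobby -> office -> kitchen -> office
# -> exit, occasionally the lab instead of the kitchen.
ALICE_HISTORY = [
    ["lobby", "office_3f", "kitchen", "office_3f", "exit"],
] * 3 + [
    ["lobby", "office_3f", "lab", "office_3f", "exit"],
]

# Constructed observations for one day.
OBSERVATIONS = {
    "usual_day": ["lobby", "office_3f", "kitchen", "office_3f", "exit"],
    "detour_4f": ["lobby", "office_3f", "office_4f", "office_3f", "exit"],
    "lab_first": ["lobby", "lab", "office_3f", "exit"],  # known doors, unusual order
    "server_room": ["lobby", "office_3f", "server_room", "exit"],
}


def build_alice_model():
    model = UserPatternModel()
    model.train(ALICE_HISTORY)
    return model


if __name__ == "__main__":
    model = build_alice_model()
    for label, seq in OBSERVATIONS.items():
        anomaly, threat, _ = model.score(seq)
        print(f"{label:12s} anomaly={anomaly:.2f} threat={threat:.2f}")
    print("operator queue:", triage(model, OBSERVATIONS, threat_threshold=1.0))
```

With a threat threshold of 1.0 the queue contains only the server-room walk and the lab-first sequence, in that order; the fourth-floor detour is out of pattern (its anomaly score is actually higher than the lab-first one) but never reaches the operator, which is the separation of serious doubt from minor anomalies the post asks for.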