Understanding How the OAAM Device Max Velocity Rule Settings Work
(Doc ID 1279145.1)
Last updated on JUNE 07, 2017
Applies to: Oracle Adaptive Access Manager - Version 10.1.4.5.0 and later
Information in this document applies to any platform.
The "Device Max Velocity" rule is used for detecting "man in the middle" attacks in which an attacker obtains the MAC address of the device a user logs in from. The attacker replays the user's login and supplies the user's computer MAC address, fooling the system into thinking the user is logging in from a known and trusted device that is in the user's OAAM profile.
The "Device Max Velocity" rule can detect this type of attack, trigger an alert and further block the user from successfully signing in. This is done in conjunction with the Quova subscription data. The rule checks whether the MAC address is in the list of known devices the user has logged in from, then examines the IP address location the user is logging in from. If an attacker then tries to log in by replaying the user's session with the user's device MAC address from another location, perhaps 100 miles away, the rule uses a formula that determines whether it is possible for that user's device to have travelled at that velocity.
It is possible for a user to log in to their application, then get on a jet and fly to another city and once again log in to the same application. Therefore you would want to be able to adjust the variables of the formula to allow for a portable device to travel at least the speed of a jet. The "Device Max Velocity" rule has two values that the administrator can configure. Those value fields are called "Last Login Within (Seconds)" and "Miles Per Hour is More Than". Using these two field values you can customize the allotted velocity that a physical device can travel before an alert is triggered.
It is a common problem for people to misunderstand how these two settings work together and consequently to set them incorrectly or to test them in a way that makes no sense. This note explains the proper way to set this rule and how to conduct a simple test that verifies the rule is working.
How the Rule Formula works:
The rule first picks up the last successful login in the last N seconds (if there are multiple, the one with the highest timestamp is picked).
The rule looks at cityLastLogin and cityCurrentLogin and finds the distance between them (thisDistance).
It then divides thisDistance by the difference between the two login times; the result is velocityCalculated.
If velocityCalculated is more than velocityConfigured in the rule (set from the UI), the rule triggers.
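The four steps above, modelled as an added Python example that is not part of the Oracle note or of OAAM itself. It assumes each login's city is represented by constructed latitude/longitude coordinates (OAAM takes the location from Quova data) and uses the haversine great-circle formula for the distance, which the note does not specify; the strict "more than" comparison, the case with no qualifying prior login, and a zero time difference between logins are handled explicitly.

```python
import math
from collections import namedtuple
from datetime import datetime, timedelta

EARTH_RADIUS_MILES = 3958.8
NYC = (40.7128, -74.0060)   # constructed sample coordinates for the two login cities
LA = (34.0522, -118.2437)

# One successful login record; device_id stands in for the device MAC address
Login = namedtuple("Login", "timestamp lat lon device_id")

def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles (assumed distance method; the note does not state one)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))

def last_login_within(history, current, seconds):
    """Step 1: most recent earlier login of this device within the last N seconds, or None."""
    cutoff = current.timestamp - timedelta(seconds=seconds)
    prior = [l for l in history if l.device_id == current.device_id
             and cutoff <= l.timestamp < current.timestamp]
    return max(prior, key=lambda l: l.timestamp) if prior else None

def device_max_velocity(history, current, last_login_within_seconds, mph_more_than):
    """Steps 2-4: returns (triggered, velocity_mph); velocity is None if no login qualifies."""
    prev = last_login_within(history, current, last_login_within_seconds)
    if prev is None:
        return False, None                      # nothing to compare against: rule does not fire
    distance = haversine_miles(prev.lat, prev.lon, current.lat, current.lon)
    hours = (current.timestamp - prev.timestamp).total_seconds() / 3600.0
    if hours == 0:                              # same-second logins: avoid dividing by zero
        velocity = math.inf if distance > 0 else 0.0
    else:
        velocity = distance / hours
    return velocity > mph_more_than, velocity   # "Miles Per Hour is More Than" is strict

def run_sample(window_seconds=86400, mph_more_than=600.0):
    """Constructed scenarios: a replay 30 min after a NYC login, a jet trip 6 h later,
    and a prior login that falls outside the configured window."""
    t0 = datetime(2017, 6, 7, 10, 0, 0)
    nyc = Login(t0, *NYC, "dev-A")
    results = {}
    for name, delay in (("replay_30min", timedelta(minutes=30)),
                        ("jet_6h", timedelta(hours=6)),
                        ("outside_window", timedelta(days=2))):
        la = Login(t0 + delay, *LA, "dev-A")
        results[name] = device_max_velocity([nyc], la, window_seconds, mph_more_than)[0]
    return results
```

With a 600 mph threshold the 30-minute "replay" from Los Angeles fires (about 4,900 mph), the 6-hour jet trip does not (about 410 mph), and a prior login older than the "Last Login Within (Seconds)" window is never compared at all, which is why the window must be long enough to cover the time between the two logins in a test.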