Title: Policy-driven contextual risk evaluation in OAuth 2.0 authentication frameworks for AI chatbot-based RPA systems
Authors: Soonhong Kwon, Wooyoung Son, Jong-Hyouk Lee
DOI: 10.1016/j.compeleceng.2025.110759
Journal: Computers & Electrical Engineering, volume 128, Article 110759
Publication date: 2025-10-09
Publication type: Journal article
Open access: no
URL: https://www.sciencedirect.com/science/article/pii/S0045790625007025
Platform: Semanticscholar
Journal metrics: impact factor 4.9; JCR Q1 (Computer Science, Hardware & Architecture); region 3 (Computer Science)
Citations: 0
Abstract
With the advent of smartphones, we can access internet services regardless of location. This shift in environment has led to the demand for services that can be utilized anytime, anywhere. Consequently, Robotic Process Automation (RPA) technology, which automates simple and repetitive tasks in industrial settings, is gaining significant attention. There is a growing trend to combine this with Artificial Intelligence (AI) chatbot technology to achieve full automation and handle higher-level tasks. However, when performing high-level tasks based on an AI chatbot-based RPA system, situations arise where the AI chatbot relies on the user’s judgment. In such scenarios, the absence of an appropriate mechanism or technology to perform identity verification between the user and the AI chatbot exposes the system to security threats such as personal information leakage and system takeover. Accordingly, this paper proposes an OAuth 2.0 integrated authentication framework utilizing a context-based risk assessment approach. This framework aims to reduce the likelihood of security threats and minimize the scale of damage caused by such threats. It achieves this by enabling access control based on the user’s context while requiring the user to provide minimal information when utilizing the AI chatbot-based RPA system. More specifically, the proposed framework employs a risk assessment based on the sigmoid function, which accounts for sensitivity variations across different contexts. This approach enables fine-grained adjustments to access permissions in response to contextual changes, rather than applying a fixed risk assessment, and demonstrates the framework’s capability to provide a trustworthy automated work environment through appropriate access control. Specifically, the proposed risk assessment formula quantitatively analyzes sensitivity changes for each contextual variable through mathematical interpretation. Based on this, it structurally derives the correlation between risk scores and policies. Experimental results confirm consistency between policy flow and risk assessment, such as issuing ‘Full Access Tokens’ in normal situations and applying Access Denied in high-risk situations. Furthermore, using data flow diagrams and STRIDE, potential security threats within the proposed framework were modeled. Simulation of actual security threats demonstrated the framework’s ability to mitigate these threats, with an average latency of 9.22 ms and memory usage of 64.00 MB required for threat response. This empirically demonstrates that the proposed framework is a valid authentication structure capable of simultaneously achieving real-time performance, security, and lightweight characteristics even in AI-based automated environments.
Journal description:
The impact of computers has nowhere been more revolutionary than in electrical engineering. The design, analysis, and operation of electrical and electronic systems are now dominated by computers, a transformation that has been motivated by the natural ease of interface between computers and electrical systems, and the promise of spectacular improvements in speed and efficiency.
Published since 1973, Computers & Electrical Engineering provides rapid publication of topical research into the integration of computer technology and computational techniques with electrical and electronic systems. The journal publishes papers featuring novel implementations of computers and computational techniques in areas like signal and image processing, high-performance computing, parallel processing, and communications. Special attention will be paid to papers describing innovative architectures, algorithms, and software tools.