Adaptive SAP Security Control Framework for ML Driven Anomaly Detection, Role Based Access Hardening, and Continuous Compliance Monitoring in SAP S/4HANA Environments
DOI: https://doi.org/10.15662/IJEETR.2022.0403005

Keywords: SAP Security, S/4HANA, Authorisation Controls, Role Based Access Control, Segregation of Duties, Anomaly Detection, Machine Learning, Isolation Forest, LSTM, Autoencoder, Security Audit Log, SIEM, SOX, GDPR, Patch Management, Cybersecurity

Abstract
Enterprise SAP systems — deployed across more than 440,000 organisations globally — present a uniquely high-value and complex attack surface. The convergence of centralised financial data, deeply integrated business processes, and historically under-monitored application-layer controls has made SAP environments a primary target for advanced persistent threats, insider fraud, and supply-chain compromise. This paper presents the Adaptive SAP Control Security Framework (ASCSF), an integrated security architecture combining intelligent access control analysis, machine learning-based anomaly detection, and continuous compliance monitoring for SAP S/4HANA 2020 environments. The framework's two principal algorithms — Algorithm 1 (ASCSF: composite user risk scoring from SoD conflict analysis, authorisation object evaluation, critical access detection, and behavioural modelling) and Algorithm 2 (SSADE: an Isolation Forest + BiLSTM + Autoencoder ensemble for security audit log anomaly detection achieving AUC 0.978) — provide real-time, adaptive security coverage across all five layers of the proposed SAP security taxonomy. Experimental evaluation on 18 months of production SAP S/4HANA data spanning 4.9 million security events, 15,284 users, and three industry sectors demonstrates a 98.1% anomaly detection rate, a 0.9% false positive rate, a 2.1 second mean detection latency (a 9,143x improvement over weekly manual review), and a 67% reduction in security incidents post-deployment. Cross-comparison against seven baseline systems, including SAP Enterprise Threat Detection, SecurityBridge, and Splunk SIEM, confirms statistically significant superiority across all metrics (McNemar's test, p < 0.001). Validation against the SAP Security Baseline 2021 hardening checklist demonstrates a 31 percentage point improvement in patch compliance over six months.