Abstract: A computer-implemented method includes receiving a request to authenticate a user to remotely access a secure device and establishing, in response to the user being granted remote access to the secure device, a remote user session for the user. The computer-implemented method further includes identifying a plurality of actions performed during the remote user session. The computer-implemented method further includes comparing a first combination of actions in the plurality of actions to a plurality of policies for malicious intent. The computer-implemented method further includes determining a level of risk for malicious intent for the first combination of actions. The computer-implemented method further includes generating, in response to the level of risk of the first combination of actions exceeding a given threshold level, one or more preventive actions. A corresponding computer system and computer program product are also disclosed.

Abstract: A computer-implemented method includes receiving a request to authenticate a user to remotely access a secure device and establishing, in response to the user being granted remote access to the secure device, a remote user session for the user. The computer-implemented method further includes identifying a plurality of actions performed during the remote user session. The computer-implemented method further includes comparing a first combination of actions in the plurality of actions to a plurality of policies for malicious intent. The computer-implemented method further includes determining a level of risk for malicious intent for the first combination of actions. The computer-implemented method further includes generating, in response to the level of risk of the first combination of actions exceeding a given threshold level, one or more preventive actions. A corresponding computer system and computer program product are also disclosed.