In this work we introduce the idea of using behavioral biometrics in intrusion detection applications. We propose a new approach to user profiling, which can be used to detect intrusion without the need for any special hardware implementation and without forcing the user to perform any special actions¹. The technique is based on using “keystroke dynamics” and “mouse dynamics” biometrics. The profiles computed in this case are more accurate than those obtained through the traditional statistical profiling techniques, since they are based on distinctive biological characteristics of users.

Using biometrics in intrusion detection systems opens a new dimension in the detection process. By combining traditional intrusion detection systems that focus on the actions performed by the user, with biometrics that focus on the identity of the user, such systems are able to detect the type of intrusion where an attacker gains access to the resources and starts to perform normal non-intrusive procedures, causing information leakage or any other vulnerabilities. Differences in usage pattern cannot be detected if the attacker knows the operation sequences and his access limits; such an attack, however, can be uncovered if the detection is based on biometrics information.

Like all other biometric systems, our detector operates in two modes: enrollment mode, and identification/verification mode. The operation of each mode consists of three consecutive stages. In the first stage of the enrollment mode, a data capturing process is conducted by a lightweight software module, which captures all mouse and keyboard actions, and converts them into a set of more organized and meaningful statements. These statements are directly passed to the next stage of data processing where behavioral modeling and feature extraction is conducted. This process accumulates all actions received from the previous process over a pre-defined session period and performs a number of algorithms on the data to produce the Mouse Dynamics Signature (MDS) and Keystroke Dynamics Signature (KDS) for the user being monitored [5]. Finally, in the third stage, the generated signature is stored in a database as a reference signature for the enrolled user.

The detection mode shares the first two stages with the enrollment mode. The third stage in this mode is the verification process where the signature calculated during the data processing stage is compared against the reference signature of the legitimate user. Different comparison algorithms are used for each signature factor; the more the deviation from the reference signature, the less the system is confident in the identity of the user.

Keystroke dynamics is considered a strong behavioral biometric [1,2,3]. The functionality of this biometric is to measure the dwell time (the length of time a key is held down) and flight time (the time to move from one key to another) for keyboard actions. After these measurements have been collected, then the collected actions are translated into a number of digraphs or tri-graphs to be analyzed in order to produce a pattern that identifies the user who generated these keyboard actions.

Table 1 shows a combination of tri-graphs generated from three sessions for two different users, and the corresponding time used to perform the tri-graphs in milliseconds. The tri-graphs shown are centered by the character ‘a’ (ASCII code 65). From the table we can notice the similarity between the response time for the first user’s sessions, we can also notice obvious difference in behavior between the two users which can easily be detected for some of the tri-graphs (marked in bold).

In access control applications the extracted group of digraphs and tri-graphs are pre-defined since the user is asked to enter a paragraph containing them. In intrusion detection applications, however, this scenario is not applicable. Detecting the behavior from an unexpected set of digraphs requires large amount of data to be collected in the enrollment mode so as to cover a higher percentage of the captured data in the verification mode.

Our detection algorithm generates a Keystroke Dynamics Signature or KDS, which is used as a reference user profile and matched against active user profiles to dynamically detect masqueraders.

To construct the KDS, we propose a key oriented neural network based approach, where a neural network is trained for each keyboard key to best simulate its usage dynamics with reference to other keys. We also propose a technique which can be used to approximate a di-graph/tri-graph value based on other detected graphs and

¹ Patent Pending
0-7803-9290-6/05/$20.00 ©2005 IEEE. 452
Proceedings of the 2005 IEEE
Workshop on Information Assurance and Security
United States Military Academy, West Point, NY
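
The dwell time, flight time and tri-graph measurements described above, together with the enrollment-coverage problem for unexpected tri-graphs, can be illustrated with the following added example, which is not code from the paper. The event data is constructed, the release-to-press and first-press-to-third-release timing definitions are assumptions, and the mean relative deviation in `compare` is a simple stand-in for the paper's per-key neural network approach.

```python
from collections import defaultdict
from statistics import mean

# Constructed key events (key, press_ms, release_ms); not data from the paper.
ENROLLED = [("c", 0, 90), ("a", 150, 230), ("t", 300, 370),
            ("s", 460, 540), ("a", 600, 690), ("t", 770, 850)]
OBSERVED = [("c", 0, 60), ("a", 250, 300), ("t", 520, 580),
            ("b", 700, 760), ("a", 900, 960), ("t", 1200, 1260)]

def dwell_times(events):
    """Dwell time: how long each key is held down."""
    return [(key, release - press) for key, press, release in events]

def flight_times(events):
    """Flight time, assumed here to be release of one key to press of the next.
    It is negative when the next key goes down before the previous one is up."""
    return [(a[0] + b[0], b[1] - a[2]) for a, b in zip(events, events[1:])]

def trigraph_times(events, center=None):
    """Durations per tri-graph, assumed to run from first press to third release.
    With center set, keep only tri-graphs whose middle key is that character."""
    out = defaultdict(list)
    for a, b, c in zip(events, events[1:], events[2:]):
        if center is None or b[0] == center:
            out[a[0] + b[0] + c[0]].append(c[2] - a[1])
    return dict(out)

def compare(reference, session):
    """Return (coverage, deviation): the share of session tri-graphs that the
    reference knows, and their mean relative timing deviation (None if none)."""
    shared = reference.keys() & session.keys()
    coverage = len(shared) / len(session) if session else 0.0
    if not shared:
        return coverage, None
    dev = mean(abs(mean(session[g]) - mean(reference[g])) / mean(reference[g])
               for g in shared)
    return coverage, dev

if __name__ == "__main__":
    ref = trigraph_times(ENROLLED, center="a")
    print("dwell:", dwell_times(ENROLLED))
    print("flight:", flight_times(ENROLLED))
    print("same user:", compare(ref, ref))
    print("other session:", compare(ref, trigraph_times(OBSERVED, center="a")))
```

A coverage below 1.0 means the session contained tri-graphs never seen at enrollment, which is why the free-text case needs far more enrollment data than a fixed-paragraph access control prompt.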