Profiling User Behaviour to Reveal Computer Misuse

Mike DowmanAndrea Szymkowiak

Natalie CoullLeslie Ball

The University of Abertay Dundee

Funded by the Carnegie Trust

Outline

• Can we identify people through how they interact with computers?

• Could you be leaving a biometric signature every time you use a computer even though you don’t realise it?

• Can we tell anything about a person’s state of mind through how they interact with a computer?

Biometrics: Introduction

• Physiological

Biometrics

• Behavioural

Psychology of Typing

• Every time we type a word there tends to be a consistent temporal structure

• This structure is associated with individual words (not groups of letters, or multi-word phrases)

Can we use key timing data to detect if a password is being used by someone it doesn’t belong to?

Movement and Emotion

• Mood affects movement– Emotional stress or anxiety more varied

application of force (Noteboom et al. (2001), Journal of Applied Physiology) or timing (Coombes et al. (2005), Journal of Motor Behaviour).

• Can we detect state of mind from typing?

• Could this give us an indication of when people are using computers to commit crimes?

Experiment Design

• 35 participants• each logged in 36 times• over 3 separate sessions• using the same username and password each

time• stressed and neutral conditions were

alternated

Data Recorded

• How long each key was held down (hold time)

• The time between releasing one key and pressing the next (possibly negative if there is overlap) (latency)

Data Recorded

• How long each key was held down (hold time)

• The time between releasing one key and pressing the next (possibly negative if there is overlap) (latency)

Do people type with consistent timing patterns?Are the timings of different people clearly

distinct?Do people type differently when under stress?

Generating Stress

• IADS sounds (Bradley and Lang, 1999) were played to participants using headphones before and during typing

Two conditions:(1) Sounds were ‘neutral’ everyday noises,

such as paper being crumpled up, or an electric fan

(2) Sounds were ‘stressful’ sounds such as couples fighting, sirens or a bee buzzing

Evaluating Response to Sounds

Do the sounds really affect people’s state of mind?

Galvanic skin response (GSR):Electrodes were attached to the skin, and

used to measure its conductivityConductivity should rise if participant

becomes stressed

Two People’s Latency Times

-100

0

100

200

300

400

500

A B E R T A Y E X P E R I M E N U N D E R S T A N D S O M E T H I N

Inte

r-ke

y L

aten

cy (

ms)

`

Two People’s Hold Times

30

50

70

90

110

130

150

A B E R T A Y E X P E R I M E N T U N D E R S T A N D S O M E T H I N G

Ho

ld t

imes

(m

s)

Latency Times – Two Touch Typists

-100

0

100

200

300

400

500

A B E R T A Y E X P E R I M E N U N D E R S T A N D S O M E T H I N

Inte

r-ke

y L

aten

cy (

ms)

`

Who is this?

-100

0

100

200

300

400

500

A B E R T A Y E X P E R I M E N U N D E R S T A N D S O M E T H I N

Inte

r-ke

y L

aten

cy (

ms)

`

Hold Times – Two Touch Typists

30

50

70

90

110

130

150

A B E R T A Y E X P E R I M E N T U N D E R S T A N D S O M E T H I N G

Ho

ld t

imes

(m

s)

Who is this?

30

50

70

90

110

130

150

A B E R T A Y E X P E R I M E N T U N D E R S T A N D S O M E T H I N G

Ho

ld t

imes

(m

s)

The Biometric System

` `

Matching Algorithm

ACCEPT REJECT

login attempt reference timings

Testing 1

• 36 login records were collected from each of 35 people

• Each person used the same username and password

Genuine login attempts• 35 of a person’s login records were used as a

reference sample• The other one was used as the login attempt

Would the login be accepted (correct) or rejected (error)?

36 logins * 35 people = 1,260 total attempts

Testing 2

Imposters• 35 of a person’s login records were used as a

reference• Any one of the other login records from a

different user could be the attempt

Would the login be rejected (correct) or accepted (error)?

35 people for reference samples * 34 other people for login attempts * 36 login records per person = 42,840 total attempts

Results

The system works well with:• Latencies• HoldsBut best with both together

A sensitivity parameter controls how close an attempt has to match the reference sample to be accepted

Depending on the application we may want a more strict or a more forgiving system

Overall System Performance

The equal error rate is 2.8%So it’s 97.2% accurate

0

0.2

0.4

0.6

0.8

1

0.9 1.1 1.3 1.5

Sensitivity parameter

Pro

po

rtio

n i

nc

orr

ec

t

False rejectrate

Falseaccept rate

Detecting Stress

We measured the peak increase in galvanic skin response in the first 5 seconds of sound presentation

On average, skin conductivity was greater with the stressful sounds than with the neutral ones (t-test, P < 0.01)

But will typing patterns be any different?

Effect of Stress on TypingAn omnibus paired data multivariate randomization

test for difference in means, run on the data of all the participants, showed that there was a difference in:

• hold times (P < 0.01)But not in• latencies

On average there was less variability in hold times under stress (t-test, P < 0.05)

But there was no significant difference in mean latency or hold times

Stress has changed the pattern of timings more than the overall speed of typing

Applications

• On-line shopping: Are you spending money using someone else’s account?

• Credit cards: there’s a distinct timing sequence to how we type in numbers

• ATM/Chip and PIN: Is it really us? Are we acting under duress?

• Self-service check-in at airports: Is he showing signs of abnormal stress?

• Investment banks: Is she gambling £1,000,000,000 without our permission?

Key Advantages

(1) No need for special hardware(2) Works over the internet(3) It’s hard to fake a timing pattern(4) Passwords can easily be changed -

unlike fingerprints(5) We can detect signs of abnormal

behaviour – not just identity

References• Bradley, M. M. and Lang, P. J. (1999). International affective

digitized sounds (IADS): Stimuli, instruction manual and affective ratings (Technical report B-2). Gainesville, FL: The Centre for Research in Psychophysiology, University of Florida.

• Gaines, R. Lisowski, W., Press, S. and Shapiro, N. Authentication by keystroke timing: Some preliminary results. Rand Report R-256-NSF. Rand Corporation, Santa Monica, CA, 1980.

• Hugo Gamboa and Ana Fred, “A behavioural biometric system based on human-computer interaction,” in SPIE 5404 - Biometric Technology for Human Identification, A. K. Jain and N. K. Ratha, Eds., Orlando, USA, August 2004, pp. 381–392.

• Joyce, R. and Gupta, G. (1990). Identity Authentication Based on Keystroke Latencies. Communications of the ACM, 33(2):168-176.

• Ting, I. H., Clark, L., Kimble, C., Kudenko, D. and Wright, P. (2007). APD-A Tool for Identifying Behavioural Patterns Automatically from Clickstream Data. In Knowledge-Based Intelligent Information and Engineering Systems. Berlin: Springer.

• Viviani, P. and Terzuolo, C. (1982). On the relation between word-specific patterns and the central control model of typing: A reply to Gentner. Journal of Experimental Psychology: Human perception and Performance, 8:811-813.