Profiling User Behaviour to Reveal Computer Misuse
Mike Dowman, Andrea Szymkowiak,
Natalie Coull, Leslie Ball
The University of Abertay Dundee
Funded by the Carnegie Trust
Outline
• Can we identify people through how they interact with computers?
• Could you be leaving a biometric signature every time you use a computer even though you don’t realise it?
• Can we tell anything about a person’s state of mind through how they interact with a computer?
Biometrics: Introduction
Biometrics
• Physiological
• Behavioural
Psychology of Typing
• Every time we type a word there tends to be a consistent temporal structure
• This structure is associated with individual words (not groups of letters, or multi-word phrases)
Can we use key timing data to detect if a password is being used by someone it doesn’t belong to?
Movement and Emotion
• Mood affects movement
– Emotional stress or anxiety: more varied application of force (Noteboom et al. (2001), Journal of Applied Physiology) or timing (Coombes et al. (2005), Journal of Motor Behaviour).
• Can we detect state of mind from typing?
• Could this give us an indication of when people are using computers to commit crimes?
Experiment Design
• 35 participants
• each logged in 36 times
• over 3 separate sessions
• using the same username and password each time
• stressed and neutral conditions were alternated
Data Recorded
• How long each key was held down (hold time)
• The time between releasing one key and pressing the next (possibly negative if there is overlap) (latency)
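The two measurements above, computed from raw key events, as an added example that is not from the original slides. The event format (`t_ms`, `kind`, `key`), the names `KeyEvent` and `timing_features`, and the sample timings are assumptions made for illustration.

```python
from collections import namedtuple

# Hypothetical event record: timestamp in ms, "down" or "up", and the key
KeyEvent = namedtuple("KeyEvent", "t_ms kind key")

def timing_features(events):
    """Return (hold_times, latencies) in ms for one typed string."""
    pending = {}   # key -> indices of presses not yet released
    strokes = []   # [key, down_ms, up_ms] in press order
    for ev in sorted(events, key=lambda e: e.t_ms):
        if ev.kind == "down":
            pending.setdefault(ev.key, []).append(len(strokes))
            strokes.append([ev.key, ev.t_ms, None])
        elif ev.kind == "up":
            if not pending.get(ev.key):
                raise ValueError(f"release without press: {ev.key!r}")
            strokes[pending[ev.key].pop(0)][2] = ev.t_ms
    if any(s[2] is None for s in strokes):
        raise ValueError("press without release")
    # Hold time: how long each key was held down
    holds = [up - down for _, down, up in strokes]
    # Latency: release of one key to press of the next; negative when
    # the next key goes down before the previous one comes up
    latencies = [nxt[1] - cur[2] for cur, nxt in zip(strokes, strokes[1:])]
    return holds, latencies

# Constructed sample: "abe" typed with 'e' pressed before 'b' is released
SAMPLE = [
    KeyEvent(0, "down", "a"), KeyEvent(95, "up", "a"),
    KeyEvent(210, "down", "b"), KeyEvent(300, "down", "e"),
    KeyEvent(330, "up", "b"), KeyEvent(390, "up", "e"),
]

if __name__ == "__main__":
    print(timing_features(SAMPLE))
```
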
Do people type with consistent timing patterns?
Are the timings of different people clearly distinct?
Do people type differently when under stress?
Generating Stress
• IADS sounds (Bradley and Lang, 1999) were played to participants using headphones before and during typing
Two conditions:
(1) Sounds were ‘neutral’ everyday noises, such as paper being crumpled up, or an electric fan
(2) Sounds were ‘stressful’ sounds such as couples fighting, sirens or a bee buzzing
Evaluating Response to Sounds
Do the sounds really affect people’s state of mind?
Galvanic skin response (GSR):
Electrodes were attached to the skin, and used to measure its conductivity
Conductivity should rise if participant becomes stressed
Two People’s Latency Times
[Figure: inter-key latency (ms) plotted for each typed character]
Two People’s Hold Times
[Figure: hold times (ms) plotted for each typed character]
Latency Times – Two Touch Typists
[Figure: inter-key latency (ms) plotted for each typed character]
Who is this?
[Figure: inter-key latency (ms) plotted for each typed character]
Hold Times – Two Touch Typists
[Figure: hold times (ms) plotted for each typed character]
Who is this?
[Figure: hold times (ms) plotted for each typed character]
The Biometric System
[Diagram: the login attempt and the reference timings are fed to the matching algorithm, which outputs ACCEPT or REJECT]
Testing 1
• 36 login records were collected from each of 35 people
• Each person used the same username and password
Genuine login attempts
• 35 of a person’s login records were used as a reference sample
• The other one was used as the login attempt
Would the login be accepted (correct) or rejected (error)?
36 logins * 35 people = 1,260 total attempts
Testing 2
Imposters
• 35 of a person’s login records were used as a reference
• Any one of the other login records from a different user could be the attempt
Would the login be rejected (correct) or accepted (error)?
35 people for reference samples * 34 other people for login attempts * 36 login records per person = 42,840 total attempts
Results
The system works well with:
• Latencies
• Holds
But best with both together
A sensitivity parameter controls how close an attempt has to match the reference sample to be accepted
Depending on the application we may want a more strict or a more forgiving system
Overall System Performance
The equal error rate is 2.8%
So it’s 97.2% accurate
[Figure: proportion incorrect against the sensitivity parameter, with one curve for the false reject rate and one for the false accept rate]
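The Testing 1 / Testing 2 protocol and the sensitivity sweep, as an added example that is not the authors' code. The slides do not name the matching algorithm, so the score used here (mean absolute z-score against the reference logins) is an assumed stand-in; the data is constructed and all function names are hypothetical.

```python
import random
from statistics import mean, stdev

def score(attempt, reference):
    """Assumed matcher: mean absolute z-score against the reference logins."""
    cols = list(zip(*reference))           # one column per timing feature
    return mean(abs(a - mean(c)) / max(stdev(c), 1e-9)
                for a, c in zip(attempt, cols))

def genuine_scores(logins):
    """Testing 1: each login is the attempt, the user's others the reference."""
    return [score(recs[i], recs[:i] + recs[i + 1:])
            for recs in logins.values() for i in range(len(recs))]

def imposter_scores(logins):
    """Testing 2: every login of every other user against each reference."""
    return [score(att, recs[:-1])          # assumption: reference = all but last
            for user, recs in logins.items()
            for other, theirs in logins.items() if other != user
            for att in theirs]

def error_rates(genuine, imposter, sensitivity):
    """Accept when score <= sensitivity; return (false_reject, false_accept)."""
    frr = sum(s > sensitivity for s in genuine) / len(genuine)
    far = sum(s <= sensitivity for s in imposter) / len(imposter)
    return frr, far

def equal_error_rate(genuine, imposter):
    """Return (sensitivity, frr, far) where the two error rates are closest."""
    return min(((t, *error_rates(genuine, imposter, t))
                for t in sorted(set(genuine + imposter))),
               key=lambda r: abs(r[1] - r[2]))

def synthetic_logins(n_users=6, n_logins=12, n_features=8, seed=1):
    """Constructed data: a fixed timing profile (ms) per user plus jitter."""
    rng = random.Random(seed)
    data = {}
    for u in range(n_users):
        profile = [rng.uniform(60, 300) for _ in range(n_features)]
        data[u] = [[rng.gauss(p, 10) for p in profile] for _ in range(n_logins)]
    return data

LOGINS = synthetic_logins()
GENUINE, IMPOSTER = genuine_scores(LOGINS), imposter_scores(LOGINS)

if __name__ == "__main__":
    for t in (0.9, 1.1, 1.3, 1.5):
        print(t, error_rates(GENUINE, IMPOSTER, t))
    print("closest to equal error:", equal_error_rate(GENUINE, IMPOSTER))
```

The attempt counts follow the same formulas as the slides: users × logins genuine attempts, and users × (users − 1) × logins imposter attempts.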
Detecting Stress
We measured the peak increase in galvanic skin response in the first 5 seconds of sound presentation
On average, skin conductivity was greater with the stressful sounds than with the neutral ones (t-test, P < 0.01)
But will typing patterns be any different?
Effect of Stress on Typing
An omnibus paired data multivariate randomization test for difference in means, run on the data of all the participants, showed that there was a difference in:
• hold times (P < 0.01)
But not in
• latencies
On average there was less variability in hold times under stress (t-test, P < 0.05)
But there was no significant difference in mean latency or hold times
Stress has changed the pattern of timings more than the overall speed of typing
Applications
• On-line shopping: Are you spending money using someone else’s account?
• Credit cards: there’s a distinct timing sequence to how we type in numbers
• ATM/Chip and PIN: Is it really us? Are we acting under duress?
• Self-service check-in at airports: Is he showing signs of abnormal stress?
• Investment banks: Is she gambling £1,000,000,000 without our permission?
Key Advantages
(1) No need for special hardware
(2) Works over the internet
(3) It’s hard to fake a timing pattern
(4) Passwords can easily be changed - unlike fingerprints
(5) We can detect signs of abnormal behaviour – not just identity
References
• Bradley, M. M. and Lang, P. J. (1999). International affective digitized sounds (IADS): Stimuli, instruction manual and affective ratings (Technical report B-2). Gainesville, FL: The Centre for Research in Psychophysiology, University of Florida.
• Gaines, R., Lisowski, W., Press, S. and Shapiro, N. (1980). Authentication by keystroke timing: Some preliminary results. Rand Report R-256-NSF. Rand Corporation, Santa Monica, CA.
• Hugo Gamboa and Ana Fred, “A behavioural biometric system based on human-computer interaction,” in SPIE 5404 - Biometric Technology for Human Identification, A. K. Jain and N. K. Ratha, Eds., Orlando, USA, August 2004, pp. 381–392.
• Joyce, R. and Gupta, G. (1990). Identity Authentication Based on Keystroke Latencies. Communications of the ACM, 33(2):168-176.
• Ting, I. H., Clark, L., Kimble, C., Kudenko, D. and Wright, P. (2007). APD-A Tool for Identifying Behavioural Patterns Automatically from Clickstream Data. In Knowledge-Based Intelligent Information and Engineering Systems. Berlin: Springer.
• Viviani, P. and Terzuolo, C. (1982). On the relation between word-specific patterns and the central control model of typing: A reply to Gentner. Journal of Experimental Psychology: Human Perception and Performance, 8:811-813.