online risk-based authentication using behavioral biometrics risk-based...

Online risk-based authentication using behavioral biometrics

Issa Traore & Isaac Woungang & Mohammad S. Obaidat &Youssef Nakkabi & Iris Lai

Published online: 5 June 2013# Springer Science+Business Media New York 2013

Abstract In digital home networks, it is expected that independent smart devices com-municate and cooperate with each other, without the knowledge of the fundamentalcommunication technology, on the basis of a distributed operating system paradigm. Insuch context, securing the access rights to some objects such as data, apparatus, andcontents, is still a challenge. This paper introduces a risk-based authentication techniquebased on behavioral biometrics as solution approach to tackle this challenge. Risk-basedauthentication is an increasingly popular component in the security architecture deployedby many organizations to mitigate online identity fraud. Risk-based authentication usescontextual and historical information extracted from online communications to build arisk profile for the user that can be used accordingly to make authentication andauthorization decisions. Existing risk-based authentication systems rely on basic web

Multimed Tools Appl (2014) 71:575–605DOI 10.1007/s11042-013-1518-5

An abridged version of this work [30] has been published in the Proc. of the 4th International Conference onDigital Home (ICDH 2012), Guangzhou, China, pp. 138–145, Nov. 23―25, 2012

I. Traore : Y. Nakkabi : I. LaiDepartment of Electrical and Computer Engineering, University of Victoria, Victoria, BC V8W 3P6,Canada

I. Traoree-mail: [email protected]

Y. Nakkabie-mail: [email protected]

I. Laie-mail: [email protected]

I. WoungangDepartment of Computer Science, Ryerson University, Toronto, ON M5B 2K3, Canadae-mail: [email protected]

M. S. Obaidat (*)Department of Computer Science and Software Engineering, Monmouth University, West Long Branch,NJ 07764, USAe-mail: [email protected]

communication information such as the source IP address or the velocity of transactionsperformed by a specific account, or originating from a certain IP address. Such informa-tion can easily be spoofed, and as such, put in question the robustness and reliability ofthe proposed systems. In this paper, we propose a new online risk-based authenticationsystem that provides more robust user identity information by combining mouse dynam-ics and keystroke dynamics biometrics in a multimodal framework. We propose aBayesian network model for analyzing free keystrokes and free mouse movementsinvolved in web sessions. Experimental evaluation of our proposed model with 24participants yields an Equal Error Rate of 8.21 %. This is very encouraging consideringthat we are dealing with free text and free mouse movements, and the fact that many websessions tend to be very short.

Keywords Risk-based authentication . Network security . Mouse dynamics . Keystrokedynamics biometric technology . Bayesian network model . Digital home network .

Infrastructure technology

1 Introduction

In the recent years, home networking and infrastructure technology has evolvedsignificantly due to the introduction of digital networks in the home sector.According to the well-known HAVi (Home Audio/Video Interoperability) standard,objects of a home network are expected to interact in a collaborative manner witheach other without the need for a communication technology, with the ultimate goalthat the lives of people will be enhanced as they collaborate, create, learn, work,and play. In a digital network, in addition to achieve a fast delivery of services toconstituents, online risk-based authentication is also a vital requirement to evolvingdigital network operations since access-protected objects that are involved (forinstance, data, apparatus, and contents such as films, digital home applications,etc.) can be exposed to various different users of the home network, no matterwhether these users are authorized, unauthorized, or undesired. Thus, securing theaccess rights to these objects is imperative. This paper introduces a risk-basedauthentication technique based on behavioral biometrics as a solution to thisproblem.

Risk-based authentication is a security mechanism that uses both contextual andhistorical user information, along with data provided during Internet communicationsto determine the probability of whether or not a user interaction is genuine [8, 9, 13,24, 31, 32]. Examples of contextual information include the user computer mappingor fingerprint, his IP address and IP geo-location. Examples of historical informationinclude the user’s behavior and transaction patterns, which may be captured, forinstance, by measuring the velocity of transactions performed by a specific account,or originating from a certain IP address, user or source, or made at a certain merchantor service provider.

Despite the increasing popularity of risk-based authentication in the security industry,much of the above historical and contextual data used in existing systems may besubject to fraud [31]. For instance, a criminal could poll a user’s computer and thenreplicate the settings on a different machine with the intention of fooling the authen-tication system. Furthermore, existing systems use ad hoc or simplistic risk managementmodels along with rule-based techniques for user behavioral and transactional patterns

576 Multimed Tools Appl (2014) 71:575–605

analysis. These systems are operationally ineffective due to the rapidly evolving natureof online fraud patterns as well as the fact that new and unseen fraud cases areemerging frequently. Such cases cannot be completely covered by static rules from arule based system.

In this work, we propose a new risk-based authentication system that uses acombination of mouse dynamics biometrics and keystroke dynamics biometrics datacaptured in online sessions. A key characteristic of risk-based authentication is thatthe process must be virtually invisible to end users. This means that in our model,mouse and keystroke dynamics must be captured and processed freely.

Although keystroke dynamics biometric has been studied extensively and usedfor authentication since the early 1980’s, most of the existing proposals havefocused primarily on fixed text recognition [5, 16, 19, 25]. Fixed text recognitionconsists of enrolling the user using a predefined text or phrase, and performing thedetection by asking the user to type exactly the same string. While fixed textrecognition may be used in static authentication (i.e. login), it is not appropriatein risk-based authentication, where the user must be authenticated in a non-intrusiveway. Under such scenario, the user must be authenticated based on text freelytyped, which does not necessarily match the enrolment sample. This is referred toas free text detection [18]. Free text detection in web environments is verychallenging because of the limited amount of keystrokes involved in many websessions (e.g. online banking).

Similar challenges are involved in mouse dynamics biometric analysis. Most of theexisting mouse dynamics analysis systems target primarily static authentication by requiringthe user to perform a predefined set of actions [4, 7, 28, 29]. The small amount of mouseactions generated in many web sessions, limit severely the performance of free mousemovement analysis in web environments [17].

In this work, we tackle the above challenges by developing an online risk-basedauthentication scheme that integrates mouse dynamics and free text analysis using aBayesian network model. Due to the limited amount of mouse actions or keystrokesinvolved in a typical web session, relatively lower performance is achieved whenusing each of the individual modalities in isolation in our Bayesian network model.However, by combining the two modalities, the overall performance is improvedsignificantly. The performance of the proposed scheme is computed using the follow-ing standard biometric performance metrics:

& False Acceptance Rate (FAR): this measures the likelihood that an impostor may befalsely accepted by the system as genuine;

& False Rejection Rate (FRR): this measures the likelihood that a genuine user may berejected by the system as an impostor;

& Equal Error Rate (ERR): this corresponds to the operating point where FAR and FRRhave the same value.

The experimental evaluation of the proposed multimodal framework with 24 participantsyields an EER of 8.21 %.

The rest of the paper is structured as follows. Section 2 summarizes and discussesthe related work. Section 3 provides an overview of the Bayesian network model. Ourproposed approach is also introduced. Section 4 describes in more detail our featuressets and the proposed biometric processing models. Section 5 describes the experi-mental evaluation of our approach and discusses the results obtained. Section 6 pre-sents some concluding remarks and outlines some future work.

Multimed Tools Appl (2014) 71:575–605 577

2 Related work

2.1 On risk-based authentication

A fundamental characteristic of emerging risk-based authentication technologies is toemploy the user’s behavioral information along with identity and contextual informationin the risk management process. However, to our knowledge, none of the works published sofar in the research literature has taken into account the user behavioral patterns in the riskmanagement process. Most of the published works on using behavioral pattern in risk-basedauthentication are industry whitepapers [31]. Likewise, several risk-based authenticationproducts using behavioral patterns are currently being commercialized [22, 26] and usedmainly in sectors like the financial services industry. A leading risk-based authentication toolcurrently available is the RSA Adaptive Authentication System (RAAS) that protects trans-parently the online user activity both at the login and transactional levels by collating fraudindicators, user profiles, transaction behavioral patterns, and so on [2]. Another leading toolreferred to as AdmitOne Security Suite (ASS) roughly provides the same features as RAAS[1]. However, a key difference between these tools is that in addition to traditional datasources such as IP address and device characteristics, ASS collects and processes keystrokedynamics biometrics (although using fixed text detection). The lack of published experi-mental results makes it, however, impossible to assess the effectiveness of the abovecommercial systems.

To our knowledge, most of the published proposals in the research literature have been atthe transactional level [8–10].

In this context, Dimmock et al. [10] introduced a computational risk assessment tech-nique for dynamic and flexible access decision-making. The proposed approach allowsbasing access control decisions on risk and trust rather than on credentials only. However,the approach assumes a prior knowledge of outcomes of all possible combinations of statesand actions during the decision-making process, which is not realistic. Furthermore, thesubjects in their model are autonomous agents, not humans; and we know that humanidentity and behavior are essential aspects of risk-based authentication.

Diep et al. [9] presented a framework for contextual risk-based access control forubiquitous computing environments. In their scheme, access control decisions are madeby assessing the risk based on the contextual information, the value of requested resources orservices, and the consequences of unauthorized system transactions. A mathematical riskassessment and scoring technique called Multifactor Evaluation Process (MFEP) is pro-posed, in which numerical weights are assigned to risks factors in terms of confidentiality,integrity, and availability of the related outcomes.

Cheng et al. [8] proposed a new risk based access control model named Quantified RiskAdaptive Access Control (QRAAC) that uses a quantitative risk assessment technique basedon fuzzy logic. QRAAC replaces the traditional binary decision-making used in accesscontrol scheme with a dynamic, multi–decision access control based on objective riskmeasures. The scale of the quantified risk estimates is divided into several risk ranges, eachassociated with a specific decision and action assigned according to the risk tolerances.

2.2 On keystroke dynamics

Most existing literature on keystroke dynamics focused on fixed text detection [5, 16, 19, 21,25]. Limited amount of works has been accomplished on free text detection. Representativeones are captured in [11, 12, 18, 23, 33].


Monrose and Rubin [23] proposed an approach for free text analysis of keystrokes usingclustering based on a variation of the maximin-distance algorithm. Several kinds of distancemeasures were introduced to compute the pattern similarities and dissimilarities includingthe normalized Euclidean distance and the weighted and non-weighted maximum probabil-ity measures. The reference profile was constructed by computing the mean and standarddeviations for each of the latencies and durations for the features involved in the collecteddata. By collecting over a period of 7 weeks the typing samples from 42 users performingstructured and unstructured tasks in various computing environments, 90 % correct classi-fication was obtained for fixed text detection while only 23 % correct classification wasachieved for free text detection.

Dowland et al. [11] collected keystroke dynamics samples by monitoring the usersduring their regular computing activities without any particular constraints imposed onthem [11, 12]. A user profile was determined by calculating the mean and standarddeviation of the digraph latency and by considering only the digraphs occurring aminimum number of times across the collected typing samples. An experimentalevaluation of their scheme with five participants yielded correct acceptance rates inthe range of 60 %.

Villani et al. [33] proposed a long-text-input keystroke biometric system for identifyingperpetrators of inappropriate e-mail communication or fraudulent Internet activity by calcu-lating the mean and standard deviation of key presses and transitions. An experimentalevaluation of their scheme involved 118 participants, which were divided into differentgroups according to the type of keyboard used and the performed task (copy task or freetext). The obtained accuracy results varied from 44.2 % when the enrollment was done on alaptop with fixed text and the testing was done on a desktop with free text, to 100 % when acopy task was performed in both the enrollment and testing phases on a laptop computer(using fixed text).

Gunetti and Picardi [18] introduced and used a metric based on the degree of disorder ofan array for free text analysis of keystrokes. An experimental evaluation of their schemeinvolved 40 users considered as legal users who provided 15 typing samples each, and 165users considered as imposters who provided one sample each, by entering their loginidentifier and then freely typing some text through a web-based interface. Overall, a FARof 0.00489 %, a FRR of 4.8333 %, and an EER in the range 0.5–1 % were achieved. It mustbe noted that although the performance obtained in this case is excellent, the average lengthof the samples varied from 700 to 900 characters. Determining what the performance of theproposed scheme would be with session size as small as 100 characters (which is typical inweb environments) is still an open problem.

2.3 On mouse dynamics

The last decade has witnessed an increasing interest in mouse dynamics biometric research[3, 4, 7, 17, 27, 28]. Next, we discuss some of these proposals.

The Mouse-lock system proposed by Revett et al. [28] uses mouse dynamics biometricfor static authentication (at the login time). The user interface consists of thumbnail imagesoriented in a circle. By using the mouse, the user enters a password by clicking 5 of thedisplayed images in the correct sequence similar to the rotary lock. An experimentalevaluation of the proposed scheme involving 6 users providing 100 genuine samples eachand 20 impostor samples yielded FAR and FRR between 2 % and 5 %.

Bours and Fullu [7] proposed a login system using mouse dynamics based on a speciallydesigned graphical interface in the form of a maze. To log in, users have to move the cursor


by following the paths. An experimental evaluation of the proposed approach involving 28participants achieved an EER ranging between 26.8 % and 29 %.

Aksarı and Artuner [4] proposed a mouse dynamics authentication scheme, in whichusers were required to log in by clicking randomly for ten times the displayed squares on thecomputer screen. An experimental evaluation of the proposed approach involved 10 userswho produced in total 111 sessions, yielding an EER at 5.9 %.

In the Web Interaction Display and Monitoring (WIDAM) system proposed by Gamboaand Fred [17], a web-based memory game was used to capture mouse movements and clicks.Extracted features such as angle and curvature, movement duration, position, velocity, andacceleration, were analyzed using a statistical sequential classifier. An experimental evalu-ation of the proposed scheme involving 25 volunteers playing the memory games for about10 to 15 min yielded an EER ranging from 5 % and 48.9 % while the number of strokes wasbetween 1 and 100. Strokes were defined as successive mouse clicks in this approach.

Pusara and Brodley [27] proposed a user re-authentication system based on mousedynamics. In the proposed approach, features such as mean, standard deviations, and thirdmoment values were calculated for a number of mouse actions and processed using adecision tree classifier. Experimental data was collected from 18 test users during an averageof 2 h period during which the participants were using Internet Explorer on a Windowsmachine. The data from 7 users was considered invalid due to the low entries. The testresults showed a false positive rate at 0.43 % and a false negative rate at 1.75 %.

Ahmed and Traore [3] proposed a mouse dynamics biometric recognition approach inwhich 39 mouse dynamics features were extracted and analyzed using neural networks. Theproposed approach was evaluated by conducting various experiments involving both freeand fixed mouse movements. An overall FAR of 2.4649 % and FRR of 2.4614 % wereobtained in the main experiment with 22 participants, in which tests were conducted onvarious hardware and software systems. Seven test users participated in a second experimentproviding 49 sessions. In this experiment, the same hardware and software applications wereused. The test results consisted of FAR and FRR of 1.25 % and 6.25 %, respectively. A thirdexperiment was limited to the same machine and while the previous seven participants wereasked to use the same application and perform the same predefined set of actions. FAR andFRR of 2.245 % and 0.898 %, respectively, were obtained in this experiment.

Like keystroke dynamics, most of the existing works on mouse dynamics targetpredefined or fixed mouse movement. Under this category fall the MouseLock systemintroduced by Revett et al. [28], the Web Interaction Display and Monitoring (WIDAM)system proposed by Gamboa and Fred [17], and the maze-based login scheme by Bours andFullu [7] as outlined above. In the few works where free mouse movements were studied,like in [3], the main challenge has been the degradation of the accuracy as the session lengthdecreases. Such challenge must be addressed in online environments where small sessionsare common.

3 Background and approach

3.1 Bayesian network model

A Bayesian network (also named as Bayesian belief network) consists of a directed acyclicgraph (DAG) which represents conditional probability relationships among a set of randomvariables X = {X1,…, Xn} [15]. In the DAG, every node represents a random variable, andeach arc represents a dependency relationship between nodes. An arc from a node Xi to node


Xj denotes a parent–child relationship between Xi and Xj: Xi is said to be a parent of Xj, andconversely Xj is said to be a child of Xi. Furthermore, a conditional probability distribution isassociated with each node Xi that captures the conditional probabilities of this node to itsimmediate parent nodes denoted P(Xi |Parents(Xi)).

A Bayesian network captures the conditional independence relationships between thevariables involved in the graph structure while providing at the same time a compactrepresentation of the joint probability distribution over these variables. The joint probabilitydistribution over all the variables X1,…, Xn in the Bayesian network is given by:

P X 1 ¼ x1;::Xn ¼ xnð Þ ¼ ∏n

i−1P X i ¼ xi Parentsj X ið Þð Þ

where xi denotes a particular assignment to variable Xi (1≤ i≤n).Given two variables Xi and Xj, the conditional probability P(Xi | Xj) is obtained by the

Bayesian theorem as follows:

P X i X j

��

� � ¼ P X j X ij� �

P X ið ÞP X j

� �

From the Bayesian network, we can obtain the conditional probability P(Xi, Xj) if theprior probability P(Xi) is known, and evidence of Xj is observed. This feature of Bayesiannetwork is used to model the causality in the real world.

3.2 Bayesian network learning

As explained earlier, a Bayesian network is a directed acyclic graph (DAG) in which eachnode is associated with a probability distribution table. In general, there are two types ofBayesian network learning approaches, namely, structure learning and parameter learning.

Parameter learning consists of learning the probability distributions of a DAG. Parameterlearning consists of obtaining updated posterior probability distributions given prior prob-ability knowledge and observations.

Structure learning consists of learning the DAG structure of a Bayesian network givensome observations. Different approaches of structure learning include model selection andmodel averaging. The model selection approach uses a scoring criterion to find the mostprobable DAG structure (i.e. the one with the highest probability score) within the set of allpossible DAGs. In this approach, it is assumed that there is only one optimal DAG. TheModel averaging approach also uses a scoring criterion, and is recommended when thenumber of variables is small, and scores of multiple DAGs are close to each other. In thiscase, the inference is done by averaging posterior probabilities of the DAGs.

It is known that given n random variables, finding the optimal DAG structure is a NP hardproblem. This is because the number of DAGs increases exponentially with the number ofvariables. For this reason, heuristic search algorithms, such as greedy search and Monte-Carlomethods are developed to approximate the search of optimal DAG. One such algorithm that weuse in our work to learn Bayesian network structures is the Augmented Naive Bayes (TAN)algorithm. The TAN algorithm uses a greedy approach based on the minimum descriptionlength (MDL) scoring criterion. MDL scoring is based on minimum description lengthprinciple. In data compression, we use regularity to compress the data. This is similar to usingsymbols to describe strings. The fewer symbols are needed to describe the data set the better thecompression of the data. In the model selection approach, the optimal model is the one withshortest encodings. The MDL score is composed of two terms. One term defines the number of


bits to encode a Bayesian network. The other term is the log likelihood of the data. The searchstarts from an empty network and looks for probable naive Bayesian network to which itincrementally adds or removes arcs until achieving the maximum local scores. The TANalgorithm can find the optimal network in polynomial time. In our proposed system, we useTAN algorithm [6] implemented in Weka1 to learn a Bayesian network structure in enrolmentstage. Once the Bayesian network structure is learned, the conditional probability distribution iscalculated according to the given training set.

3.3 Proposed approach

We extract a separate model of the user behavior for each of the individual biometricmodalities (i.e. mouse and keystroke) using a Bayesian network. The global user profile isobtained by fusing the outcome of the individual Bayesian networks using the Bayesianfusion scheme explained in the next section.

To enroll a user, we extract for each separate modality a specific Bayesian network modelfrom the enrollment sample. The extracted Bayesian network structure is stored as part of theuser profile. Hence, each user will have different Bayesian network structures for each of thetwo modalities.

To authenticate a user, we apply the monitored sample to the Bayesian network structurescorresponding to the profile for the claimed identity and compute the individual biometricscores. The individual scores are then fused giving the global matching score, which iscompared to a threshold for decision making purpose.

3.4 Bayesian fusion

Let n denote the number of different modalities involved in our multimodal framework, andlet si denote the matching score between a monitored sample and an individual profile formodality i (1≤ i≤n). We estimate the a posteriori probabilities using Bayes rule as follows:

P G s1j ;…snð Þ ¼ P s1;…; sn Gjð ÞP Gð ÞP s1;…; sn Gjð ÞP Gð Þ þ P s1;…; sn Ijð ÞP Ið Þ

where P(I) and P(G) are the prior probabilities of the impostor and genuine classes,respectively; and P(s1, …, sn|I) and P(s1, …, sn|G) are the conditional probabilities of theimpostor and genuine classes given score si (1≤ i≤n). Assuming a conditional independencebetween the matching scores for the different modalities, given G or I, we obtain thefollowing:

P G s1;…snjð Þ ¼ P Gð Þ∏ni¼1P si Gjð Þ

P Gð Þ∏ni¼1P si Gjð Þ þ P Ið Þ∏n

i¼1P si Ijð ÞOften, the prior probabilities of individual modalities P(x) are unknown. It is customary

in this case to assume that all concepts are equally likely, which gives the following:

P G s1;…snjð Þ ¼ ∏ni¼1P si Gjð Þ

∏ni¼1P si Gjð Þ þ∏n

i¼1P si Ijð Þ

1 Weka is an open source data mining software developed by the University of Waikato. It provides variousmachine learning algorithms.


This equation can also be expressed as:

P G s1;…snjð Þ ¼ ∏ni¼1P si Gjð Þ

∏ni¼1P si Gjð Þ þ∏n

i¼1 1−P si Gjð Þð ÞThe above equation represents the Bayesian fusion score for n different modalities.

4 Data and biometric processing model

4.1 Keystroke dynamics biometric model

Keystroke dynamics biometric analysis consists of extracting unique behavioral patternsfrom how a user types on a keyboard. Two main types of information are usually extractedfrom the keystrokes, namely, the dwell time and the flight time. The dwell time (also calledthe hold time) is the time between pressing a key and releasing it. The flight time (also calledinter-key time) is the time between pressing two consecutive keys. The dwell and flighttimes can be used to compute the times associated with monograph (i.e. dwell time), digraph(i.e. flight time) or n-gram (in general). An n-gram is a sequence of n consecutive keys. Thetime associated with an n-gram k1… kn is computed as the sum of the dwell times for the kiand flight times for ki ki+1,where 1≤ i≤n-1.

In this work, keystrokes are divided into four categories based on the character ASCIIcodes and the mechanical keyboard layout2: Upper Case Keystrokes, Lower Case Key-strokes, Control Keystrokes, and Other Keystrokes. Keystrokes print characters such as “%”,“&” and capitalized letters are categorized as Upper Case Keystrokes. The reason is thatusers must either press Caps lock key ahead or press Shift key at the same time to print thesecharacters. All Upper Case Keystroke characters are listed in Table 1.

Lower Case Keystrokes allow printing lower case letters on the computer screen;characters from “a” to “z” fall under this category. Control Keystrokes do not result inprinting characters. Examples of Control Keystrokes are tab key, back space key, anddelete keys.

The remaining keystrokes are grouped into the Other Keystrokes category. For eachcategory of keystrokes, we calculate the mean and standard deviation of the dwell times aswell as the distribution of each type of keystrokes within a sequence of keystrokes. Theextracted keystroke dynamics features are listed in Table 2.

We extract the keystroke dynamics features by processing batches of consecutive key-strokes. By default, we consider batches of size n=10. From each batch, we extract a featurevector consisting of 20 features organized under 11 keystroke dynamics factors listed in Table 2.Each factor is represented by one or several features. Hence, each factor can be considered as aseparate feature vector. The concatenation of these individual feature vectors yields our globalfeature space for keystroke dynamics. Every session consists of a number of keystrokedynamics feature vectors or records. Every record corresponds to a sequence of n=10 consec-utive keystrokes.

For the mean and standard deviation of the flight time feature vectors M_FT and SD_FTmentioned in Table 2, we only consider the down – down (DD) flight times and the release –down (RD) flight times. Each of these categories yields a separate feature.

2 In this work, we consider the most popular keyboard layout, which is the United States keyboard layout forWindows, Mac OS, and Linux.


For the percentage of occurrences per keystroke category (i.e. PER_TP feature vector),we consider all four categories.

When a user is typing a capitalized letter, he/she might be holding the Shift key and theletter key at the same time. For this type of behaviour where the user is holding multiplekeys, we calculate the percentage of occurrences within a sequence of keystrokes. This isrepresented as the PER_MUL feature in Table 2.

We compute the means for two different types of flight times based on themechanical keyboard layout and the user behaviour in typing consecutive keys. Thefirst type of flight time is the flight time corresponding to when both consecutive keysbelong to the Upper Case Keystrokes category, or neither of the consecutive keys isfrom the Upper Case Keystrokes category. The second type of flight time is whenonly one key out of two belongs to the Upper Case Keystrokes category (i.e. while

Table 1 Upper case keystroke characters

A B C D E F G H I J K

L M N O P Q R S T U V

W X Y Z ! “ # $ % & (

) * + : < > ? @ ^ _ {

} | ~

Table 2 Keystroke dynamics biometrics features

Factor Acronym Unit Numberof features

Description

Mean of dwell time M_DT Second 1 The mean dwell time of a sequenceof keystrokes.

Mean of flight time M_FT Second 2 The mean flight time of a sequenceof keystrokes.

Mean of trigraph Time M_TRIT Second 1 The mean trigraph time of asequence of keystrokes.

Standard deviation ofdwell time

SD_DT Second 1 The standard deviation of dwelltime of a sequence of keystrokes.

Standard deviation offlight time

SD_FT Second 2 The standard deviation of flighttime of a sequence of keystrokes.

Standard deviation oftrigraph time

SD_TRIT Second 1 The standard deviation of trigraphtime of a sequence of keystrokes.

Mean of dwell timeper category

M_DTTP Second 4 The mean of dwell time for eachkeystroke category in a sequenceof keystrokes.

Percentage of occurrencesper category

PER_TP % 4 The distribution of each keystrokecategory in a sequence ofkeystrokes.

Percentage of occurrencesof holding multiple keys

PER_MUL % 1 The percentage of occurrences ofholding multiple keys in asequence of keystrokes.

Average Typing Speed ATS Character/Second

1 The average typing speed of asequence of keystrokes.

Mean of flight times pertype of user behaviour

M_FTTP Second 2 The mean of flight time for eachtype of user keystroke behaviour.


the other keystroke does not). These two types of means are represented as theM_FTTP featurevector in Table 2.

4.2 Mouse dynamics biometric model

Mouse dynamics biometric analysis consists of extracting unique behavioural characteristicsfor a user based on his mouse actions, which consist of mouse movements and mouse clicks.

The raw mouse data consist of mouse movement coordinate, movement angle, the time tomove the mouse from one location to the other, and the time of mouse clicks. As proposed in[3], the mouse movement directions can be divided into eight areas of 45° each as shown inFig. 1. Mouse features are extracted from batches of consecutive mouse actions. By default,we consider batches of size n=30.

We extract 66 features from the raw data organized under the 10 factors listed in Table 3.Each factor is represented by a separate feature vector consisting of one or several features.The concatenation of these individual feature vectors correspond to a 66-dimentional featurevector or record. Likewise, each session consists of several mouse records, each correspond-ing to (n=30) consecutive mouse actions.

In Table 3, the factors PER_MAD, PER_DD, PER_MTD, ADD, ASD, AVXD, AVYD,and ATVD are calculated for each of the eight movement directions (identified above). As aresult, each of these factors is represented by eight feature values, each corresponding to aseparate direction. A silence occurrence is identified when the mouse move distance is 0.The percentage of silence occurrence in a sequence of mouse actions is represented by thefeature SR.

4.3 Data analysis

After extracting the features, noise reduction is performed on keystroke dynamics biometricfeatures and mouse dynamics biometric features as explained in the following.

As mentioned above, flight time is defined as the time between two consecutive key-strokes. For instance, the flight time (down-down) is the time between pressing the first keyand pressing the second key. First, the flight time value must be positive since the keys arepressed consecutively. Second, by analyzing sample collected raw data for five random users(from our experiment), we observed that only a small amount of samples involve flight timesbeyond 3 s. The percentage of records with flight time (down-down) greater than 3 s is

Fig. 1 Mouse movement directions


5.34 % in the corresponding keystroke sample. As a result, we applied a filter by removingthe data that is outside the range [0 s, 3 s].

For mouse dynamics data, we apply two types of filters. First, we apply the movingaverage filter on the captured mouse move position data: computer screen x-y coordinates,and remove noise data on mouse dynamics feature values.

Using the moving average, we take the means of five points as the new values ofthe center point. We apply the moving average filter on x-coordinates and y-coordi-nates separately. The second filter applied on mouse dynamics data is similar to thefilter applied on keystroke dynamics. The mouse dynamics data considered are mousemove time and speed. In the mouse dynamics data set collected for the above sampleusers, we observed the percentage of data with mouse move time less than 1.5 s andmouse move speed less than 5,000 pixels per second to be 97.44 %. Therefore, wefilter out as noise mouse move time and mouse move speed falling out of the range[0 s, 1.5 s] and [0 pixels, 5000 pixels], respectively.

As discussed earlier, we learn a Bayesian network to build the user profile, and then use itto classify the monitored samples. In the Bayesian network learning step, it is assumed thatvariables are discrete and finite. Since most of the features extracted from keystrokes andmouse actions are continuous, we convert them into nominal features using a discretizationtechnique. For keystroke dynamics data discretization, we used the entropy baseddiscretization method developed by Fayyad and Irani [14], while for mouse dynamics datadiscretization, we use Kononenko’s Minimum Description Length (MDL)-based method[20]. The general approach is to discretize a continuous feature and then replace each feature

Table 3 Mouse dynamics biometric features

Factor Acronym Unit Numberof features

Description

Average click time ACT Second 1 The average of mouse clicks time.

Silence ratio SR % 1 The percentage of silence occurrence ofa sequence of mouse actions.

Percentage of mouse actionper mouse movementdirection

PER_MAD % 8 The percentage of mouse actionoccurrence of a sequence of mouseactions in each mouse move direction.

Percentage of distance permouse movement direction

PER_DD % 8 The percentage of mouse move distanceof a sequence of mouse actions in eachmouse move direction.

Percentage of mouse movetime per mouse movementdirection

PER_MTD % 8 The percentage of mouse move time of asequence of mouse actions in eachmouse move direction.

Average distance per mousemovement direction

ADD Pixel 8 The average distance in each mousemovement direction.

Average speed per mousemovement direction

ASD Pixel/Second 8 The average speed in each mousemovement direction.

Average velocity in X axis permouse movement direction

AVXD Pixel/Second 8 The average velocity in X axis in eachmouse movement direction.

Average velocity in Y axis permouse movement direction

AVYD Pixel/Second 8 The average velocity in Y axis in eachmouse movement direction.

Average tangential velocityper mouse movementdirection

ATVD Pixel/Second 8 The average tangential velocity in eachmouse movement direction.


value with its corresponding discrete interval. After discretizing the data, the conditionalprobability is computed as the fraction of training records that falls within the correspondinginterval for the specific user.

5 Experimental evaluations

5.1 Experimental method and setup

The experimental evaluation was conducted on a simpler version of a social network websitethrough which users share personal information such as family events or photos with friends.The main page is a normal user log on page, using user name and password authentication asshown in Fig. 2.

After accessing an account, the website allows a user to perform the following actions:Post status, Post pictures, Add comments on account owner’s pictures, Browse friends list,Add comments on friends’ statuses, and Add comments on friends’ pictures.

Each user was required to log in the web site as themselves (genuine user) or other users(intruder). For each login session, the logging type was recorded. Users have access to theusernames and passwords of other users, in order to allow impersonation attacks.

The architecture of the website consists of a web server and a database server. The webserver and the database server were set up on a computer with Dual CPU 3.2 GHz andmemory 2.00 GB RAM in our lab. The server was Windows Server 2008. The databaseserver was MySQL server. Users used their own desktops, laptops or handheld devices (i.e.iPhone) to access the website. Requests originated from four different geographic locations,including Victoria (British Columbia, Canada), Toronto (Ontario, Canada), Oslo (Norway),and Shanghai (China).

Fig. 2 Experimental website logon page


5.2 Collected data

In total, 24 users with different background and computer skills participated in the exper-iment. The experiment lasted for about 8 weeks. In total, 193 legitimate visits and 101intrusive visits were contributed by the test users. Table 4 provides a breakdown of thesample keystroke and mouse data collected.

Table 5 Bayesian network training records and validation results for legal users (PCCR stands for thepercentage of correctly classified records)

Positive Training Negative Training PCCR (%)

Number ofSessions

Number ofRecords

Number ofSessions

Number ofRecords

User 2 Keystroke Dynamics 2 579 32 2,235 91.61

Mouse Dynamics 3 8,407 14 35,889 95.70


Mouse Dynamics 4 9,632 28 28,985 92.57


Mouse Dynamics 3 4,900 12 32,682 97.85


Mouse Dynamics 3 6,809 11 32,222 98.91


Mouse Dynamics 10 2,794 7 20,893 98.43


Mouse Dynamics 2 6,761 12 33,066 96.42


Mouse Dynamics 5 3,963 20 26,294 98.41


Mouse Dynamics 3 7,772 12 21,004 98.83


Mouse Dynamics 3 6,128 21 23,703 94.27

User 21 Keystroke Dynamics 4 271 30 2217 95.70

Mouse Dynamics 5 6,096 23 33,313 98.64


Mouse Dynamics 2 9,853 21 24,178 93.60

User 24 Keystroke dynamics 4 44 33 2,382 99.22

Mouse Dynamics 4 5,155 14 29,220 96.84

Table 4 Collected samples statistics

Keystrokes Mouse actions

Genuine data Attack data Genuine data Attack data

Number of Samples per user Minimum 11 42 303 371

Maximum 6,337 1,268 84,503 22,093

Average 1,264 417 19,007 6,205

Total number of samples (all users) 22,585 6,696 344,005 103,620


In Table 4, the data collected under each of the different modalities (keystroke, mouseactions) were grouped by sessions. Here, a session corresponds to a regular login sessionwhich spans from the time the user logs in to when he/she logs out. The samples collectedwithin one session were grouped by a unique session ID.

In the experiment, every test user contributed different numbers of sessions. Although thetotal numbers of samples provided by test users were high, the number of samples for eachsession was low. For example, 62.6 % of genuine keystroke sessions contain less than 100keystrokes.

5.3 Evaluation method

For each of the users, a reference profile was generated for each individual modality basedon a training set consisting of positive and negative records. Only genuine records were usedin the training sets. Genuine data is divided into enrolment data and test data based on thetimeline. The earliest data (received in time) was used for enrolment while the data collectedsubsequently was used for testing. For each of the legal users, the positive records in thetraining set consisted of genuine enrolment samples for that user while the negative trainingrecords consisted of enrolment data from other randomly selected legal users. The numbersof selected users (for training per user) varied for each modality: the number of selected legalusers for keystroke dynamics was eight whereas the number of selected users for mousedynamics was 4.

By analyzing the sample data, we found that the minimum number of positive recordsrequired to effectively train the Bayesian network for each of the different modalities varies;

IsAuthorized

SD_FT2PER_TP3

SD_DTM_FTTP1

M_FT1

M_TRIT

M_DTTP4

M_DTM_DTTP2ATS PER_TP2

M_FTTP2

M_DTTP3PER_TP4

SD_FT1

SD_TRITM_FT2

PER_MUL

M_DTTP1

PER_TP1

(a) User 2

IsAuthorized

PER_MUL

PER_TP3

SD_DT

M_FTTP1

M_FT1

SD_FT2

M_DTTP4

M_DTM_DTTP2

PER_TP2

M_DTTP3

PER_TP4M_FT2

M_TRITSD_FT1

SD_TRIT

M_DTTP1 PER_TP1

ATS

M_FTTP2

(b) User 7

Fig. 3 Keystroke bayesian network for two different users: User 2 and User 7


Tab

le6

Examples

ofmouse

dynamicsrecordsfortwodifferentusers:U

ser2andUser7.The

sampledataconsistsof

tenrecordsperuser,eachrepresentedrow-w

ise.Eachof

the

10mouse

dynamicsfactorsis

representedby

asetof

columns

correspondingto

thenumbers

involved.For

instance,columnACTrefers

totheAverage

ClickTim

efeature.

Colum

nnames

correspond

tothefeatureacronymsin

Table3.

The

Prob.

(%)columnistheclassprobability

oftherecord.The

columntitledOther

Prob.

(%)liststheclass

probability

obtained

byapplying

thegivenrecord

ontheotheruser’sprofile

network

No.

ACT

SR

PER_M

AD

PER_D

D

12

34

56

78

12

User2

10

090

00

06.66667

00

3.33333

50.4969

0

20

093.3333

00

06.66667

00

054.292

0

30

093.3333

00

06.66667

00

053.4335

0

40

093.3333

00

06.66667

00

053.1572

0

50

093.3333

00

06.66667

00

053.1401

0

60

096.6667

00

03.33333

00

063.1086

0

70

0100

00

00

00

0100

0

80

0100

00

00

00

0100

0

90

080

00

06.66667

00

13.3333

42.4088

0

100

083.3333

00

06.66667

00

1044.6626

0

User7

10

013.3333

030

26.6667

03.33333

026.6667

4.53523

0

20

013.3333

030

26.6667

00

030

5.668

0

30

013.3333

026.6667

26.6667

03.3333

030

6.20396

0

40

013.3333

023.3333

26.6667

06.66667

030

6.4369

0

50

013.3333

020

26.6667

010

030

6.45873

0

60

013.3333

016.6667

26.6667

013.3333

030

6.77545

0

70

013.3333

013.3333

26.6667

016.6667

030

7.31596

0

80

013.3333

010

26.6667

020

030

7.78034

0

90

033.3333

1043.3333

13.3333

00

00

41.3229

3.02354

100

036.6667

1043.3333

100

00

042.7305

3.08091

No.

PER_M

TD

ADD

ASD

78

12

34

56

78

12

User2

10

0.57595

15.5444

00

0185.94

00

39.56

1943.06

0


Tab

le6

(contin

ued)

No.

ACT

SR

PER_M

AD

PER_D

D

12

34

56

78

12

20

015.7757

00

0185.94

00

01971.96

0

30

015.24

00

0185.94

00

01905

0

40

015.0718

00

0185.94

00

01883.97

0

50

015.0614

00

0185.94

00

01882.68

0

60

015.4414

00

0261.77

00

01930.17

0

70

015.8957

00

00

00

01986.96

0

80

015.9047

00

00

00

01988.08

0

90

2.30382

15.4387

00

0185.94

00

32.825

1929.84

0

100

1.72786

15.3868

00

0185.94

00

34.91

1923.35

0

User7

10

4.75174

60

27.2356

7.005

0107.17

012.1075

564.51

0

20

5.87544

60

27.2356

7.005

00

010.9189

564.51

0

30

3.48554

60

25.5087

7.005

04.47

010.9189

564.51

0

40

3.48432

60

26.2386

7.005

05.435

010.9189

564.51

0

50

3.48554

60

28.5983

7.005

07.23

010.9189

564.51

0

60

3.48311

60

28.002

7.005

08.975

010.9189

564.51

0

70

3.48675

60

23.46

7.005

011.18

010.9189

564.51

0

80

3.48554

60

17.88

7.005

012.7533

010.9189

564.51

0

90

034.441

8.4

32.4585

10.4725

00

00

2741.94

803.517

100

031.7736

8.4

32.4585

7.09

00

00

2528.34

803.517

No.

AVXD

AVYD

ATVD

67

81

23

45

67

81

User2

10

04750

−856.481

00

0910.596

00

1375

1943.06

20

00

−830.357

00

0910.596

00

01971.98

30

00

−776.786

00

0910.596

00

01905.02

40

00

−736.607

00

0910.596

00

01883.98

50

00

−691.964

00

0910.596

00

01882.67


Tab

le6

(contin

ued)

No.

ACT

SR

PER_M

AD

PER_D

D

12

34

56

78

12

60

00

−676.724

00

01816.67

00

01930.15

70

00

−662.5

00

00

00

01986.93

80

00

−604.167

00

00

00

01988.04

90

03906.25

−947.917

00

0910.596

00

1250

1929.83

100

04166.67

−920

00

0910.596

00

1291.67

1923.35

Average:

User7

1−3

79.12

01108.54

00

−1630

−185.99

0450.549

0141.385

564.51

20

0995.472

00

−1630

−185.99

00

0135.777

564.51

3−1

.6978

0995.472

00

−1367.8

−185.99

03.39559

0135.77

564.51

4−1

34.18

0995.472

00

−1359.2

−185.99

0168.364

0135.777

564.51

5−2

14.46

995.472

00

−1477.8

−185.99

0299.743

0135.77

564.51

6−2

85.64

0995.472

00

−1385.9

−185.99

0377.585

0135.77

564.51

7−3

78.67

0995.472

00

−1127.1

−185.99

0502.068

0135.777

564.51

8−4

43.01

0995.472

00

−669.49

−185.99

0575.253

0135.777

564.51

90

00

−458.03

−672.73

−2541.6

−555.71

00

00

2741.98

100

00

−423.38

−672.73

−2541.6

−431.42

00

00

2528.36

Average:

PER_D

DPER_M

TD

34

56

78

12

34

56

User2

00

44.7434

00

4.75973

15.5508

00

083.8733

0

00

45.708

00

016.1267

00

083.8733

0

00

46.5665

00

016.1267

00

083.8733

0

00

46.8428

00

016.1267

00

083.8733

0


Tab

le6

(contin

ued)

PER_D

DPER_M

TD

34

56

78

12

34

56

00

46.8599

00

016.1267

00

083.8733

0

00

36.8914

00

079.4521

00

020.5479

0

00

00

00

100

00

00

0

00

00

00

100

00

00

0

00

42.5633

00

15.0279

13.8229

00

083.8733

0

00

43.1776

00

12.1598

14.3988

00

083.8733

0

User7

46.3198

10.5898

020.2517

018.3034

2.34917

078.4837

4.69834

09.71703

57.8891

13.2348

00

023.2081

2.58519

086.369

5.17039

00

52.7517

14.4862

01.15549

025.4026

1.53364

050.854

3.06727

041.0596

49.2611

15.0302

02.91538

026.3564

1.5331

050.3484

3.0662

041.5679

46.1772

15.0811

05.83708

026.4458

1.53364

049.7734

3.06727

042.1401

39.5263

15.8207

010.1349

027.7426

1.53257

049.1815

3.06513

042.7377

28.6054

17.0828

017.0401

029.9558

1.53417

048.5704

3.06834

043.3403

17.389

18.1671

024.8063

031.8572

1.53364

047.9958

3.06727

043.9177

50.6275

5.02604

00

00

30.3725

2.96084

61.8911

4.77555

00

51.5881

2.60044

00

00

31.6444

2.96367

61.9503

3.44168

00

ASD

AVXD

34

56

78

12

34

5

User2

00

2231.24

00

4945

1689.81

00

0−2

033.11

00

2231.24

00

01727.68

00

0−2

033.11

00

2231.24

00

01669.64

00

0−2

033.11

00

2231.24

00

01656.25

00

0−2

033.11

00

2231.24

00

01665.18

00

0−2

033.11

00

4362.83

00

01719.83

00

0−3

966.67

00

00

00

1783.33

00

00

00

00

00

1808.33

00

00


Tab

le6

(contin

ued)

PER_D

DPER_M

TD

34

56

78

12

34

56

00

2231.24

00

4103.13

1645.83

00

0−2

033.11

00

2231.24

00

4363.75

1650

00

0−2

033.11

User7

1651.07

663.038

0588.85

01118.82

564.51

0−2

19.28

−628.69

0

1651.07

663.038

00

01008.75

564.51

0−2

19.28

−628.69

0

1390.98

663.038

03.79

01008.75

564.51

0−2

23.96

−628.69

0

1381.52

663.038

0215.23

01008.75

564.51

0−2

15.14

−628.69

0

1493.35

663.038

0368.903

01008.75

564.51

0−2

01.98

−628.69

0

1397.27

663.038

0474.038

01008.75

564.51

0−1

67.37

−628.69

0

1139.08

663.038

0629.23

01008.75

564.51

0−1

56.58

−628.69

0

681.277

663.038

0726.515

01008.75

564.51

0−1

25.45

−628.69

0

2844.12

859.315

00

00

2650.08

409.091

−1044.7

−654.92

0

2844.12

654.8

00

00

2444.13

409.091

−1044.7

−492.27

0

ATVD

Prob.

(%)

Other

Prob.

(%)

23

45

67

8

User2

00

02231.27

00

4945.01

90.0133

0.23414

00

02231.27

00

080.4819

0.8928

00

02231.27

00

089.2275

0.12969

00

02231.27

00

089.2275

0.12969

00

02231.27

00

089.2275

0.12969

00

04362.88

00

089.5076

25.8388

00

00

00

01.39453

72.4951

00

00

00

01.39453

17.0877

00

02231.27

00

4103.22

82.0799

0.05645

00

02231.27

00

4363.85

62.5346

0.16893

Average:

67.51

11.72

User7

01651

663.088

0588.836

01118.87

20.6488

1.96E-04


Tab

le6

(contin

ued)

PER_D

DPER_M

TD

34

56

78

12

34

56

01651

663.088

00

01008.83

99.6566

7.748.28

01390.92

663.088

03.79638

01008.83

99.8521

0.56022

01381.5

663.088

0215.336

01008.83

41.8488

0.01335

01493.28

663.088

0368.904

01008.83

99.4266

0.8948

01397.25

663.088

0474.076

01008.83

28.5048

0.00917

01139.02

663.088

0629.261

01008.83

33.378

0.28892

0681.198

663.088

0726.497

01008.83

0.11765

1.23196

803.606

2844.13

859.347

00

00

99.091

4.88E-08

803.606

2844.13

654.95

00

00

88.0621

1.44E-06

Average:

59.20

1.07


Tab

le7

Examples

ofkeystrokerecordsfortwodifferentusers:User2andUser7.

The

sampledata

consistsof

tenrecordsperuser,each

representedrow-w

ise.Eachof

the11

keystrokefactorsisrepresentedby

asetof

columns

correspondingto

thenumbersinvolved.For

instance,columns

M_D

Treferto

thekeystrokedynamicsMeanof

DwellTim

efeatures.C

olum

nnames

correspond

tothefeatureacronymsin

Table2.The

Prob.(%

)columnistheclassprobability

oftherecord.T

hecolumntitledOtherProb.(%

)liststheclass

probability

obtained

byapplying

thegivenrecord

ontheotheruser’sprofile

network

No.

SD_D

TSD_F

TSD_T

RIT

M_D

TM_F

TM_T

RIT

M_D

TTP

12

12

12

34

User2

10.039956

0.099961

0.104128

0.150589

0.0849

0.1191

0.0342

0.1788

00.084889

0.085

0

20.032755

0.099873

0.098411

0.137492

0.0781

0.1193

0.0412

0.1901

00.077333

0.085

0

30.032093

0.097302

0.093934

0.132825

0.0772

0.1236

0.0464

0.1939

00.076333

0.085

0

40.026215

0.098131

0.08989

0.135317

0.0716

0.1222

0.0506

0.1856

00.070111

0.085

0

50.026572

0.088267

0.079932

0.139159

0.0725

0.1097

0.0372

0.1728

00.069125

0.085

0.087

60.024306

0.087728

0.084767

0.131967

0.0788

0.1103

0.0315

0.181

00.077

0.085

0.087

70.008588

0.083881

0.084966

0.13217

0.0882

0.1242

0.036

0.1804

00.08875

0.085

0.087

80.010111

0.085277

0.085236

0.112897

0.0874

0.1191

0.0317

0.1644

00.08775

0.085

0.087

90.011252

0.055687

0.05843

0.177971

0.086

0.1074

0.0214

0.1938

00.085889

00.087

100.016706

0.125797

0.116139

0.190079

0.0899

0.1471

0.0572

0.2231

00.085625

00.107

User7

10.050926

0.034017

0.047274

0.412757

0.2494

0.0848

−0.1646

0.0533

00.2494

00

20.051139

0.3958

0.415266

0.548219

0.2492

0.2179

−0.0313

0.1862

00.2492

00

30.051428

0.395951

0.415302

0.549435

0.249

0.2175

−0.0315

0.1833

00.249

00

40.052935

0.397011

0.418432

0.551459

0.2539

0.2148

−0.0391

0.1792

00.2539

00

50.04818

0.396128

0.415551

0.54908

0.2499

0.2183

−0.0316

0.1841

00.2499

00

60.046413

0.396829

0.415518

0.547756

0.2472

0.2157

−0.0315

0.1867

0.266

0.245111

00

70.046371

0.395937

0.41904

0.550498

0.2601

0.2182

−0.0419

0.1817

0.292

0.252125

00

80.063524

0.394407

0.415421

0.543795

0.2475

0.2218

−0.0257

0.1969

0.233333

0.253571

00

90.080408

0.394777

0.413249

0.542432

0.2326

0.2208

−0.0118

0.2561

0.233333

0.232286

00

100.089118

0.400932

0.427231

0.538673

0.2077

0.2661

0.0584

0.3244

0.1915

0.2185

00

No.

PER_T

PPER_M

UL

ATS

M_F

TTP

Prob.

(%)

Other

Prob.

(%)

12

34

12


Tab

le7

(con

tinued)

User2

10

9010

040

10.996

0.195

098.94364

0.141929

20

9010

040

11.0521

0.1943

095.52419

0.253472

30

9010

040

10.7915

0.193

095.52419

0.253472

40

9010

040

11.0159

0.1925

099.86999

0.999164

50

8010

1040

11.1142

0.1863

099.91925

0.174863

60

8010

1040

9.87393

0.1963

099.60287

0.834865

70

8010

1040

9.56358

0.2094

099.12065

0.260601

80

8010

1040

9.72261

0.2029

099.12065

0.202846

90

900

1040

9.4924

0.1951

016.94235

52.26201

100

800

2040

8.90837

0.197222

0.649

7.256421

18.44556

Average:

81.18

7.38

User7

10

100

00

100

6.67098

0.334

094.24533

1.94E-07

20

100

00

906.06019

0.4669

08.223747

2.10E-05

30

100

00

906.17017

0.4714

08.223747

2.10E-05

40

100

00

906.19754

0.4647

080.78504

2.10E-05

50

100

00

906.01406

0.472778

0.4

8.223747

4.82E-06

610

900

090

5.88674

0.484222

0.4

0.381316

1.98E-04

720

800

090

5.66572

0.506625

0.413

5.297715

1.98E-04

830

700

090

6.42273

0.540857

0.326667

99.95875

7.40E-06

930

700

090

6.1902

0.565167

0.279

96.99214

7.40E-06

1040

600

080

5.89522

0.609

0.3364

98.82046

4.03E-06

Average:

50.12

4.83E-05


the minimum number of keystroke dynamics records was 200 and the minimum number ofmouse dynamics records was 2,500.

To evaluate the system’s performance, we calculated the FRR and FAR. A false rejectionoccurs when a genuine user is incorrectly rejected by the system as an imposter. A falseacceptance occurs when the system fails to detect an imposter; in other words, the imposteris able to impersonate a genuine user.

To test for false rejection, for each of the genuine users, we compared one-by-one the restof their genuine sessions (not involved in building their profiles) against their own profile.The FRR for each of the genuine user was obtained as the ratio between the number of falserejections and the total number of trials. The overall FRR was obtained as the average of theindividual FRRs obtained for all the genuine users.

To test for false acceptance, for each of the genuine users, we compared one-by-oneagainst his/her profile the attack sessions generated for this user. The individual FAR wascomputed for each user as the ratio between the number of false acceptances and the numberof test trials. The overall FAR was computed as the average of the individual FAR over allthe genuine users.

5.4 User enrollment and verification

We used stratified 10-fold cross validation to train the Bayesian network corresponding to auser profile. The validation steps are briefly explained in the following. First, randomize therecords and divide them into 10 equal size subsets (or 10 folds). Each fold has similar classdistribution. This type of validation is called stratified validation. Second, repeat the run testsfor 10 times. In each round i (1≤ i≤10), the ith subset is removed from the training set and isused as a test set. We then obtain the correctly classified records for 10 tests. The correctlyclassified records are the records whose predicted class probability is over 50 %. The totalnumber of correctly classified records is the sum for 10 tests. The percentage of correctlyclassified records (PCCR) is the total number of correctly classified records divided by thetotal number of records. Table 5 lists the numbers of sessions and records in each training setand the PCCR corresponding to legal users’ profiles.

Figure 3 displays the trained keystroke Bayesian Networks for two different users; User 2and User 7. In the verification stage, we apply sample keystroke dynamics records on theBayesian network profile of a given user to compute the probability that the records weregenerated by the user. Obviously, the probability is expected to be high if the records belongto the user and low otherwise.

Table 6 lists examples of mouse records from genuine sessions for User 2 and User 7.Similarly, Table 6 shows some examples of keystroke dynamics records for User 2 and User7. The records are consecutive in time and are selected from a genuine session for each of theusers. The Prob. (%) column is the class probability of the record. The column titled Other

Table 8 FRR/FAR results for keystroke dynamics while varying the threshold

Threshold (%) 0.00 5.00 10.00 15.00 20.00 25.00 30.00 35.00 40.00 45.00 50.00

FAR (%) 96.00 49.42 32.92 30.92 25.25 25.25 20.67 8.67 7.00 7.00 7.00

FRR (%) 0.00 0.00 3.33 5.83 10.93 14.52 38.62 46.76 49.04 55.48 56.99

Threshold (%) 55.00 60.00 65.00 70.00 75.00 80.00 85.00 90.00 95.00 100.00

FAR (%) 5.33 3.67 3.67 2.00 2.00 2.00 2.00 0.00 0.00 0.00

FRR (%) 66.68 72.27 79.36 82.69 85.19 88.46 88.72 95.06 98.33 100.00


Prob. (%) lists the class probability obtained by applying the given record on the other user’sprofile network. It can be noted that the Other Prob. (%) values are much lower than the classprobabilities. For example, in Table 7, by applying the record No. 1 of User 2 on User 7’sBayesian network profile, the class probability is 0.14 %, while the class probability ofapplying the same record on User 2’s own network is 98.94 %. Table 7 lists examples ofmouse records from genuine sessions for User 2 and User 7. The class probability valuesfrom mouse data samples obtained by applying the data on trained Bayesian networks areshown as well. The Other Prob. (%) column has the same meaning as in Table 6. It can benoted that the Other Prob. (%) values are much lower than the class probabilities.

5.5 Evaluation results

Keystrokes and mouse actions were collected from a total of 24 test users. Due to limitednumbers of sessions contributed by some test users, the total number of users having enoughdata for enrolment was 12. These users represent our legal users in calculating the FAR andFRR. We evaluated the performance of each individual modality for each user separately.Averaging users’ FRR and FAR yielded the overall FRR and FAR for that modality. Tables 8and 9 display individual performance results corresponding to each of the different modal-ities by varying the threshold.

Figure 4 shows the Receiver Operating Characteristic (ROC) curves corresponding to theindividual modalities. From this figure, it can be observed that the mouse dynamics haveslightly lower equal error rate (EER) at 22.41 %, while keystroke dynamics yields an EER at24.78 %.

Fig. 4 ROC Curves for individual modalities

Table 9 FRR/FAR results for mouse dynamics while varying the threshold

Threshold (%) 0.00 5.00 10.00 15.00 20.00 25.00 30.00 35.00 40.00 45.00 50.00

FAR (%) 100.00 53.99 34.33 21.71 16.97 7.58 6.06 4.55 4.55 0.00 0.00

FRR (%) 0.00 2.50 7.50 23.38 33.99 46.25 64.06 73.64 80.00 88.30 89.32

Threshold (%) 55.00 60.00 65.00 70.00 75.00 80.00 85.00 90.00 95.00 100.00

FAR (%) 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00

FRR (%) 90.68 90.91 92.73 92.73 96.36 100.00 100.00 100.00 100.00 100.00


We combined both modalities using Bayesian fusion. Table 10 shows the FRR/FAR,whereas Fig. 5 shows the corresponding ROC curve. The overall EER is 8.21 %. This islower than either the EER of keystroke dynamics or the EER of mouse dynamics, and can beconsidered as very encouraging considering the small size of many of the web sessionsinvolved.

The obtained results are very encouraging considering the limited amount of free text andfree mouse movements available in many web sessions.

6 Conclusions

We have presented a risk-based authentication system for web environments that combinesmouse and keystroke dynamics biometrics using Bayesian network models. Web environ-ments are characterized by the limited amount of keystrokes and mouse actions involved inmany sessions. This makes detection hard, especially for free samples produced without anypredefined baseline. Our proposed approach achieves an EER of 8.21 %, which is encour-aging. Risk-based authentication can be applied from two different perspectives: proactivelyand reactively. When applied proactively, risk-based authentication can be integrated withthe login process and used to block from the beginning access to users flagged as risky. Incontrast, reactive risk-based authentication can be used to identify and revert ongoing orcompleted transactions considered as risky.

Fig. 5 ROC Curve for mouse dynamics and keystroke dynamics fusion

Table 10 FRR/FAR results by combining keystroke dynamics and mouse dynamics

Threshold (%) 0.00 5.00 10.00 15.00 20.00 25.00 30.00 35.00 40.00 45.00 50.00

FAR (%) 97.42 8.21 4.17 4.17 1.39 0.00 0.00 0.00 0.00 0.00 0.00

FRR (%) 0.00 6.58 17.04 28.21 39.89 44.73 63.34 70.70 72.57 75.07 76.53

Threshold (%) 55.00 60.00 65.00 70.00 75.00 80.00 85.00 90.00 95.00 100.00

FAR (%) 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00

FRR (%) 82.22 87.36 89.97 92.74 92.74 95.24 95.97 98.96 99.48 100.00


Although proactive risk-based authentication may be considered as more desirablethan reactive risk-based authentication, the cost of a misclassification error is fargreater in the former than in the latter. In other words, more stringent accuracyrequirements underlie proactive approaches compared to reactive ones. Actually, eachcategory is adequate for specific scenarios. While proactive risk based authenticationis important in situations where confidentiality is essential such as in military orintelligence transactions, reactive risk-based authentication may be enough in situa-tions where integrity is the primary concern. For instance, in online banking trans-actions, malicious transactions (e.g. illegal transfer between accounts) can be reverted(immediately) by the end of the session if the user is classified as risky. As shownabove, the experimental evaluation of our proposed risk-based authentication schemeyields an EER of 8.21 %. Although such performance can be considered relativelylow for proactive risk-based authentication, we believe that it is adequate for reactiverisk-based authentication. In this case, the goal is not to prevent the user from usingthe system, but rather to identify malicious sessions and trigger appropriate riskmitigation measures.

As future work, we intend to focus on improving the performance of our proposed systemby studying alternative machine learning techniques such as neural networks and artificialimmune systems. We will also expand our experimental dataset by involving moreparticipants.

References

1. [Online] Available: http://www.admitonesecurity.com. AdmitOne Security Suite2. [Online] Available: http://www.rsa.com. RSA Adaptive Authentication System3. Ahmed AA, Traore I (2007) A new biometric technology based on mouse dynamics. IEEE Transactions

on Dependable and Secure Computing 4(3):165–1794. Aksarı Y, Artuner H (2009) Active authentication by mouse movements. In Proc. of the IEEE

24th Intl. Symposium on Computer and Information Sciences (ISCIS’09), Metu, Northern Cypruspp. 571–574

5. Bergadano F, Gunetti D, Picardi C (2002) User authentication through keystroke dynamics. ACM TransInf Syst Secur 5(4):367–397

6. Bouckaert RR (2004) Bayesian network classifiers in Weka. University of Waikato, http://weka.sourceforge.net/manuals/weka.bn.pdf

7. Bours P, Fullu CJ (2009) A login system using mouse dynamics. In Proc. of the 5th Intl. Conference onIntelligent Information Hiding and Multimedia Signal Processing (IIH-MSP’09), Kyoto, Japan, Sept. 12–14

8. Cheng P-C, Rohatgi P, Keser C, Karger P, Wagner GM, Reninger AS (2007) Fuzzy multi–level security:an experiment on quantified risk–adaptive access control. IBM Research Report RC24190

9. Diep NN, Lee S, Lee Y-K, Lee HJ (2007) Contextual risk-based access control. Secur Manag, pp. 406–412

10. Dimmock N, Bacon J, Ingram D, Moody K (2005) Risk models for trust–based access control. In Proc. ofthe 3rd Annual Conference on Trust Management (iTrust’05), Series LNCS, Vol. 3477, Springer, May,426 pages

11. Dowland P, Furnell S, Papadaki M (2002) Keystroke analysis as a method of advanced user authenticationand response. In Proc. of the 17th Intl. Conference on Information Security: Visions and Perspectives(IFIP TC11), The Netherlands, May 07–09, pp. 215–226

12. Dowland P, Singh H, Furnell S (2001) A preliminary investigation of user authentication using continuouskeystroke analysis”, In Proc. of the 8th IFIP Annual Working Conference on Information SecurityManagement and Small System Security, Las Vegas, Nevada

13. Enokido T, Takizawa M (2011) Purpose-based information flow control for cyber engineering. IEEETrans Ind Electro 58(6):2216–2225


http://www.admitonesecurity.com/

http://www.rsa.com/

http://weka.sourceforge.net/manuals/weka.bn.pdf

http://weka.sourceforge.net/manuals/weka.bn.pdf

14. Fayyad UM, Irani KB (1993) Multi-interval discretization of continuous-valued attributes for classificationlearning. In Proc. of the 13th Intl. Joint Conference on Artificial Intelligence, Chambery, France, Aug. 28 –Sept. 3

15. Friedman N, Geiger D, Goldszmidt M (1997) Bayesian network classifiers. Mach Learn 29:131–16316. Gaine R, Lisowski W, Press SJ, and Shapiro N (1980) Authentication by keystroke timing: Some

preliminary results. Rand Report No R-2526-NSF, Rand Corporation17. Gamboa H, Fred A (2003) An identity authentication system based on human computer interaction

behaviour. In Proc. of the 3rd Intl. Workshop on Pattern Recognition in Information Systems, Angers,France, pp. 46–55

18. Gunetti D, Picardi C (2005) Keystroke analysis of free text. ACM Trans Inf Syst Secur 8(3):312–34719. Jiang C-H, Shieh S, Liu J-C (2007) Keystroke statistical learning model for web authentication. In Proc.

of the 2nd ACM Symposium on Information, Computer and Communications Security (ASIACCS’07),Singapore, Mar., pp. 359–361

20. Kononenko I (1995) On biases in estimating multi-valued attributes. In Proc. of the 14th Intl. JointConference on Artificial Intelligence, Montreal, Quebec, Canada, Aug. 20–25

21. Legget J, Williams G (1988) Dynamic identity verification via keystroke characteristics. InternationalJournal on Man–machine Studies 35:859–870

22. Lian S, Chen X, Wang J (2012) Content distribution and copyright authentication based on combinedindexing and watermarking. Multimedia Tools Appl 57(1):49–66

23. Monrose F, Rubin A (1997) Authentication via keystroke dynamics”, In Proc. of the 4th ACM Conferenceon Computer and Communications Security, Zurich, Switzerland, April 01–04, pp. 48–56

24. Obaidat MS, Macchairllo DT (1993) An on-line neural network system for computer access security.IEEE Trans Ind Electron 40(2):235–242

25. Obaidat MS, Sadoun B (1997) Verification of computer users using keystroke dynamics. IEEETransactions on Systems, Man, and Cybernetics, Part B 27(2):261–269

26. Orozco M, Graydon M, Shirmohammadi S, El Saddik A (2012) Experiments in haptic-based authenti-cation of humans, International Journal of Multimedia Tools and Applications - Springer Science +Business Media B.V. (To Appear)

27. PusaraM, Brodley C (2004) User Re-authentication via mouse movement. In Proc. of the 11th ACMWorkshopon Visualization and Data Mining for Computer Security (CCS’04), Oct. 25–29, Washington, DC, USA

28. Revett K, Jahankhani H, De Magalhaes S, Santos H (2008) A survey of user authentication based on mousedynamics, In Proc. of the 4th Intl. Conference on Global E-Security, London, UK, June 23–25, pp. 210–219

29. Syukri A, Okamoto E, Mambo (1998) A user identification system using signature written with mouse. InProc. of the Australasian Conference on Information Security and Privacy (ACISP ’98), Vol. 1438,Brisbane, Australia, pp. 403–414

30. Traore I, Woungang I, Obaidat MS, Nakkabi Y, Lai I (2012) Combining mouse and keystroke dynamicsbiometrics for risk-based authentication in web environments. In Proc. of the 4th IEEE Intl. Conferenceon Digital Home (ICDH 2012), Guangzhou, China, pp. 138–145, Nov. 23–25

31. Tubin G (2005) Emergence of risk-based authentication in online financial services: You Can’t Hide YourLyin’ IP. Whitepaper #V43:15N, Tower Group, May

32. Tuptuk N, Lupu E (2007) Risk based authorization for mobile Ad Hoc networks. In Proc. of the 1st Intl.Conference on Autonomous Infrastructure, Management and Security: Inter-Domain Management (AIMS2007), LNCS 4543, Springer-Verlag, Berlin, Heidelberg, pp. 188–191

33. Villani M, Tappert C, Giang N, Simone J, Fort H, St., Sung-Hyuk C (2006) Keystroke biometricrecognition studies on long-text input under ideal and application-oriented conditions, In Proc. of theIEEE Conference on Computer Vision and Pattern Recognition Workshop (CVPRW’06), New York,USA, June 17–22, pp. 39


Dr. Issa Traore obtained a PhD in Software Engineering in 1998 from Institute Nationale Polytechnique(INPT)-LAAS/CNRS, Toulouse, France. He has been with the faculty of the Department of Electrical andComputer Engineering of the University of Victoria since 1999. He is currently an Associate Professor and theCoordinator of the Information Security and object Technology (ISOT) Lab (http://www.isot.ece.uvic.ca) atthe University of Victoria. His research interests include biometrics technologies, computer intrusion detec-tion, network forensics, software security, and software quality engineering. He has published over 100technical papers in computer security in the last 10 years. He is currently serving as Associate Editor for theInternational Journal of Communication Networks and Distributed Systems (IJCNDS).

Dr. Isaac Woungang received hisM.S. & Ph. D degrees, inMathematics, from theUniversité de laMéditerranée-Aix Marseille II, France, and Université du Sud, Toulon & Var, France, in 1990 and 1994 respectively. In 1999, hereceived a M.S degree from the INRS-Materials and Telecommunications, University of Quebec, Montreal,Canada. From 1999 to 2002, he worked as a software engineer at Nortel Networks. . Since 2002, he has beenwith Ryerson University, where he is now an Associate Professor of Computer Science and Coordinator of theDistributed Applications and Broadband (DABNEL) Lab (http//www.scs.ryerson.ca/iwoungan).


http://dx.doi.org/http://www.isot.ece.uvic.ca/


Prof. Mohammad S. Obaidat (Fellow of IEEE and Fellow of SCS) is an internationally well-known academic/researcher/scientist. He received his Ph.D. and M. S. degrees in Computer Engineering with a minor in ComputerScience from Ohio State University. Dr. Obaidat is currently a full Professor of Computer Science at MonmouthUniversity, NJ, USA. Among his previous positions are Chair of the Department of Computer Science andDirector of the Graduate Program at Monmouth University. He has received extensive research funding and haspublished over Fifteen (15) books and over 570 refereed technical articles. Mohammad is the Editor-in-Chief of 3scholarly journals and is also an editor, advisory editor of numerous international journals and transactionsincluding IEEE journals/transactions. He has chaired numerous international conferences and given numerouskeynote speeches all over the works. http://bluehawk.monmouth.edu/mobaidat.

Dr. Youssef Nakkabi is a Senior Scientist at the Electrical and Computer Engineering Department, University ofVictoria. Dr. Nakkabi received BSc degree in Electrical and Computer Sciences from the University of Fez,Morocco in 1998, a MSc degree in Automatic Control and Computer Engineering from Paul Sabatier University(UPS)-LAAS-CNRS, Toulouse, France in 2000 and Ph.D. Degree from University of Perpignan in conjunctionwith the “Institut National des Sciences Appliquées” of Toulouse, France in 2007. His research interests includeintrusion detection systems, and behavioral biometrics systems. He is member of the Security and ObjectTechnology (ISOT) Research Laboratory at the University of Victoria (http://www.isot.ece.uvic.ca).




Iris Lai recently received her M.Sc. degree in Computer Science at the University of Victoria, B.C., Canada,in the area of Biometric Security. She is member of the Security and Object Technology (ISOT) ResearchLaboratory at the University of Victoria (http://www.isot.ece.uvic.ca).



online risk-based authentication using behavioral biometrics risk-based...

Documents