You are on page 1of 10


G.V. Sai Dheeraj
Email-appu !"!#$%ah&&.'&.i( 3/4 B. E , ECE, College of Engineering, ANITS, Vishakapatnam.

Email-)ura*ala )ridhar!"+,$%ah&&.'&.i( 3/4 B.E, ECE, College of Engineering, ANITS - Vishakapatnam.

ABSTRACT Biometrics is one of the stupendous sciences that bought a great revolution in the information technology field. It is the science of measuring and statistically analyzing biological data, used to recognize different body parts like the eyes, fingerprints, facial characteristics, voice. In this paper we introduce the idea of using behavioral biometrics in intrusion detection applications.A new biometricsbased technique, which can be used to detect intrusion without the need for any special hardware implementation and without forcing the user to perform any special actions. he technique is based on using !keystroke dynamics" and !mouse dynamics" biometrics. INTRODUCTION #ifferent types of biometrics are currently available in the market, and are

widely classified



various two

security can be and categories,

applications. !physiological

Biometrics into


!behavioral biometrics". $hysiological biometrics identify the user based on physiological characteristics, such as fingerprints and eye retina%iris scanning, whereas behavioral biometrics depend on detecting the behavior of the user. he detection framework is based on &eystroke and mouse dynamics biometrics, which represent two separate but related biometrics. #ata collection is performed using a common detection module, but processing for each biometrics technology is based on different algorithms. 'ere is an overview of the biometrics technologies involved in the detector. he utilization of biometrics technology, however, has so far been limited to identity and verification access in authentication control

who operate out of these network segments. here are also a number of secondary obstacles to the use of biometrics for intrusion detection such as whether the technology allows dynamic detection. A popular biometrics system. which restricts their use to only networks segments that provide them. BIOMETRIC MODALITIES: Biometric characteristics can be classified broadly into two main classes2 applications such as intrusion detection systems have been left out of this technology. for data is certain &eystroke dynamics doesn+t require collection regular keyboard monitoring. his e*cludes the possibility of passive monitoring. which is essential for intrusion detection. In this respect. dynamic.ouse dynamics. and it simply requires a standard computer mouse for data collection. such systems are able to detect any intrusions. By combining traditional intrusion detection systems that focus on the actions conducted by the user. dynamics hardware .ouse and keystroke dynamics biometrics are two related technologies. with biometrics hat focus on the identity of the user. . fulfills all the characteristics required for intrusion detection since it allows passive. and real-time monitoring of users. 'ence important security circumstances can be used for dynamic monitoring./0I.based applications. mouse dynamics and keystroke dynamics are complementary biometrics.a and device under biometrics. making the systems irrelevant for a significant number of remote users. Actually. however. )o the ob1ective is to combine these two technologies in a common detector. and a keyboard is essential for command line based applications. . is keystroke special enough-. which escapes some of these limitations. he two primary reasons for this can be given as (irst. most biometrics systems require special hardware device for biometrics data the method is adapted with the traditional keystroke technology by addressing issues such as passive and dynamic monitoring. )econd. most biometrics systems require an active involvement of the user who is asked to provide some data sample that can be used to verify his identity. or real-time . A mouse is device for graphical user interface .

his process • Behavioral are related to the behavior of a person. he detection mode shares the first two stages with the enrollment mode. he third stage in this mode is the verification process where the signature calculated during the data processing stage is compared against the reference signature of the legitimate user. stages. which runs on the monitored victim-. which captures all mouse and keyboard actions. and identification %verification mode. for potential mouse responsible movement and keystroke data collection. the more the deviation the from less the the reference system is signature3 BASIC ARCHITECTURE: he client module. he detector operates in two modes2 enrollment mode. which checks it against the stored profiles. In the he operation of of the each mode consists of three consecutive first stage enrollment mode. a data capturing confident in the identity of the user.#). hese statements are directly passed to the ne*t stage of data processing where behavioral modeling and feature e*traction is conducted.ore modern approaches are the study of keystroke dynamics and of voice. in the third stage. and converts them into a set of more organized and meaningful statements. fingerprints.e. and iris process is conducted by a lightweight software module. .. his data is sent to the server software.&#)for the user being monitored. he server software is in charge of analyzing the data and computing a biometric profile. hand recognition. #ifferent comparison algorithms are used for each signature factor.ouse #ynamics )ignature . is machine . accumulates all actions received from the previous process over a predefined session period and performs a number of algorithms on the data to produce the .g.and &eystroke #ynamics )ignature . . (inally. face geometry hese are recognition. he computed profile is then submitted to a behavior comparison unit.• $hysiological are related to the shape of the body. which runs on a separate machine. the generated signature is stored in a database as a reference signature for the enrolled user.

5ach of these solutions has advantages and disadvantages. with the second solution. utilizing both mouse dynamics and keystroke dynamics biometrics much increases the accuracy and speed of the detection the system. In order to ensure that only users abiding by this policy access the monitored network. which may impact the collected data. )ince real life usage of most of the /0I based operating systems involves a combination of mouse and keyboard actions. An alternative may consist of enforcing the presence of agent software on any remote accessing machine. It is common practice in most organizations that remote access be regulated by a (ig 4. hen the administrator can require that users use this particular remote login implementation for remote access. In contrast. our biometric detector is e*tended with a Enforcing Biometrics Data Collection . for local users the security administrator can simply make sure that the data collection software is installed on local machines. (irst. (or remote users our approach consists of either providing our own remote login software or e*tending secure remote login software such as ))'. there is no delay in the data collection whereas transparency is not guaranteed.Among all biometrics. the mouse and keystroke dynamics biometrics are considered the most practical from an implementation point of view.#etector Architecture defined and strict policy. (irst solution allows collecting data transparently but may suffer from delays in the collection process. process without influence on the cost or performance of In the architecture presented in the previous section the client software is installed on the monitored machine.

which monitors both attempted and established he connections to the target machine. If the network analyzer detects resource usage on the target machine while there is no biometric data collected during a session. distributed intrusion detection systems. After these measurements have been collected. he functionality of this biometric is to measure the dwell time . this will raise the possibility that corresponding network traffic is due to a malicious process. 6n the other hand. (orgery can happen by observing the biometrics generation process or by stealing biometrics samples.and flight time . then the collected actions are translated into a number of digraphs or trigraphs to . he proposed architecture raises two important issues. In contrast with physiological biometrics. his is common to all processing session will be different from samples collected from a web browsing session. if the biometric detector is able to monitor activities on the target machine while the network analyzer failed to detect the network traffic resulting from such activities. In the particular case of mouse and keystroke dynamics forgery by observation is e*tremely difficult to achieve.the length of time a key is held down. )econd the biometrics system is sub1ect to forgery3 this is common to all biometrics technologies. which is not being e*ecuted by a legitimate user. his applies even when the data collection module is installed on the target machine. (irst the client%server communication scheme used is sub1ect to protocol attacks. a word connections list established by the traffic analyzer is compared against the active users list maintained by the core biometrics discrepancies detector. are then and possible reported as intrusions to the security administrator.the time to move from one key to traffic analyzer.for keyboard actions. the impact of biometrics sample theft can be alleviated for behavioral biometrics by using secure )amples communication collected from protocols. this will raise the possibility that the attacker managed to modify the behavior of the running application. Ke stro!e D namics Biometrics: &eystroke dynamics is considered a strong behavioral biometric.

however. where a neural network is trained for each keyboard key to best simulate presented its usage can dynamics be used with to reference to other keys. he detection algorithm generates a &eystroke #ynamics )ignature or &#). he pressure . he tri-graphs shown are centered by the character 7a+ . aiming to speed up the user enrollment process. able 4 shows a combination of tri-graphs generated from three sessions for two different users. In access control applications the e*tracted group of digraphs and tri-graphs are predefined since the user is asked to enter a paragraph containing analyzed in order to produce a pattern that identifies the user who generated these keyboard actions. key oriented neural network based approach is adapted . which is used as a reference user profile and matched against active user profiles to dynamically detect masqueraders. and the corresponding time used to perform the tri-graphs in milliseconds. he advantage of using . A technique is which appro*imate a digraph%tri-graph value based on other detected graphs and the locations of the keys with reference to each other. In intrusion detection applications.ab<I5= is that the keystroke latencies can be captured at the timing resolution of 4ms via the .ab<I5= system timer. #etecting the behavior from an une*pected set of digraphs requires large amount of data to be collected in the enrollment mode so as to cover a higher percentage of the captured data in the verification mode. he keystroke pressure is measured in volts ranging from > to 4> volts in the form of time discrete signal. this scenario is not applicable.A)8II code 9:-. able 42 ime used to perform different tri-graphs for two different users o construct the &#).

drag and drop. and then process the data obtained from these actions in order to analyze the behavior of the user. . and skewness. a unique set of values characterizing the user+s behavior over the monitoring period. kurtosis. point and silence behavioral movement-. total harmonic distortion. include and general .ouse dynamics is a new behavioral biometric recently introduced. fundamental frequency.e. peak value. (igure ?2 #i-graph appro*imation matrices for two different users .i. root mean square. signal in noise and distortion. mouse no movement.(( -.ab<I5= utilizes neural networks and statistical approaches to generate a number of factors from the captured set of actions3 these factors are used to construct what is called a . (eatures to be e*tracted from the frequency domain signal include mean.ouse #ynamics )ignature or . he idea behind this biometric is to monitor all mouse actions generated as a result of user interaction with a graphical user interface. he analysis transformed into the frequency domain by using (ast (ourier ransform .discrete time signals are then Mo"se D namics Biometrics: .#). he (( and the features are computed using the inbuilt )pectral measurements present in . energy.ouse actions click.

o give an idea about the detectable deviation. and their distinctiveness comparing large number of sessions for two different users. (igure @ shows data from five different sessions for the same user compared to a reference signature of the same user. 5ach point on these figures represents an intercepted mouse action.)#. (igure A2 Active profiles of a given user compared to the reference profile of a different user (igure :2 Average )peed for #ifferent ypes of Actions. (igures @ and A show e*amples of biometrics profiles based on the average speed against the traveled distance factor denoted . (or instance. (igure A shows a comparison between five signatures for the same user compared against a reference signature of a different user .(igure @2 Active profiles compared to the reference profile for the same user with respect to the reference signature of a different user. he *-a*is represents the traveled distance and the y-a*is represents the movement speed. (igure 92 ypes of Actions 'istogram. comparing large number of sessions for two different users.'ere also we notice the closeness of the profiles of the same user. he comparison technique used for this factor consists of computing the sum of the absolute difference between the curves3 this represents how far the curves are from each other3 if it is higher than a threshold then those curves .

raore !A Bew Biometrics echnology based on . he developed approach proves its effectiveness in responding to the simulated attacks in the conducted e*periments...5. technical Ceport 585-> @-:. 5ach session is represented by a line connecting the three readings involved in this factor. ##2 #rag and #rop-. and with respect to its corresponding values in other users signatures.ouse #ynamics". a new approach can be developed for avoiding computer intrusions and hacking. )eptember ?>>@. It calculates the significance of each factor with respect to the other factors in the same signature. he main ob1ective is to provide a self contained module specialized in intruder detection during user identity misuse. (igure : shows the relation between the movement speed and the type of performed action for the three recognized types of actions .A. References: 4. Behavior differences can be easily detected for the two users and values and ratios between entries can easily be identified. <ictoria. (igure 9 shows the histogram of the types of actions for a number of sessions for two different users.belong to two different users.ouse dynamics combined. #epartment of 5lectrical and 8omputer 5ngineering. (rom the figure we can notice the deviation between signatures of the two users as well as the reproducibility of this factor.ovement. and very low number of point and click actions. $82 $oint and 8lick.ouse . A neural network is trained for each enrolled user resulting different detection scheme to be used for each of them. 0niversity of <ictoria. he detection algorithm developed in this utilizes the seven detectable factors. 8anada. CONCLUSION: 0sing &eystroke dynamics and . threshold can be determined for each user during the enrollment phase when the reference mouse signature is generated. Ahmed. A large number of sessions for two different users are shown. Including .2 . A. I. he more factors in the user signature has a great influence on the accuracy of the detection process. (rom the figure we can notice that the first user performs very low number of regular mouse movements and depends mostly on point click and drag drop types while the second performs very high number of regular mouse movements.

. <ol. #epartment of 5lectrical and 8omputer 5ngineering. <.. .ay%Dune ?>>@. @.5. Ahmed. . @.A. ! oward Celiable 0ser Authentication through Biometrics". .onitoring Interaction 0niversity of <ictoria.agazine. 4 Bo. <ictoria. . E. . I. raore 'uman echnical !)ecurity 8omputer Ceport.?.arch ?>>A. 8anada. through #evices". I555 )ecurity F $rivacy .atyas. Ciha. A. pp A:-AG. Dr.