1 / 27

Profiling User Behaviour to Reveal Computer Misuse

Profiling User Behaviour to Reveal Computer Misuse. Mike Dowman Andrea Szymkowiak Natalie Coull Leslie Ball The University of Abertay Dundee Funded by the Carnegie Trust. Outline. Can we identify people through how they interact with computers?

ebarb
Télécharger la présentation

Profiling User Behaviour to Reveal Computer Misuse

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Profiling User Behaviour to Reveal Computer Misuse Mike Dowman Andrea Szymkowiak Natalie Coull Leslie Ball The University of Abertay Dundee Funded by the Carnegie Trust

  2. Outline • Can we identify people through how they interact with computers? • Could you be leaving a biometric signature every time you use a computer even though you don’t realise it? • Can we tell anything about a person’s state of mind through how they interact with a computer?

  3. Biometrics: Introduction • Physiological

  4. Biometrics • Behavioural

  5. Psychology of Typing • Every time we type a word there tends to be a consistent temporal structure • This structure is associated with individual words (not groups of letters, or multi-word phrases) • Can we use key timing data to detect if a password is being used by someone it doesn’t belong to?

  6. Movement and Emotion • Mood affects movement • Emotional stress or anxiety  more varied application of force (Noteboom et al. (2001), Journal of Applied Physiology) or timing (Coombes et al. (2005), Journal of Motor Behaviour). • Can we detect state of mind from typing? • Could this give us an indication of when people are using computers to commit crimes?

  7. Experiment Design • 35 participants • each logged in 36 times • over 3 separate sessions • using the same username and password each time • stressed and neutral conditions were alternated

  8. Data Recorded • How long each key was held down (hold time) • The time between releasing one key and pressing the next (possibly negative if there is overlap) (latency)

  9. Data Recorded • How long each key was held down (hold time) • The time between releasing one key and pressing the next (possibly negative if there is overlap) (latency) Do people type with consistent timing patterns? Are the timings of different people clearly distinct? Do people type differently when under stress?

  10. Generating Stress • IADS sounds (Bradley and Lang, 1999) were played to participants using headphones before and during typing Two conditions: • Sounds were ‘neutral’ everyday noises, such as paper being crumpled up, or an electric fan • Sounds were ‘stressful’ sounds such as couples fighting, sirens or a bee buzzing

  11. Evaluating Response to Sounds Do the sounds really affect people’s state of mind? Galvanic skin response (GSR): Electrodes were attached to the skin, and used to measure its conductivity • Conductivity should rise if participant becomes stressed

  12. Two People’s Latency Times

  13. Two People’s Hold Times

  14. Latency Times – Two Touch Typists

  15. Who is this?

  16. Hold Times – Two Touch Typists

  17. Who is this?

  18. The Biometric System login attempt reference timings Matching Algorithm ACCEPTREJECT

  19. Testing 1 • 36 login records were collected from each of 35 people • Each person used the same username and password Genuine login attempts • 35 of a person’s login records were used as a reference sample • The other one was used as the login attempt Would the login be accepted (correct) or rejected (error)? 36 logins * 35 people = 1,260 total attempts

  20. Testing 2 Imposters • 35 of a person’s login records were used as a reference • Any one of the other login records from a different user could be the attempt Would the login be rejected (correct) or accepted (error)? 35 people for reference samples * 34 other people for login attempts * 36 login records per person = 42,840 total attempts

  21. Results The system works well with: • Latencies • Holds But best with both together A sensitivity parameter controls how close an attempt has to match the reference sample to be accepted Depending on the application we may want a more strict or a more forgiving system

  22. Overall System Performance The equal error rate is 2.8% So it’s 97.2% accurate

  23. Detecting Stress We measured the peak increase in galvanic skin response in the first 5 seconds of sound presentation On average, skin conductivity was greater with the stressful sounds than with the neutral ones (t-test, P < 0.01) But will typing patterns be any different?

  24. Effect of Stress on Typing An omnibus paired data multivariate randomization test for difference in means, run on the data of all the participants, showed that there was a difference in: • hold times (P < 0.01) But not in • latencies On average there was less variability in hold times under stress (t-test, P < 0.05) But there was no significant difference in mean latency or hold times • Stress has changed the pattern of timings more than the overall speed of typing

  25. Applications • On-line shopping: Are you spending money using someone else’s account? • Credit cards: there’s a distinct timing sequence to how we type in numbers • ATM/Chip and PIN: Is it really us? Are we acting under duress? • Self-service check-in at airports: Is he showing signs of abnormal stress? • Investment banks: Is she gambling £1,000,000,000 without our permission?

  26. Key Advantages (1) No need for special hardware (2) Works over the internet (3) It’s hard to fake a timing pattern (4) Passwords can easily be changed - unlike fingerprints (5) We can detect signs of abnormal behaviour – not just identity

  27. References • Bradley, M. M. and Lang, P. J. (1999). International affective digitized sounds (IADS): Stimuli, instruction manual and affective ratings (Technical report B-2). Gainesville, FL: The Centre for Research in Psychophysiology, University of Florida. • Gaines, R. Lisowski, W., Press, S. and Shapiro, N. Authentication by keystroke timing: Some preliminary results. Rand Report R-256-NSF. Rand Corporation, Santa Monica, CA, 1980. • Hugo Gamboa and Ana Fred, “A behavioural biometric system based on human-computer interaction,” in SPIE 5404 - Biometric Technology for Human Identification, A. K. Jain and N. K. Ratha, Eds., Orlando, USA, August 2004, pp. 381–392. • Joyce, R. and Gupta, G. (1990). Identity Authentication Based on Keystroke Latencies. Communications of the ACM, 33(2):168-176. • Ting, I. H., Clark, L., Kimble, C., Kudenko, D. and Wright, P. (2007). APD-A Tool for Identifying Behavioural Patterns Automatically from Clickstream Data. In Knowledge-Based Intelligent Information and Engineering Systems. Berlin: Springer. • Viviani, P. and Terzuolo, C. (1982). On the relation between word-specific patterns and the central control model of typing: A reply to Gentner. Journal of Experimental Psychology: Human perception and Performance, 8:811-813.

More Related