To make the CA and CI system more robust, we proposed the system architecture according to Figure 14.1, where template update has been taken into consideration. Some of the following interesting issues need to be researched to improve our current system performance:
• In KD, we have followed the user's global keystroke rhythms for missing digraphs and monographs. We feel that an alternative approximation technique for the missing digraphs and monographs could improve the system performance. In [74] researchers have used linear correlation between pairs of keys to address this issue. We could use this approach in our research as a starting point.
• We observed that the outlier removal process played an important role in the user’s profile creation process. Therefore, it is important to determine a proper outlier removal technique, in order to improve the system performance [61].
• We have noticed that the user's mood and time of day influence the dynamics [38]. We have also seen that users behave differently for different applications, e.g. the user's behaviour will change from playing games to typing documents. These could be useful to adjust the T_lockout threshold to improve the system performance. As an example, when a user is playing games we can lower the T_lockout threshold or we can adjust the parameters A, B, C and D of Algorithm 3.3.
• We have compared our approach with state of the art periodic approaches. The periodic approach can be seen as a special case of a Sliding Window based approach [121], where the window size and the step size are the same. It would be interesting to see the results for a Sliding Window based approach when the window size and step size are different.
• In our research, we assumed that at any time a session could be hijacked. In a practical scenario, session hijacking can happen when the system is unattended for a small but significant amount of time, i.e. when there is no activity for an amount of time that would allow the user to leave his work place and an attacker to get unnoticed access to the system. Therefore, it is safe to assume that if there is continuous system activity (i.e. without a significant amount of pause), then the data is coming from the same user (i.e. either the genuine user or an impostor user). So, to make our system more robust we can change the algorithmic parameters and the lockout threshold according to the user's activity. As an example, we can increase the T_lockout threshold or we can adjust the parameters A, B, C, and D of Algorithm 3.3 after a significant pause in the user's activity and relax them during a period of continuous activity.
• As mentioned in Section 13.3, our dataset has the user's application usage information (i.e. SI); this could also be used as a clustering technique to improve the system performance. Preliminary results of an application based clustering approach to improve the system accuracy for CI can be found in [109] when using KD.
• We did not perform any analysis on the computational cost or system overhead for our CA system. Because computations are performed on single actions, each calculation of the change of the trust takes limited time. We have selected behavioural biometrics because of the lower computational complexity compared to, for example, face recognition. More elaborate analysis is required before producing a deployable system.
• We believe that the sample size for the template creation has a very high impact on behavioural biometric research. We did not perform any analysis regarding this and we take this as a future work.
• There is an analogy between actions on a PC and on a touch screen. The touch screen tapping can be compared with keystroke actions while the swipes can be compared with mouse movements. We have performed research on mouse actions and keystroke actions separately and combined. The research on mobile devices using only swipe actions can be compared to the research using only mouse actions. As can be seen from the thesis, the performance changes when including both keystroke and mouse actions, and we believe that a similar observation can be made when including tapping with swipe actions. Our proposed techniques are general enough that they can be applied to any continuous authentication system, irrespective of the biometric modality. However, this needs to be confirmed with more experiments and analysis, and can be taken as future work.
• Stylometry features [23, 24] and language identification techniques [120] could be applied to improve the system performance. In the literature stylometry features have been computed over a block of data, therefore we have to apply this technique in our research in a different way. If a user is not locked out from the CA system after a significant number of keystroke actions, we can compute stylometry features within these keystroke actions (see the Block wise Feature Extraction and Comparison module in Figure 14.1). Based on the classification results of these stylometry features we can re-adjust the algorithmic parameters to make the CA system more robust. Similarly, language identification techniques and state of the art statistical features can be applied to improve the system performance.
• The objective of CI is to use it as forensic evidence. Through our experiment we produce the proof of the CI concept and the possibility to explore this in future. In our research, we directly use classification scores to identify the potential adversary. Therefore, it has a limitation to produce this evidence in court. The likelihood-ratio computation (i.e. $\frac{P(SC \mid H_p)}{P(SC \mid H_d)}$, where $SC$ is the score computed by the CIS, $H_p$ is the prosecution hypothesis and $H_d$ is the hypothesis of the defence) could be explored to convert the identification scores into forensic evidence in CI [6, 125].
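The sliding-window item above notes that periodic evaluation is the special case in which window size equals step size. The following is an added example, not code from the thesis: it scores a stream of per-action classification scores with a configurable window and step, and reports at which action the first window falls below a threshold, so the periodic and the overlapping-window variants can be compared on the same (constructed) score sequence. The score values, threshold and the use of the window mean as the decision statistic are assumptions made for illustration.

```python
"""Sliding-window scoring over a stream of per-action scores.

Added example (not from the thesis). A periodic evaluation is the special
case window_size == step_size; the general form lets the two differ.
"""
from statistics import mean


def sliding_window_scores(scores, window_size, step_size):
    """Return the mean score of every full window.

    Windows start at 0, step_size, 2*step_size, ... and each contains
    window_size consecutive scores. Trailing partial windows are not scored.
    """
    if window_size <= 0 or step_size <= 0:
        raise ValueError("window_size and step_size must be positive")
    return [
        mean(scores[start:start + window_size])
        for start in range(0, len(scores) - window_size + 1, step_size)
    ]


def periodic_scores(scores, block_size):
    """Periodic evaluation: non-overlapping blocks, i.e. window == step."""
    return sliding_window_scores(scores, block_size, block_size)


def first_alarm_index(scores, window_size, step_size, threshold):
    """Index of the action at which the first window falls below threshold.

    Returns None if no window triggers. This lets one compare how quickly a
    take-over is noticed for different window/step combinations.
    """
    window_means = sliding_window_scores(scores, window_size, step_size)
    for k, window_mean in enumerate(window_means):
        if window_mean < threshold:
            return k * step_size + window_size - 1
    return None


# Constructed sample: genuine-looking scores followed by an impostor take-over.
GENUINE = [0.9, 0.8, 0.85, 0.95, 0.9, 0.8]
IMPOSTOR = [0.2, 0.3, 0.1, 0.25, 0.2, 0.3]
SAMPLE = GENUINE + IMPOSTOR

if __name__ == "__main__":
    # Periodic (window 4, step 4) alarms at action 11; sliding (step 1) at 8.
    print("periodic alarm at action:", first_alarm_index(SAMPLE, 4, 4, 0.5))
    print("sliding  alarm at action:", first_alarm_index(SAMPLE, 4, 1, 0.5))
```

On the constructed sequence the overlapping window raises the alarm three actions earlier than the periodic one, at the cost of evaluating a window after every action rather than after every fourth.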
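The session-hijacking item above proposes tightening the lockout threshold after a significant pause and relaxing it during continuous activity. The following added example (not the thesis's Algorithm 3.3; its parameters A, B, C and D are not reproduced here) simulates a trust model in which a pause longer than an assumed idle limit raises T_lockout, and a run of continuous actions lowers it again. The trust update rule, the reward and penalty amounts and all time constants are assumptions chosen for illustration.

```python
"""Trust-based lockout whose threshold tightens after a pause in activity.

Added example, not the thesis's Algorithm 3.3. Every constant below is an
assumption chosen for illustration.
"""

GENUINE_SCORE_CUTOFF = 0.5   # per-action score at or above which trust is rewarded
REWARD = 2.0                 # trust gained per genuine-looking action
PENALTY = 8.0                # trust lost per impostor-looking action
TRUST_MAX = 100.0

T_LOCKOUT_RELAXED = 60.0     # threshold during continuous activity
T_LOCKOUT_STRICT = 85.0      # threshold right after a significant pause
PAUSE_SECONDS = 120.0        # gap long enough for the user to leave the desk
RELAX_AFTER_ACTIONS = 20     # continuous actions before relaxing again


def run_session(events):
    """Simulate a CA session over (timestamp_seconds, score) events.

    Returns (locked_out_at, trust_trace): locked_out_at is the index of the
    event that caused lockout (None if the session never locks out) and
    trust_trace lists the trust value after each processed event.
    """
    trust = TRUST_MAX
    threshold = T_LOCKOUT_RELAXED
    last_ts = None
    actions_since_pause = RELAX_AFTER_ACTIONS  # session starts "relaxed"
    trace = []
    for i, (ts, score) in enumerate(events):
        # A long gap means the system may have been unattended: tighten.
        if last_ts is not None and ts - last_ts >= PAUSE_SECONDS:
            threshold = T_LOCKOUT_STRICT
            actions_since_pause = 0
        last_ts = ts
        actions_since_pause += 1
        # Enough continuous activity since the pause: relax again.
        if actions_since_pause >= RELAX_AFTER_ACTIONS:
            threshold = T_LOCKOUT_RELAXED

        trust = min(TRUST_MAX, trust + REWARD) if score >= GENUINE_SCORE_CUTOFF \
            else trust - PENALTY
        trace.append(trust)
        if trust < threshold:
            return i, trace
    return None, trace


# Constructed scenarios: the same two impostor-looking actions, once within
# continuous activity and once right after a five-minute pause.
CONTINUOUS = [(0, 0.9), (1, 0.9), (2, 0.2), (3, 0.2)]
AFTER_PAUSE = [(0, 0.9), (1, 0.9), (300, 0.2), (301, 0.2)]
# After the pause, 20 genuine-looking actions relax the threshold again.
RECOVERED = [(0, 0.9)] + [(300 + k, 0.9) for k in range(20)] + [(320, 0.2), (321, 0.2)]

if __name__ == "__main__":
    print("continuous :", run_session(CONTINUOUS)[0])   # None
    print("after pause:", run_session(AFTER_PAUSE)[0])  # 3
    print("recovered  :", run_session(RECOVERED)[0])    # None
```

The same two suspicious actions are tolerated during continuous activity but cause a lockout when they directly follow a long pause, which is the asymmetry the item above argues for.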
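The last item above suggests converting CI scores into a likelihood ratio P(SC|Hp)/P(SC|Hd). The following added example (not from the thesis or [6, 125]) models the score distribution under each hypothesis as a Gaussian fitted to a constructed set of calibration scores (scores from sessions known to be the suspect's under Hp, scores from other users under Hd) and evaluates the ratio, and its base-10 logarithm, for a new score. The Gaussian model and the calibration scores are assumptions; a real deployment would calibrate on the CIS's own score distributions.

```python
"""Likelihood ratio from CI classification scores.

Added example, not from the thesis. P(SC|Hp) and P(SC|Hd) are modelled as
Gaussians fitted to constructed calibration scores; LR = P(SC|Hp) / P(SC|Hd).
"""
import math
from statistics import mean, stdev


def gaussian_pdf(x, mu, sigma):
    """Density of N(mu, sigma^2) at x."""
    if sigma <= 0:
        raise ValueError("sigma must be positive")
    z = (x - mu) / sigma
    return math.exp(-0.5 * z * z) / (sigma * math.sqrt(2 * math.pi))


def fit_gaussian(scores):
    """Return (mean, sample standard deviation) of a score set."""
    if len(scores) < 2:
        raise ValueError("need at least two calibration scores")
    return mean(scores), stdev(scores)


def likelihood_ratio(sc, hp_scores, hd_scores):
    """LR = P(SC|Hp) / P(SC|Hd) for a CIS score sc.

    hp_scores: calibration scores under the prosecution hypothesis
               (sessions known to come from the suspect).
    hd_scores: calibration scores under the defence hypothesis
               (sessions known to come from other users).
    """
    mu_p, sd_p = fit_gaussian(hp_scores)
    mu_d, sd_d = fit_gaussian(hd_scores)
    return gaussian_pdf(sc, mu_p, sd_p) / gaussian_pdf(sc, mu_d, sd_d)


def log10_lr(sc, hp_scores, hd_scores):
    """log10 of the likelihood ratio; positive supports Hp, negative Hd."""
    return math.log10(likelihood_ratio(sc, hp_scores, hd_scores))


# Constructed calibration scores (assumed CIS output, higher = more suspect-like).
HP_SCORES = [0.7, 0.8, 0.9]   # suspect's own sessions
HD_SCORES = [0.1, 0.2, 0.3]   # other users' sessions

if __name__ == "__main__":
    for sc in (0.2, 0.5, 0.8):
        print(f"SC={sc:.1f}  log10 LR={log10_lr(sc, HP_SCORES, HD_SCORES):+.2f}")
```

With the symmetric calibration sets above, a score halfway between the two means yields LR = 1 (no support for either hypothesis), while a score equal to the suspect's mean yields log10 LR close to +7.8, which is the quantity a court could weigh rather than the raw classification score.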
Part V
Appendix A
BeLT - Behaviour Logging Tool
We present the design and implementation of a Windows operating system based logging tool, which can capture keystroke, mouse, software interaction and hardware usage simultaneously and continuously. Log data can be stored locally or transmitted in a secure manner to a server. Filter drivers are used to log with high precision. Privacy of the users and confidentiality of sensitive data have been taken into account throughout the development of the tool. Our behaviour logging software is mainly designed for behavioural biometrics research, but its scope could also be beneficial to proactive forensics and intrusion detection.
This chapter is based on the paper published in: [106] MONDAL, S., BOURS, P., JOHANSEN, L., STENVI, R., AND ØVERBØ, M. Importance of a Versatile Logging Tool for Behavioural Biometrics and Continuous Authentication Research. IGI Global, 2015, ch. Handbook of Research on Homeland Security Threats and Countermeasures.
A.1 Introduction
Facing an increasing number of computer users and cyber-crime enabled by weak authentication mechanisms, a CA system that can monitor a claimed user's identity throughout a session could be a strong addition. It is challenging enough to design a CA system which is unobtrusive, user friendly (where the legitimate user is never or very infrequently locked out by the system) and at the same time secure enough to detect any illegitimate user as soon as possible. There are many possible ways to implement a CA system, but behavioural biometrics are promising enough to achieve cost effectiveness (because no special hardware is required) and unobtrusiveness [151]. To create such a system, it is necessary to analyse a large amount of information about multiple users regarding how they interact with their computers. This information includes keystrokes, mouse usage, software interaction and hardware events. It is also necessary to focus on the input of the user via mouse and keyboard simultaneously, to defend against an attacker who avoids detection by restricting himself to one input device while the system only checks the other input device [1, 10, 63, 146]. Software interaction and hardware usage information could be used to improve the system performance.
Existing literature does not cover very well approaches that combine both keyboard and mouse logging with arbitrary application interaction. The granularity of measurements is sometimes too coarse for analysis with respect to behavioural biometrics. Surveying the literature, we also found that there is a lack of discussion about the capture software and the capture environment. Few of the articles provided information on the technology behind the capture software. Most of the datasets and tools used for capture are not publicly available. Hence, it is impossible to replicate their results and methodology. We address these issues and present a tool that combines different methods of interaction of a user with a computer, and we disclose implementation details so that the technologies used to capture keyboard, mouse, and application interaction can be employed in alternative implementations.
Most of the logging tools available at present can capture only mouse and keystroke information [50, 53, 77]. According to our knowledge only AppMonitor [5] can store software interactions, limited to two specific applications. Therefore, there is strong demand within the behavioural biometrics based CA research community to design a logging tool that can capture the relevant users' behaviour information and share the captured data with the research community for analysis. Based on our survey of related work, our tool BeLT is the first tool which can capture extensive amounts of information, i.e. keyboard, mouse, arbitrary application interaction as well as certain hardware events, simultaneously and unobtrusively. Also, it gives users the choice to store the information either on the local computer or have it sent to a secure server.

[Figure A.1: Deployment diagram of BeLT system. The diagram shows the BeLT client application (GUI application with OpenSSL) sending one-way, TLS encrypted data traffic using the RFC 5424 data transfer protocol over an insecure public network to a logging server running Syslog-NG; two-way, HTTPS (443) encrypted communication between the client and an update server (web server) serving the update path /belt_update_list.txt and the patch list /belt_patch_list.txt for BeLT updates; and data import and export to an analysis application. One component is marked as not part of the project scope.]