The system performance measure techniques that are applied in this analysis will be discussed in this section. The CAS performance measure technique is common for both the experimental protocols i.e. Protocol-1and Protocol-2. The complete description of CAS performance measure technique was provided in Chapter 4.
Due to the different objective of these two protocols we have applied two different performance measure techniques for CIS. The description of these techniques are given below.
10.4.1 CIS Performance Measure for Protocol 1
This is a straight forward performance measure for Protocol-1, where every time that a user is locked out by the CAS system, the adversary ID is determined by the CIS system. In Figure 10.7 we dis- played these adversary IDs in green (meaning a successfully identified adversary) and red (meaning identification of another person than the actual adversary). When the system is unsuccessful in iden- tifying the correct adversary ID, we display the Rank-1 identity along with the rank of the correct imposter. In Figure 10.7 one such case is presented, where the system identifies the imposter as number 38, while the correct adversary ID of 8 is found at Rank-2 (R-2 marked in blue). During this experiment out of the 22 lockouts the CIS identified the correct adversary 21 times, therefore, the recognition accuracy for this example is ACC22
8 = 95.45%. Note that here 22 is the genuine user
and 8 is the imposter user.
10.4.2 CIS Performance Measure for Protocol 2
To measure the system performance for Protocol-2, we used a threshold (i.e. Topen) that will decide
whether the adversary is within the group of known users or not. If the U serscore ≥ Topen(see
Algorithms 10.1, 10.2 or 10.3 for U serscore) then we will say that the adversary is within the set of
known adversaries, otherwise he/she said to be an unknown adversary. If we find that the adversary is known to the system, then the system will establish the identity of the adversary. In our study, we will define four different values that will provide the overall system performance for this protocol, where the summation of these four values will be 100%.
10. CONTINUOUSIDENTIFICATIONCONCEPTS 0 50 100 150 200 250 85 90 95 100 Event Number System Trust Genuine User − 22 Imposter User − 8 8 8 8 8 8 8 8 8 38 R−2 8 8 8 8 8 8 8 8 8 8 8 8 8 Accuracy − 95.45% ANIA − 13
Figure 10.7: CIS performance measure for Protocol-1 with genuine user 22 and imposter user 8.
0 50 100 150 200 250 300 350 400 450 85 90 95 100 Event Number System Trust Genuine User − 8 Imposter User − 22 222222222222 22F22 22 22 22 22222222222222222222 22 22 22 22F22 222222 22 2222 22 Accuracy − 94.29% ANIA − 14
Figure 10.8: CIS performance measure for Protocol-2 with genuine user 8 and imposter user 22.
• True ID (TID) : Where U serscore≥ Topeni.e. adversary is within the known user set and
correctly identified.
• False ID (FID) : This is the sum of two different components. 108
10.5 SUMMARY 0 50 100 150 200 85 90 95 100 Event Number System Trust Genuine User − 8 Imposter User − 65 T T T T T T T T T T T T T 51 T T T T T T T Accuracy − 95.24% ANIA − 12
Figure 10.9: CIS performance measure for Protocol-2 with genuine user 8 and imposter user 65.
– U serscore≥ Topeni.e.adversary is within the known user set but, falsely identified.
– In the second case, the adversary is not in the known user set, but the system says other- wise with a false adversary ID i.e. U serscore≥ Topen.
• True Not In (TNotIn) : Where U serscore< Topeni.e.adversary was indeed not in the known
user set.
• False Not In (FNotIn) : In this case system says the adversary is not in the known user set (i.e. U serscore< Topen) but, actually the adversary is within the known user set.
In Figure 10.8 one case was present for Protocol-2 with genuine user 8 and imposter user 22 where imposter user 22 presents in the known adversary user set. In this example, we see that two cases where the system says the adversary is not in the known user set (marked F in red color). Therefore, in this example T ID8
22 = 94.29%, F N otIn822 = 5.71%, T N otIn822 = 0%
and F ID8 22= 0%.
In Figure 10.9 another case was present for Protocol-2 with genuine user 8 and imposter user 65 where imposter user 65 not present in the known adversary user set. In this example, we see that one case where the system says the adversary is in the known user set with a false ID (marked 51 in red color). Therefore, in this example T N otIn865= 95.24%, F ID658 = 4.76%, T ID865= 0%,
F N otIn8
65= 0%. In these examples (i.e. Figures 10.7, 10.8, and 10.9), we have used Dataset-3
(see Section 5.3.1 for more details about this dataset) and Topen= 0.8.
10.5
Summary
In this section we provided the following:
• We described three different identification schemes using pairwise user coupling. This ap- proach was followed to mitigate the problem of behavioural biometric modalities (i.e. low inter-class variation and high intra-class variation). But note that this approach can be applied to any pattern identification problem.
10. CONTINUOUSIDENTIFICATIONCONCEPTS
• For the three described algorithms the number of pairwise comparisons increases from S1 to S2 and from S2 to S3, so T16 T26 T3.
• We believe that the assumption made in S1, i.e. the correct subject always has the highest score for every pair of analysis. This assumption is not always valid for every dataset, especially for behavioural biometrics based datasets because of large intra-class variations. Therefore, it might produce lower identification accuracy.
Chapter 11
Continuous Identification using a Combination
of Keystroke and Mouse Dynamics
In this chapter, we investigated the performance of a continuous identification for a PC under var- ious analysis techniques discussed in Chapter 10. We have used our own datasets for this analysis i.e. Dataset-2. This dataset is a combination of keystroke and mouse usage behaviour data. The complete description of this dataset and the extracted features are given in the Section 5.2.
This chapter is based on the papers published in: [101] MONDAL, S.,ANDBOURS, P. Combin- ing keystroke and mouse dynamics for continuous user authentication and identification. In IEEE Int. Conf. on Identity, Security and Behavior Analysis (ISBA’16)(2016), IEEE, pp. 1–8.
11.1
Background Knowledge
In this section, we discuss the background knowledge required to better understand this research. This includes the classifier used in this study and the profile creation process.
11.1.1 Classifier
Person identification by analysing the user’s behaviour profile is challenging due to limited infor- mation, large intra-class variations and the sparse nature of the information. We have also observed that the statistical analysis (i.e. distance based classifiers) failed to achieve the desired results due to these challenges. Therefore a machine learning based approach was followed in this research, more precisely we have used the Decision Tree (DT) classifier in our research. A brief description of this classifier is given below.
DT is a tree structure based predictive learning model which maps features of an observation(s) about an item to the item’s target value where leaves represent class labels and branches represent conjunctions of features that lead to those class labels [12]. In this study, we have used Bagging (bootstrap aggregation)DT which gives stability and accuracy for the classifier.
11.1.2 Profile Creation
In this section we describe the profile creation process for CAS and CIS (see Section 10.1 for the de- scription of CAS and CIS). The complete CAS profile creation process was described in the Chapter 8 for both the experimental protocols used in this research (see Section 10.3 about the details of these protocols). We have used our own datasets for the analysis i.e. Dataset-2. There are 53 participants in this dataset, but, we have only used 25 participants in this research.
We use the DT classifier with the PUC approaches for CIS. For each combination of genuine user i and imposter user j we created a training set CISi
j. This classifier was trained with the training
data miof user i and the training data mjof user j. For example, we have N = 25 users from
Dataset-2, so we have N × (N − 1) = 600 different CIS classifier models for any given action (see Section 5.2.5 and 5.2.6 about these actions). We have six different types of actions, therefore in total 6 × 600 = 3600 DT classifier models were generated. Before building the classifier models, we first apply the feature selection technique for both CAS and CIS as described in Section 8.3 for mouse move and drag-drop actions.
11. CIUSING ACOMBINATION OFKEYSTROKE ANDMOUSEDYNAMICS
Drag-Drop Comparison
Drag-Drop Action
Drag-Drop Profile
Mouse Move Comparison
Mouse Move Action
Mouse Move Profile
Double Click Comparison
Double Click Action
Double Click Profile
Single Click Comparison
Single Click Action
Single Click Profile
Key Digraph Comparison
Key Digraph Action
Key Digraph Profile
Single Key Comparison
Single Key Action
Single Key Profile
+
Separation of Actions Actions Before lockout Score Score Score Score Score Score All Scores Resultsnt Score Resultsnt Score Resultsnt Score Resultsnt Score Resultsnt Score Resultsnt ScoreFigure 11.1: Expanded block diagram of the CIS Comparison Module.
We have also experimented with other classifiers i.e. SVM, ANN and CPANN in this research, but, due to a lower learning accuracy we did not use these classifiers in the analysis.
11.1.3 System Architecture
The CIS comparison and decision making process described in Section 10.2 is valid when we have only one type of actions performed by the users. Due to different different types of actions performed by the users, we applied different classifier models for different actions. The block diagram of the expanded CIS Comparison Module is shown in Figure 11.1.
In Figure 11.1 we can see that first we separate different actions performed by the users before lockout from CAS. For example, when a user was able to perform 100 actions before lockout by the CAS, then this could e.g. be split into 40 Single Key Actions, 15 Key Digraph Actions, 20 Mouse Move Actions, 20 Single click Actions, 5 Double click Actions and no Drag-Drop Actions. The specific actions go to the corresponding comparison modules and provide scores that are input to the next module.