Design Sprint - Pace University

Research Experiment Design Sprint:
Keystroke Biometric Intrusion Detection
Ned Bakelman
Advisor: Dr. Charles Tappert
Problem Statement
Using Keystroke Biometrics, how quickly and accurately
can the unauthorized use of a computer be determined?
In other words, how quickly and accurately can the
unauthorized use of a computer by an intruder be
detected using Keystroke Biometrics?
Background
• DARPA (Defense Advanced Research Projects Agency), through its Cyber
Genome Program, is funding research in computer intrusion detection
• This includes the use of keystroke analysis
• Pace University has developed a keystroke
biometrics system for text input
• Studies have shown that 300 keystrokes
provide good accuracy
• The Pace Keystroke Biometric System (PKBS)
has been updated to handle completely free
(application independent) keystroke samples
DARPA, Cyber Genome Program, DARPA-BAA-10-36, 2010
Foxnews.com, Chiaramonte, Perry, http://www.foxnews.com/scitech/2011/10/07/us-military-drones-infected-withmysterious-computer-virus, last updated: October 7, 2011
CNN.com, Lawrence, Chris, http://www.cnn.com/2011/10/10/us/military-dronesvirus/index.html?eref=rss_politics&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+rss%2Fcnn_allpolitics+%28RSS%3A+Politics%29&utm_content=Google+Feedfetcher, last updated: October 10, 2011
Methodology
• Monitor each computer and continuously authenticate
the user from their keystroke input
• Assume one authorized user per computer
• An intruder is defined as someone other than the
authorized user
• Each authentication event is viewed as a window which
can occur several times within a short period of time. We
want to detect an intruder during each passing of a
window.
Intruder Scenarios
• User Bob leaves his office for lunch with his computer running and
unlocked
• Intruder Trudy sits down at Bob’s desk and uses the computer while
Bob is at lunch
• Trudy may perform less malicious activities such as using the
computer to type documents, surf the web, check her Facebook
account, etc.
• Trudy may perform very malicious activities such as sending emails
impersonating Bob, entering fake claims in an expense tracking
system, attempting to steal passwords or account info that Bob may
have saved on his computer to gain access to personal or company
bank accounts, etc.
Research Experiment Design Sprint
• Design experiments to investigate the problem statement
regarding the intruder scenarios
• Ideas
  • What unique keywords or commands might an intruder key in to
    detect passwords, accounts, etc.?
  • What mouse behavior or web activity (searches, etc.) might an
    intruder perform?
  • These would be activities not typical of a true user
• Also
  • Keystroke entry is a time series event
  • How would you simulate the time series keystroke data of an
    authentic user with intruder data?
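One way to set up the simulation asked about above, as an added example that is not part of the original slides and is not the PKBS classifier. It splices constructed intruder keystrokes onto a constructed authorized-user stream and measures how many keystrokes pass before a 300-keystroke window raises an alarm. The dwell/flight features, the Gaussian profiles, the 50-keystroke step and the z-score threshold are all assumptions.

```python
import math
import random
import statistics

WINDOW = 300      # keystrokes per authentication window (the figure from the slides)
STEP = 50         # assumed: re-authenticate every 50 keystrokes (overlapping windows)
THRESHOLD = 6.0   # assumed alarm threshold on the window z-score

# Constructed typing profiles: (mean, stdev) in milliseconds per feature.
BOB = {"dwell": (95, 15), "flight": (140, 40)}     # authorized user
TRUDY = {"dwell": (120, 15), "flight": (200, 40)}  # intruder

def keystrokes(profile, n, rng):
    """Simulate n keystrokes as (dwell_ms, flight_ms) pairs."""
    return [tuple(max(1.0, rng.gauss(*profile[f])) for f in ("dwell", "flight"))
            for _ in range(n)]

def enroll(samples):
    """Per-feature mean and stdev of the authorized user's enrollment data."""
    return [(statistics.fmean(col), statistics.stdev(col)) for col in zip(*samples)]

def window_score(window, template):
    """Largest z-score of the window's feature means against the template."""
    scores = []
    for col, (mu, sigma) in zip(zip(*window), template):
        stderr = sigma / math.sqrt(len(col))
        scores.append(abs(statistics.fmean(col) - mu) / stderr)
    return max(scores)

def first_alarm(stream, template):
    """Keystroke index at which the first window raises an alarm, else None."""
    for end in range(WINDOW, len(stream) + 1, STEP):
        if window_score(stream[end - WINDOW:end], template) > THRESHOLD:
            return end
    return None

def run_trial(seed=1, bob_len=2000, trudy_len=1000):
    """Bob types bob_len keystrokes, then Trudy takes over; return (alarm, delay)."""
    rng = random.Random(seed)
    template = enroll(keystrokes(BOB, 3000, rng))
    stream = keystrokes(BOB, bob_len, rng) + keystrokes(TRUDY, trudy_len, rng)
    alarm = first_alarm(stream, template)
    return alarm, (None if alarm is None else alarm - bob_len)

if __name__ == "__main__":
    alarm, delay = run_trial()
    print(f"alarm at keystroke {alarm}, {delay} keystrokes after the takeover")
```

Repeating `run_trial` over many seeds and splice points gives the two quantities in the problem statement: detection delay in keystrokes and the false-alarm rate on intruder-free streams.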
Normal User versus Intruder User
• What is normal or typical user activity?
  • Email, word processing, spreadsheet entry, web surfing, etc.
• What is intruder activity?
  • Are there special characteristics?
  • Can they be distinguished from normal activity?
  • Can special characteristics of intruder data be used to assist
    with intruder detection? If so, how?