An examination of user behavior for user re-authentication

The research presented addresses the problem of insider threat mitigation and detection in computer security. The underlying hypothesis is that one can successfully model user behavior on the basis of user's inputs and on GUI changes as a response to those inputs. In particular, the goal is to determine to what extent users can be characterized by their mouse movements, keystroke dynamics and GUI events. The implemented system raises an alarm when the current behavior of user U, deviates sufficiently from learned “normal” behavior of user U. A closed-setting deployment scenario is assumed and a supervised learning algorithm is applied to discriminate among N users. The strength of the keystroke, mouse and GUI classifier, individually and in combination, is investigated on a set of 61 users. The results obtained show that by combining all three sources of information one can differentiate these individuals with a false positive rate of 14.47% and a false negative rate of 1.78% with the detection time of 2.20 minutes (if user utilized I/O devices). Experiments with a second dataset of 73 users illustrate that even if all users are given an identical task—in this case filling in a form word-by-word from a template—they can still be discriminated. The scalability of the system is examined to determine how well the approach scales to more users or to a scenario where one cannot know the behavior of all users in advance and therefore wants to discriminate between whether it is or is not the valid user. Finally, the accuracy and the computational efficiency of the system are investigated in the presence of a limited amount of data for the profile of user.