In this paper we present open research questions and options for data analysis of our previously designed dataset called TWOS: The Wolf of SUTD. In specified research questions, we illustrate the potential use of the TWOS dataset in multiple areas of cyber security, which is not limited to malicious insider threat detection but also relates to authorship verification and identification, continuous authentication, and sentiment analysis. For the purpose of investigating the research questions, we present several state-of-the-art features applicable to collected data sources, and thus we provide researchers with guidance on how to start with data analysis. The TWOS dataset was collected during a gamified competition that was devised in order to obtain realistic instances of malicious insider threat. The competition simulated user interactions in/among competing companies, where two types of behaviors (normal and malicious) were incentivized. For the case of malicious behavior, we designed two types of malicious periods that were intended to capture the behavior of two types of insiders – masqueraders and traitors. The game involved the participation of 6 teams consisting of 4 students who competed with each other for a period of 5 days. Their activities were monitored by several data collection agents producing data for mouse, keyboard, process and file-system monitor, network traffic, emails, and login/logout data sources. In total, we obtained 320 hours of active participation that included 18 hours of masquerader data and at least two instances of traitor data. In addition to expected malicious behaviors, students explored various defensive and offensive strategies such as denial of service attacks and obfuscation techniques, in an effort to get ahead in the competition. The TWOS dataset was made publicly accessible for further research purposes.
In this paper we present the TWOS dataset that contains realistic instances of insider threats based on a gamified competition. The competition simulated user interactions in/among competing companies, where two types of behaviors (normal and malicious) were incentivized. For the case of malicious behavior, we designed sessions for two types of insider threats (masqueraders and traitors). The game involved the participation of 6 teams consisting of 4 students who competed with each other for a period of 5 days, while their activities were monitored considering several heterogeneous sources (mouse, keyboard, process and file-system monitor, network traffic, emails and login/logout). In total, we obtained 320 hours of active participation that included 18 hours of masquerader data and at least two instances of traitor data. In addition to expected malicious behaviors, students explored various defensive and offensive strategies such as denial of service attacks and obfuscation techniques, in an effort to get ahead in the competition. Furthermore, we illustrate the potential use of the TWOS dataset in multiple areas of cyber security, which is not limited to malicious insider threat detection, but also includes areas such as authorship verification and identification, continuous authentication, and sentiment analysis. We also present several state-of-the-art features that can be extracted from different data sources in order to guide researchers in the analysis of the dataset. The TWOS dataset is publicly accessible for further research purposes.
In this paper we focus on a context-independent continuous authentication system that reacts on every separate action performed by a user. We contribute a robust dynamic trust model algorithm that can be applied to any continuous authentication system, irrespective of the biometric modality. We also contribute a novel performance reporting technique for continuous authentication. Our proposed approach was validated with extensive experiments with a unique behavioural biometric dataset. This dataset was collected under completely uncontrolled conditions from 53 users by using our data collection software. We considered both keystroke and mouse usage behaviour patterns to prevent a situation where an attacker avoids detection by restricting to one input device because the system only checks the other input device. During our research, we developed a feature selection technique that could be applied to other pattern recognition problems. The best result obtained in this research is that 50 out of 53 genuine users are never inadvertently locked out by the system, while the remaining 3 genuine users (i.e. 5.7%) are sometimes locked out, on average after 2265 actions. Furthermore, only 3 out of 2756 impostors are not detected, i.e. only 0.1% of the impostors go undetected. Impostors are detected on average after 252 actions.
In this paper, we analyze the performance of a continuous user authentication and identification system for a PC under various analysis techniques. We applied a novel identification technique called Pairwise User Coupling (PUC) on our own dataset for the analysis. This dataset is a combination of keystroke and mouse usage behaviour data. We obtained an identification accuracy of 62.2% for a closed-set experiment, where the system needs an average of 471 actions to detect an impostor. In the case of an open-set experiment, a Detection and Identification Rate (DIR) of 58.9% was obtained, where the system needs an average of 333 actions to detect an impostor.
In this paper we consider an additional functionality to continuous authentication, which is the identification of an impostor. We use continuous authentication to protect a mobile device. Once it is detected that it is not the genuine user that is using the mobile device, it is important to lock it, but in a closed user group, valuable information could also be gained from determining who the actual person was that was operating the device. This new concept is termed continuous identification, and in this paper we will show that we can identify the impostors with almost 98% accuracy in case the security settings are such that an impostor is detected after 15 actions on average. In the case of higher security, we can already detect impostors after 4 actions on the mobile device, but in that case the recognition rate of the correct impostor drops to almost 83%.
In this paper we will show that context has an influence on the performance of a continuous authentication system. When context is considered we notice that the performance of the system improves by a factor of approximately 3. Even when testing and training are not based on exactly the same task, but on a similar task, we see an improvement of the performance over a system where the context is not included. In fact, we prove that the performance of the system depends on which particular kind of task is used for the training.
In this study, the authors will describe how performance results for continuous authentication (CA) should be reported. Most research on alleged CA is in fact periodic authentication, and performance is then reported in false match and false non-match rates. Here the authors will describe the average number of impostor or genuine actions as the performance indicators, and will describe a more detailed performance reporting method. The authors report their current results in continuous authentication, based on analysis performed on two different datasets, and compare those results to the best results in comparable research, where they show that their results outperform most other known results.
In this paper, we investigate the performance of a continuous biometric authentication system under various different analysis techniques. We test these on a publicly available continuous mouse dynamics database, but the techniques can also be applied to other biometric modalities in a continuous setting. We test all different combinations of fusion techniques, threshold settings, score boosting techniques and static versus dynamic trust models. We extensively describe the way that performance is reported when analyzing the performance of a continuous authentication system. Contrary to a biometric system for access control at the start of a session, the performance cannot simply be reported by a single EER value or a DET curve. We show that the optimal performance we can reach with our new techniques improves significantly over the best known performance on the same dataset.
Continuous Authentication by analysing the user's behaviour profile on the computer input devices is challenging due to limited information, variability of data and the sparse nature of the information. As a result, most of the previous research was done as a periodic authentication, where the analysis was made based on a fixed number of actions or fixed time period. Also, the experimental data was obtained for most of the previous research in a very controlled condition, where the task and environment were fixed. In this paper, we will focus on actual continuous authentication that reacts on every single action performed by the user. The experimental data was collected in completely uncontrolled conditions from 52 users by using our data collection software. In our analysis, we have considered both keystroke and mouse usage behaviour patterns to avoid a situation where an attacker avoids detection by restricting to one input device because the continuous authentication system only checks the other input device. The result we have obtained from this research is satisfactory enough for further investigation on this domain.
In this chapter we will discuss how keystroke dynamics can be used for true continuous authentication. We have collected keystroke dynamics data of 53 participants who used the computer freely and we have analysed the collected data. We will describe a system that decides on the genuineness of the user based on each and every single keystroke action of the current user and we will represent the results in a new manner. The continuous authentication system will lock out a user if the trust in genuineness of the current user is too low. Ideally such a system would never lock out a genuine user and detect an impostor user within as few keystroke actions as possible.
This paper discusses the complexity measurement of a password in relation to the performance of a keystroke dynamics system. The performance of any biometric system depends on the stability of the biometric data provided by the user. We first present a new way to calculate the complexity related to the typing of a password. This complexity metric is then validated with the keystroke dynamics data collected in an experiment, as well as the user’s experience during the experiment. Next, we show that the performance of the keystroke dynamics biometric system will depend on the complexity of the password and in particular that the performance of the system decreases with an increasing complexity. This leads then to the conclusion that random passwords, although harder to guess by an attacker, might not be the most suitable choice in case of keystroke dynamics.
In this paper, we will present a multimodal architecture for continuous authentication using behavioural biometrics. We will point out common shortcomings in current research on continuous authentication and present a model where the system changes the trust in the genuineness of the current user with every action this user makes. We use a multimodal architecture to ensure both performance optimizations and higher security due to the increased difficulty of spoofing multiple behavioural biometrics simultaneously.
In this paper, we demonstrate a new way to perform continuous authentication using Mouse Dynamics as the behavioural biometric modality. In the proposed scheme, the user will be authenticated per mouse event performed on his/her system. We have used a publicly available mouse dynamics dataset and extracted per-event features suitable for the proposed scheme. In this research, we have used the mouse dynamics data of 49 users and evaluated the system performance with 6 machine learning algorithms. In this approach, the genuine user has never been classified as an impostor throughout a full session whereas the average number of mouse actions an impostor could perform before detection is 94 from the best classification algorithm with a person-based threshold.
In this paper we have discussed a low-cost system which uses a dynamic hand gesture recognition technique to control the VLC media player. This application contains a central computation module which segments the foreground part of the frame using skin detection and the approximate median technique. The recognition of gestures is done by creating a Decision Tree that uses various features extracted from the segmented part. This hand gesture recognition technique introduces a new, natural way to interact with computers.
Papers by Soumik Mondal