1 Introduction

One of the primary means of authenticating users and providing security to computers is the textual password. Passwords are convenient and require no specialized hardware. However, users frequently share passwords with others, forget passwords, and select poor passwords that may be easily defeated. Compromised passwords and shared accounts are frequently exploited by both external attackers and insiders.

One idea to overcome this is to use keystroke dynamics. It is a novel approach in which a legitimate user’s typing patterns such as durations of keystrokes, latencies between keystrokes etc. are combined with the user’s password to generate a hardened password that is convincingly more secure than conventional passwords.

2 Literature Survey

Keystroke dynamics is the manner and rhythm in which an individual types characters on a keyboard or keypad. It gives detailed timing information that describes exactly when each key was pressed and released as a person is typing. Ever since Forsen et al. [1] first investigated whether users could be distinguished by the way they type, many different techniques for keystroke dynamics have been proposed.

In almost every technique the common feature sets used to form the signatures are:

  • Enter: the Enter key is considered to be part of the password.

  • KeyUp–KeyUp: Time between the key releases of consecutive keys is used as a feature.

  • KeyUp–KeyDown: Time between the release of one key and the press of the next is used.

  • KeyDown–KeyDown: Time between the key presses of consecutive keys is used as a feature.

2.1 Anomaly Detectors for Password Timing

Our main focus is on developing an intrusion detection system using the static login method. Various studies have been done on the use of anomaly detectors to analyze password-timing data.

Table 16.1 summarizes some of the anomaly detectors along with their results relevant to our study. False accept rate (FAR) denotes the rate at which an imposter is allowed access. Similarly, false reject rate (FRR) denotes the rate at which the legitimate user is denied access. After thoroughly studying the anomaly detectors summarized in Table 16.1, we concluded that fuzzy logic has a reasonable balance between FRR and FAR errors. Hence we planned to implement it using various membership functions.

Table 16.1 Comparison of various anomaly detectors and their error rates [4]

3 Design

Fuzzy logic is a form of many-valued logic or probabilistic logic; it deals with reasoning that is approximate rather than fixed and exact. In contrast with traditional logic theory, where binary sets have two-valued logic: true or false, fuzzy logic variables may have a truth value that ranges in degree between 0 and 1. Every element requires a degree of membership to determine how strongly it belongs to a certain class. Degree of membership is calculated by a Membership Function. Of the many membership functions for fuzzy logic we have selected three membership functions for our study:

  • Triangle

  • Trapezoidal

  • Gaussian

3.1 Formation of Intervals

A dedicated software module was designed to collect the features of 35 volunteers. Data collected from these volunteers were stored in a database and used to form the intervals of various classes, where each class represents a different typing speed. The classes of typing speed that we decided on for our project are: Very Fast, Fast, Moderate, Slow and Very Slow.

Based on the samples collected, the intervals for the three membership functions mentioned above were designed as follows (Figs. 16.1, 16.2, 16.3 and 16.4).

Fig. 16.1 Fuzzy sets for triangle membership function

Fig. 16.2 Fuzzy sets for trapezoidal membership function

Fig. 16.3 Fuzzy sets for Gaussian membership function

Fig. 16.4 Snapshots of software used to collect keystroke samples and the associated database

3.1.1 Triangle Membership Function

$$ \Lambda(u{:}\,\alpha,\beta,\gamma) = \begin{cases} 0, & u < \alpha \\ (u - \alpha)/(\beta - \alpha), & \alpha \le u \le \beta \\ (\gamma - u)/(\gamma - \beta), & \beta \le u \le \gamma \\ 0, & u > \gamma \end{cases} $$
(16.1)

where α is the lower bound value, β is the modal value and γ is the higher bound value.

3.1.2 Trapezoidal Membership Function

$$ F(x, a, b, c, d) = \begin{cases} 0, & x < a \text{ or } x > d \\ (x - a)/(b - a), & a \le x \le b \\ 1, & b \le x \le c \\ (d - x)/(d - c), & c \le x \le d \end{cases} $$
(16.2)

3.1.3 Gaussian Membership Function

$$ G(u{:}\,m,\sigma) = \exp\left[ -\left\{ \frac{u - m}{\sqrt{2}\,\sigma} \right\}^{2} \right] $$
(16.3)

where m is the mean value.

4 Implementation

4.1 Sample Collection and Signature Formation

Inter-key delays were collected using dedicated software and the samples were stored in a simple database.

Once sufficient samples had been collected (a minimum of 15 samples for each user), the intervals were generated and algorithms for each of the three membership functions were developed. An example of a simple algorithm [2] implementing the triangle membership function as an anomaly detector is shown below. Similar algorithms were developed by us for the other two membership functions.

  • If (Input < LowerBound OR Input > UpperBound)

    • Then 0

  • Else If (Input < Midvalue)

    • Then (Input − LowerBound)/(Midvalue − LowerBound)

  • Else If (Input = Midvalue)

    • Then 1

  • Else (UpperBound − Input)/(UpperBound − Midvalue)

The feature sets used for our study are listed below in Table 16.2. We included the SHIFT and the CAPS LOCK keys in the feature sets of our fuzzy logic. It is often observed that the tendency to use RIGHT_SHIFT, LEFT_SHIFT or CAPS LOCK to type special characters and upper-case letters differs from user to user [3]. This variation can thus be used as an additional parameter to distinguish legitimate users from imposters.

Table 16.2 Feature sets

A membership function calculates the degree of membership to each class for each inter-key delay (KeyUp–KeyUp) given as input.

Based on the input a signature for a particular user is determined. One such signature formed is shown in Table 16.3.

Table 16.3 Signature formation and comparison

4.2 Signature Comparison

In the working phase the real time signature of a user is compared with the stored signature. If both signatures match up to a certain limit (in this case it is up to 70 %) then the user is verified as the genuine user and granted access; else they are not granted access.
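The three membership functions of Eqs. 16.1 to 16.3, the signature formation and the 70 % comparison described above, sketched in Python as an added example (this is not the authors' Java code). The class intervals, the trapezoid plateau, the Gaussian sigma and the sample delays are constructed assumptions, because the paper's own intervals appear only in its figures.

```python
import math

def triangle(u, lo, mid, hi):
    """Eq. 16.1 with lo/mid/hi = lower bound, modal value, higher bound."""
    if u < lo or u > hi:
        return 0.0
    if u == mid:
        return 1.0
    return (u - lo) / (mid - lo) if u < mid else (hi - u) / (hi - mid)

def trapezoid(u, lo, mid, hi):
    """Eq. 16.2 with an assumed plateau over the middle half of [lo, hi]."""
    b, c = lo + (hi - lo) / 4, hi - (hi - lo) / 4
    if u < lo or u > hi:
        return 0.0
    if b <= u <= c:
        return 1.0
    return (u - lo) / (b - lo) if u < b else (hi - u) / (hi - c)

def gaussian(u, lo, mid, hi):
    """Eq. 16.3 with m = mid and an assumed sigma of a quarter of the width."""
    sigma = (hi - lo) / 4
    return math.exp(-((u - mid) / (math.sqrt(2) * sigma)) ** 2)

# Constructed intervals in ms (lower, modal, upper), not the paper's values.
CLASSES = {"Very Fast": (0, 50, 100), "Fast": (50, 100, 150),
           "Moderate": (100, 150, 200), "Slow": (150, 200, 250),
           "Very Slow": (200, 250, 300)}

def signature(delays_ms, mf=triangle):
    """Label each inter-key delay with its highest-membership class."""
    sig = []
    for d in delays_ms:
        degrees = {name: mf(d, *p) for name, p in CLASSES.items()}
        best = max(degrees, key=degrees.get)
        sig.append(best if degrees[best] > 0 else None)  # None: fits no class
    return sig

def verify(stored, live, threshold=0.70):
    """Accept when at least `threshold` of the positions carry the same class."""
    if not stored or len(stored) != len(live):
        return False  # wrong number of keystrokes can never match
    matches = sum(s is not None and s == l for s, l in zip(stored, live))
    return matches / len(stored) >= threshold

# Constructed samples: enrolled delays, a genuine retry, and an imposter.
ENROLLED = [95, 140, 60, 210, 155, 100, 45, 160, 105, 190]
GENUINE = [105, 150, 40, 195, 120, 90, 55, 170, 110, 230]
IMPOSTER = [200, 240, 150, 260, 250, 190, 160, 250, 210, 110]
```

With these constructed samples the genuine retry matches 8 of 10 positions and is accepted, while the imposter matches none. A delay outside every interval gets no class under the triangle and trapezoid functions, whereas the Gaussian never reaches zero and still assigns the nearest class.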

5 Testing

To increase confidence in the correctness (accuracy) of the triangular, trapezoidal and Gaussian membership functions, we tested them by supplying typical test inputs (requests) and checking the test outputs (responses) against the expected ones (Fig. 16.5).

Fig. 16.5 Snapshots showing the experimental results generated, stored and evaluated

As we can see from Table 16.4, a comparison of the FAR and FRR of the three membership functions shows that the Gaussian function yields the best results compared to the other two membership functions.

Table 16.4 Performance measure of membership functions

6 Conclusion and Future Scope

We believe keystroke dynamics can be used effectively to safeguard against unauthorized access of computer as well as mobile resources [2]. When implemented in conjunction with traditional schemes, it allows for the design of more robust authentication systems than traditional password based alternatives alone.

In this project we compared triangular, trapezoidal and Gaussian membership functions of fuzzy logic to authenticate users based on their typing speed and proved that among the three, Gaussian membership function is the most effective means of implementing an intrusion detection system using Fuzzy logic. To implement such a system, the code developed by us in Java could be used as a plug-in for intrusion detection, once the database has been created for the authentic users.

The approach of using keystroke dynamics in our project was limited only to passwords. This can be extended to include all the text typed by a user during his work. This way, not only will there be monitoring at the login stage but also during the entire active session for a particular user.