Behaviometrics, biometrics, digital fingerprint: bachelor's thesis


  • 8/16/2019 Behaviometrics, biometrics, digital fingerprint: bachelor's thesis

    White Paper

    BehavioMetrics

     A Paradigm Shift in Computer Security 

     


    Abstract

    Behaviometrics, or behavioral biometrics, is a measurable behavior used to recognize or verify the identity of a person. Behaviometrics focuses on behavioral patterns rather than physical attributes. Almost all interaction with a computer is carried out via a keyboard and a mouse for input, and with the display for visual feedback. Behaviometrics utilizes the characteristics of the users’ input and how they navigate through the interface to create virtual fingerprints of their behavior.

    Behaviometrics can efficiently prevent intrusions on laptops or workstations by continuously verifying that it is the authorized user that is accessing the computer. Behaviometrics can continuously monitor the user during the whole working session to create an ongoing authentication process. The behavioral pattern which is the base for the ongoing verification of the user profile is a complex mix of mouse dynamics, keystroke dynamics, the user’s GUI interaction and advanced behavioral algorithms.

    A human behavioral pattern consists of a variety of different unique “semi-behaviors”, all mixed together into a larger and utterly more unique profile. Since every person’s unique Behaviometric pattern is formed not only by biometric features, like the way you move your hand, but is also influenced by more social and psychological means, like whether you are native in the language you write, it is just about impossible to copy or imitate somebody else’s behavior in front of the computer.

    By continuously comparing different aspects of the current input stream with a previously stored user profile, Behaviometrics can detect anomalies in the user’s behavior within seconds and stop intrusions while they are happening.

    In this paper we explore the basic concept of Behaviometrics in information security as well as take a deeper look into how it works in an Ongoing Authentication Solution.


    Contents

    Abstract
    A changing market
    Behaviometrics – a paradigm shift in information security
    The definition of Behaviometrics
    Can a behavioral pattern be stolen?
    The fourth factor - (de)authentication
    A new layer of IT security
    Protection against both crimes and accidents
    Increasing need for efficient IT security worldwide
    Finance
    Healthcare
    Governmental organizations
    Private Enterprises
    Behavio – the first Behaviometric solution
    Features
    Behavio behind the scenes
    Bootstrapping the initial authentication
    The behavioral profile
    Evaluating the output
    Deploying Behavio into the company network
    Administration
    Architecture
    About BehavioSec
    Discovering the potential of the human behavior
    A new and innovative company
    Thoughts about a future security market


    A changing market

    More and more voices strongly declare that the password is no longer a reliable IT security measure and must be replaced by more efficient systems for protecting the computer contents. At the same time, laptops are getting more mobile by the year, with increasing thefts as a result. The ways of accessing confidential information have also increased with, for example, increasing use of web access and advanced mobile phones. Statistics also show that the amount of targeted attacks and planned financial frauds is increasing globally.

    The IT security business is flooded with different solutions, both technical and organizational, for securing the information in computers. Regarding the technological development, most efforts have been developing and designing security solutions that are focused on increasing the efficiency of the authentication phase, rather than increasing the security of the actual usage of the computer.

    BehavioSec is the first company to present a Behaviometric solution that efficiently secures the entire period after authentication from intrusions. It is a patent pending IT-security software solution that blends high-tech technology with the user’s own unique behavioral pattern to create a new security token, the human behavior.

    Behaviometrics – a paradigm shift in information security

    Behaviometrics offers a new generation of information security solutions simply by using the individual itself as its core asset. An asset that is extremely hard to replicate, which makes it the ultimate solution against identity theft.

    By covering the previously unprotected period of time between login and logout, Behaviometrics becomes a very powerful weapon in the fight against computer intrusions. Any unauthorized user that previously could access a computer with confidential information, either by hacking the password, logging in with stolen credentials or accessing a logged on computer, can now be stopped and the intrusion is prevented while it is happening.

    The definition of Behaviometrics

    The word “Behaviometrics” derives from the terms “behavioral” and “biometrics”. “Behavioral” refers to the way a human person behaves and “biometrics”, in an information security context, refers to technologies and methods that measure and analyze biological characteristics of the human body for authentication purposes - for example fingerprints, eye retina and voice patterns.

    In other words Behaviometrics, or behavioral biometrics, is a measurable behavior used to recognize or verify the identity of a person. Behaviometrics focuses on behavioral patterns rather than physical attributes.

    Behaviometrics is measuring human behavior in order to recognize or verify the identity of a person.

    Can a behavioral pattern be stolen?

    A human behavioral pattern consists of a variety of different unique “semi-behaviors”, all mixed together into a larger and utterly more unique profile. Since every person’s unique Behaviometric pattern is formed not only by biometric features, like the way you move your hand, but is also influenced by more social and psychological means, like whether you are native in the language you write, it is just about impossible to copy or imitate somebody else’s behavior in front of the computer.

    “47% of computer security professionals surveyed reported a laptop theft over the past twelve months”
    - FBI & CSI’s annual Computer Crime and Security Survey, 2006


    The fourth factor - (de)authentication

    Why settle with “strong authentication” when Behaviometrics goes beyond? Behaviometrics adds a new security factor that protects not only the beginning, but the time throughout the entire working session, which is a leap forward in protecting confidential information.

    [Figure: timeline of a computer in use from Login to Logout. At Login: initial authentication by password, smartcards or biometric solutions. Between Login and Logout: continuous authentication with behaviometric software.]

    Behaviometrics can efficiently prevent intrusions on laptops or workstations by continuously verifying that it is, in fact, the authorized user that is accessing the computer. And from the user’s point of view, this security factor makes the daily work more efficient since there is no need to change the way users work to protect the workstation from abuse.

    A new layer of IT security

    Securing information in companies and enterprises can be done in many different steps or “layers”, all depending on the closeness to the confidential information that must be secured. The actions can vary from physically shutting out intruders with fences and creating different security zones for employees, to having efficient firewalls and routines for changing your password every month. Up until today, most security solutions can be defined as part of one of the following security layers:

    •  Physical safety – alarms, entry cards, cameras etc.

    •  Network protection – firewalls etc.

    •  Access management – password, smartcards, biometrical solutions

    Behaviometric security adds another layer, even closer to the confidential information than access management: the human itself. To get through this new layer of security, the intruders have to copy another person’s behavioral pattern, which has proven to be impossible. The closer unauthorized persons come to the information inside the computers, the more likely they are to succeed. The Behaviometric layer brings any intruder to a definitive halt.

    Protection against both crimes and accidents

    One of the advantages with Behaviometrics is that the intrusion detection software is unaffected by factors like whether the intruder is an insider or an “outsider”, whether the initial authentication has been hacked or not and whether the computer is standing in your office or at home. All that really matters is that the behavior of the person using the computer corresponds to the behavioral profile of the logged-in user.

    Here are some examples of incidents that can be secured with a Behaviometric solution:

    •  Having your credentials stolen

    •  Losing your laptop

    •  Forgetting to log out

    •  Having your children accidentally delete information on your work computer

    Increasing need for efficient IT security worldwide

    The drivers for more efficient IT security are somewhat different depending on business segment; each segment has its own way of working together with unique possibilities and threats. Below is a short description of the different segments that all have the need to add an extra layer of protection to their IT security.


    Finance

    Banks and other financial institutions that store monetary assets have always been a target for intrusions. Loss of information that derives from these intrusions can be devastating and have a long term impact on customer trust. Additionally, bank personnel have the means to access and execute changes to their clients’ accounts, thus making it crucial to verify that it is the correct user accessing the system.

    A recent incident in Sweden, where an unauthorized user remotely hijacked a computer that was left unattended and started transferring money, shows the vulnerability of today’s security systems. Luckily, the intrusion was disrupted when an employee saw the mouse being moved on the screen although no one was present and pulled the plug at the last second, which stopped the attempt.

    Healthcare

    Hospitals and other care related institutions store private information about their clients in journals, registers and records. This information can be very sensitive and access is only given to the persons responsible for the patient. The last years have provided lots of examples of integrity violations where confidential information, such as medical records, has ended up in media and newspapers. Meanwhile, public debates have been widespread and the demands for both legal actions and other ways of protecting personal integrity have been raised.

    An example of this was when Swedish foreign minister Anna Lindh died in hospital after being attacked in central Stockholm, in 2003. Media afterwards published confidential information that derived from her medical records. Later it was established that a large number of employees not involved with the direct care had been accessing confidential records through another user’s account.

    Governmental organizations

    Keeping the nation state’s information intact from abuse and intrusions is crucial to be able to protect its borders and citizens. The attempts of intrusions are most likely to be the subject for espionage and the kind of organizations that this segment consists of varies from defense to political parties.

    During the election in Sweden 2006 a representative of a political party gained access to its counterpart’s information system through stolen credentials. Having gained access to their opponent’s strategy and action plan, they later used this information in the campaign to counteract their opponents.

    Private Enterprises

    Protecting company information is of the highest importance to all private enterprises. There is a great deal of responsibility as to how sensitive information and communication should be handled to protect intellectual property assets such as pharmaceutical research, software development, launch plans and other key resources. A large number of external resources can also often access critical and sensitive information; for example, accountants often have direct access to their customers’ financial data, which is only intended for the auditing. This information can easily be acquired by stealing a laptop and then accessing the sensitive content through known or hacked credentials.

    Recently, the problem of insider abuse has been accelerating in companies where workstations can be accessed by non-authorized users inside the premises of the organization. An insider can gain access to a user account either at a logged on computer or through known passwords or stolen credentials. Also, since 2002, regulatory compliance for public companies has stressed security as a key issue for the company’s liability.


    Behavio – the first Behaviometric solution

    Behavio is a patent pending IT-security software that enables a new layer of protection against insider abuse, data theft and identity theft by guaranteeing that it is the correct user accessing the data at all times. The solution has no impact on usability, nor does it require any extra tokens.

    After a user is verified with traditional security measures, such as passwords, Behavio continuously monitors the user during the whole working session to create an ongoing authentication process. Behavio identifies unauthorized users within seconds by detecting anomalies in how they interact with a computer’s keyboard, mouse and graphical user interface, thereby avoiding information theft. Intrusions can then be stopped while they are happening.

    The behavioral pattern which is the base for the ongoing verification of the user profile is a complex mix of mouse dynamics, keystroke dynamics, the user’s GUI interaction and advanced behavioral algorithms.

    Behavio enhances the current protection of all workstations, such as laptops and desktops, even after the user has logged into the system. It does not interfere with the normal workflow. Simply using the computer in the everyday work makes the software increasingly more efficient and the confidential information more secure. It doesn’t matter if you are working from home or if you are outsourcing, Behavio ensures it is the correct user handling your company’s information. Behavio will show that companies put information security foremost and that they are regulatory compliant.

    Features

    Behavio is created to be invisible to the eye for the user sitting in front of the computer. It does not affect the daily use of the computer; it actually benefits from all the work the user performs. Here are the main features:

    •  Continuous – It continuously protects the data after access authentication.

    •  Adaptive – It continuously learns the behavior of the user and improves the user’s behavioral profile.

    •  Transparent – The users cannot see or manipulate the software.

    •  Non intrusive – The software respects the users’ integrity; it does not register what the users are doing, it only verifies how the user is working.

    •  Easy to manage – The software requires minimal central configuration and administration.

    •  Easy to integrate – The software requires no additional hardware.

    An attempt from an authorized user to access a computer can be monitored and analyzed via the Behavio Log Analyzer. The picture below illustrates what happens when an unauthorized user starts using the computer. Immediately after the start of the unauthorized usage, the Behavio software detects the intruder and drops the authentication grade below the accepted level. The opposite occurs when the authorized user returns to the computer and starts to use it: the authentication grade instantly returns to normal levels.


    Behavio behind the scenes

    By continuously studying different aspects of the user’s input, Behavio will detect anomalies in the user’s behavior. The main principle is to generate a statistical block and then compare it to the user profile. While each aspect of the behavior will generate its own conclusions, the results are summarized into a single similarity ratio. If the ratio drops below the threshold then the user is considered to be an impostor.

    Behavio consists of a monitor, behavioral profile, detection engine and validation engine. The monitor is the eye of the software, tracking how the user is interacting with the computer. The behavioral profile is the virtual fingerprint of the expected behavior and the detection engine is the heart of the software. The validation engine draws conclusions on whether it is the correct user or not and signals for action.

    The detection engine consists of multiple specialized detection engines. When the user is using the computer the monitor will filter the data and store it in different buffers. When one or more of the buffers are filled the software will signal the appropriate detection engines to start working. As each specialized detection engine only calculates a specific aspect of the user’s behavior when it is needed, it helps keep the system resource overhead at a minimum level.

    [Figure: User Profile, Monitor, Filter and the Detection Network of engines E1–E6, whose outputs are combined as:]

    $$\frac{\prod_{i=1}^{n} E_i}{\prod_{i=1}^{n} E_i + \prod_{i=1}^{n} (1 - E_i)}$$

    Behavio allows the individual detection engines to execute independently of each other. The gain from doing so is that it allows for evaluation of the different behavioral aspects asynchronously. Running a detection routine as soon as there is sufficient data for that specific trial makes the system more responsive and in the end it leads to better protection against unauthorized usage.

    Bootstrapping the initial authentication

    During the operating system boot process Behavio is launched as a background process and starts to monitor user space for new sessions. When a user has logged in, Behavio will spawn another process and hook it on to the newly started session. It will now start to extract information such as the username and load the user profile associated with that account.

    When the behavioral profile is loaded, Behavio will start to authenticate the user by continuously comparing the profile against the current input from the user.

    [Figure: timeline (Time axis) with System and Desktop lanes. Labels: Start Behaviometric, Wait for new session, Login, Logout, Close, Monitor thread, Session, Hook, Data stream.]

    The behavioral profile

    At the beginning the profile will be empty and Behavio has to learn the behavior of the user. At this early stage it is difficult to tell the difference between friend and impostor, and Behavio initially assumes that it is the correct user handling the computer.

    In order to handle the evolution of the user’s behavior the system has to tolerate small shifts and gradually make the necessary changes in the profile.


    To make sure that a potential impostor who has the login credentials cannot take advantage of this and taint the profile with his or her behavior, the new data has to be stored in quarantine until it goes into the profile. The principle is that if an unauthorized user is detected, the data in the quarantine will be emptied. If the user is determined to be the correct user, the system will automatically update the user profile with the data stored in the quarantine.

    Evaluating the output

    To illustrate the evaluation of the detection engine output let’s assume a setup with 7 separate detection engines, where the current outputs could be:

    Engine 1   Engine 2   Engine 3   Engine 4   Engine 5   Engine 6
    [E1]       [E2]       [E3]       [E4]       [E5]       [E6]
    62%        78%        64%        52%        48%        51%

    The results above indicate the probability that it is the correct user from each detection engine’s point of view. All results over 50% mean that it is most likely the correct user while everything below 50% is most likely to be an intruder. At exactly 50% the system indicates that it could be either one.

    The administrator can set a detection threshold that allows for the ups and downs in the everyday behavior. The benefit is that false rejects and false accepts are directly associated with the threshold level, which allows for explicitly defined individual risk mitigation. Let’s say that the threshold is set to 60%, which means that the probability that it is the correct user has to be at least 60% in order to not be detected as an impostor.

    In order to combine the output from the detection engines we use Bayes’ theorem to produce a similarity ratio.

    The similarity ratio is calculated as A / (A+B) where:

    A is the probability that it is the correct user
    B is the probability that it is not the correct user

    A = 0.62 × 0.78 × 0.64 × 0.52 × 0.48 × 0.51 = 0.0393986212

    B = (1-0.62) × (1-0.78) × (1-0.64) × (1-0.52) × (1-0.48) × (1-0.51) = 0.00368086118

    As we can see in this example, the chance that it is the correct user (A) is greater than the chance that it is an impostor (B).

    Similarity ratio = 0.0393986212 / (0.0393986212 + 0.00368086118) = 0.914556513

    The result in this case shows that the probability of it being the correct user is close to 91.5%, and since it is above the set threshold the user is accepted. Otherwise the system would have signaled detection.

    By amplifying the special characteristics of the user’s behavior the accuracy is increased. Amplifying a specific behavioral aspect gives it a larger impact on the final evaluation. We can for example amplify the test if a certain aspect is especially accurate for a specific user - as if the user was writing with almost exactly the same rhythm the entire time.
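    The similarity-ratio evaluation and the quarantine rule from "The behavioral profile", combined in one added example (not BehavioSec's code). Assumptions: amplification is modeled as an exponent weight per engine, the clamp EPS keeps a single engine from forcing the verdict, and `commit_after` (accepted blocks required before quarantined data enters the profile) is a hypothetical parameter.

```python
import math
from dataclasses import dataclass, field

EPS = 1e-6  # assumed clamp: no single engine may report exactly 0 or 1

# Engine outputs E1..E6 from the worked example on the page.
PAGE_OUTPUTS = [0.62, 0.78, 0.64, 0.52, 0.48, 0.51]


def similarity_ratio(outputs, weights=None):
    """Return A / (A + B), A = prod(E_i ** w_i), B = prod((1 - E_i) ** w_i).

    With all weights equal to 1 this is the page's formula. The exponent
    weights are an assumed way to model "amplifying" one behavioral aspect.
    """
    if not outputs:
        raise ValueError("at least one engine output is required")
    if weights is None:
        weights = [1.0] * len(outputs)
    if len(weights) != len(outputs):
        raise ValueError("one weight per engine output")
    log_odds = 0.0
    for p, w in zip(outputs, weights):
        if not 0.0 <= p <= 1.0 or w < 0:
            raise ValueError(f"bad engine output/weight: {p!r}, {w!r}")
        p = min(max(p, EPS), 1.0 - EPS)
        # Accumulate log(A/B) so many engines do not underflow to 0/0.
        log_odds += w * (math.log(p) - math.log(1.0 - p))
    # A / (A + B) == sigmoid(log(A/B)); both branches avoid overflow.
    if log_odds >= 0:
        return 1.0 / (1.0 + math.exp(-log_odds))
    e = math.exp(log_odds)
    return e / (1.0 + e)


@dataclass
class Session:
    """Ongoing authentication for one login session with profile quarantine."""
    threshold: float = 0.60   # the 60% threshold used on the page
    commit_after: int = 3     # assumed: accepted blocks needed before commit
    profile: list = field(default_factory=list)
    quarantine: list = field(default_factory=list)
    _streak: int = 0

    def evaluate(self, block, outputs, weights=None):
        """Score one statistical block; return (ratio, verdict)."""
        ratio = similarity_ratio(outputs, weights)
        if ratio < self.threshold:
            # Detection: discard everything not yet committed, so an
            # impostor with valid credentials cannot taint the profile.
            self.quarantine.clear()
            self._streak = 0
            return ratio, "detected"
        self.quarantine.append(block)
        self._streak += 1
        if self._streak >= self.commit_after:
            # User confirmed: quarantined data updates the profile.
            self.profile.extend(self.quarantine)
            self.quarantine.clear()
            self._streak = 0
        return ratio, "accepted"


if __name__ == "__main__":
    # Constructed session: three blocks from the owner, then an intruder.
    s = Session(commit_after=2)
    for name, outs in [("b1", PAGE_OUTPUTS), ("b2", PAGE_OUTPUTS),
                       ("b3", PAGE_OUTPUTS), ("x1", [0.30] * 6)]:
        ratio, verdict = s.evaluate(name, outs)
        print(f"{name}: ratio={ratio:.4f} {verdict} "
              f"profile={s.profile} quarantine={s.quarantine}")
```

    In the constructed run, block b3 is accepted but still sits in quarantine when the intruder block x1 arrives, so it is discarded and never reaches the profile.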


    Deploying Behavio into the company network

    The Behavio solution consists of a client in each workstation and a central management system. While each client has a local behavioral profile cache, the server stores all the users’ profiles in a central profile repository.

    Being able to synchronize the profiles between the server and the clients increases the mobility of the users. As long as you have an internet connection and the Behavio client installed, the software will automatically synchronize with the server in order to get the latest profiles and settings. If the server cannot be reached, the client will continue with the last known settings and a cached user profile.

    Administration

    The Behavio Management Server is administrated through a web interface which can be used with any modern browser. Users and groups can be imported from LDAP sources.

    Architecture

    Behavio Management Server is built on Linux, Apache, PostgreSQL and PHP. This configuration is similar to the LAMP architecture, which is widely used and tested amongst web hotels as well as large companies.

    The architecture, which is open in its nature, can easily be customized to run on other operating systems, web servers and database systems.


    About BehavioSec

    Discovering the potential of the human behavior

    In 2004, the founders of BehavioSec started to look into the data security market in order to find an interesting angle for their master’s thesis at Luleå University of Technology, in the north of Sweden. What they found out was that most economical and developmental efforts at that time were focused on either strengthening the physical safety systems or refining login procedures for access authentication. They also found out that there were no software products on the market targeting the time after login.

    There was a gigantic security gap between the time of login and the time of logout from a software point of view. This insight led the two researchers to focus on the characteristics of this period in order to find the key asset to new data protection software. And what they found was the potential of the human behavior!

    A new and innovative company

    The Swedish company BehavioSec was established in 2006 at the Aurorum Science Park in Luleå. The company and its products are a direct result of scientific research made by students from Luleå University of Technology in 2004.

    BehavioSec has since the start been a member of the Aurorum Business Incubator. The business idea has been awarded several international innovation prizes. The organizations that have financially supported the development of Behavio are the Luleå University of Technology combined with other seed capital funding.

    Thoughts about a future security market

    While the technology evolution continues at a rapid rate, the workplace also continues to move outside the physical boundaries of the company. This is a natural progress since it could raise the effectiveness of a business organization.

    We believe that the entry point for attackers will shift, from as of today through the networks, towards attacking the company from the devices that are outside the company’s physical defenses. By stealing the credentials of an authorized user the attacker will be able to reach the information easier than by attacking the well defended networks. The attackers are likely to focus on stealing legitimate users’ credentials and exploiting them at the mobile devices such as laptops, cell phones and company intranet, thus accessing endpoints that are not secured by the company’s walls. Smart cards will in these cases be ineffective since they will be out in the wild. Can you trust that it is the right person carrying the smart card and the smart card reader? What if they were stolen from your employee’s home last night?

    Behaviometrics is soon going to be a natural part of forensics, especially when it comes to insider abuse. With a close to 100% certainty, the authorities can claim that it was a certain user that was using the computer at a given time. Insider abuse could then be part of history, preventing the possibility for insiders to say, “someone else accessed my account”. With the concept of ongoing authentication, BehavioSec can deliver a full security solution which will cover everything from workstations, laptops, mobile phones and web/intranets from unauthorized access. That is how we want to contribute to a more secure and thus more peaceful IT business.

    Peder Nordström,

    Founder and Chief Technology Officer


    For more information

    please contact sales at

    BehavioSec

    Jakobs torg 3

    SE-111 52 Stockholm, Sweden

    Phn. +46(0)920-75045

    Fax. +46(0)920-75010

    [email protected]

    www.behaviosec.com

    BehavioSec is a

    registered trademark