Behaviometrics, biometrics, fingerprint: bachelor's thesis
8/16/2019 Behaviometrics, biometrics, fingerprint: bachelor's thesis
White Paper
BehavioMetrics
A Paradigm Shift in Computer Security
Abstract
Behaviometrics, or behavioral biometrics, is
a measurable behavior used to recognize or
verify the identity of a person. Behaviometrics
focuses on behavioral patterns rather than
physical attributes. Almost all interaction
with a computer is carried out via a keyboard
and a mouse for input, and with the display
for visual feedback. Behaviometrics utilizes
the characteristics of the users’ input and
how they navigate through the interface to
create virtual fingerprints of their behavior.
Behaviometrics can efficiently prevent intrusions
on laptops or workstations by continuously
verifying that it is the authorized user that
is accessing the computer. Behaviometrics
can continuously monitor the user during the
whole working session to create an ongoing
authentication process. The behavioral pattern
which is the base for the ongoing verification
of the user profile is a complex mix of mouse
dynamics, keystroke dynamics, the user’s GUI
interaction and advanced behavioral algorithms.
A human behavioral pattern consists of a variety
of different unique “semi-behaviors”, all mixed
together into a larger and utterly more unique
profile. Since every person’s unique Behaviometric
pattern is formed not only by biometric features,
like the way you move your hand, but is also
influenced by more social and psychological
means, like if you are native in the language you
write, it is just about impossible to copy or imitate
somebody else’s behavior in front of the computer.
By continuously comparing different aspects
of the current input stream with a previously
stored user profile, Behaviometrics can detect
anomalies in the user’s behavior within seconds
and stop intrusions while they are happening.
In this paper we explore the basic concept
of Behaviometrics in information security as
well as take a deeper look into how it works
in an Ongoing Authentication Solution.
Contents
Abstract
A changing market
Behaviometrics – a paradigm shift in information security
The definition of Behaviometrics
Can a behavioral pattern be stolen?
The fourth factor - (de)authentication
A new layer of IT security
Protection against both crimes and accidents
Increasing need for efficient IT security worldwide
Finance
Healthcare
Governmental organizations
Private Enterprises
Behavio – the first Behaviometric solution
Features
Behavio behind the scenes
Bootstrapping the initial authentication
The behavioral profile
Evaluating the output
Deploying Behavio into the company network
Administration
Architecture
About BehavioSec
Discovering the potential of the human behavior
A new and innovative company
Thoughts about a future security market
A changing market
More and more voices strongly declare that
the password is no longer a reliable IT security
measure and must be replaced by more efficient
systems for protecting the computer contents.
At the same time, laptops are getting more
mobile by the year, with increasing thefts as
a result. The ways of accessing confidential
information have also increased, with for example
increasing use of web access and advanced
mobile phones. Statistics also show that
the number of targeted attacks and planned
financial frauds is increasing globally.
The IT security business is flooded with different
solutions, both technical and organizational, for
securing the information in computers. Regarding
the technological development, most efforts have
gone into developing and designing security solutions
that are focused on increasing the efficiency of
the authentication phase, rather than increasing
the security of the actual
usage of the computer.
BehavioSec is the first company to present a
Behaviometric solution that efficiently secures the
entire period after authentication from intrusions.
It is a patent-pending IT-security software solution
that blends high-tech technology with the
user’s own unique behavioral pattern to create
a new security token, the human behavior.
Behaviometrics – a paradigm shift in information security
Behaviometrics offers a new generation of
information security solutions simply by using
the individual itself as its core asset, an asset
that is extremely hard to replicate, which makes
it the ultimate solution against identity theft.
By covering the previously unprotected
period of time between login and logout,
Behaviometrics becomes a very powerful
weapon in the fight against computer intrusions.
Any unauthorized user that previously could
access a computer with confidential information,
either by hacking the password, logging in
with stolen credentials or accessing a logged-on
computer, can now be stopped and the
intrusion is prevented while it is happening.
The definition of Behaviometrics
The word “Behaviometrics” derives from
the terms “behavioral” and “biometrics”.
“Behavioral” refers to the way a human person
behaves and “biometrics”, in an information
security context, refers to technologies
and methods that measure and analyze
biological characteristics of the human body
for authentication purposes, for example
fingerprints, eye retina and voice patterns.
In other words Behaviometrics, or behavioral
biometrics, is a measurable behavior used to
recognize or verify the identity of a person.
Behaviometrics focuses on behavioral
patterns rather than physical attributes.
Behaviometrics is measuring human
behavior in order to recognize or
verify the identity of a person.
Can a behavioral pattern be stolen?
A human behavioral pattern consists of a variety
of different unique “semi-behaviors”, all mixed
together into a larger and utterly more unique
profile. Since every person’s unique Behaviometric
pattern is formed not only by biometric features,
like the way you move your hand, but is also
influenced by more social and psychological
means, like if you are native in the language you
write, it is just about impossible to copy or imitate
somebody else’s behavior in front of the computer.
“47% of computer
security professionals
surveyed reported a
laptop theft over the
past twelve months”
- FBI & CSI’s annual
Computer Crime and
Security Survey, 2006
The fourth factor - (de)authentication
Why settle for “strong authentication” when
Behaviometrics goes beyond? Behaviometrics
adds a new security factor that protects not
only the beginning, but the time throughout
the entire working session, which is a leap
forward in protecting confidential information.
[Figure: session timeline from Login to Logout. Initial authentication by password, smartcards or biometric solutions at Login; continuous authentication with behaviometric software while the computer is in use.]
Behaviometrics can efficiently prevent intrusions
on laptops or workstations by continuously
verifying that it is, in fact, the authorized user that
is accessing the computer. And from the user’s
point of view, this security factor makes the daily
work more efficient since there is no need to
change the way users work to protect the
workstation from abuse.
A new layer of IT security
Securing information in companies and
enterprises can be done in many different steps
or “layers”, all depending on the closeness
to the confidential information that must be
secured. The actions can vary from physically
shutting out intruders with fences, creating
different security zones for employees, to having
efficient firewalls and routines for changing
your password every month. Up until today,
most security solutions can be defined as
part of one of the following security layers:
• Physical safety – alarms, entry cards, cameras
etc.
• Network protection – firewalls etc.
• Access management – password, smartcards,
biometrical solutions
Behaviometric security adds another layer,
even closer to the confidential information
than access management: the human itself.
To get through this new layer of security, the
intruders have to copy another person’s behavioral
pattern, which has proven to be impossible. The
closer unauthorized persons come to the
information inside the computers, the more likely
they are to succeed. The Behaviometric layer
sets any intruders at a definitive halt.
Protection against both crimes and accidents
One of the advantages of Behaviometrics is that
the intrusion detection software is unaffected by
factors like whether the intruder is an insider or
an “outsider”, whether the initial authentication
has been hacked or not and whether the
computer is standing in your office or at home.
All that really matters is that the behavior of
the person using the computer corresponds to
the behavioral profile of the logged-in user.
Here are some examples of incidents that can
be secured with a Behaviometric solution:
• Having your credentials stolen
• Losing your laptop
• Forgetting to log out
• Having your children accidentally delete
information on your work computer
Increasing need for efficient IT security worldwide
The drivers for more efficient IT security are
somewhat different depending on business
segment, each of which has its own way of working
together with unique possibilities and threats.
Below is a short description of the different
segments that all have the need to add an extra
layer of protection to their IT security.
Finance
Banks and other financial institutions that store
monetary assets have always been a target for
intrusions. Loss of information that derives
from these intrusions can be devastating and
have a long-term impact on customer trust.
Additionally, bank personnel have the means
to access and execute changes to their clients’
accounts, thus making it crucial to verify that it
is the correct user accessing the system.
A recent incident in Sweden, where an
unauthorized user remotely hijacked a
computer that was left unattended and started
transferring money, shows the vulnerability of
today’s security systems. Luckily, the intrusion
was disrupted when an employee saw the
mouse being moved on the screen although
no one was present and pulled the plug at
the last second, which stopped the attempt.
Healthcare
Hospitals and other care-related institutions store
private information about their clients in journals,
registers and records. This information can be
very sensitive and access is only given to the
persons responsible for the patient. The last
years have provided lots of examples of integrity
violations when confidential information, such
as medical records, has ended up in media
and newspapers. Meanwhile, public debates
have been widespread and the demands for
both legal actions and other ways of protecting
personal integrity have been raised.
An example of this was when Swedish foreign
minister Anna Lindh died in hospital after
being attacked in central Stockholm, in 2003.
Media afterwards published confidential
information that derived from her medical
records. Later it was established that a large
number of employees not involved with the
direct care had been accessing confidential
records through another user’s account.
Governmental organizations
Keeping the nation state’s information intact
from abuse and intrusions is crucial to be
able to protect its borders and citizens. The
attempts at intrusion are most likely to be
for the purpose of espionage and the kind of
organizations that this segment consists of
varies from defense to political parties.
During the election in Sweden in 2006 a
representative of a political party gained
access to its counterpart’s information system
through stolen credentials. Having access to
their opponent’s strategy and action plan, this
information was later used in the campaign
to counteract their opponents.
Private Enterprises
Protecting company information is of the highest
importance to all private enterprises. There is a
great deal of responsibility as to how sensitive
information and communication should be
handled to protect intellectual property assets
such as pharmaceutical research, software
development, launch plans and other key
resources. A large number of external resources
can also often access critical and sensitive
information; for example, accountants often have
direct access to their customers’ financial data,
which is only intended for the auditing. This
information can easily be acquired by stealing
a laptop and then accessing the sensitive
content through known or hacked credentials.
Recently, the problem of insider abuse has been
accelerating in companies where workstations
can be accessed by non-authorized users inside
the premises of the organization. An insider can
gain access to a user account either at a logged-on
computer or through known passwords or
stolen credentials. Also, since 2002, regulatory
compliance for public companies has stressed
security as a key issue for the company’s liability.
Behavio – the first Behaviometric solution
Behavio is patent-pending IT-security software
that enables a new layer of protection against
insider abuse, data theft and identity theft by
guaranteeing that it is the correct user accessing
the data at all times. The solution has no impact
on usability and does not require any extra tokens.
After a user is verified with traditional security
measures, such as passwords, Behavio
continuously monitors the user during the
whole working session to create an ongoing
authentication process. Behavio identifies
unauthorized users within seconds by detecting
anomalies in how they interact with a computer’s
keyboard, mouse and graphical user interface,
thereby avoiding information theft. Intrusions
can then be stopped while they are happening.
The behavioral pattern which is the base
for the ongoing verification of the user
profile is a complex mix of mouse dynamics,
keystroke dynamics, the user’s GUI interaction
and advanced behavioral algorithms.
Behavio enhances the current protection of all
workstations, such as laptops and desktops, even
after the user has logged into the system. It does
not interfere with the normal workflow. Simply
using the computer in the everyday work makes
the software increasingly more efficient and the
confidential information more secure. It doesn’t
matter if you are working from home or if you are
outsourcing, Behavio ensures it is the correct user
handling your company’s information. Behavio
will show that companies put information security
foremost and that they are regulatory compliant.
Features
Behavio is created to be invisible to the eye
for the user sitting in front of the computer. It
does not affect the daily use of the computer;
it actually benefits from all the work the user
performs. Here are the main features:
• Continuous – It continuously protects the data
after access authentication.
• Adaptive – It continuously learns the behavior
of the user and improves the user’s behavioral
profile.
• Transparent – The users cannot see or
manipulate the software
• Non-intrusive – The software respects the user’s
integrity: it does not register what the user is
doing, it only verifies how the user is working
• Easy to manage – The software requires
minimal central configuration and administration
• Easy to integrate – The software requires no
additional hardware
An attempt from an authorized user to access a
computer can be monitored and analyzed via the
Behavio Log Analyzer. The picture below illustrates
what happens when an unauthorized user starts
using the computer. Immediately after the start
of the unauthorized usage, the Behavio software
detects the intruder and drops the authentication
grade below the accepted level. The opposite
occurs when the authorized user returns to the
computer and starts to use it: the authentication
grade instantly returns to normal levels.
Behavio behind the scenes
By continuously studying different aspects of
the user’s input Behavio will detect anomalies
in the user’s behavior. The main principle is to
generate a statistical block and then compare
it to the user profile. While each aspect of the
behavior will generate its own conclusions, the
results are summarized into a single similarity
ratio. If the ratio drops below the threshold
then the user is considered to be an impostor.
Behavio consists of a monitor, behavioral profile,
detection engine and validation engine. The
monitor is the eye of the software, tracking
how the user is interacting with the computer.
The behavioral profile is the virtual fingerprint
of the expected behavior and the detection
engine is the heart of the software. The
validation engine draws conclusions on whether
it is the correct user or not and signals for action.
The detection engine consists of multiple
specialized detection engines. When the user
is using the computer the monitor will filter the
data and store it in different buffers. When one
or more of the buffers are filled the software
will signal the appropriate detection engines to
start working. As specialized detection engines
only calculate a specific aspect of the user’s
behavior when it is needed, this helps keep the
system resource overhead at a minimum level.
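[Figure: Monitor, Filter, User Profile and detection engines E1 to E6 forming the Detection Network, whose outputs are combined as follows]
$$\frac{\prod_{i=1}^{n} E_i}{\prod_{i=1}^{n} E_i + \prod_{i=1}^{n} (1 - E_i)}$$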
Behavio allows the individual detection engines
to execute independently of each other. The gain
from doing so is that it allows for evaluation of
the different behavioral aspects asynchronously.
Running a detection routine as soon as there
is sufficient data for that specific trial makes the
system more responsive and in the end it leads
to better protection against unauthorized usage.
Bootstrapping the initial authentication
During the operating system boot process
Behavio is launched as a background process and
starts to monitor user space for new sessions.
When a user has logged in Behavio will spawn
another process and hook it on to the newly
started session. It will now start to extract
information such as the username and load the
user profile associated with that account.
When the behavioral profile is loaded it will start to
authenticate the user by continuously comparing
it against the current input from the user.
[Figure: timeline of the system and desktop sessions. Labels: Start Behaviometric, Wait for new session, Login, Session, Hook, Monitor thread, Data stream, Logout, Close; axis: Time.]
The behavioral profile
At the beginning the profile will be empty
and Behavio has to learn the behavior of
the user. At this early stage it is difficult to tell
the difference between friend and impostor,
and the system initially assumes that it is the
correct user handling the computer.
In order to handle the evolution of the
user’s behavior the system has to tolerate
small shifts and gradually make the
necessary changes in the profile.
To make sure that a potential impostor who has the
login credentials cannot take advantage of this and
taint the profile with his or her behavior, the new
data has to be stored in quarantine until it goes
into the profile. The principle is that if an
unauthorized user is detected, the data in the
quarantine will be emptied. If the user is
determined to be the correct user, the system will
automatically update the user profile with the data
stored in the quarantine.
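The quarantine principle described above, sketched as an added example (not BehavioSec's code). The single feature (key hold time in milliseconds), the three-block commit window, the history cap and the sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class QuarantinedProfile:
    """Profile of one feature (assumed: mean key hold time in ms) with a quarantine."""
    threshold: float = 0.60   # similarity ratio needed to count as the correct user
    commit_after: int = 3     # assumed: accepted blocks in a row before data is trusted
    max_weight: int = 20      # assumed: caps history so the profile keeps adapting
    mean: float = 0.0
    count: int = 0
    quarantine: list = field(default_factory=list)

    def observe(self, sample_ms: float, similarity: float) -> str:
        """Process one statistical block; returns 'detect', 'accept' or 'commit'."""
        if similarity < self.threshold:
            # Unauthorized user detected: everything still in quarantine is
            # discarded, including blocks that individually passed the threshold.
            self.quarantine.clear()
            return "detect"
        self.quarantine.append(sample_ms)
        if len(self.quarantine) < self.commit_after:
            return "accept"
        # Enough consecutive accepted blocks: fold the quarantine into the
        # profile gradually, so small shifts in behavior are tolerated.
        for sample in self.quarantine:
            self.count += 1
            self.mean += (sample - self.mean) / min(self.count, self.max_weight)
        self.quarantine.clear()
        return "commit"


# Constructed session: (key hold time in ms, similarity ratio of the block).
OWNER = [(100.0, 0.91), (104.0, 0.88), (96.0, 0.93)]
# Constructed follow-up: someone else at the keyboard after a valid login;
# the first two blocks happen to score above the threshold.
IMPOSTOR = [(180.0, 0.70), (175.0, 0.65), (185.0, 0.40)]


def replay(blocks):
    """Feed blocks through a fresh profile and return it with the event log."""
    profile = QuarantinedProfile()
    events = [profile.observe(ms, ratio) for ms, ratio in blocks]
    return profile, events


if __name__ == "__main__":
    profile, events = replay(OWNER + IMPOSTOR)
    print(events)
    print(profile.mean, profile.count, profile.quarantine)
```

The two accepted blocks from the second user never reach the profile because detection arrives before the commit window closes; the length of that window is the trade-off between how fast the profile adapts and how long unverified data is held back.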
Evaluating the output
To illustrate the evaluation of the detection
engine output let’s assume a setup with
7 separate detection engines, where
the current outputs could be:
Engine 1 [E1]   Engine 2 [E2]   Engine 3 [E3]   Engine 4 [E4]   Engine 5 [E5]   Engine 6 [E6]
62%             78%             64%             52%             48%             51%
The results above indicate the probability that it is
the correct user from each detection engine’s point
of view. All results over 50% mean that it is most
likely the correct user while everything below 50%
is most likely to be an intruder. At exactly 50%
the system indicates that it could be either one.
The administrator can set a detection threshold
that allows for the ups and downs in the everyday
behavior. The benefit is that false rejects and false
accepts are directly associated with the threshold
level, which allows for explicitly defined individual
risk mitigation. Let’s say that the threshold is
set to 60%, which means that the probability
that it is the correct user has to be at least 60%
in order to not be detected as an impostor.
In order to combine the output from
the detection engines we use Bayes’
theorem to produce a similarity ratio.
The similarity ratio is calculated as A / (A + B) where:
A is the probability that it is the correct user
B is the probability that it is not the correct user
A = 0.62 × 0.78 × 0.64 × 0.52 × 0.48 × 0.51 = 0.0393986212
B = (1-0.62) × (1-0.78) × (1-0.64) × (1-0.52) × (1-0.48) × (1-0.51) = 0.00368086118
As we can see in this example, the chance
that it is the correct user (A) is greater
than the chance that it is an impostor (B).
Similarity ratio = 0.0393986212 / (0.0393986212 + 0.00368086118) = 0.914556513
The result in this case shows that the
probability of it being the correct user is close
to 91.5%, and since it is above the set threshold
the user is accepted. Otherwise the
system would have signaled detection.
By amplifying the special characteristics of the
user’s behavior the accuracy is increased. By
amplifying that specific behavioral aspect it will
have a larger impact on the final evaluation.
We can for example amplify the test if a certain
aspect is especially accurate for a specific
user, as if the user was writing with almost
exactly the same rhythm the entire time.
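The similarity ratio and threshold check from this section, as an added example (not BehavioSec's code) that also covers an engine reporting exactly 0% or 100% and the effect of amplifying one engine. Computing in log-odds, clamping with `eps`, and modelling amplification as a per-engine exponent are assumptions; the paper does not say how amplification is implemented.

```python
import math

# E1..E6 as listed in the engine output table of this section.
PAPER_OUTPUTS = [0.62, 0.78, 0.64, 0.52, 0.48, 0.51]


def similarity_ratio(outputs, weights=None, eps=1e-9):
    """Return A / (A + B), with A = prod(p**w) and B = prod((1 - p)**w).

    With every weight at 1 this is the paper's formula. A weight above 1
    amplifies that engine (assumed model). The ratio is evaluated as a
    logistic of summed log-odds, which is algebraically the same value but
    does not underflow when many engines are multiplied together.
    """
    if not outputs:
        raise ValueError("need at least one engine output")
    weights = [1.0] * len(outputs) if weights is None else list(weights)
    if len(weights) != len(outputs) or any(w < 0 for w in weights):
        raise ValueError("one non-negative weight per engine is required")
    log_odds = 0.0
    for p, w in zip(outputs, weights):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"engine output {p!r} is not a probability")
        # Clamp so a single engine at 0 or 1 cannot pin the result, and so
        # one engine at 0 plus another at 1 does not become 0 / 0.
        p = min(max(p, eps), 1.0 - eps)
        log_odds += w * (math.log(p) - math.log1p(-p))
    if log_odds >= 0:
        return 1.0 / (1.0 + math.exp(-log_odds))
    z = math.exp(log_odds)
    return z / (1.0 + z)


def decide(outputs, threshold=0.60, weights=None):
    """'accept' when the ratio reaches the administrator's threshold, else 'detect'."""
    return "accept" if similarity_ratio(outputs, weights) >= threshold else "detect"


if __name__ == "__main__":
    # The paper's worked example.
    print(round(similarity_ratio(PAPER_OUTPUTS), 9), decide(PAPER_OUTPUTS))
    # Six engines that are each only mildly confident (constructed values).
    print(round(similarity_ratio([0.62] * 6), 4))
    # Engine 2 amplified with weight 2 (constructed weights).
    print(round(similarity_ratio(PAPER_OUTPUTS, [1, 2, 1, 1, 1, 1]), 4))
    # Constructed outputs that mostly lean towards "not the correct user".
    print(decide([0.45, 0.40, 0.55, 0.38, 0.47, 0.50]))
```

Six engines that each report only 62% combine to roughly 95%, because multiplying the outputs treats the engines as independent. Engines that measure correlated aspects of behavior therefore overstate confidence, which matters when choosing the threshold.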
Deploying Behavio into the company network
The Behavio solution consists of a client in
each workstation and a central management
system. While each client has a local behavioral
profile cache, the server stores all the users’
profiles in a central profile repository.
Being able to synchronize the profiles
between the server and the clients increases
the mobility of the users. As long as you
have an internet connection and the Behavio
client installed, the software will automatically
synchronize with the server in order to get the
latest profiles and settings. If the server cannot
be reached, the client will continue with the last
known settings and a cached user profile.
Administration
The Behavio Management Server is
administered through a web interface which
is accessible with any modern browser. Users and groups
can be imported from LDAP sources.
Architecture
Behavio Management Server is built on
Linux, Apache, PostgreSQL and PHP. This
configuration is similar to the LAMP architecture
which is widely used and tested amongst
web hotels as well as large companies.
The architecture, which is open in its nature, can
easily be customized to run on other operating
systems, web servers and database systems.
About BehavioSec
Discovering the potential of the human behavior
In 2004, the founders of BehavioSec started
to look into the data security market in order
to find an interesting angle for their master’s
thesis at Luleå University of Technology, in the
north of Sweden. What they found out was that
most economical and developmental efforts at
that time were focused on either strengthening
the physical safety systems or refining login
procedures for access authentication. They also
found out that there were no software products on
the market targeting the time after login.
There was a gigantic security gap between
the time of login and the time of logout from a
software point of view. This insight led the two
researchers to focus on the characteristics of
this period in order to find the key asset for new
data protection software. And what they found
was the potential of the human behavior!
A new and innovative company
The Swedish company BehavioSec was
established in 2006 at the Aurorum Science Park in
Luleå. The company and its products are a direct
result of scientific research made by students
from Luleå University of Technology in 2004.
BehavioSec has been a member of
the Aurorum Business Incubator since the start. The business
idea has been awarded several international
innovation prizes. The organizations that have
financially supported the development of
Behavio are the Luleå University of Technology
combined with other seed capital funding.
Thoughts about a future security market
While the technology evolution continues at a
rapid rate, the workplace also continues to move
outside the physical boundaries of the company.
This is a natural progress since it could raise
the effectiveness of a business organization.
We believe that the entry point for attackers will
shift from today’s entry through the networks
towards attacking the company from the
devices that are outside the company’s physical
defenses. By stealing the credentials of an
authorized user the attacker will be able to reach
the information more easily than by attacking the well
defended networks. The attackers are likely to
focus on stealing legitimate users’ credentials
and exploiting them at mobile devices
such as laptops, cell phones and the company
intranet, thus accessing endpoints that are
not secured by the company’s walls. Smart
cards will in these cases be ineffective since
they will be out in the wild. Can you trust that
it is the right person carrying the smart card
and the smart card reader? What if they were
stolen from your employee’s home last night?
Behaviometrics is soon going to be a natural
part of forensics, especially when it comes to
insider abuse. With close to 100% certainty,
the authorities can claim that it was a certain
user that was using the computer at a given
time. Insider abuse could then be part of history,
as insiders would no longer be able to say:
“someone else accessed my account”. With the
concept of ongoing authentication, BehavioSec
can deliver a full security solution which will protect
everything from workstations and laptops to mobile
phones and web/intranets against unauthorized
access. That is how we want to contribute to a
more secure and thus more peaceful IT business.
Peder Nordström,
Founder and Chief Technology Officer
For more information
please contact sales at
BehavioSec
Jakobs torg 3
SE-111 52 Stockholm, Sweden
Phn. +46(0)920-75045
Fax. +46(0)920-75010
www.behaviosec.com
BehavioSec is a
registered trademark