
Scientific and Technical Journal of Information Technologies, Mechanics and Optics


A method of detecting information security incidents based on anomalies in the user’s biometric behavioral characteristics

https://doi.org/10.17586/2226-1494-2022-22-4-760-768

Abstract

Nowadays a significant share of attacks on information systems are multi-stage attacks, and in many cases the key actors are insiders. An insider's actions differ from a legitimate user's activity, so a model of the legitimate user's behavior can be built, and deviations from that model can be classified as information security events or incidents. Existing approaches to anomaly detection in user activity use separate characteristics of user behavior without taking into account their interdependencies and their dependence on various factors. The task of the study is to form a comprehensive characteristic of the user's behavior when working at a computer, a "digital pattern", for detecting information security events and incidents. The essence of the method is the formation of a digital pattern of the user's activity by analyzing the behavioral characteristics, and the dependencies between them, selected as predictors. The method forms the model through unsupervised machine learning; the following algorithms were considered: one-class support vector machine, isolation forest and elliptic envelope. The Matthews correlation coefficient was chosen as the main quality metric for the models, and other indicators were also taken into account. Using the selected quality metrics, a comparative analysis of the algorithms with different parameters was conducted. An experiment was carried out to evaluate the developed method and compare its effectiveness with the closest analogue. Real data on the behavior of 138 users were used to train and evaluate the models within the studied methods. According to the results of the comparative analysis, the proposed method outperformed the analogue on all considered metrics, including an increase in the Matthews correlation coefficient of 0.6125 compared to the anomaly detection method based on keystroke dynamics. The proposed method can be used for continuous user authentication to protect against unauthorized access and for identifying information security incidents related to the actions of insiders.
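As an added illustration of the pipeline the abstract describes (this is not the authors' code and the paper's actual predictors and data are not on this page): a legitimate user's baseline sessions are summarised as feature vectors, an elliptic envelope is fitted to them (centre plus inverse covariance), new sessions are scored by squared Mahalanobis distance and flagged beyond a chi-square cut-off, and the detector is judged with the Matthews correlation coefficient. The three feature names, all session values and labels, and the 0.975 chi-square threshold are constructed assumptions chosen for the example.

```python
"""Elliptic-envelope-style scoring of a user's behavioural "digital pattern".

Added illustration, not the paper's code: fit a Gaussian envelope to a
legitimate user's baseline sessions, score new sessions by squared
Mahalanobis distance, flag those beyond a chi-square cut-off, and judge the
detector with the Matthews correlation coefficient (MCC). Feature names,
values, labels and the threshold are constructed assumptions.
"""
from math import sqrt

# Constructed per-session feature vectors for one legitimate user:
# (mean key dwell time ms, mean flight time ms, mean mouse speed px/ms).
BASELINE = [
    (98.0, 152.0, 2.1), (104.0, 148.0, 1.9), (100.0, 155.0, 2.0), (96.0, 149.0, 2.2),
    (102.0, 151.0, 1.8), (99.0, 147.0, 2.0), (101.0, 153.0, 2.1), (103.0, 150.0, 1.9),
]

# Constructed sessions to score, with a ground-truth label (1 = someone else at the keyboard).
NEW_SESSIONS = [
    ((100.0, 151.0, 2.0), 0), ((99.0, 150.0, 2.0), 0), ((101.0, 152.0, 2.0), 0),
    ((160.0, 260.0, 1.0), 1), ((60.0, 70.0, 3.5), 1), ((100.0, 150.0, 0.8), 1),
]

# Assumed cut-off: 0.975 quantile of chi-square with 3 degrees of freedom (one per feature).
CHI2_3_975 = 9.348


def mean_vector(rows):
    n = len(rows)
    return [sum(r[i] for r in rows) / n for i in range(len(rows[0]))]


def covariance(rows, mu):
    """Unbiased sample covariance matrix of the baseline sessions."""
    n, d = len(rows), len(mu)
    return [[sum((r[i] - mu[i]) * (r[j] - mu[j]) for r in rows) / (n - 1)
             for j in range(d)] for i in range(d)]


def invert(matrix):
    """Gauss-Jordan inverse with partial pivoting (fine for a handful of features)."""
    n = len(matrix)
    a = [list(row) + [1.0 if i == j else 0.0 for j in range(n)] for i, row in enumerate(matrix)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(a[r][col]))
        if abs(a[pivot][col]) < 1e-12:
            raise ValueError("singular covariance: baseline needs more varied sessions")
        a[col], a[pivot] = a[pivot], a[col]
        p = a[col][col]
        a[col] = [v / p for v in a[col]]
        for r in range(n):
            if r != col and a[r][col] != 0.0:
                f = a[r][col]
                a[r] = [rv - f * cv for rv, cv in zip(a[r], a[col])]
    return [row[n:] for row in a]


def fit_envelope(rows):
    """Model = centre and precision (inverse covariance) of the baseline cloud."""
    mu = mean_vector(rows)
    return mu, invert(covariance(rows, mu))


def score(model, x):
    """Squared Mahalanobis distance of a session from the envelope centre."""
    mu, precision = model
    dev = [xi - mi for xi, mi in zip(x, mu)]
    return sum(dev[i] * precision[i][j] * dev[j]
               for i in range(len(dev)) for j in range(len(dev)))


def mcc(tp, tn, fp, fn):
    """Matthews correlation coefficient; 0.0 when a margin is empty (undefined case)."""
    denom = sqrt((tp + fp) * (tp + fn) * (tn + fp) * (tn + fn))
    return 0.0 if denom == 0 else (tp * tn - fp * fn) / denom


def evaluate(model, sessions, threshold):
    """Flag sessions above the threshold and tally the confusion matrix against labels."""
    counts = {"tp": 0, "tn": 0, "fp": 0, "fn": 0}
    flags = []
    for features, is_insider in sessions:
        flagged = score(model, features) > threshold
        flags.append(flagged)
        key = ("tp" if is_insider else "fp") if flagged else ("fn" if is_insider else "tn")
        counts[key] += 1
    counts["mcc"] = mcc(counts["tp"], counts["tn"], counts["fp"], counts["fn"])
    counts["flags"] = flags
    return counts


if __name__ == "__main__":
    model = fit_envelope(BASELINE)
    for features, label in NEW_SESSIONS:
        print(features, "label", label, "score %.1f" % score(model, features))
    print(evaluate(model, NEW_SESSIONS, CHI2_3_975))
```

Two practitioner notes on this toy: a feature with very small baseline variance (mouse speed here) dominates the Mahalanobis distance, so any real deployment should check the covariance conditioning and the per-feature contribution before trusting a flag; and MCC is the right headline metric precisely because insider sessions are rare, so accuracy or even F1 would be dominated by the benign class.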

About the Authors

D. A. Esipov
ITMO University
Russian Federation

Dmitry A. Esipov — Engineer

Saint Petersburg, 197101



N. Aslanova
ITMO University
Russian Federation

Nargiz Aslanova — Student

Saint Petersburg, 197101



E. E. Shabala
ITMO University
Russian Federation

Egor E. Shabala — Engineer

Saint Petersburg, 197101



D. S. Shchetinin
ITMO University
Russian Federation

Daniil S. Shchetinin — Engineer

Saint Petersburg, 197101



I. Yu. Popov
ITMO University
Russian Federation

Ilya Yu. Popov — PhD, Associate Professor

sc 57202195632

Saint Petersburg, 197101





For citations:


Esipov D.A., Aslanova N., Shabala E.E., Shchetinin D.S., Popov I.Yu. A method of detecting information security incidents based on anomalies in the user’s biometric behavioral characteristics. Scientific and Technical Journal of Information Technologies, Mechanics and Optics. 2022;22(4):760-768. (In Russ.) https://doi.org/10.17586/2226-1494-2022-22-4-760-768



Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 2226-1494 (Print)
ISSN 2500-0373 (Online)