U.S. patent application number 10/427810 was filed with the patent office on 2004-11-04 for intrusion detector based on mouse dynamics analysis.
Invention is credited to Ahmed, Ahmed Awad E., Traore, Issa.
Application Number | 20040221171 10/427810 |
Document ID | / |
Family ID | 33310267 |
Filed Date | 2004-11-04 |
United States Patent
Application |
20040221171 |
Kind Code |
A1 |
Ahmed, Ahmed Awad E. ; et
al. |
November 4, 2004 |
Intrusion detector based on mouse dynamics analysis
Abstract
A biometric intrusion detection system based on mouse dynamics
analysis, the analysis of mouse dynamics for a specific user
generates a number of factors (Mouse Dynamics Signature) which can
be used to ensure the identity of the user, an intelligent
detection technique is developed to recognize differences in
behaviors and detect intrusion.
Inventors: |
Ahmed, Ahmed Awad E.;
(Victoria, CA) ; Traore, Issa; (Victoria,
CA) |
Correspondence
Address: |
Ahmed Awad E. Ahmed
Department of Electerical and Computer Engineering
University of Victoria
PO Box 3055
Victoria
BC
V8W 3P6
CA
|
Family ID: |
33310267 |
Appl. No.: |
10/427810 |
Filed: |
May 2, 2003 |
Current U.S.
Class: |
726/23 |
Current CPC
Class: |
G06F 21/316 20130101;
G06F 21/36 20130101 |
Class at
Publication: |
713/200 |
International
Class: |
G06F 011/30 |
Claims
1. By monitoring and analyzing mouse dynamics for a specific user
over a period of time it is possible to produce what is called a
`Mouse Dynamics Signature`, Mouse Dynamics Signature is a set of
curves describing the monitored behavior and characterizing the
mouse dynamics of the user over that period of time.
2. By continuously monitoring mouse dynamics on an active
workstation, and comparing the calculated mouse dynamics signature
over a period of time to the stored mouse signature of the user who
is logged in to the workstation it is possible to detect intrusion.
Description
BACKGROUND OF THE INVENTION
[0001] The main focus of this research is the development of an
intelligent intrusion detection system that utilizes user biometric
information in the identification and verification processes.
[0002] Biometric based detectors are considered of the most fast
and accurate detectors, in this patent we introduce a new biometric
detector, mouse dynamics detector. The detector functionality is to
observe the user behavior, acquire input data, and analyze it in
order to produce a list of factors characterizing the user
behavior.
BRIEF SUMMARY OF THE INVENTION
[0003] By monitoring mouse dynamics information, and analyzing the
characteristics of this input over different sessions it is
possible to calculate a user identification signature that can be
used to ensure the user identity and detect any possible intrusion
or misuse of the system.
BRIEF DESCRIPTION OF THE DRAWINGS
[0004] FIG. 1 illustrates the generation of a mouse dynamics
signature.
[0005] FIG. 2a shows a comparison of two mouse dynamics signatures
for the same user.
[0006] FIG. 2b shows a comparison of mouse dynamics signatures for
two different users.
DETAILED DESCRIPTION OF THE INVENTION
[0007] 1. Mouse Movement Analysis
[0008] In this detector mouse actions are recorded and processed on
a real time basis, movement characteristics being analyzed to
produce a set of factors characterizing the behavior, the aim of
the research work in this area is to produce what is called a mouse
dynamics signature for each registered user.
[0009] This signature is constructed from a set of factors
describing the user behavior, using this signature the system will
be able to detect if unauthorized user is using the system.
[0010] 2. Classification of Actions
[0011] Mouse input actions can be classified as follows:
[0012] Movement (General Movement)
[0013] Drag and Drop (the action starts with mouse button down,
movement, then mouse button up)
[0014] Point & Click (mouse movement followed by a click or
double click)
[0015] Silence (No Movement)
[0016] From the above mentioned classification, the analysis can be
divided into two categories, movement analysis, and silence
analysis; different approaches are used in each category to collect
the factors characterizing it.
[0017] Following are some examples on the type of factors collected
from each analysis.
[0018] Movement Analysis Examples:
[0019] Calculating the average speed compared to the traveled
distance, this produces three graphs for the 3 types of movement
actions
[0020] Calculating average speed compared to the movement
direction, 8 different directions are considered
[0021] Calculating the average traveled distance for a specific
period of time, with regards to different movement directions; from
this data we can build a pattern for the use of different
directions.
[0022] Silence Analysis Examples:
[0023] Calculating the average of silence periods between
movements
[0024] Calculating amount of silence in a period of time
[0025] Comparing the percentage of the silence time to movement
time in a period of time
[0026] Determining weights for different movement directions to
answer the following questions:
[0027] What is the major movement direction to start movement after
a silence period
[0028] What is the major movement direction to end with before a
silence period
[0029] Factors collected from the above mentioned analysis are
passed to a detection unit which uses neural networks to compare
the collected input data against a pre analyzed heuristic
information, produce what we call `suspicious ratio`, and apply a
decision making algorithm to propose the proper action.
[0030] An example of the mouse dynamics signature is the traveled
distance/movement speed curve (FIG. 1), a neural network is used to
model this curve, the network is trained with the collected raw
data, mouse dynamics signature is a curve generated from the output
(movement speed) of the trained network against an input presenting
the full spectrum of the traveled distances.
[0031] A learning/tuning algorithm is used to improve the
efficiency of the system for a reliable and accurate detection, and
decrease the false acceptance/rejection ratios.
[0032] FIG. 2 shows an example of the comparison process for two
different cases, FIG. 2a shows a recorded mouse dynamics signature
compared to reference signature of the same user, and FIG. 2b shows
a recorded mouse dynamics signature of an intruder compared to
reference signature of the logged in user.
[0033] Intrusion is detected if the difference between the curves
is over a pre calculated threshold limit.
* * * * *