U.S. patent application number 16/691637 was filed with the patent office on 2020-05-28 for automated detection method for insider threat.
The applicant listed for this patent is THE ARIZONA BOARD OF REGENTS ON BEHALF OF THE UNIVERSITY OF ARIZONA. Invention is credited to Jeffrey L. Jenkins, Joseph S. Valacich.
Application Number | 20200163605 16/691637 |
Document ID | / |
Family ID | 52105254 |
Filed Date | 2020-05-28 |
View All Diagrams
United States Patent
Application |
20200163605 |
Kind Code |
A1 |
Valacich; Joseph S. ; et
al. |
May 28, 2020 |
AUTOMATED DETECTION METHOD FOR INSIDER THREAT
Abstract
The present invention provides a system and a method for
eliciting information to sensitive questions and reliably detecting
whether one is being deceptive, concealing information, or
experiencing a heightened emotional response to the question. In
particular, the system and the method of the invention are based on
analyzing the user behavioral biometric of using one or more input
device(s).
Inventors: |
Valacich; Joseph S.;
(Tucson, AZ) ; Jenkins; Jeffrey L.; (Provo,
UT) |
|
Applicant: |
Name |
City |
State |
Country |
Type |
THE ARIZONA BOARD OF REGENTS ON BEHALF OF THE UNIVERSITY OF
ARIZONA |
Tucson |
AZ |
US |
|
|
Family ID: |
52105254 |
Appl. No.: |
16/691637 |
Filed: |
November 22, 2019 |
Related U.S. Patent Documents
|
|
|
|
|
|
Application
Number |
Filing Date |
Patent Number |
|
|
14899865 |
Dec 18, 2015 |
10524713 |
|
|
PCT/US14/43057 |
Jun 18, 2014 |
|
|
|
16691637 |
|
|
|
|
61837153 |
Jun 19, 2013 |
|
|
|
Current U.S.
Class: |
1/1 |
Current CPC
Class: |
G06F 21/32 20130101;
G06F 21/316 20130101; G06F 21/40 20130101; A61B 5/164 20130101 |
International
Class: |
A61B 5/16 20060101
A61B005/16; G06F 21/32 20060101 G06F021/32; G06F 21/31 20060101
G06F021/31; G06F 21/40 20060101 G06F021/40 |
Claims
1-14. (canceled)
15. A method for analyzing behavior comprising: receiving, from a
subject, behavioral biometric information comprised of an input
device usage characteristic; translating the behavioral biometric
information into representative data; comparing the representative
data against reference behavioral biometric data, wherein the
reference behavioral biometric data is comprised of the subject's
behavioral biometric data and the behavioral biometric data of a
plurality of non-subjects; and outputting a result associated with
the subject's deceptive intent.
16. The method of claim 15, wherein the input device usage
characteristic is received from a pointing device.
17. The method of claim 16, wherein the pointing device is a mouse,
a joystick, a stylus, a trackball, a touch screen, or a touch
pad.
18. The method of claim 15, wherein the input device characteristic
is finger movement, precise timing, or applied pressure between an
initial position of a pointer and a second position associated with
an input selected by the subject.
19. The method of claim 15, further comprising requesting a second
input from the subject based on the result associated with the
subject's deceptive intent.
20. The method of claim 17, wherein the second input is selected
using a decision tree structure.
21. The method of claim 16, wherein the input device usage
characteristic is detected 20 to 100 milliseconds after a signal is
generated by the pointing device.
22. The method of claim 15, wherein the representative data is
averaged into fixed time intervals.
23. The method of claim 15, wherein the comparison of
representative data against reference behavioral biometric data
occurs at a remote server.
24. The method of claim 15, wherein the result associated with the
subject's deceptive intent is searchable on a management dashboard
application.
25. The method of claim 15, wherein the behavioral biometric
information is a number of times the subject changes an answer to a
query.
26. The method of claim 15, wherein the behavioral biometric
information is a total response time associated with the
subject.
27. The method of claim 15, wherein the behavioral biometric
information is an additional distance traveled by a cursor on the
screen relative to an idealized response trajectory for said
cursor.
28. The method of claim 15, wherein the behavioral biometric
information is an amount of time between key presses.
29. The method of claim 16, wherein the behavioral biometric
information is an average overall speed of the pointing device.
30. A non-transitory computer-readable medium that stores a program
for analyzing behavior that, when executed, causes a processor to:
receive, from a subject, behavioral biometric information comprised
of an input device usage characteristic; translate the behavioral
biometric information into representative data; compare the
representative data against reference behavioral biometric data,
wherein the reference behavioral biometric data is comprised of the
subject's behavioral biometric data and the behavioral biometric
data of a plurality of non-subjects; and output a result associated
with the subject's deceptive intent.
31. The non-transitory computer-readable medium of claim 30,
wherein the input device usage characteristic is received from a
pointing device.
32. The non-transitory computer-readable medium of claim 31,
wherein the pointing device is a mouse, a joystick, a stylus, a
trackball, a touch screen, or a touch pad.
33. The non-transitory computer-readable medium of claim 30,
wherein the input device characteristic is finger movement, precise
timing, or applied pressure between an initial position of a
pointer and a second position associated with an input selected by
the subject.
34. The non-transitory computer-readable medium of claim 30,
wherein the program, when executed, further requests a second input
from the subject based on the result associated with the subject's
deceptive intent.
35. The non-transitory computer-readable medium of claim 34,
wherein the second input is selected using a decision tree
structure.
36. The non-transitory computer-readable medium of claim 31,
wherein the input device usage characteristic is detected 20 to 100
milliseconds after a signal is generated by the pointing
device.
37. The non-transitory computer-readable medium of claim 30,
wherein the representative data is averaged into fixed time
intervals.
38. The non-transitory computer-readable medium of claim 30,
wherein the program, when executed, transmits the representative
data to a remote server for comparison against reference behavioral
biometric data.
39. The non-transitory computer-readable medium of claim 30,
wherein the result associated with the subject's deceptive intent
is searchable on a management dashboard application.
40. The non-transitory computer-readable medium of claim 30,
wherein the behavioral biometric information is a number of times
the subject changes an answer to a query.
41. The non-transitory computer-readable medium of claim 30,
wherein the behavioral biometric information is a total response
time associated with the subject.
42. The non-transitory computer-readable medium of claim 30,
wherein the behavioral biometric information is an additional
distance traveled by a cursor on the screen relative to an
idealized response trajectory for said cursor.
43. The non-transitory computer-readable medium of claim 30,
wherein the behavioral biometric information is an amount of time
between key presses.
44. The non-transitory computer-readable medium of claim 31,
wherein the behavioral biometric information is an average overall
speed of the pointing device.
Description
CROSS-REFERENCE TO RELATED APPLICATIONS
[0001] This application claims the priority benefit of U.S.
Provisional Application No. 61/837,153, filed Jun. 19, 2013, which
is incorporated herein by reference in its entirety.
FIELD OF THE INVENTION
[0002] The present invention relates to a system and a method for
eliciting information to sensitive questions that require use of an
input device (e.g., keyboard and/or pointing device, etc.) and
reliably detects whether one is being deceptive, concealing
information, or experiencing a heightened emotional or cognitive
response to the question by analyzing the input device usage
characteristic. In particular, the system and the method of the
invention are based on analyzing the user behavioral biometric of
using one or more input device(s).
BACKGROUND OF THE INVENTION
[0003] The threat of malicious insiders is a top concern for
government and corporate agencies. Insider threats--a trusted
adversary who operates within an organization's boundaries--are a
significant danger to both private and public sectors, and are
often cited as the greatest threat to an organization. Insider
threats include disgruntled employees or ex-employees, potential
employees, contractors, business partners, and auditors. The damage
caused by an insider threat can take many forms, including
workplace violence; the introduction of malware into corporate
networks; the theft of information, corporate secrets, or money;
the corruption or deletion of data; and so on. According to a
recent survey, it takes on average 416 days to contain an insider
attack (HP Cyber Risk Report, 2012), and insider threats have been
estimated to result in "tens, if not hundreds of billions of
dollars" in damages. The identification process of insider threats
is heightened in very large organizations. For instance,
identifying a small number of potential insider threats within an
organization with thousands of employees is a literal "needle in
the haystack" problem.
[0004] Therefore, there is a need for a system and a method for
determining whether a particular personnel poses an insider
threat.
SUMMARY OF THE INVENTION
[0005] Some aspects of the invention address the insider threat
challenge by providing a system and a method called ADMIT (i.e.,
Automated Detection Method for Insider Threat). In some
embodiments, ADMIT is a web-based survey tool that elicits
information to sensitive questions that requires an input device
usage (e.g., keyboard, and/or a pointing device, etc.) and reliably
detects whether one is being deceptive, concealing information, or
experiencing a heightened emotional or cognitive response to the
question by analyzing the input device usage characteristic.
[0006] Prior research on deception has established that humans
guilty of acts known to be immoral, criminal, or unethical have
uncontrolled physiological changes that can be detected as
observable behavioral changes when responding to questions
regarding such events. Similar to the way a polygraph (i.e., lie
detector) detects physiological changes in the body based on
uncontrolled responses when answering sensitive questions. The
present inventors have discovered that such responses can be
detected through monitoring a person's input device usage, (e.g.,
mouse and keystroke behavior) when a person is guilty of actions
known to be wrong. Abnormal behavior that is indicative of insider
threat can then be highlighted or alerted to specified individuals
in the organization for review and further investigation. ADMIT
operates like well-known web-based survey tools like
SURVEYMONKEY.RTM. or QUALTRICS.RTM., and thus can be mass deployed
to an entire organization simultaneously.
[0007] In one embodiment, the system and the method are based on a
subject's behavioral biometrics. The approach consists of
establishing distinctive behavioral biometrics for a subject based
on characteristic(s) of the subject's input device usage. The usage
characteristic comprises how and the way the user uses the input
device.
[0008] Some of the variables for how the user uses the input device
include, but are not limited to, input device dynamics. For
example, when the input device is a keyboard, the keyboard (i.e.,
input device) dynamics include, but are not limited to, the dwell
time (the length of time a key is held down), transition time (the
time to move from one key to another) and rollover time for
keyboard actions. After these measurements are collected, the
collected actions are translated and analyzed in order to determine
the truthfulness of the subject's answer to a particular
questionnaire. An algorithm can be used to generate a Keystroke
Dynamics Signature (KDS), which is used as a reference profile for
the subject using non-threatening or seemingly innocuous or
harmless questions. In some embodiments, the KDS is constructed
using a key oriented neural network based approach, where a neural
network is trained for each keyboard key to best simulate its usage
dynamics with reference to other keys.
[0009] When the input device is a pointing device such as a mouse,
the pointing device dynamics include, but are not limited to,
comparing selected pointing device actions generated by the subject
as a result of subject's answer to an on-screen question or
interaction with a graphical user interface (GUI) or any other
display shown on the display screen. The data obtained from these
actions are then processed in order to analyze the behavior of the
user. Pointing device actions include general pointing device
movement, drag and drop, point and click, and silence (i.e., no
movement). The behavioral analysis utilizes neural networks and
statistical approaches to generate a number of factors from the
captured set of actions; these factors are used to construct what
is called a Pointing Device Dynamics Signature (PDDS), a unique set
of values characterizing the subject's behavior during both seeming
innocuous or harmless questions and during a more direct
question-and-answer sessions. Some of the factors consist of
calculating the speed, total distance traveled, initial direction
of movement, total response time, change in direction on the
x-axis, change in direction on the y-axis, idle time, area under
the curve, amount of deviation, reaction time, applied pressure,
changes in angle, the pattern of a users' acceleration or
deceleration during a movement, the precision of movements, the
click latency, click pressure, or a combination of two or more
thereof
[0010] The detection algorithm for an input device calculates the
significance of each factor with respect to the other factors, i.e.
KDS, PDDS or other input device usage characteristics are weighted
since certain actions are more prone to revealing truthfulness of
the subject.
[0011] One particular aspect of the invention provides systems and
methods for detecting deception in a subject. In one embodiment,
this deception detection system (sometimes referred herein as ADMIT
or "Automated Detection Method for Insider Threat") is a web-based
survey tool that elicits information to sensitive questions and
reliably detects whether one is being deceptive, concealing
information, or experiencing a heightened emotional response to the
question.
[0012] As discussed above, systems and methods of the invention can
also include eliciting information from the subject on
non-sensitive, benign, innocuous or seemingly harmless questions
(i.e., control questions) to establish reference input device usage
characteristics of the subject. Control questions can be presented
at the beginning of the session or it can be interdispersed with
sensitive questions to establish the reference input device usage
characteristics of the subject. For example, the system and method
can include randomly inserting or presenting to the subject control
questions to determine the reference (or baseline) input device
usage characteristic.
[0013] Alternatively, the reference input device usage
characteristics can be based on the average input device usage
characteristics of a plurality of subjects for a particular
question. In this manner, the subject's input device usage
characteristics (i.e., behavioral biometrics) can be compared to
the "baseline" or the "reference input device usage
characteristics" that consists of average or range of input device
usage characteristic of a plurality of individual to the same
question. Accordingly, the baseline or the reference input device
usage characteristics can be based on the subject's own behavior
biometrics during non-sensitive or non-threatening questionnaire
session or it can be based on the input device usage
characteristics of a plurality of subjects' input device usage
characteristics for the same or similar question, or a combination
of both.
[0014] In general, ADMIT is based on the discovery that humans
guilty of acts known to be immoral, criminal, or unethical have
uncontrolled physiological changes that can be detected as
observable behavioral changes when responding to questions
regarding such events. Similar to the way a polygraph (lie
detector) detects physiological changes in the body based on
uncontrolled responses when answering sensitive questions when a
person is guilty of actions known to be wrong, the present
inventors have discovered that such responses can be detected
through use of an input device such as by monitoring mouse or other
pointing device usage characteristics and/or keystroke usage
characteristics. Abnormal behavior that is indicative of insider
threat can then be highlighted or alerted to specific individuals
in the organization for review and further investigation.
[0015] One particular aspect of the invention provides a behavioral
biometric-based deception analysis system and/or method for
determining whether a subject is truthful or deceptive to a
question of interest (i.e., a sensitive question or key question).
Such systems typically include displaying the question (e.g., on a
computer screen or projecting the question on a display). The
subject is then allowed to select or input subject's answer to the
question presented using one or more input device. The system
includes a data interception unit that is configured to intercept
input from the subject who is directed to a question presented on a
display screen. The data interception unit is configured to
passively collect an input device (e.g., a pointing device, such as
a mouse, a touch screen, a touch pad, a stylus, a track ball, etc.)
usage characteristic. The system also includes a behavior analysis
unit operatively connected to said data interception unit to
receive the passively collected input device usage characteristic;
and a behavior comparison unit operatively connected to said
behavior analysis unit. In some embodiments, the system dynamically
monitors and passively collects behavioral biometric information
(i.e., input device usage characteristics), and translates the
behavioral biometric information into representative data, stores
and compares results, and outputs a result associated with
truthfulness or deception to the question of interest presented on
the display screen.
[0016] In some embodiments, said behavior comparison unit is
operatively connected to an application or program that presents a
question on the display screen such that said behavior comparison
unit influences the next question presented on the display screen
by the application using a decision tree structure based on the
result. Thus, for example, if the subject's behavior biometrics is
ambiguous or inconclusive, a follow-up type of question can be
displayed to further analyze the subject's behavior biometrics to a
particular sensitive question.
[0017] Yet in other embodiments, the input device usage
characteristics comprise pointing (e.g., mouse, joystick, stylus,
trackball, etc.) device usage characteristics. In some instances,
the pointing device usage characteristics comprise movement of said
pointing device between the starting position of said pointing
device and the answer selected by the subject on the display
screen, the elapsed time between presentation of the question on
the display screen and the a selection of the answer by the
subject, the speed, total distance traveled, initial direction of
movement, total response time, change in direction on the x-axis,
change in direction on the y-axis, idle time, area under the curve,
amount of deviation, reaction time, applied pressure, changes in
angle, acceleration, the precision of movements, the click latency,
click pressure, or a combination of two or more thereof.
[0018] When the pointing device is a touch screen or a touch pad,
the usage characteristic can include finger movement, precise
timing, and applied pressure between the initial position of a
pointer and the answer on the display screen selected by the
subject. In addition or alternatively, the input device usage
characteristic can include characteristic can include speed, total
distance traveled, initial direction of movement, total response
time, change in direction on the x-axis, change in direction on the
y-axis, idle time, area under the curve, amount of deviation,
reaction time, applied pressure, changes in angle, the pattern of a
users' acceleration or deceleration during a movement, the
precision of movements, the click latency, click pressure, or a
combination of two or more thereof. The term "area under the curve"
refers to the area formed by the total distance or actual direction
traveled by the user starting from the starting position of the
pointer (x.sub.1, y.sub.1) to the answer selected by the subject
(x.sub.2, y.sub.2), and the distance between y.sub.1 and y.sub.2
(i.e., absolute value of y.sub.1-y.sub.2) and the distance between
x.sub.1 and x.sub.2. (i.e., absolute value of x.sub.1-x.sub.2).
[0019] Still in other embodiments, said input device (e.g.,
pointing device such as mouse) usage characteristic is based on the
speed, total distance traveled, initial direction of movement,
total response time, change in direction on the x-axis, change in
direction on the y-axis, idle time, area under the curve, amount of
deviation, reaction time, applied pressure, changes in angle, the
pattern of a users' acceleration or deceleration during a movement,
the precision of movements, the click latency, click pressure, or a
combination of two or more thereof
[0020] Yet in other embodiments, the behavior comparison unit
compares the result of the subject's behavioral biometric to a
reference behavioral biometric. In some instances, the reference
behavioral biometric comprises the subject's behavioral biometric
to a non-interested or non-sensitive question. In other
embodiments, the reference behavioral biometric comprises
behavioral biometric of a plurality of subjects based on the same
non-interested or non-sensitive question. Still alternatively, the
reference behavioral biometric can comprise behavioral biometric of
a plurality of subjects who answered truthfully on the same
sensitive question or who answered non-truthfully on the same
sensitive question. It should be noted in this case, the reference
behavioral biometric can comprise an average of behavioral
biometric obtained from the plurality of subjects. Alternative, the
reference behavioral biometric can be based on a desired confidence
limit (e.g., 95%) under the standard curve. In this latter
reference behavioral biometric, the subject's behavioral biometric
is analyzed to determine whether it is within the desired
confidence limit range.
[0021] In one particular embodiment, said reference behavioral
biometric comprises an average behavioral biometric to the same
question presented on the display screen of a plurality of
subjects.
[0022] Yet in other embodiments, said behavioral biometric-based
deception analysis system is suitably configured for real-time
deception analysis.
[0023] Still in other embodiments, said data interception unit is
further configured to passively collect keyboard usage
characteristic of the subject. In some instances, said keyboard
usage characteristic comprises what key was pressed, what time
(e.g., elapsed time between presenting the question on the display
screen and the time) a key was pressed, what time it was released,
or a combination thereof. Moreover, said keyboard usage
characteristic can be based on or includes at least one of speed,
transition time, dwell time, pressure of key pressed, or a
combination thereof.
[0024] Yet another aspect of the invention provides a method for
determining whether a subject is truthful or deceptive to a
question of interest, said method comprising: [0025] (a) presenting
a question of interest and a plurality of answers on a display
screen that requires use of an input device; [0026] (b) allowing a
subject to select an answer using the input device (e.g., a
pointing device, a keypad, a touch pad, or a touch screen); [0027]
(c) passively collecting subject's input device usage
characteristic; [0028] (d) comparing subject's input device
characteristic with a reference input device usage characteristic
to determine whether the subject is truthful or deceptive to the
question of interest; and [0029] (e) optionally repeating steps
(a)-(d) with a different question.
[0030] The different question can be a non-sensitive question to
further establish the subject's reference behavior biometrics. It
can also be another sensitive question or a follow-up question to
further establish the truthfulness of the subject.
[0031] In some embodiments, such a method can further comprise the
steps of: [0032] (a) presenting a benign or control question and a
plurality of answers on a display screen that requires use of the
input device; [0033] (b) allowing the subject to select an answer
using the input device; [0034] (c) passively collecting input
device usage characteristic of the subject; [0035] (d) storing
passively collected input device usage characteristic of the
subject as the reference input device usage characteristic (i.e.,
reference behavior biometrics); and [0036] (e) optionally repeating
steps (a)-(d) with a different question.
[0037] Still in other embodiments, said reference input device
usage characteristic is an average input device usage
characteristic of a plurality of subjects for the same question of
interest. It should be noted that such reference input device usage
characteristics can be either of those subjects who have truthfully
answered the question or input device usage characteristics of
those subjects who did not truthfully answer the question.
Alternatively, the method can compare to both of these subjects to
determine which reference input device usage characteristics more
closely resembles the subject's input device usage
characteristics.
[0038] Yet in other embodiments, said input device usage
characteristic comprises input device movement between the starting
position of input device and the answer selected by the subject on
the display screen.
[0039] In other embodiments, said input device usage characteristic
is based on at least one of speed, total distance traveled, initial
direction of movement, total response time, change in direction on
the x-axis, change in direction on the y-axis, acceleration, idle
time, area under the curve, amount of deviation, reaction time,
applied pressure, and changes in angle.
BRIEF DESCRIPTION OF THE DRAWINGS
[0040] FIG. 1 is a schematic representation showing combined mouse
movement resulting when multiple answers catch a respondent's
attention.
[0041] FIG. 2 is an example of insider threat question.
[0042] FIG. 3 is an example of one particular embodiment of ADMIT
response analysis framework.
[0043] FIG. 4 is a graph of X-location by real time for guilty
participants in a simulated ADMIT test.
[0044] FIG. 5 is a graph of X-locations by normalized time for
guilty participants in a simulated ADMIT test.
[0045] FIG. 6 is a graph of Y-locations by real time for guilty
participants in a simulated ADMIT test.
[0046] FIG. 7 is a graph of Y-locations by normalized time for
guilty participants in a simulated ADMIT test.
[0047] FIG. 8 is a graph of velocity by real time for guilty
participants.
[0048] FIG. 9 is a bar graph showing mean velocity for guilty
participants on control vs. key questions.
[0049] FIG. 10 is a graph showing angles by real time for guilty
participants.
[0050] FIG. 11 is a graph of X-locations by normalized time for key
items.
[0051] FIG. 12 is a graph of Y-locations by normalized time for key
items.
[0052] FIG. 13 is a graph of X-location by normalized time for
control items.
[0053] FIG. 14 is a graph of Y-location by normalized time for
control items.
DETAILED DESCRIPTION OF THE INVENTION
[0054] The present inventors have discovered that input device
(e.g., mouse and/or keyboard, other input devices known to one
skilled in the art, an other input devices that are developed)
usage features or characteristics are diagnostic of insider threats
in sensitive questions (i.e., questions about insider threat
activities or other key or security questions) administered on a
computer. Some aspects of the invention are based on the discovery
by the present inventors that when people see two or more answers
to a question that catch or draw their attention (e.g., a truthful
answer and a deceptive answer that the person will ultimately
choose), the mind automatically starts to program motor movements
toward both answers simultaneously. To eliminate one of the motor
movements (e.g., eliminate the movement towards confessing to an
insider threat activity), the mind begins an inhibition process so
that the target movement can emerge. Inhibition is not immediate,
however, but rather occurs over a short period of time depending on
the degree both answers catch the respondents attention (up to -750
milliseconds or more). If movement begins before inhibition is
complete, the movement trajectory is a product of motor programming
to both answers. See FIG. 1. Thus, in an ADMIT survey, when people
are asked a question about an insider threat activity and the
incriminating answer catches their attention, their mouse
trajectory is biased toward this incriminating answer (measured on
an x, y axis) on its way toward the non-incriminating (e.g.,
deceptive) answer. For innocent people, the incriminating answer
generally does not catch their attention to the same degree, and
thus inhibition occurs more quickly and their mouse movements is
less biased toward the opposite response.
[0055] In addition, being deceptive normally causes an increase in
arousal and stress. Such arousal and stress causes neuromotor noise
that interferes with people's fine motor skills (e.g., using the
hand and fingers to move a mouse or use a touch screen to answer a
question). As a result, the precision of mouse movements decreases
when people are being deceptive, ceteris paribus. To reach the
intended target (e.g., a deceptive answer in the ADMIT survey),
people automatically and subconsciously compensate for this
decrease in precision through reducing speed and creating more
adjustments to their movement trajectories based on continuous
perceptual input. Thus, in ADMIT surveys, the present inventors
have found that people exhibit slower velocity, more adjustments (x
and y flips), greater distance, and more hesitancy when being
deceptive compared to when telling the truth.
[0056] As another example, the present inventors have found that
people guilty of insider threat activities display different mouse
movements on non-incriminating questions compare to innocent
people. In anticipation of a question that might incriminate them,
guilty people show a task-induced search bias: before answering a
question, they take a fraction of a second longer to evaluate the
question. After seeing that the question is not relevant, they then
move more quickly to the truthful answer than innocent respondents.
Table 1 summarizes examples of mousing features that can be used to
differentiate between how guilty insiders and innocent respondents
respond to ADMIT questions. In some embodiments at least four or
more, typically at least eight or more, often at least ten or more,
still more often at least fifteen or more, and most often at least
twenty or more of these characteristics are determined and
analyzed. Still in other embodiments, all of the input device usage
characteristics in Table 1 are determined and analyzed.
TABLE-US-00001 TABLE 1 Examples of features that distinguish an
insider threat (exemplary features monitored) Statistic Description
X The X coordinates for each movement Y The Y coordinates for each
movement Z The Z coordinate for each movement Pressure The pressure
for each movement Rescaled X The X coordinates for the interaction
normalized for screen resolution Rescaled Y The Y coordinates for
the interaction normalized for screen resolution X Average The X
coordinates averaged in buckets of 75 ms Y Average The Y
coordinates averaged in buckets of 75 ms X Norm The X coordinates
time normalized Y Norm The Y coordinates time normalized Pressure
The pressure applied to the mouse for every raw recording
Timestamps The timestamp for every raw recording Click Direction
Whether the mouse button was pushed down (d) or released (u) for
every time an action occurred with the mouse button Click X The X
coordinates for each mouse click event Click Y The Y coordinates
for each mouse click event Click Rescaled X The X coordinates for
each mouse click event normalized for screen resolution Click
Rescaled Y The Y coordinates for each mouse click event normalized
for screen resolution Click Pressure The pressure applied to the
mouse for every raw recording Click timestamps The timestamp for
every mouse click event Acceleration The average acceleration for
each 75 ms Angle The average angle for each 75 ms Area Under the
Curve The geometric area between the actual mouse trajectory and
the (AUC) idealized response trajectory (i.e., straight lines
between users' mouse clicks); it is a measure of total deviation
from the idealized trajectory. Additional AUC The AUC minimum the
minimum AUC Overall Distance The total distance traveled by the
mouse trajectory Additional Distance The distance a users' mouse
cursor traveled on the screen minus the distance that it would have
required to traveling along the idealized response trajectory (i.e.
straight lines between users' mouse clicks), Distance Buckets
Distance traveled for each 75 ms X Flips The number of reversals on
the x axis Y Flips The number of reversals on the y axis Maximum
Deviation The largest perpendicular deviation between the actual
trajectory and its idealized response trajectory (i.e., straight
lines between users' mouse clicks), Speed Buckets Average speed for
each 75 ms Overall Speed Average overall speed Idle Time if there
is a change in time greater than 200 ms but no movement, this is
counted as idle time Idle Time on Same If there is a change in time
but not a change in location, this mean an Location event other
than movement triggered a recording (e.g., such as leaving the
page, and other things). The time in this event is summed. Idle
Time On 100 If there is a change in distance greater than 100
between two points, Distance this may indicate that someone left
the screen and came back in another area Total Time Total response
time Click Mean Speed The mean speed of users click Click Median
Speed The median speed of users click Click Mean Latency The mean
time between when a user clicks down and releases the click Click
Median Latency The median time between when a user clicks down and
releases the click Answer Changes The number of times an answer was
selected; if over 1, the person changed answers Hover Changes The
number of times an answer was hovered; if over 1, the person
hovered over answers they didn't chose Hover Region The amount of
time a person overs over a region Return Sum The number of times a
person returns to a region after leaving it Dwell The measurement
of how long a key is held down Transition Time between key presses
Rollover The time between when one key is released and the
subsequent key is pushed
[0057] System Implementation:
[0058] ADMIT asks specially designed questions on a computer about
illicit behavior and requires respondents to answer by admitting to
or denying the behavior by dragging a button on the bottom of the
screen to `yes` or `no`. Following polygraph techniques (the
concealed information test, control question test, comparative
questions test, etc.) survey items are normally crafted to conform
to at least two categories: benign questions that can be used to
establish baseline behavioral data, and sensitive questions that
the organization is interested in the answer to. Responses are
analyzed with both with-in subject comparisons as well as by
comparing responses with the aggregate responses of other
employees. For instance, FIG. 2 is an example of an insider threat
question--"have you stolen any classified information?" In this
example, the respondent must move the mouse from the lower middle
of the screen to the "No" answer to deny stealing classified
information or to "Yes" to confess. Mouse movements are captured
while the respondent is answering the question and compared to an
individual baseline (how the individual moves the mouse on truthful
responses) and/or to a population baseline (how other people
normally move the mouse on this question) to detect deception.
[0059] Survey items (e.g., questions) have acceptable and
non-acceptable ranges of responses. See FIG. 3. These acceptable
response ranges will be determined by the individual organization
involved in the survey. For example, if the question were asked "A
crime was committed in our organization. If you committed the
crime, you will know what act was performed. Did you perform any of
the following crimes?" The system would then list 6 options (e.g.,
unauthorized disclosure of classified information, theft of credit
card numbers, theft of hardware, etc.). For the key item (the item
of interest), a threshold is set on abnormal mouse movements; any
abnormal mouse movements above this threshold is deemed as
unacceptable (and anything below, acceptable). By observing both
the answer provided by the user and using the mouse and keyboard
behavior to detect changes in emotional response, one can make four
potential observations about a response to a survey item using
ADMIT (FIG. 3): (i) Lower Left Quadrant: Answer was within
acceptable range with normal emotional response (i.e., no action is
necessary); (ii) Upper Left Quadrant: Answer is outside acceptable
range with normal emotional response (i.e., an HR problem and alert
needs to be generated); (iii) Upper Right Quadrant: Answer is
outside acceptable range with elevated emotional response (i.e., an
HR problem and alert needs to be generated); and (iv) Lower Right
Quadrant: Answer was within acceptable range, however, with an
elevated emotional response (i.e., a deceptive answer; an
investigation needs to be launched).
[0060] Several functionalities can be implemented in the ADMIT
system to facilitate accurate and reliable analysis of mouse
movements. For example, (i) Data is time-normalized (e.g., all
trajectories are evenly split into 101 equal buckets) to compare
trajectories between respondents for detecting deception; (ii) Data
is averaged into 75 ms duration intervals to account for
differences in computers speeds and mouse characteristics within
subjects; (iii) Data is rescaled to a standard scale to account for
the trajectories of respondents who used different screen
resolutions; (iv) Respondents are required to start moving their
mouse or finger before an answer is shown, so that a respondent's
initial movements can be captured as soon as they see the answer;
(v) If respondents stop moving their mouse or finger or stop
dragging an answer, an error is shown; (vi) To help respondents get
use to the testing format and improve the performance of the
evaluation, a tutorial and practice test can be provided; (vii) All
items (sensitive and control items) can be pilot tested to make
sure innocent people respond as intended; (viii) A tree-like
questioning framework can be implemented to ask follow-up questions
when deception is detected or suspected; (ix) All input device
usage characteristics (such as mousing data) can be sent to a
server data server via a web service to be analyzed for deception.
This reduces the likelihood that data can be tampered with during
the analysis; (x) A secure management dashboard can be implemented
to visualize (e.g., in real-time) the results and execute
policy-driven responses to threats; (xi) Probabilities of deception
can be calculated based on multi-tiered testing; and/or (xii)
Different features of deception are extracted for different devices
(desktop, iPad, etc.).
[0061] ADMIT system introduces a lightweight and easily deployable
system for quickly identifying potential threats. Many agencies go
to significant lengths, and at great expense, to identify potential
threats. Unfortunately, current techniques used to identify
potential threats are labor intensive, laden with bias, and
frequently miss potential threats. For instance, polygraphs are
often used for employee initial and ongoing screening, but are
extremely problematic for widespread deployment. A single polygraph
test requires hours of pre-planning, pre-test interviewing,
testing, and post-testing reviews, costing hours of productive time
and thousands of dollars per administration. Other methods such as
conducting face-to-face interviews (that must be done individually
and at great expense) or traditional surveys (which are cheap to
deploy but easy to subvert) are equally constrained. ADMIT can be
deployed simultaneously to thousands of employees at minimal
expense. Additionally, by eliminating humans and creating an
objective methodology for identifying possible insider threats,
ADMIT is not subject to the same biases that more conventional
methods may fall victim to. Thus, ADMIT improves upon previous
methods in at minimum the following ways: (i) Easy and inexpensive
to deploy to a large number of employees simultaneously; (ii) A
data capture process runs in the background during survey
administration, while analysis can take place on a separate and
secure remote system; (iii) Behavioral sensing data (e.g., keyboard
and mouse usage) is gathered in an unobtrusive manner with no
adverse effect to the user; (iv) Users need not be aware of the
data collection that is taking place; (v) Unlike systems that rely
on linguistic features, the system's behavioral analysis approach
is language agnostic (i.e., the detection methodology will work
with English, Spanish, Arabic, etc.) because it relies on system
usage patterns rather than message content; (vi) Survey items or
questions are specifically constructed to identify behaviors of
interest; i.e., ADMIT can be deployed in a broad range of contexts,
e.g., employment applications, healthcare (doctor or insurance),
life insurance, loan application, ongoing employment screening,
financial disclosure, etc.; (vii) The system is not easily fooled,
as heightened emotions that would trigger anomalous event typically
manifests itself as subtle differences in typing or mouse movement
behavior that occurs between 20 and 100 milliseconds. Attempts to
modify one's keystroke or mouse use can be flagged as abnormal,
thus identifying individuals attempting to fool the system; and
(viii) The system is not subject to biases that are common in
face-to-face investigations.
[0062] ADMIT can be used to confirm the individuals that are
operating within a given acceptable range of behavior and system
usage. It also provides a powerful tool for management to
proactively identify and investigate those individuals who respond
abnormally to targeted questions. ADMIT provides unprecedented and
innovative capabilities to identify those individuals that are
potentially a threat to the effective operation of an
organization.
[0063] Additional objects, advantages, and novel features of this
invention will become apparent to those skilled in the art upon
examination of the following examples thereof, which are not
intended to be limiting. In the Examples, procedures that are
constructively reduced to practice are described in the present
tense, and procedures that have been carried out in the laboratory
are set forth in the past tense.
EXAMPLES
[0064] Below is an example study conducted to validate ADMIT. This
is only an example. In other types of assessments, the same or
different factors may or may not be significant.
[0065] A mock theft study was conducted using a multi-level
experiment design (2). Half of the participants were randomly
assigned to commit an insider threat activity (steal sensitive
information). All participants--both innocent and guilty--then
completed a computer-based screening test (an ADMIT test) that
asked questions about the insider threat activity (i.e., key
questions) and benign questions not related to the activity (i.e.,
control questions).
TABLE-US-00002 TABLE 2 Multi-level experiment design Level 1
Committed the insider Did not commit the insider threat activity
threat activity Level 2 Key questions Control Key questions Control
questions questions
[0066] Participants:
[0067] A total of 75 people were recruited for the experiment from
an undergraduate business course for extra credit. Of these, 5 of
the participants in the guilty treatment refused to perform the
mock insider threat theft. Four others confessed to committing the
theft during the screening. This resulted in useable data from 66
participants (30 in the insider threat treatment and 36 in the
innocent treatment). 59% of participants were female and the
average age was 21.8. The average number of years of college
education was 3.1. The most represented nationalities were American
(69%), Chinese (11%), and Mexican (9%). Twenty-nine percent of
students were business management majors, 27% accounting, 20%
marketing, 15% finance, and 9% management information systems.
[0068] Procedures:
[0069] A task was designed to mimic a realistic insider threat
scenario. Although the task was sanctioned (i.e., participants were
told to perform the elicit act and appear innocent), it was
conducted to solicit suspicion and anxiety. Participants registered
for an appointment online and were randomly assigned to an innocent
or guilty condition. Upon arriving at the experiment, the
participant was given a consent form to review and sign.
[0070] Guilty Condition:
[0071] Participants in the guilty condition were given a folded
piece of paper and a jump drive. They were instructed to go in the
elevator (on the first floor), press the button to the fourth
floor, and only then read the paper. The instructions on the paper
are shown in Table 3. In summary, the instructions asked
participants to go to the Management Information Systems
department, login to a computer in the front office using a set of
credentials, and steal a file containing department credit card
numbers. Participants were instructed to lie if confronted about
the theft.
[0072] Guilty participants then were instructed to go back to the
room on the first floor. Upon arriving at the room, an experiment
facilitator explained that a theft occurred and the participant was
a suspect for that theft. The participant was then asked to take an
investigation screening (an ADMIT test).
[0073] Innocent Participants:
[0074] Participants in the innocent condition were also given a
folded piece of paper. They were instructed to go in the elevator
(on the first floor), press the button to the fourth floor, and
then read the paper. Similar to the guilty participants, the paper
asked participants to go to the Management Information Systems
department. However, rather than stealing information, innocent
participants were asked to pick up a piece of paper (a news
article) at the front desk and then go back to the room on the
first floor. Upon arriving at the room, an experiment facilitator
explained that a theft occurred and the participant was a suspect
for that theft. The participant was then asked to take an
investigation screening (ADMIT test described below).
[0075] ADMIT Test:
[0076] The ADMIT test consisted of a concealed information test
(CIT) adapted to the ADMIT format and then several follow-up
questions. All questioning was presented on a computer. The CIT is
the most scientifically validated polygraph questioning technique
(Ben-Shakhar and Elaad 2003; Council 2003; Fiedler et al. 2002).
The objective of the CIT is to detect if a person has `inside` or
`concealed` knowledge of an activity (e.g., stealing the credit
card numbers) (Ben-Shakhar and Elaad 2003). In a standard CIT, the
person being interviewed is presented a question or a stimulus
about a specific target (e.g., a crime). In a face-to-face CIT, the
interviewer verbally asks the interviewee a question such as, "Very
important information was stolen today from a computer. If you
committed the theft, you will know what was stolen. Did you steal
any of the following information today?" The interview then recites
five to six plausible answers. For example, the interviewer might
recite: `passwords`, `credit card numbers`, `exam key, `social
security numbers`, `health records`, or `encryption codes`.
Usually, the interviewee is asked to verbally repeat the possible
answer and then respond `yes` or `no`. One of the plausible answers
should relate directly to the target under investigation. This is
referred to as the key item. For example, if the CIT is
investigating theft of `credit card numbers`, this answer must be
included in the set of answers accompanied by several other
plausible yet unrelated answers (Krapohl et al. 2009). An innocent
person with no insider knowledge' should exhibit the same amount of
arousal for each answer. However, a guilty person should experience
a detectable psychophysiological change--an orienting
response--when presented the key item.
[0077] In designing the CIT for ADMIT in this experiment, all of
the items (key and control items) were pilot tested to make sure
that an innocent person will respond similarly to each item without
unintended psychophysiological responses. Next, prior to
administering the CIT, each participant was familiarized with the
format of the CIT through a practice test. In the practice test,
the program required the respondent to move the mouse within the
first second, or displayed an error. This helps ensure the
inhibition is not complete before movement occurs. This also
reduces the likelihood that an orienting response would occur due
to the novel format of the test and therefore confound the results
(Krapohl et al. 2009). CIT was then administered to investigate the
theft of the credit card numbers. The CIT was administered by a
computer, rather than by a human facilitator. Screenshots and
explanations of the CIT are shown in Table 4.
[0078] Measures:
[0079] Mouse and electrodermal data were collected from each
subject. The electrodermal response data is typically used in CIT
polygraph testing. It was used here to compare to and validate the
procedure for detecting insider threats based on mouse
movements.
[0080] Mousing:
[0081] ADMIT performs several transformations and computations to
facilitate analysis as follows: (i) Space rescaling--All mouse
trajectory data were rescaled to a standard coordinate space (a
2.times.1.5 rectangle that is compatible with the aspect ratio of
the computer screen). The top left corner of the screen corresponds
to -1, 1.5, and the bottom right corner of the screen corresponds
to 1,0. Thus the starting position is at position 0, 0; (ii)
Remapping--All data were remapped so the mouse started at position
0,0. Although the user must click a button at the middle-bottom of
the screen to see the next item, the button's size allows
variations to exist (e.g., someone might actually click on the
right side of the button). Thus, the trajectories are remapped for
comparison; (iii) Time normalization--Time normalization was
required for analysis of spatial attraction/curvature and
complexity such as maximum deviation (maximum perpendicular
deviation between the straight line trajectory), area under the
curve (geometric area difference between the actual trajectory and
the straight line), and x-flips and y-flips. The rational for time
normalization is that recorded trajectories tend to have different
lengths. For example, a trial that lasts 800 ms will contain 56 x,
y coordinate pairs. However, a trial that last 1600 ms will contain
112 x,y coordinate pairs. Using linear interpolation, trials with
different numbers of x, y coordinate pairs is divided up into 101
time-steps for average and comparison across multiple trials and
computation of the aforementioned features; and (iv) Raw time
analysis--For other analyses (velocity, acceleration, angle), the
x, y location were analyzed for raw time (not normalized time) for
the first 1500 ms. The x, y locations were averaged in intervals of
75 ms to account for the computers limitations of capturing
movements at about 70 hz. Only the first 1500 ms were analyzed
because most people take at least 1500 ms to respond.
[0082] Electrodermal Responses:
[0083] Using a polygraph machine, electrodermal responses were also
captured using two sensors on the pointer and ring fingers of the
participant's non-dominant hand (the hand not used to move the
mouse). 12 seconds were allowed between each question/item for an
individual's electrodermal activity to react and then to level out
before asking the next question (Gamer et al. 2006).
[0084] Pilot Tests:
[0085] This test builds on 7 exploratory pilot studies with
approximately 1293 participants to understand the dynamics of
capturing mouse movements to detect deception, to validate that the
items do not inherently cause an unanticipated response for an
innocent person, and to discover what features to extract and
analyze to detect deception and facilitate hypothesis creation. The
specific scenario used in this experiment, was pilot tested with an
additional 6 people to make final adjustments to the experiment
protocol and tests.
[0086] Analysis:
[0087] Analysis were divided into three relevant areas to detect
insider threats: (i) Area 1 examined what features differentiated
how a guilty person answers a key question versus a control
question (a within-subject analysis). This is a typical analysis
done in polygraph administration; (ii) Area 2 examined what
features differentiated between how a guilty person answers a key
question versus how an innocent person answers a key question (a
between-subject analysis); and (iii) Area 3 examined what features
differentiated between how a guilty person answers a control
question versus how an innocent person answers a control question
(a between subject-analysis).
[0088] Other possible areas of analysis were excluded at least in
part for the following reasons: (i) Confessing to an act, whether
truthfully or deceptively, will always flag the response for
follow-up questioning. Hence, this eliminates the need to create a
model to predict: a) when guilty people are being deceptive on a
control question (falsely confessing), b) when deceptive people are
being truthful on a key question (confessing), and c) when innocent
people are being deceptive on either a key question or control
question (falsely confessing); and (ii) Important for the validity
of the CIT, innocent people should experience no systematic
difference in how they response to key and control questions. This
was confirmed through pilot testing. Hence, a model differentiating
between the two types of questions for innocent people was not
needed.
[0089] Table 5 summarizes the areas of analysis. The analysis
proceeded as follows. For each area, determination was made to see
if there was a difference in electrodermal response as done in
traditional polygraph testing. Determination was also made to see
if differences in mousing behavior also existed.
TABLE-US-00003 TABLE 5 Summary of areas of analysis Area 1: Guilty
key vs. control questions Area 2: Key questions Control Questions
Guilty control Guilty key Innocent Guilty Innocent Guilty control
questions questions key questions key questions control questions
questions (truthful (deceptive (truthful (deceptive (truthful
response) (truthful response) response) response) response)
response)
[0090] Guilty Key Vs. Control Items:
[0091] First, whether differences can be detected was investigated
in how guilty individuals (n=30) answer control vs. key questions
in the ADMIT test. The assumption of the CIT for ADMIT was that a
difference can be detected via electrodermal responses. This
assumption was cross-validated, and then the test was also analyzed
to see whether mouse movements can also be predictive of
deception.
[0092] Electrodermal Response:
[0093] The polygraph is based on the assumption that a guilty
person will experience a heightened electrodermal response (caused
by arousal and stress) when answering key questions deceptively
compared to answering control questions truthfully (Krapohl et al.
2009). Results of ADMIT experiment confirmed that this effect was
present in this experiment. A linear mixed model predicting
deception (control vs. key item) was specified based on
electrodermal responses nested within each participant. In other
words, this experiment examined deviations from individual
electrodermal baselines by examining z-scores. Thus, participants
were only compared to their own electrodermal baseline to detect
anomalies.
[0094] It was found that the peak electrodermal response was a
significant predictor of key items (p<0.05, z=1.911, n=30,
one-tailed). In other words, after controlling for individual
differences, people were significantly more likely to experience a
higher electrodermal response on the key items than on the control
item. Similarly, it was found that the minimum electrodermal
responses were significant predictors of control items (p<0.05,
z=-1.743, n=30, one-tailed). In other words, after controlling for
individual differences, people were more likely to experience a
lower electrodermal response on the control questions compared to
the key questions.
[0095] Mousing Behavior:
[0096] Complementing the electrodermal responses, it was also found
that several significant mousing differences existed in how guilty
participants answered key vs. control questions. Linear mixed
models was used to predict deception (key vs. control item) based
on mousing behavior nested within each participant. In other words,
models were constructed at each time interval to find deviations
from individual mousing baselines through examining z-scores. Thus,
participants were only compared to their own mousing baseline to
detect anomalies. The results are described below.
[0097] First, participants' mouse trajectories on key items
(deceptive responses) showed more attraction toward the opposite
answer than did their trajectories on control items (truthful
responses). This was apparent in both the x-location by raw-time
graph (FIG. 4) and the x-location by normalized time graph (FIG.
5). The raw-time graph for x-locations (FIG. 4) shows that
participants experienced an initial delay in moving horizontally on
key questions (.about.600 ms). After this delay, the rate at which
participants moved along the x-axis when lying was slower than when
telling the truth. For example, at time interval 526-600 ms, the
average difference between truthful and deceptive responses in
x-location was 0.0778 (on a transformed scale between 0 and 1); At
time interval 1426-1500 ms, however, the difference in x-location
was 0.2217; honest responses had traveled nearly twice as far on
the x-axis as the deceptive responses at this time interval.
[0098] To validate these observations, a linear mixed model was
specified at each time interval (.about.75 ms) to identify
anomalies--a total of 20 independent tests were conducted. The
results showed that the individuals' trajectories for key and
control questions were significantly different on the x-axis at a
p<0.1 level (z>1.282, n=30) for all time slots between 301
ms-1500 ms (16 sequential time slots). Furthermore, the
trajectories were significantly different at a p<0.05 level
(z>1.645, n=30) for a subset of these times slots between 901
ms-1500 ms (8 sequential time slots).
[0099] Running multiple independent tests as done in this study may
cause alpha slippage--i.e., something being significant due to
random chance. To determine the extent alpha-slippage might account
for the results, the probability were computed of having multiple
significant tests in a row. The probability of having 16 time slots
significant in a row at a p<0.1 level due to random chance is
0.1.times.10.sup.16 (p<0.0000000000000001). The probability of
having 8 time slots significant in a row at a p<0.05 level due
to random chance is 0.05.times.10.sup.8 (p<0.0000000000390625).
Hence, it can be concluded that for the 20 independent tests run,
the significant difference in the trajectories was likely not due
to alpha-slippage.
[0100] Next, by examining x-location by normalized time, the
present inventors were able to measure spatial attraction toward an
opposite choice. Similarly to the present inventors previous
analysis, a linear mixed model predicting deception (control vs.
key item) based on x-location was specified for each standardized
time slot (101 independent tests conducted). Complementing the
present inventors' previous findings, it was found that the
normalized trajectories were significantly different at a p<0.1
level (z>1.282, n=30) from time slots 45-48 (4 sequential time
slots), 55-69 (15 sequential time slots), and again in time slots
92-94 (3 sequential time slots).
[0101] On the y-axis, the mouse trajectories during key questions
(deceptive responses) showed increased hesitancy in moving upward.
This was apparent in both the y-location by raw-time graph (FIG. 6)
and the y-location by normalized time graph (FIG. 7). The raw-time
graph for y-locations (FIG. 6) revealed that participants started
moving upward at approximately the same time when deceiving as they
did when telling the truth. However, the rate of upward movement
was slower. For example, the difference at the 451-525 ms time slot
was 0.0675; whereas the difference at the 1426-1500 ms time slot
was 0.3472.
[0102] Specifying a linear mixed model for each time period (20
independent tests were conducted), whether individuals'
trajectories while being deceptive was significantly different from
their trajectories while being truthful was tested. It was found
that the key item (deceptive) trajectories were significantly
different at a p<0.1 level (z>1.282, n=30) from 451 ms to
1500 ms (15 sequential time slots); and within this time period,
the trajectories were different at a p<0.5 level (z>1.645,
n=30) from 826 ms to 1500 ms (9 sequential time slots).
[0103] Using the y-location by normalized time, vertical hesitancy
toward answering a key question deceptively was measured.
Specifying a linear mixed model for each time slot (101 independent
test runs), whether the deceptive and truthful trajectories were
significantly different was tested. It was found that the key item
trajectories were significantly different at a p<0.1 level
(z>1.282, n=30) from time slot 56-74 (19 sequential time slots)
and significantly different at a p<0.05 level (z>1.645, n=30)
from timeslot 64-70 (7 sequential time slots). The trajectories
were again different at a p<0.1 level (z>1.282, n=30) on the
y-axis near the end of the movement from time slot 88-92 (5
sequential time slots) and, within this, at a p<0.5 level
(z>1.645, n=30) from 89-90 (2 sequential time slots).
[0104] As the rates of movement along the x-axis and y-axis were
slower for deceptive responses than for truthful responses, not
surprisingly deceptive responses also had a slower overall
velocity. See FIG. 8. Specifying a linear mixed model for each time
slot (20 independent tests), it was found that deceptive responses
showed a significantly lower velocity at the peaks in FIG. 8 from
376 ms-675 ms (4 sequential time slots) and from 901 ms to 1200 ms
(4 sequential time slots) at a p<0.1 level (z>1.282, n=30).
When examining the mean velocity across the entire movement, guilty
participants showed significantly lower velocity on key question
(p>0.01, z=-2.494, n=30). See FIG. 9. Velocity on key questions
was nearly half.
[0105] Also in support that trajectories show attraction toward the
truthful answer while moving toward the deceptive answer, data
analysis showed that when guilty participants were deceptive, they
actually had movement toward the truthful answer for a short period
of time before moving toward the deceptive answer as shown in FIG.
10. In this figure, any value over 90 degrees indicates movement
along the x-axis in the opposite direction (going left toward the
truthful response). As seen in the chart, deceptive responses on
average move toward the truthful answer for a few hundred
milliseconds before totally committing to the deceptive answer.
Specifying a linear mixed model for each time period (20
independent tests), it was found that this difference is
significant from 601 ms to 1050 ms at a p<0.1 level (z>1.282,
n=30) (6 sequential time slots) and, within this time frame,
significant from 601 ms to 900 ms at a p<0.05 level (z>1.645,
n=30) (4 sequential time slots).
[0106] Guilty and Innocent Key Item Trajectories:
[0107] In this experiment, whether differences in mouse movement
can be detected between how guilty and innocent people answer key
items were tested. The first test was whether an electrodermal
response was present, next test was whether differences in mousing
behavior existed.
[0108] Electrodermal Response:
[0109] Typically, comparisons only within subject are made in a
polygraph examination because of individual differences. Hence, a
comparison of electrodermal activity in how guilty and innocent
people answer key questions is not normally conducted. This was
cross validated in the experiment by the present inventors and
found no differences in electrodermal responses between how
innocent and guilty people answered key questions.
[0110] Mousing Behavior:
[0111] Although electrodermal responses did not reveal differences,
it was found that mousing behavior did show a significant
diffference. Guilty individuals showed a more tentative commitment
toward the opposite answer (for the guilty individual, the truthful
answer) than did the innocent individuals on key items. FIG. 11 is
a graph of the x-location by normalized time slots for guilty and
innocent participants while answering the key questions. As can be
seen, guilty individuals' mouse trajectories were more biased
toward the opposite (i.e., the truthful) choice than those of
innocent individuals. Using a series oft-tests (e.g., Duran et al.
2010) for each normalized time slot (total of 101 independent
t-tests), it was found that the innocent and guilty participant
trajectories are significantly different at a p<0.1 level
(t>1.295, df=65) from time slots 1-9 (9 sequential time slots),
25-39 (15 sequential time slots), 72-101 (30 sequential time
slots). Within these intervals, the trajectories were significantly
different at a p<0.05 level (t>1.669, df=65) from time spots
1-2 (2 sequential time slots), 5-6 (2 sequential time slots), 28-36
(9 sequential time slots), and 73-101 (29 sequential time
slots).
[0112] FIG. 12 is a graph of the y-location by normalized time
slots for guilty and innocent participants while answering the key
questions. As can be seen, guilty individuals' mouse trajectories
also were more hesitant toward moving upward toward the deceptive
answer than were innocent participants moving upward toward the
truthful answer. Using a series oft-tests (e.g., Duran et al. 2010)
for each normalized time slot (total of 101 independent t-tests),
we found that the innocent and guilty participant trajectories are
significantly different at a p<0.1 level (t>1.295, df=65)
from time slots 74-92 (19 sequential time slots). Within these
intervals, the trajectories were significantly different at a
p<0.05 level (t>1.669, df=65) from time spots 80-85 (6
sequential time slots).
[0113] In the normal administration of the polygraph, an analysis
between how guilty and innocent people answer key items is not
normally done; as expected electrodermal was not able to
differentiate responses between the guilty and innocent. However,
mouse movements was able to significantly differentiate between the
guilty and innocent.
[0114] Guilty and Innocent Control Item:
[0115] Whether differences exist in how guilty and innocent people
answer control items was also tested. In this case, the difference
is believed to be due solely to the arousal associated with
committing the mock theft, and not due to being deceptive on a
question.
[0116] Electrodermal Response:
[0117] The polygraph assumes that no-significant electrodermal
difference will be found between innocent and guilty participants
when answering control questions. Supporting this assumption, our
analysis of electrodermal responses revealed no significant
differences between innocent and guilty participants when
responding to control items.
[0118] Mousing Behavior:
[0119] Although no differences were found in electrodermal data,
differences in mouse behavior were found that may be suggestive of
a task-induced search bias by guilty participants (a fundamentally
different cognitive response compared to being deceptive). FIG. 13
and FIG. 14 show the x,y-locations, respectively, by normalized
time slots for guilty and innocent responses to control questions.
As a reminder, each participant answered 4 control questions
regardless whether they were guilty or innocent. To test for
significant differences in trajectories, a linear mixed model was
conducted nesting participants' responses within each control item
(e.g., finding anomalies from the baseline within each of the 4
control items through examining z-scores).
[0120] The significant difference in x-locations took place at the
beginning of the mouse trajectory. FIG. 13. Trajectories between
guilty and innocent individuals were different at a p<0.1 level
(z>1.282, n=66) between time slots 12-31 (20 sequential time
slots) and, with in this, different at a p<0.05 level
(z>1.645, n=66) between slots 15-28 (14 sequential time slots)
at a p<0.05 level (z>1.645, n=66). Whereas the innocent
person started moving horizontally almost immediately to answer the
question, the guilty person had a small hesitancy before committing
to the answer. However, this difference only lasted a short while,
after which the guilty person had moved as far or further
horizontally along the x-axis than the innocent person.
[0121] Interestingly, when examining the y-location on a time
normalized scale, both guilty and innocent participants moved
upward at about the same rate prior to the `decision period` shown
on the x-location chart (a little before time slot 40). However,
immediately following this `decision period`, guilty participants'
progressed along the y-axis at a faster rate than innocent
participants. Thus, during the middle interval, guilty participants
are significantly further along the y-axis than innocent
participants. This difference is significant at a p<0.1 level
(z>1.282, n=66) from time slots 52-66 (15 sequential time slots)
and at a p<0.05 level (z>1.645, n=66) from time slots 53-64
(12 sequential time slots).
[0122] This mousing behavior is suggestive of a task-induced search
bias: Anticipating a question that will incriminate them, guilty
insiders take a fraction of a second longer to determine how to
respond (shown on the x-axis) rather than habitually responding as
innocent respondents do. Realizing that the question is irrelevant
to the crime, they make a quick and efficient move toward the
correct answer catching up to innocent participants on the x-axis
and passing them on the y-axis.
[0123] The foregoing discussion of the invention has been presented
for purposes of illustration and description. The foregoing is not
intended to limit the invention to the form or forms disclosed
herein. Although the description of the invention has included
description of one or more embodiments and certain variations and
modifications, other variations and modifications are within the
scope of the invention, e.g., as may be within the skill and
knowledge of those in the art, after understanding the present
disclosure. It is intended to obtain rights which include
alternative embodiments to the extent permitted, including
alternate, interchangeable and/or equivalent structures, functions,
ranges or steps to those claimed, whether or not such alternate,
interchangeable and/or equivalent structures, functions, ranges or
steps are disclosed herein, and without intending to publicly
dedicate any patentable subject matter. All references cited herein
are incorporated by reference in their entirety.
* * * * *