PhD Proposal: User Behavioral Modeling of Web-based Systems for Continuous User Authentication

Talk
Leslie Milton
Time: 11.10.2014 11:00 to 12:30
Location: AVW 4172

Authentication plays an important role in how we interact with computers, mobile devices, the web, etc. The idea of authentication is to uniquely identify a user before granting access to system privileges. For example, in recent years more corporate information and applications have been accessible via the Internet and Intranet. Many employees are working from remote locations and need access to secure corporate files. During this time, it is possible for malicious or unauthorized users to gain access to the system. For this reason, it is logical to have some mechanism in place to detect whether the logged-in user is the same user in control of the keyboard. Therefore, highly secure authentication methods must be used.
I posit that each of us is unique in our use of computer systems. It is this uniqueness that is leveraged to "continuously authenticate users" while they use web software. In order to monitor user behavior, n-gram models are used to capture user interactions with web-based software. This probabilistic model essentially captures the sequences and sub-sequences of user actions, their orderings, and temporal relationships that make them unique by providing a model of how each user typically behaves. Users are then continuously monitored during software operation. When there are large deviations from "normal behavior", this possibly indicates malicious or unintended behavior. This anomaly-based detection system builds a model of normal behavior, compares it with new behavioral sequences and raises alerts when deviations are detected. In my preliminary work, this approach is implemented in a system called Intruder Detector (ID) that models user actions as embodied in web logs generated in response to the actions. I performed experiments on a large fielded system with logs of approximately 320 users. For these experiments, I used two categorization techniques to classify users: binary and multi-class categorization. Preliminary results show Intruder Detector can achieve 73% accuracy in identifying legitimate users and 78% accuracy when detecting various user types.
The remaining work includes improving the accuracy of ID by analyzing other forms of user behavior within web applications (i.e., database logs and Graphical User Interface (GUI) interactions) and combining these interactions with the current web log data, understanding and evaluating model-specific differences of users based on their role, experimenting with various smoothing techniques, and providing various protection mechanisms against an adversary that knows the n-gram defense. In addition, I will compare my n-gram approach to another anomaly-detection-based approach (e.g., Hidden Markov Model) using various datasets. These extensions will lead to a more secure web application that will protect the system from malicious or unintended use. In addition to web applications, the proposed approach can be used with other user-based systems such as mobile devices and the analysis of network traffic.
Examining Committee:
Committee Chair: Dr. Atif Memon
Dept's Representative: Dr. Ashok Agrawala
Committee Member: Dr. Alan Sussman
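The abstract describes building a per-user n-gram model from web-log actions, scoring new sequences against it, and alerting on large deviations. The sketch below is an added illustration of that idea, not code from Intruder Detector: the class name, the add-k smoothing, the threshold rule (a margin over the worst training score) and the action names in the constructed sessions are all assumptions.

```python
import math
from collections import Counter

class NGramProfile:
    """Hypothetical per-user n-gram model over web-log actions (add-k smoothing)."""
    def __init__(self, n=3, k=0.1):
        self.n, self.k = n, k
        self.ngrams, self.contexts, self.vocab = Counter(), Counter(), set()

    def _windows(self, session):
        # Pad so the first and last actions of a session are also modelled.
        seq = ["<s>"] * (self.n - 1) + list(session) + ["</s>"]
        for i in range(self.n - 1, len(seq)):
            yield tuple(seq[i - self.n + 1:i]), seq[i]

    def train(self, sessions):
        for session in sessions:
            for ctx, action in self._windows(session):
                self.ngrams[ctx + (action,)] += 1
                self.contexts[ctx] += 1
                self.vocab.update(ctx + (action,))

    def surprise(self, session):
        """Mean negative log2-probability per action; higher means less typical."""
        v = len(self.vocab) + 1  # one extra slot reserves mass for unseen actions
        bits = [-math.log2((self.ngrams[ctx + (a,)] + self.k) /
                           (self.contexts[ctx] + self.k * v))
                for ctx, a in self._windows(session)]
        return sum(bits) / len(bits)

def calibrate(profile, sessions, margin=1.5):
    """Assumed alert rule: margin times the worst score on known-good sessions."""
    return margin * max(profile.surprise(s) for s in sessions)

# Constructed sample sessions (action names are invented for illustration).
TRAIN = [
    ["login", "dashboard", "search", "view_record", "logout"],
    ["login", "dashboard", "search", "view_record", "edit_record", "logout"],
    ["login", "dashboard", "view_record", "logout"],
    ["login", "dashboard", "search", "view_record", "search", "view_record", "logout"],
]
TYPICAL = ["login", "dashboard", "search", "view_record", "logout"]
ODD = ["login", "admin_panel", "export_all", "export_all", "delete_user", "logout"]

def build_demo():
    profile = NGramProfile(n=3, k=0.1)
    profile.train(TRAIN)
    return profile, calibrate(profile, TRAIN)

if __name__ == "__main__":
    profile, threshold = build_demo()
    for name, s in (("typical", TYPICAL), ("odd", ODD)):
        print(name, round(profile.surprise(s), 2), profile.surprise(s) > threshold)
```

With so little training data the smoothing constant dominates the score of unseen n-grams, which is why the choice of smoothing technique affects how sharply unfamiliar sequences stand out.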