User Behaviour Analytics

Transcription

1 User Behaviour Analytics How do they know its really you? White Paper Sept 2015 Ezmcom Inc Patrick Henry Drive BLDG 7, Santa Clara, CA, 95054, US

2 Executive Summary Authentication has traditionally relied on users producing one or more of something you know (such as a passwords or PIN), something you have (such as a number from an hard token key) or something you are (such as your fingerprints or face.). Behaviour-based biometrics, adds another factor to the mix: ( something you do ). DARPA of U.S. (the Defence Advanced Research Projects Agency) is currently working on the next generation authentication, which it calls Cognitive Authentication first phase of the active authentication program will focus on biometrics that can be captured through existing technology, such as analysing how the user handles a mouse or how they craft the language in an or document 1. If they're effective, cognitive fingerprints could offer significant advantages over existing forms of authentication. Unlike biometrics they don't require specialist hardware and unlike password authentication they don t rely on users being good at something they're naturally bad at. This technology is also known as User Behavior Analytics ("UBA"). UBA as defined by Gartner, is about detection of insider threats, targeted attacks, and financial fraud. UBA solutions look at patterns of human behavior, and then apply algorithms and statistical analysis to detect meaningful anomalies from those patterns - anomalies that indicate potential threats 2. The space is evolving pretty rapidly, and there are some fairly significant differences in approach from one solution provider to the other. But the fact that user activity and behavior are being increasingly paid attention to is being welcomed. While there are various types of User Behaviour Analytics tools e.g Cloud Security Analytics, Data Ex-Filtration Prevention, Insider Threat Analytics and so on, the scope of this white paper is to look into Keyboard Profiling UBA also referred to as Periodicity or Keystroke dynamics, It is a technology of mapping a user s keyboard typing behaviors. When users type their username and password, an algorithm can calculate how long it takes to type it, including how long each key is depressed (dwell time) and how long it takes to move from one key to another (gap time). This whitepaper aims to present Ezmcom s approach with Keystroke dynamics and how it is moving beyond simple password/id logins towards multi-modal solutions in an effort to bolster security.

3 The Technology & The Market Behavioral biometrics offers a tool, which may enhance the security of user authentication and intrusion detection applications, in some cases with very low impact on the system users. They are most useful in multimodal systems (those using more than one type of biometric at the same time) as a complement to more robust methods largely because most behavioral biometrics is highly sensitive to the means of implementation. E.g. keystroke dynamics depend on the keyboard hardware used, blinking behavior depends on illumination etc Some behavioral biometrics, require specialised and sometimes highly obtrusive equipment which may be off-putting to users, while other behavioral biometrics on the other hand offer a completely unobtrusive technique to identify or classify individuals. Such unobtrusiveness may be challenging from the point of view of collecting user consent, as required by law in many jurisdictions. According to a Gartner research paper Market Guide for UBA over the past decade, the UBA market has evolved into three main phases as vendors from different corners of the market largely the security, fraud, business intelligence and database space started solving fraud and security problems with big data analytics. Phase 1 (10 years ago): The first vendors to emerge in this space more than 10 years ago were those that enabled entity link analysis or social network analysis across structured data. In Phase 2: (past 3 to 7 years ago), UBA vendors started packaging more canned intelligence for repeatable use cases, mainly to solve fraud in many of the areas tackled in Phase 1 (e.g., credit card bust-out, account takeover, new account fraud, loan origination, insurance claims, healthcare fraud, tax refund fraud, government benefit programs and more). In Phase 3:(past two years), vendors continue to refine their canned analytics for fraud use cases so that they are easier and faster to implement. In the scope of this paper, User Behaviour Analytics has been addressed in the context of Keyboard Dynamics. Profiling users or other entities under this method essentially means building up a history of the user or entity (such as a peer group or application) by monitoring each relevant action taken and then summarizing those actions so that the profile system knows what constitutes normal or typical behavior for that user or entity. Profiling is also referred to as "baselining," which is the same activity of creating a baseline for a user or other entity, which represents its normal or typical behavior. So far UBA has been successfully deployed for three main purposes: finding the "bad guys," improving alert management and streamlining alert investigations.

4 What is Keystroke dynamics? Keystroke rhythm is a natural choice for computer security. This concept stems from observations that similar neurophysiological factors that make written signatures unique are also exhibited in a user s typing pattern. When a person types, the latencies between successive keystrokes, keystroke durations, finger placement and applied pressure on the keys can be used to construct a unique signature (i.e., profile) for that individual. For well-known, regularly typed strings, such signatures can be quite consistent. Furthermore, recognition based on typing rhythm is not intrusive, making it quite applicable to computer access security as users will be typing at the keyboard anyway. Application of such technology not only can be used in authenticating users but also to revolutionize insider-threat detection. Insiders accessing backdoors, using shared accounts, or masquerading as other users would be exposed by their unique typing rhythms. Sequence Time Time History of Keystroke Dynamics Keystroke-dynamics research was inspired by much older work that distinguished telegraph operators by their keying rhythms. This capability was allegedly quite useful during World War II for identifying radio operators and tracking troop movements. Keyboard typing rhythms were first considered as a means of distinguishing typists in the mid 1970s. Spillane (1975) suggested in an IBM technical bulletin that typing rhythms might be used for identifying the user at a computer keyboard. That bulletin described keystroke dynamics in concept. Much of the work on in-session authentication has been done by Bergadano et al. (2002, 2003) and Gunetti and Picardi (2005). They developed an algorithm for comparing the similarity of two typing samples based on the typing times. The algorithm compared the relative speeds at which different digraphs were typed. Flight Time Time Press Time Time Press Flight Sequence Score Synthesize Times

5 Privacy - Keystroke dynamics: not what you type, but how you type Keystroke dynamics is the process of analysing the way a user types at a terminal by monitoring the keyboard inputs thousands of times per second in an attempt to identify users based on habitual typing rhythm patterns. Moreover, unlike other biometric systems, which may be expensive to implement, keystroke dynamics is extremely cost effective the only hardware required is the keyboard. However because the system monitors all the events, keeps log of the time stamp data, there are concerns of privacy with Keystroke dynamics. With such a scheme, during an authentication, the technology verifies two issues: (i) are the credential correct? (ii) is the way of typing it similar? this In turn raises privacy questions such as, are the user s username and password being stored during authentication? Second more importantly, is the user s keystroke behaviour i.e chronological data of user s time stamp of keystrokes, which could translate to his behaviour, also stored during the session? Only waiting to fall in wrong hands defeating the purpose of this technology. EZMCOM s Keystroke Dynamic Authentication Introduction: Customers embrace online banking and online shopping because of their convenience factor. Adding security hardware such as card readers for twofactor authentication provides a frustrating barrier to an otherwise smooth transaction process. Behavioural biometrics appeals to conveniencefocused banking and retail consumers, as it sits in the background of technology devices, rather than proactively asking the user to pass through any additional authentication processes. Understanding Risks associated with User Behavior: Man-in-the-Browser Detection of Aggregators and Bots at login New Account Set-up and e- commerce Fraud Detection Detection of Account Takeover Fraud at Login While the risks are obvious and increasing, failed login attempts, especially with 2-factor authentication can result in frustrated customers. Inconvenience and consistent frustrations might force customers, now, to expensive mediums such as phone call or going to a branch. Sometime, these events might result in loss of customer to another convenient bank, offering better experience.

6 UBA Business Drivers Reduce Operation Costs while increasing revenue: Customers adopt digital channels for ease of use. Growing competitions do not inhibit customers to switch if banks and e-commerce companies do not keep up pace with technology advancement. While increasing revenues, the firms should balance customer convenience with appropriate security measures. A right authentication solution would reduce the tussle associated with failed authentication and increase end user satisfaction and drive customer base growth, retention and high conversion rates. An acceptable customer satisfaction can, also, reduce customer support calls (A single customer call can cost as much as $4). Cost of Sales: Banks and retail players can fulfill a transaction through multiple sale channels. Banks can leverage right from online payment to calling a bank support executive to address a need of a customer. Similarly, retail firms can allow their customers to shop online to walk in and buy from brick and mortar shops. Time has proven, now, that online medium serves a better and costeffective medium compared to conventional mediums of sales. Cost of Hack: Hacking can have disastrous effect on the reputation and business of a firm Target breach resulted in loss of money, reputation and people in the form of employees and partner firms. Business Drivers ROI Cost of Sales Cost of Hack

7 EZMCOM Solution Ezmcom UBA biometric analysis is transparent to the user. It requires a simple user enrollment and the, instead of secondary passwords and extra verification codes, UBA engine transparently authenticates the user by verifying that the current session behavior matches up with the established user profile created earlier. By comparing a login behavior in a current session with that of the registered one earlier, Ezmcom assess the likelihood of a login originating from a specific user with a certain threshold of acceptance. Ezmcom can behaviorally authenticate user logins, which drives down the number of failed step-up authentications, declined transactions and manual reviews, thereby, eliminating the need for users struggling to login or transact online to contact call centers. Additionally, we enable our customers increase their end user satisfaction which helps retain and grow the customer base. Ezmcom is at the cutting edge of the technology innovation and relies on the user specific subconscious patterns of behavior that emerge through repetitive human actions such as total sequence time (time it takes for the user to key in the whole string), flight times (time elapsed between 2 key downs) and key depressed times (time elapsed between key down and key up). With a reliable set of data to use and an acceptable threshold as a standard for each user, Ezmcom can then detect unusual behavior and identify it as a security risk. Relying on sophisticated machine learning and security algorithms, the Ezmcom technology builds up a unique profile of the user based on how they key in their passwords on the web. Now, user authentication attempts that fall outside established behavior patterns can be denied or stepped up to Two-Factor authentication. Conclusion Simple security solutions such as passwords will always be undermined by simple hacking techniques. As such it s important that industries and in particular the financial and ecommerce industry take a layer on top of solutions such as passwords with additional security yet user convenient solutions such as behavioral biometrics. By adding innovative security layers, banks and e-commerce firms can reduce risks. Finding the right balance between sophisticated security and ease of use for the customer would be key to the growing trend of consumers banking and shopping online.

8 Some Data Points 1. The HP 2015 Cyber Risk Report finds that 86 percent of web applications tested had serious issues with authentication, access control, and confidentiality, an increase over the previous year s rate of 72 percent. 2. Gartner s Online Fraud Detection Market Guide states that by 2017 Passive Biometrics will become a standard feature for fraud detection. 3. NuData observed over 270 million fraudulent or high-risk behavior events by analyzing about 191 million IP addresses, 388 million addresses, 9.3 billion clicks, and 32.8 billion keystrokes between May, 2015 and July, References: EZMCOM is a security access provider for innovative and easy-to-use technology that can be deployed to protect users, data, and applications from credential theft, account takeover and breaches. EZMCOM is working with companies worldwide to change the way we authenticate and authorize across mobile devices, servers, workstations within enterprise and cloud services. If you have questions, or would like a demo of EZMCOM s authentication solutions, talk to an EZMCOM representative today! U.S : +1 (510) Malaysia : +60 (0) l India : I Australia :