User Ideniy Verificaion via Mouse Dynamics Clin Feher, Yuval Elovici,, Rober Moskovich, Lior Rokach,, Alon Schclar Deusche Telekom Laboraories a Ben-Gurion Universiy, Ben-Gurion Universiy of he Negev, Beer-Sheva, 8405, Israel; {clin, elovici, robermo, liorrk, schclar} @ bgu.ac.il Deparmen of Informaion Sysems Engineering, Ben-Gurion Universiy of he Negev, Beer-Sheva, 8405, Israel; ABSTRACT Compuers and services such as ebanks and WebMails ha idenify users only a login via credenials are vulnerable o Ideniy Thef. Hackers perperae fraudulen aciviy under solen ideniies by using credenials, such as passwords and smarcards, unlawfully obained from legiimae users or by using logged-on compuers ha are lef unaended. User verificaion mehods provide an addiional securiy layer by coninuously confirming he ideniy of logged-on users based on heir physiological and behavioral characerisics. We inroduce a novel mehod ha coninuously verifies users according o characerisics of heir ineracion wih he poining device of he compuer e.g. mouse, ouch pad and sylus. The conribuion of his work is hree-fold: firs, user verificaion is derived by combining he classificaion resuls of each individual mouse acion, in conras o he hisogram approach in [] in which verificaion is based on aggregaions of mouse acions. Second, we propose a hierarchy of mouse acions from which he feaures are exraced. Third, we inroduce new feaures o characerize he mouse aciviy which are used in conjuncion wih feaures proposed in previous work. The proposed algorihm ouperforms curren sae-of-he-ar mehods by achieving higher verificaion accuracy while reducing he response ime of he sysem.. INTRODUCTION Currenly, mos compuer sysems and on-line websies idenify users solely by means of credenials such as passwords and PINs (personal idenificaion numbers). These sysems expose heir users o Ideniy Thefs a crime in which hackers impersonae legiimae users in order o commi fraudulen aciviy. Hackers exploi oher ideniies by sealing credenials or by using logged-on compuers ha are lef unaended.
According o he non-profi Ideniy Thef Resource Cener (ITRC), ideniy hef from a consumer perspecive is divided ino four caegories: (a) Financial ideniy hef in which solen ideniy is used o obain goods and services, for example a bank fraud; (b) Criminal ideniy hef in which a criminal impersonae a legiimae user when apprehended for a crime; (c) Ideniy cloning - using he informaion of anoher person o assume his or hers ideniy in daily life; and (d) Business/commercial ideniy hef - using a solen business name o obain credi. A major hrea o organizaions is ideniy hefs ha are commied by inernal users who belong o he organizaion. Usually, he hacker gains access o sensiive informaion which can be exploied for indusrial espionage, exorion, ec. The drawbacks of idenificaion mehods ha only rely on credenials lead o he inroducion of user verificaion echniques which are used in conjuncion wih credenialbased user idenificaion. Verificaion mehods confirm he ideniy of he users according o behavioral and physiological biomerics which are assumed o be relaively consan o each user, and harder o seal. The verificaion may be performed once during login or coninuously hroughou he session. In he laer case, biomeric measuremens of he user are aken a regular inervals while he user is logged-on and are compared wih measuremens ha were colleced in advance. Common behavioral biomerics include characerisics of he ineracion beween he user and inpu devices such as he mouse and keyboard. Physiological biomerics, on he oher hand, use fingerprins, iris paerns and oher physiological feaures ha are unique o each individual. Thus, sysems uilizing biomeric user verificaion require a hacker who wans o infilrae he sysem no only o seal he credenials of he user bu also o mimic he user's behavioral and physiological biomerics making ideniy hefs much harder. A major drawback of user verificaion mehods ha are based on physiological biomerics is ha hey require dedicaed hardware devices such as fingerprin sensors and reina scanners which are expensive and are no always available. Alhough fingerprin verificaion is becoming widespread in lapops, i is sill no popular enough and i canno be used in web applicaions. Furhermore, fingerprins can be copied. Behavioral biomerics [6[8], on he oher hand, do no require special designaed devices since hey use common hardware such as he mouse and keyboard.
Anoher major difference beween physiological and behavioral biomerics is he emporal aspec - behavioral biomerics may differ depending on he ime of day in which hey are capured. This makes hem harder o inercep and imiae bu also harder o uilize. Furhermore, several challenges [6], which will be elaboraed in Secions and 6, sill need o be overcome in order o make his approach fully operaional. Consequenly, behavioral biomerics was largely ignored for user verificaion in he pas. In his paper we propose a novel user coninuous verificaion echnique based on behavioral biomerics of mouse aciviy. The res of he paper is organized as follows: in Secion we describe various aspecs of behavioral biomerics verificaion sysems such as general archiecure and challenges inheren in heir consrucion. We also survey currenly available sae-of-he-ar echniques and give an in-deph descripion of mouse behavioral biomerics. The proposed algorihm is described in Secion 3. Experimenal resuls are presened in Secion 4. Finally, we conclude in Secion 5 and describe he various challenges and open problems ha need furher invesigaion in order o make his approach fully operaional. BEHAVIORAL BIOMETRICS SYSTEMS FOR USER VERIFICATION A biomeric-based user verificaion sysem Error! Reference source no found. is essenially a paern recogniion sysem ha acquires biomeric daa from an individual, exracs a feaure se o form a unique user signaure and consrucs a verificaion model by raining i on he se of signaures. User verificaion is achieved by applicaion of he model o on-line acquired signaures of he inspeced user ha are consruced using a process idenical o he one used during he model consrucion.. General archiecure Figure depics he ypical archiecure of a behavioral biomerics user verificaion sysem. Such sysems include he following componens: Feaure acquisiion capures he evens generaed by he various inpu devices used for he ineracion (e.g. keyboard, mouse)
Feaure exracion consrucs a signaure which characerizes he behavioral biomerics of he user. Classifier Consiss of an inducer (e.g. Suppor Vecor Machines, Arificial Neural Neworks, ec) ha is used o build he user verificaion model by raining on pas behavior, ofen given by samples. During verificaion, he induced model is used o classify new samples acquired from he user. Signaure daabase A daabase of behavioral signaures ha were used o rain he model. Upon enry of a username, he signaure of he user is rerieved for he verificaion process. Figure : A ypical framework of a behavioral biomeric idenificaion sysem.. Relaed work According o [6], mos common behavioral biomerics verificaion echniques are based on: (a) mouse dynamics, which are derived from he user-mouse ineracion and are he focus of his paper; (b) keysroke dynamics, which are derived from he keyboard aciviy; and (c) sofware ineracion, which include, for example, how feaures of a specific sofware ool are uilized. Behavioral mehods can also be characerized according o he learning approach ha hey employ. Explici learning mehods monior user aciviy while performing a predefined ask such as playing a memory game [0]. Implici learning echniques, on he oher hand, monior he user during his usual aciviy raher han while performing a specific ask. Implici learning is more challenging due o high inconsisency owed o he variey of he performed asks, mood changes and oher influencing facors. Neverheless, i is he bes way o learn unique user behavior characerisics such as frequenly performed acions. In he following, we lis curren available user verificaion sysems along wih heir performance evaluaions. Biomeric sysems are usually evaluaed according o False
Accepance Rae (FAR), False Rejecion Rae (FRR) and Equal Error Rae (ERR) which are described in Secion 4.. Mouse-based user verificaion mehods Gamboa e al [0] proposed o verify a user based on his ineracion wih a memory game. The user was required o idenify maching iles and was verified based on characerisics of he mouse-srokes performed in order o reveal he iles. A mouse-sroke was defined o be he se of raversed poins from one click o he nex and a se of one or more srokes was used in order o verify a user. Feaures such as curvaure and velociy, were used o characerize each mouse-sroke. The learning procedure employed maximum likelihood wih various disribuions such as he Weibull [7] and Parzan disribuion [7]s. Evaluaion was performed using 50 users wih a varying number of mouse-srokes having an average duraion of second. Equal error raes (ERRs) of 0.007 and 0.00 were achieved for 00 and 00 mouse-srokes, respecively. Ahmed e al [] moniored he mouse aciviy of users while hey performed heir daily asks wihin heir own chosen operaing condiions and applicaions. Feaures were exraced and aggregaed ino hisograms ha were used o characerize each user. Four acion ypes were defined: Mouse-Move (MM) General movemen beween wo poins. Drag-and-drop (DD) An acion composed of he following sequence: a mousebuon down even, a movemen and hen a mouse-buon up. Poin and Click (PC) Mouse-movemen beween wo poins followed by a click. Silence No movemen. Every acion is described by properies such as he duraion, raveled disance and he direcion of he movemen (he ravelling properies are excluded for silence acions). The general movemen angle is fied ino 8 equal size secors of he circle - each covering 45 degrees of he angle space as illusraed in Error! Reference source no found..
Figure : Angle space of movemen direcion: 8 equal-sized secors of he circle. Direcion represens angles beween 45 and 90. Direcion 5 represens angles beween 80 and 5. Examples of colleced acions are illusraed in Table. Type of acion Disance(pixels) Time(Seconds) Direcion MM 50 3 PC 37 3 4 PC 80 Silence - - Table Raw mouse aciviy daa. The firs acion was Mouse-move which ook second, ravelled in direcion 3 o a disance of 50 pixels. The second acion was a Poin and Click which ook 3 seconds and was o a disance of 37 pixels. A session is defined as a sequence of mouse aciviies performed by a user. The sequence is limied o a predefined number of acions and a period of ime. The user is characerized by a se of 7 hisograms ha are consruced from he raw user session daa. In order o form he hisograms, he daa are averaged across he session and discreisized in a manner similar o he fiing of movemen angle ino 8 direcions.. Traveled Disance Hisogram (TDH) The disribuion of he ravelled disance for every acion ype which is illusraed in Error! Reference source no found.(a). Only he firs wo feaures (disances 0-00 and 00-00 pixels) are used o represen he user.. Acion Type Hisogram (ATH) The relaive frequency of he MM, DD and PC acions wihin a session - illusraed in Figure 3(b). 3. Movemen Direcion Hisogram (MDH) The raio of acions performed in each one of he eigh direcions. This feaure is represened by 8 values and illusraed in Error! Reference source no found.(c). 4. Average Movemen speed per movemen Direcion (MDA) The average speed over all he acions performed in each one of he eigh direcions. This feaure is represened by 8 values and is illusraed in Error! Reference source no found.(d).
5. Average movemen speed per Types of Acions (ATA) The average speed of performing he MM, DD and PC acions. This feaure is represened by 3 feaures and illusraed in Error! Reference source no found.(e). 6. Movemen Speed compared o raveled Disance (MSD) Approximaion of he average raveling speed for a given raveling disance (derived via a Neural Nework). This feaure is represened by values sampled from he curve. This is illusraed in Error! Reference source no found.(f). 7. Movemen elapsed Time Hisogram (MTH) The ime disribuion for performing an acion. Represened by feaures and illusraed in Error! Reference source no found.(g). The hisograms are used o consruc a feaure vecor composed of 39 feaures which characerize each session of every user. Error! Reference source no found. summaries he exraced feaures. A binary neural nework model was buil for every user based on he feaure vecors drawn from he differen hisograms. The Neural Nework was rained via he back propagaion algorihm. Training consised of 5 sessions - each of which conained 000 acions (~3.55 minues). This experimen achieved FAR of.464% and FRR of.4649%. Shorer imes (abou 4 minues) produced resuls of less han 4% FRR and 4.6% FAR. Thus, in order o consruc accurae hisograms, i requires a significan amoun of mouse aciviies, moniored over a relaively long duraion of ime. Facors MSD MDA MDH ATA ATH TDH MTH Feaures 8 8 3 3 3 Table : 39 Feaures used in Ahmed e al [] o characerize mouse behavior biomerics. Pusara and Bordley [9] proposed a user verificaion scheme based on mouse movemens while paricipans browsed a predefined se of web pages using a web browser. Feaures such as he mean, sandard deviaion, hird momen of disance, angle and speed were exraced from a sequence of N evens. Three main evaluaions were performed: he goal of he firs was o check he behavior difference beween each pair of users. Resuls showed ha a relaively large number of users can be discriminaed from one anoher. In he second evaluaion, he discriminaion of each user x from he se of he remaining
users was esed. A binary model was creaed for each user x. An FAR of 7.5% and FRR of 3.06% was achieved on he average. The hird evaluaion was similar o he second bu used only (ou of he 8 ha paricipaed) users and also applied a smoohing filer o he daa. An FAR 0.43% and an FRR of.75% were achieved. Figure 3 Consruced hisograms from user aciviy session in []. (a) Traveled Disance Hisogram (TDH), (b) Acion Type Hisogram (ATH), (c) Movemen Direcion Hisogram (MDH), (d) Average Movemen speed per movemen Direcion (MDA), (e) Average movemen speed per Types of Acions (ATA), (f) Movemen Speed compared o raveled Disance (MSD), (g) Movemen elapsed Time Hisogram (MTH). Oher user verificaion approaches Alernaive approaches o user verificaion uilize keyboard dynamics and sofware ineracion characerisics. Keyboard dynamics feaures include, for example, laency beween consecuive keysrokes, fligh ime, dwell ime - all based on he key down/press/up evens. Keyboard-based mehods are divided ino mehods ha analyze he user behavior during an iniial login aemp and mehods ha coninuously verify he user hroughou he session. The former ypically consruc classificaion model according o feaure vecors ha are exraced while he users ype a predefined ex (usually shor)
[3,,,9,30,3]. Bergadano e al [3], exraced he yping duraions of wo (di-graph) and hree (ri-graph) consecuive characers from a sample and used o associae i o a user. The exraced graphs were ordered by heir duraion and heir relaive ordering was compared o he relaive order of he raining samples of oher users. Keyboard-based mehods for coninuous verificaion of users exrac feaure vecors while he user ypes free ex. Gunei e al. [4] exended he approach of [3] o also handle free ex. Furhermore, hey proposed anoher disance measure based on absolue imes. Curin e al [3] consruced a neares neighbor classifier ha was rained according o he duraion of common characers, ransiion imes of common di-graphs and he occurrence frequency of special keys Alhough being effecive, keyboard-based verificaion is less suiable for web browsers since hey are mosly ineraced wih via he mouse. Several ypes of sofware are suggesed in he lieraure o characerize behavioral biomerics of users. These include board games [3][4], email cliens [7][8][9], programming developmen ools [0][][], command line shells [7][8] and drawing applicaions [5][6]. These biomeric feaures may be parially incorporaed in user verificaion sysems. 3 THE PROPOSED METHOD We propose a novel verificaion mehod which verifies a user based on each individual mouse acion. This is in conras o he hisogram-based mehod in [] which requires he aggregaion of dozens of aciviies before accurae verificaion can be performed. Verificaion of each individual mouse acion increases he accuracy while reducing he ime ha is needed o verify he ideniy of he user since fewer acions are required o achieve a specific accuracy level, compared o he hisogram-based approach. In order o effecively characerize he mouse acions, we consruc a hierarchy of feaures whose lowes level consiss of fundamenal mouse evens while feaures a higher levels are composed of lower level ones. In general, high-level feaures characerize he mouse aciviy beer han low-level ones since hey convey more informaion regarding he ask inended by he user. The verificaion algorihm consrucs a classifier using vecors
composed of high level feaures, which will be described below. Some of he proposed feaures are new while ohers bare some resemblance o he ones used in [] and [0]. 3. A hierarchy of mouse acions All mouse aciviies are formed from five aomic mouse evens which consiue he lowes level (level 0) of he proposed hierarchy: (i) (ii) (iii) (iv) (v) Mouse-move Even (m) occurs when he user moves he mouse from one locaion o anoher. Many evens of his ype occur during he enire movemen heir quaniy depends on he mouse resoluion/sensiiviy, mouse driver and operaing sysem seings. Mouse Lef Buon Down Even (ld) - occurs when he lef mouse buon is pressed, Mouse Righ Buon Down Even (rd) - occurs when he righ mouse buon is pressed, Mouse Lef Buon Up Even (lu) - occurs afer he lef mouse buon is released, Mouse Righ Buon Up Even (ru) - occurs afer he righ mouse buon is released Daa describing each even is ypically colleced by a piece of hardware or sofware which may dispach i o an even handler for furher processing. Mouse evens are characerized by (a) heir ype; (b) he locaion of he mouse (x and y coordinaes); (c) he ime when he even ook place. Thus a mouse even is formally described by even-ype<x,y,>. In general, higher-level acions are formed from sequences of lower-level ones. Two consecuive mouse evens are considered par of a sequence if he ime duraion beween heir occurrences is below a given hreshold. We refer o hese hresholds as concaenaion ime-hresholds (CTT). Basic mouse acions (level ) This se of basic mouse acions is consruced based on a sequence of he aomic mouse evens m, ld, rd, lu and ru. In order o concaenae wo consecuive mouse evens we define he following CTTs: Moving CTT: Time hreshold for concaenaion of wo consecuive mouse move evens which is denoed by τ MM.
Mouse move o lef click CTT: The ime beween a mouse-move (m) even and a lef mouse-down (ld) even o be concaenaed ino an acion. The Mouse-move o Lef Click concaenaion ime is denoed by τ MLM. Mouse-move o righ click CTT: The ime beween a mouse-move (m) even and a righ mouse-down (rd) even o be concaenaed ino an acion. The Mouse-move o Righ Click concaenaion Time is denoed by τ MRM. Mouse-down o mouse-up CTT. The minimal ime duraion beween a mouse-down even (rd or ld) and a mouse-up even (ru or lu) even o be concaenaed ino an acion. Opional mouse-move evens (m) may ake place beween he mouse-down and mouse-up evens. The mouse-down o mouse-up concaenaion ime is denoed by τ DD. Given he above hresholds, we define he following basic (level ) mouse acions: Silence inerval is defined as a ime inerval ha separaes beween wo consecuive mouse evens in which no acion ook place. Formally, he following silence inerval are defined: (a) wo consecuive mouse-move evens separaed by a period of ime ha is greaer han τ MM seconds; (b) a mouse-move followed by a lef mouse-down even afer more han τ MLM seconds; and (c) a mouse-move followed by a righ mouse-down even separaed by more han τ MRM seconds. We denoe a silence inerval by σ. Lef Click (LC) refers o he acion of clicking on he lef mouse buon. This acion consiss of a lef buon down even followed by a lef buon up even aking place wihin τ LC seconds. Formally, LC n = ld [ m, m,..., m ], lu n, 3 n n τ LC and n denoe he ime poins a which he lef buon down and lef buon up evens ook place, respecively. The m, m,..., m ] refer o opional mouse move evens aking [ 3 n place beween he mouse down and mouse up evens. Righ Click (RC) denoed he acion of clicking on he righ mouse buon which is composed of a righ buon up even aking place afer a righ buon down even wihin τ RC seconds. Formally, RC n = rd,[ m, m 3,..., m ], ru n n n τ RC
Mouse-move Sequence (MMS) refers o acion of moving he mouse from one posiion o anoher. This acion is defined as a sequence of mouse-move evens in which he ime gap beween every consecuive pair of evens is less han τ MM. Formally, MMS = m, m,..., m k n : ( k+ τ n n k MM Drag-and-Drop (DD) denoes he acion in which he user presses one of he mouse buons, moves he mouse while he buon is being pressed and releases he buon a he end of he movemen. Using aomic evens, his acion begins wih a lef or righ mousedown even followed by a sequence of mouse-move evens and erminaes wih a lef or righ mouse-up even, respecively. The minimal ime beween he lef down even and lef up even exceeds τ DD. Formally: ) DD = d m, m,..., m, u n, 3 n n > τ DD where he duraion of he acion has o be greaer han he click ime, i.e. τ > τ and τ DD > τ RC, for lef buon and righ buon usage, respecively. The level mouse acions LC, RC, MMS and DD are illusraed in Figs. 4(a)-(d), respecively. Level mouse acions The nex level of mouse acions is composed of level acions and level 0 (aomic) evens: Mouse-move Acion (MM) A sequence of mouse-move evens followed by silence ime σ. Formally: MM= MMS,σ Double Click Acion (DC) is composed of a wo consecuive lef clicks in which he mouse-up of he firs click and he mouse-down of he second one occur wihin an inerval of τ I. Formally: DD LC DC c = LC c LC c c 3 c 3 τ I The level mouse acions DC and MM are illusraed in Figs. 4(e) and 4(f), respecively.
Level 3 mouse acions This is he highes level of mouse acions. The acions in his level are composed of level and level acions as follows: Mouse-move and Lef Click Acion (MM_LC) is composed of a sequence of mousemove evens followed by a lef click aking place a mos τ MLM seconds afer he las mouse-move even. Formally: MM n _ LC = MMS LC n n n τ MLM Mouse-move and Righ Click Acion (MM_RC) consiss of a sequence of mousemove evens and a righ click aking place a mos τ MRM seconds afer he las mouse move even. Formally: MM _ RC n = MMS RC n n n τ MRM Mouse-move and Double Click Acion (MM_DC) is defined as a sequence of mousemove evens which are followed by a double lef click. Formally: n MM τ c _ DC= MMS LCc LCc c n τ MLM, c3 c 3 I Mouse-move and Drag-and-drop Acion (MM_DD) is composed of a sequence of mouse-move evens, a lef/righ mouse-down even, anoher sequence of mouse-move evens and a lef/righ mouse-up even, respecively. Formally, MM _ DD m m+ m+ 3 m+ k m+ k+ where n = MMS d, m, m,..., m, u m+ n M, m+ k+ m+ τ > τ + d m+ denoes when he mouse down even ook place, even occurred and d d = ld, τ > τ C = rd, τ > τ C LC RC, τ, τ M M > τ > τ MLM MRM (for lef buon) (for righ buon) u m+k+ is when he mouse-up The level 3 mouse acions MM_LC, MM_RC, MM_DC and MM_DD are illusraed in Figs. 4(g)-(j), respecively. An overall view of he feaure hierarchy is depiced in Fig. 5. C
Figure 4: Schemaic descripion of he various mouse acions: (a) Lef click. (b) Righ click. (c) Mousemove sequence. (d) Drag-and-drop acion. (e) Double click. (f) Mouse-move. (g) Mouse-move followed by a lef click. (h) Mouse-move followed by a righ click. (i) Mouse-move followed by a double click. (j) Mouse-move followed by a drag-and-drop. Figure 5: The hierarchy of mouse acions ha are used o characerize he mouse aciviy.3. Acions feaures All acions, excep for LC, RC and DC, conain one or more sequences of mouse-move evens ogeher wih lower level acions. In he following we describe he feaures ha we use in order o characerize mouse movemen. We hen describe he feaures ha we associae wih each mouse acion. 3.. Movemen Feaures (MF) We adop a similar approach o he one proposed by Gamboa e al [0] in order o describe a mouse movemen acion. Formally, each mouse movemen is associaed wih he following hree vecors:
n { i} i= = - The sampling ime n { x i} i = x = - The horizonal coordinae sampled a ime i. n { y i} i = y = - The verical coordinae sampled a ime i. The lengh of he pah produced by he sequence of poins unil he i-h poin is defined as: S i = i k= δx k + δy k where δ xi = xi+ xi andδ yi = yi+ yi. A se of basic feaures, which are described in Table 3, was exraced in [0] from he vecors x, y and. 3 Feaure name Descripion Formal definiion i Angle of movemen Angle of he pah angen wih he δy θ = x-axis + i arcan* δx Curvaure Curvaure change rae The relaive angle change o he raveled disance 4 Horizonal Velociy Velociy wih respec o he x-axis 5 Verical Velociy Velociy wih respec o he y-axis δθ j j= δy i δθ + i = min δ arcan* kπ δxi δθ c = δ s δc c= δs δx V x = δ δ y V y = δ 6 Velociy V = δ V x + δv Acceleraion x y x V 7 V& δ = δ Jerk V 8 V& δ & = δ 9 Angular Velociy δθ w = δ Table 3: Basic mouse movemen feaures which were proposed in [0] and are used by he proposed approach in his paper. Based on he feaures in Table 3, Gamboa e al [0] consruc a se of higher-level feaures. In order o calculae some of hese feaures, he vecors x, y are firs inerpolaed and he inerpolaed resuls are denoed by x ', y ', respecively. The resul is used o obain he inerpolaed raveled disance which is denoed by s '. A subse of he higher-level feaures proposed in [0] which is uilized by he algorihm proposed in his paper, is given in Table 4.
Feaure name Descripion Number of feaures minimum, maximum, mean, The specified saisic 55 sandard deviaion and of (maximum-minimum) x ', y ', θ, c, c, V x, V, V, V&, V&& and w y Formal definiion Duraion of movemen n 3 Traveled disance S n- 4 Sraighness(S) ( x 5 Criical Poins (CP) 6 Jier(J) x n ) + ( y y n ) S n Criical Poins(CP) Table 4: Addiional exraced feaures based on x',y',s' and he basic feaures. if ci = 0^ ci > α π rad z i = for α > 0 oherwise 0 pixel S' S n n = i= z where i We inroduce a se of new feaures ha are used in conjuncion wih he feaures in Table 4. These feaures include:. Trajecory Cener of Mass (TCM) a single feaure ha measures he average ime for performing he movemen where he weighs are defined by he raveled disance: TCM = s n n i= i+ ( x i+ x ) i + ( y i+ y ). Scaering Coefficien (SC) measures he exen o which he movemen deviaes from he movemen cener of mass: i SC = S n n i= i+ ( x i+ x ) i + ( y i+ y i ) TCM 3. Third and Fourh Momen (M 3, M 4 ) n n i= k i+ M k = ( xi+ xi ) + ( yi+ yi ) where k=3,4. S 4. Trajecory Curvaure (TCrv) - The average of he following quaniy is aken over all he sampled poins: TCrv= xy &&& yx &&& & & ( x + y ) 3
5. Velociy Curvaure (VCrv). The average is aken as he feaure. VCrv= v&& ( + v& 3 ) Table summarizes he feaures which are used by he proposed algorihm in order o characerize mouse movemen acions. Facors x' y' θ c c V x V y V V & V & w n S n- S CP J TCM SC M k TCrv VCrv Feaures 5 5 5 5 5 5 5 5 5 5 5 3.. Mouse acion feaures Table 5: 66 feaures used o represen a movemen sequence. In order o describe he LC, RC, DC, DD, MM_LC, MM_RC and MM_DD mouse acions, addiional feaures are exraced depending on he acion ype a hand. Table 6 provides a deailed descripion of he feaures ha are used o characerize each of he acions. Acion Feaures Number of feaures Lef Click (LC) Click Time (CT) The ime beween he mouse down even and he mouse up even, which mus be less han τ LC. Traveled Disance during Click (TDC) The disance raveled beween he mouse down even and he mouse up even. Righ Click Click Time (CT) The ime beween he mouse down even and he mouse up even which (RC) is less han τ RC. Traveled Disance during Click (TDC) The disance raveled beween he mouse down even and he mouse up even. Drag and Drop The feaures of he movemen beween he mouse-down and mouse-up evens which are (DD) summarized in Table 6. 66 Double Click Firs Click Time (FCT) The ime beween he mouse- down and mouse-up evens, which (DC) is less han τ LC. Firs Click Disance (FCD) The disance raveled beween he mouse-down and mouseup evens of he firs click. Inerval Time (IT) The ime inerval beween he firs click and he second one, which is less han τ I. 6 Inerval Disance (ID) The disance raveled beween he firs click and he second one. Second Click Time (SCT) The ime beween he mouse-down and mouse-up evens, which is less han τ LC. Second Click Disance (SCD) The disance raveled beween he mouse-down and mouse-up evens of he second click. Mouse Move and Lef or Righ Click Acion (MM_LC) Mouse and Click Move Double Acion Mouse movemen feaures from he beginning of he acion unil he mouse down even (Table 6). Time o click (TC) The ime beween he mouse-move even immediaely preceding he mouse-down even and he mouse-down even iself. Disance o click (DC) The disance beween he mouse-move even immediaely preceding he mouse-down even and he mouse-down even iself. Click Time (CT) The ime beween he mouse-down and mouse-up evens, which is less han τ LC. Traveled Disance during Click (TDC) The disance raveled beween he mouse-down and he mouse-up evens. Mouse movemen feaures from he beginning of he acion unil he mouse down even (Table 6). Time o click (TC) The ime beween he mouse-move even immediaely preceding he 70 74
(MM_DC) mouse-down even and he mouse-down even iself. Disance o click (DC) The disance beween he mouse-move even immediaely preceding he mouse-down even and he mouse-down even iself. Firs Click Time (FCT) The ime beween he mouse-down and he mouse-up evens, which is less han τ LC. Firs Click Disance (FCD) The disance raveled beween he mouse-down and he mouse-up evens of he firs click. Inerval Time (IT) The ime inerval beween he firs click and he second, which is less han τ I. Second Click Time (SCT) The ime beween he mouse- down and he mouse-up evens, which is less han τ LC. Second Click Disance (SCD) The disance raveled beween he mouse-down and he mouse-up evens of he second click. Mouse Move Mouse movemen feaures from he beginning of he acion unil he mouse down even and Drag and (Table 6). Drop Acion Time o click (TC) The ime beween he mouse-move even immediaely preceding he (MM_DD) mouse-down even and he mouse-down even iself. Disance o click (DC) The disance beween he mouse-move even immediaely preceding he mouse-down even and he mouse-down even iself. Mouse movemen feaures describing he movemen beween he mouse-down and mouse-up evens of he drag-and-drop acion (Table 6). Table 6: Feaures of he mouse acions ha are used o describe he mouse aciviy. 34 3.3 The Proposed Verificaion Framework The framework is divided ino 3 pars: (a) Acquisiion, (b) Learning, and (c) Verificaion. A deailed descripion of hese pars is given in he nex secions. 3.3. Acquisiion The acquisiion par capures he mouse evens ha consiue he users' mouse aciviy and is illusraed in Figure 6. This par is composed of hree modules and an Acions daabase: A feaure acquisiion module - responsible for acquiring he evens ha are produced by he mouse. Each even is described as a quare <even ype, x coordinae, y coordinae, imesamp>. For example, he quare <MM,0,30,63355950674> represens a mouse-move even, a locaion X=0, Y=30 a ime 63355950674 milliseconds afer he year 970. An acion exracor module - ransforms he acquired evens ino he mouse acions defined in secion 3.. Each acion is exraced and associaed wih is evens in order o faciliae he exracion of he differen feaures proposed in Secion 3.. A feaure exracor module - derives feaures from he given acion. I is illusraed by muliple insances in Fig. 7 since differen feaure exracors are required for
differen ypes of acions. The exraced feaures are summarized in Table 7Error! Reference source no found.. An acions DB - sores he acions and heir associaed feaures of each user. This informaion is used o consruc he profiles of each user in he Learning process. Figure 6: The acquisiion process of mouse aciviy. 3.3. Learning In his par, classifiers are consruced for each acion ype. Training ses in he form of marices are consruced using he acions of he users ha are sored in he acions DB. Each marix holds he feaures ha belong o a specific acion ype. Specifically, each acion insance forms a row whose columns conain he feaures ha are associaed wih he acion and is label is given by he id of he user who performed he acion. A classifier is rained using he rows of one marix and he produced model is sored in a daabase (one model for each acion ype). We use he Random Fores [5] classifier which is a muli-class classifier, consruced from an ensemble of decision rees. Given a raining se consising of N insances, boosrap samples of size N are drawn from i. Each sample is used o consruc a decision ree. The classificaion of a paern is obained by a majoriy voing scheme applied o he resuls of he consruced rees. Figure illusraes he raining process.
Figure 7: The raining process for each of he acion ypes. 3.3.3 Verificaion The verificaion process is composed of he following seps:. Feaures are exraced from he acquired acions via a process ha is similar o he one employed by he acquisiion par.. The exraced feaures are sored in an Acion Collecor DB. 3. Once a sufficien number of (consecuive) acions are colleced (according o a predefined hreshold m) hey are sen o he appropriae classifier according o he acion ype. 4. The Classifier (Layer ) predics for each of he rained users, he probabiliy ha each of hem performed each of he m acions. 5. A layer decision module combines he probabiliies o derive a final resul. The process and is componens are illusraed in Fig. 8. Figure 8: User verificaion process. In he following, we give a formal descripion of he layer classifier and he layer decision module. Classifier (Layer ) As previously menioned, he classifier used o consruc he model for each acion ype is he Random Fores [5]. Each of he acions colleced by he Acion Collecor is passed o he appropriae classifier according o he ype of acion. Le =,, be he se of rained users and le =,, be a se of performed acions.
Each classifier (associaed wih acion ) esimaes for each rained user he probabiliy he performed acion. This probabiliy is denoed by. Le =,,, be he se of m ik raining insances of acion ype performed by user i. In many cases m ik may vary beween he users for each ype of acion. This may resul in a biased decision by he classifier. In order o overcome his problem, normalizaion is applied o he probabiliies. Specifically, he probabiliy ha an acion a j was performed by user is given by: where = = = and denoes he a-priori probabiliy derived by he raining sep. Decision (Layer ) The decision module provides a final decision regarding he performed acions. I combines he probabiliies given by he layer- classifiers and produces a final probabiliy,, ). The probabiliy ha he se of acions,, belongs o user is given by he following formula :,, )= The se of acions,, is associaed o user if he resuling probabiliy is above a hreshold λ i.e.,, )=,, ) h Probabiliy muliplicaion equivalen o Naïve Bayes wih Bayes formula was also esed, however due o poor resuls he experimens were performed using probabiliy summaion.
4 EXPERIMENTAL RESULTS In order o evaluae he proposed approach, we firs colleced an exensive and diverse daa from a wide variey of users and compuer configuraions. Given he daa, he proposed approach was evaluaed by performing he following experimens:. Comparison beween he proposed acion-based muli-class approach o he hisogram-based binary-class approach proposed by Ahmed e al [].. Comparison beween he proposed muli-class verificaion and a binary-class model uilizing he proposed approach in order o examine he effeciveness of using a muli-class model. 3. We esed he conribuion of he new feaures inroduced in Secion 3. o he verificaion accuracy. 4. Daa Collecion The feaure acquisiion described in secion Error! Reference source no found. was performed in 5 compuers which were used by males and 4 females. The compuers were chosen from a wide variey of brands and hardware configuraions. Specifically, he compuers included 3 deskops, lapops. The CPU speeds ranged from.86ghz o 3.Ghz and he poining devices included opical mice, ouch pads and syli. 4.. User groups definiion In general, differen users may inerac wih one or more compuer sysem. These users may be associaed wih he insiuion or company o which he compuer sysems belong or alernaively, hey may be exernal. Accordingly, he following wo groups of users were defined: (a) Inernal Users correspond o users ha belong o he insiuion or company. (b) Exernal Users users ha are exernal o he insiuion or company. One or more inernal users may be auhorized o inerac wih a paricular compuer sysem while he res of he users (inernal and exernal) are no. We refer o he former ineracion ype as an auhorized ineracion. I is assumed ha he number of auhorized ineracions performed by an inernal user is higher han he number of unauhorized ones since mos of he ime he legal users inerac wih heir compuer sysems. Moreover, he
number of unauhorized ineracions by exernal users is even smaller since hey are no supposed o have access o any of he compuers wihin he company. This assumpion is manifesed by he number of legal verificaion aemps, inernal aacks and exernal aacks ha are chosen in he evaluaion. 4.. Experimen configuraion The hresholds τ MM, τ MLM, τ MRM, τ LC, τ RC, τ I ha were used in order o consruc he acions defined in secion Error! Reference source no found. were empirically se o 500 milliseconds. The acion exracion incorporaed filraion similarly o he one used in [0]. Namely, calculaion of he movemen feaures associaed wih he differen acions such as speed, acceleraion and jerk, was only done if a minimal amoun of evens was a hand. Only movemens ha conained a leas 4 differen poins were considered. Evens whose ype and posiion were equal o hose of he even which preceded hem were ignored. Two-fold cross validaion was used in he experimens i.e. he daa colleced for each of he users was spli ino equal pariions: raining and esing. The profile of each user was consruced from he raining pariion and he esing pariion was used o generae legal verificaions and illegal aacks. On he average, he raining se consised of 5.494 hours of aciviy per user and he average acion duraion was approximaely.4 seconds. The se of all available users =,, was randomly divided in each fold ino a se of k inernal users =,,,, =,, and a se of exernal users =. Profiles were consruced for each of he inernal users in IU according o he raining aciviy ha belonged o all users in IU. Each of he users in IU was esed for auhorized and unauhorized access based on a varying number of consecuive acions. In each of he experimens he number of inernal users was se o IU = and he number of acions varied beween and 00 acions. All he experimens were conduced using he same esing insances o allow credible comparisons. Aacks by inernal and exernal users were simulaed and are referred o as inernal and exernal aacks, respecively. An inernal aack was simulaed by changing he user id of an aciviy ha belongs o an inernal user o an id of anoher inernal user. An exernal aack was simulaed by associaing acions of an exernal user wih an id of an inernal
user. Specifically, 4 inernal aacks were simulaed for each user in each of he wo folds, producing 48 inernal aacks per user and a oal of 48 * 5 = 00 inernal aacks. Six exernal aacks were simulaed for each user in each of he wo folds, producing exernal aacks per user and a oal of * 5 = 300 exernal aacks. In addiion o he aacks, 7 auhorized ineracions were checked for each user in each of he wo folds, simulaing a legiimae user working on a compuer sysem. This produced 44 legal verificaion aemps per user and 44 * 5 = 3600 verificaion aemps in oal. The raining and esing were performed on compuer wih 6GB RAM and an Inel(R) Xeon(R) CPU running a.5ghz which achieved all he execuion imes ha are specified below. 4. Evaluaion measures Since biomeric-based verificaion sysems are a special case of classifiers [], heir performance is evaluaed using similar measuremens. Specifically, he following measuremens were used: False Accepance Rae (FAR) measures he raio beween he number of aacks ha were erroneously labeled as auhenic ineracions and he oal number of aacks. False Rejecion Rae (FRR) measures he raio beween he number of legiimae ineracions ha were erroneously labeled as aacks and he oal number of legiimae ineracions. ROC Curve An ROC curve is a graphical represenaion of he radeoff beween he FAR and he FRR for every hreshold [4] [5]. The poin (0,0) represens perfec verificaion while he poin (, ) represens wrong verificaion for every insance. Area Under Curve (AUC) measures he area under he ROC curve. A lower AUC is sough afer since i corresponds o beer performance. Equal Error Rae (EER) The rae a which boh accepance and rejecion error raes are equal. Based on he above measuremens, addiional measuremens were defined. The INTERNAL_FAR was aained from he aacks performed by inernal users. The EXTERNAL_FAR was derived from he aacks performed by exernal users.
4.3 Comparison wih a hisogram-based approach The approach inroduced in [] uses hisograms in order o aggregae muliple acions and uilizes a binary model in order o represen each user. The firs experimen compares his approach wih he wo layer approach proposed in his work. In order o consruc hisograms from he feaures ha are used o characerize he mouse acions (Secion 3), discreizaion is firs employed o coninuous feaures. Specifically, one of he following mehods was applied o each feaure:. Disance discreizaion In mos cases, during click/double click no disance is raveled. Thus, in his case discreizaion was performed via wo binary feaures. The firs is se o if no disance was raveled; oherwise he second feaure is se o. This discreizaion was applied o he DC, FCD, ID, SCD and TDC feaures.. Criical Poins discreizaion The values observed for he CP feaure were 0,, and 3. Therefore, he discreizaion produced five binary feaures. A criical poin value of 0 would se he firs feaure o and he res o 0, a criical poin value of would se he second feaure o and he res o zero and so on. The las feaure would be se o if he number of criical poins is greaer han 3. This discreizaion was applied o he CP feaure. 3. Equal Frequency (EQF) The values of each feaure were separaed ino 5 equallyspaced inervals. This discreizaion was applied o he remaining feaures. The discreisized feaures were used by boh he proposed approach and he hisogrambased one. By performing aggregaion of he discreisized feaures of each acion, occurrence hisograms as in [] were creaed. The feaure average hisograms were creaed by averaging he remaining feaures. The feaures ha were used were described in Table 6. A verificaion aemp based on N acions was performed in he following manner: Each of he eigh ypes of acions was exraced from he N acions and was individually aggregaed. The aggregaed values were concaenaed o form a feaure vecor ha characerizes he user's aciviy. In addiion, he relaive occurrence of each acion was added o he feaure vecor.
In order o rain he model, he raining se daa was spli ino 5 equal pariions and each raining pariion was used o produce a single aggregaed vecor. Thus, each user was represened by 5 vecors. Error! Reference source no found.(a)-(b) presen he comparison resuls beween he aggregaion and he acion-based approaches. Error! Reference source no found.(a) depics he comparison beween he wo mehods in erms of he AUC measure incorporaing he ANOVA es wih 95% confidence inervals. I is eviden ha he acionbased mehod ouperforms he hisogram-based approach. (a) Figure 9: Comparison beween he acion-based mehod and he hisogram-based approach. (a) AUC measure comparison: he acion-based mehod clearly ouperforms he hisogram-based one. (b) EER evaluaion of he proposed mehod: he acion-based mehod is superior for any number of acions and produces EER of 8.53% and 7.5% for 30 and 00 acions, respecively, while he hisogram-based mehod produced EER of 9.78% and 3.77%. There is a sharp decrease in he EER in he acionbased mehod unil 30 acions are performed which becomes more moderae for a number of acions higher han 30. (b) Error! Reference source no found. shows he EER of he wo mehods for differen quaniies of acions. The acion-based mehod is superior for any quaniy of acions. Furhermore, a sharp decrease in he EER is observed in he acion-based mehod when he number of acions ha is used for verificaion ranges from (6.5% EER) o 30 acions (~8.53% EER). When he number of acions is beween 30 and 00, he decrease becomes more moderae and for 00 acions he EER is equal o 7.5%. The aggregaion approach produces 9.78% and 3.77% EER for 30 and 00 acions, respecively. As menioned above, he average duraion of an acion was less han.4 seconds. The consrucion of he verificaion vecor and esing ime per acion was approximaely 3ms. Thus, he required ime for verificaion based on 30 and 00 acions is approximaely 4 and.33, respecively. Consequenly, he approach proposed in his
paper provides a mehod for verifying he user in less han minues wih a maximal equal error rae of 0%. Error! Reference source no found. presens an ROC curve obained from verificaion based on 30 acions. The opimal poin on he ROC curve in which he accepance and rejecion errors are equal is obained for an inernal EER of 8.53% and a relaively high exernal FAR of 7.66%. The choice of he opimal poin may be alered according o securiy level ha is sough afer. For insance, a poin where he FAR is low and he FRR is high suis users ha have highly confidenial informaion on heir compuer sysem while a poin wih relaively low FRR and higher FAR may reduce he rae false alarms of legiimae access. I should be menioned ha while in [] a se of acions performed wihin a session produced a single insance in he raining and es ses, in our proposed mehod, every acion produces an insance. Consequenly, he number of insances is higher and hus requires a larger amoun of memory. Neverheless, his requiremen only affecs he raining phase. Figure 0: ROC curve for verificaion based on 30 acions. An inernal EER of 8.53% corresponds o an exernal FAR of approximaely 7.66%. 4.4 Comparison beween binary and muli-class models The purpose of he second experimen was o deermine wheher modeling users by a muli-class approach is superior o modeling he users by binary class models. In he laer, a binary model was consruced for every acion and user pair in he raining se in order o derive he probabiliy.
Figure : Comparison beween he binary-class models and he muli-class model approaches. (a) The binary-class approach ouperforms he muli-class in erms of AUC wih saisical significance. (b) The binary-class approach is superior o he muli-class approach in erms of EER for almos any number of acions beween and 00. (a) presens a comparison beween he wo modeling approaches in erms of he AUC using he ANOVA es wih 95% significance inervals. Resuls show saisically significan superioriy of he binary modeling approach over he muli-class modeling approach. Figure : Comparison beween he binary-class models and he muli-class model approaches. (a) The binary-class approach ouperforms he muli-class in erms of AUC wih saisical significance. compares beween he equal error raes of he muliclass and binary-class approaches for a number of acions ranging from o 00. The binary approach ouperforms he muli-class approach in erms of EER by.0% on he average for almos every number of acions. (b) (a) Figure : Comparison beween he binary-class models and he muli-class model approaches. (a) The binary-class approach ouperforms he muli-class in erms of AUC wih saisical significance. (b) The binary-class approach is superior o he muli-class approach in erms of EER for almos any number of acions beween and 00. (b)
A major drawback of he binary class modeling approach is is ime and space complexiies which are approximaely imes greaer han hose of he muli-class model approach where denoes he number of users which ake par in he raining. Specifically, binary models are consruced for every acion insead of a single muliclass model. For example, raining each muli class model required 8.896 on he average while esing required.7746. However, since raining in he binary-model approach requires he consrucion of an individual binary model for every user, he raining ime ook 7.03 ( ) = 84.37 minues and he esing ime ook.735 ( ) = 3.56. Thus, alhough he binary-class approach exhibis saisically significan performance superioriy over he muli-class approach, considering he ime and space complexiies ha are required for raining and esing may render i as unsuiable in ime-criical seings. Consequenly, choosing one of he approaches depends on he verificaion ime and accuracy which is required. The muli-class approach is suiable when relaively fas verificaion (a he expense of lower accuracy) is required while he binary class provides a beer choice in cases when higher accuracy is required a he expense of slower verificaion. 4.5 Conribuion of he new feaures The proposed approach inroduces new feaures o characerize mouse aciviy. These feaures are used in conjuncion wih feaures ha were adoped from [0]. In order o deermine he conribuion of he newly inroduced feaures wo experimens were conduced: he firs verified users based only on he feaures ha were adoped from [0] and he second experimen used he new feaures ogeher wih he ones from [0]. Figure (a) and (b) presen a comparison beween he resuls of he wo experimens in erms of he AUC. I is eviden ha he new feaures conribue o he accuracy of he model. Figure (a) shows ha using he addiional new feaures achieves a beer resul for any number of acions ha are used for he verificaion and he ANOVA es using 95% confidence inervals achieves similar findings which are illusraed in Figure (b).
Figure : Conribuion of he new addiional feaures ha were inroduced in Secion 3.. (a) The addiional feaures conribue o he verificaion accuracy for any number of acions ranging from o 00. (b) Conribuion in erms of he ANOVA es using 95% confidence inervals. 5 Conclusions and fuure work A novel mehod for user verificaion based on mouse aciviy was inroduced in his paper. Common mouse evens performed in a GUI environmen by he user were colleced and a hierarchy of mouse acions was defined based on he raw evens. In order o characerize each acion, feaures were exraced. New feaures were inroduced in addiion o feaures ha were adoped from [0]. A wo-layer verificaion sysem was proposed. The sysem employs a muli-class classifier in is firs layer and a decision module in he second one in order o verify he ideniy of a user. The proposed mehod was evaluaed using a daase ha was colleced from a variey of users and hardware configuraions. Resuls showed superioriy of he acion-based mehod proposed in his paper over he hisogram-based mehod proposed in []. Furhermore, evaluaion showed a significan improvemen in he verificaion accuracy when using he newly inroduced feaures. In he following we describe several issues ha need furher invesigaion in mouse-based verificaion mehods. The original acions inended by he user are logged neiher by sofware nor by observing he user while performing he acions. Accordingly, hey are heurisically reconsruced from he raw evens which may produce some non-credible acions. Addiionally, he obained acions may vary beween differen hardware configuraions (e.g. opical mouse, ouch pad). In order o obain a higher percenage of credible acions, he parameers ha define hem should be deermined by a more rigorous mehod.
Furhermore, he daa colleced from mouse devices may be parially unreliable due o noise. Specifically, lin clogging he moving pars of mechanical mice may affec he funcionaliy of he mouse. However, his ype of mice is becoming rare. Opical mice may inroduce noise due o heir inabiliy o rack movemen on glossy or ransparen surfaces. In some mice, fas movemens may be poorly capured. A significan drawback of mouse-based verificaion in comparison o keyboard-based verificaion is he variey of mice, mouse pads and sofware configuraions which may influence he performance of he verificaion. For example, a person using a lapop in wo differen places may use he ouch pad in one place and an exernal mouse in he oher - hus affecing he evens produced and, consequenly, he performance of any mousebased verificaion mehod. This problem does no exis in keyboard-based verificaion echniques since he keyboard is an inegral par of he lapop. In order o esablish well srucured research and evaluaion of mehods in he area of behavioral biomeric sysems, benchmark daa ses mus be available. In heir absence, i is impossible o compare he exising mehods (since each uses a differen daase, having unique characerisics). Moreover, each sudy has o sar by puing new effors in he consrucion of new daases. Generally, here are wo ypes of daases: (a) General aciviies of a user in an operaing sysem of a local compuer, in which all he evens are hooked a he operaing sysem level; or (b) Aciviies generaed from ineracion wih a web applicaion, in which all he evens ha are relaed o he web browser are moniored a he clien and sen o he server. The echnological aspec of such collecion ools is no an issue, bu raher he ways o collec large-scale auhenic daa, in which many users perform heir daily asks. The problem here is mainly o convince users o expose heir biomeric daa and o pu he ime and he effors for he daa collecion. Creaing a daase for coninuous verificaion is more challenging, since he daase should be diverse and reflec he daily asks of he users. Furhermore, he daase should reflec he differen physiological saes of he user during he day which migh influence heir behavioral biomerics and consequenly he verificaion accuracy. For example, some users are faser in he morning, while slower a nigh, or afer lunch. Moreover, user posures, such as siing (common), sanding or alking on he phone while ineracing wih he compuer, are expeced o influence he verificaion accuracy as well.
References []. P. Groher, and E. Tabassi, Performance of Biomeric Sample Qualiy Measures, Naional Insiue of Sandards and Technology, 006. []. A. A. E. Ahmed, and I. Traore, A New Biomeric Technology Based on Mouse Dynamics, IEEE Transacions on Dependable and Secure Compuing, Vol. 4, No. 3, pp. 65 79, July-Sepember 007. [3]. F. Bergadano, D. Gunei, and C. Picardi, User Auhenicaion hrough Keysroke Dynamics, ACM Transacions on Informaion and Sysem Securiy, Vol. 5, no. 4, pp. 367 397, 00. [4]. M. H. Zweig, and G. Campbell, Receiver-operaing characerisic (roc) plos: A fundamenal evaluaion ool in clinical medicine. Clin. Chem., Vol. 39, no. 4, pp. 56 577, 993. [5]. T. Fawce, An Inroducion o ROC Analysis, Paern Recogniion, Leers,, doi:0.06/j.parec.005.0.00, 006. [6]. R. V. Yampolskiy, Human Compuer Ineracion Based Inrusion Deecion, IEEE Compuer Sociey, In Proc. of he Inernaional Conference on Informaion Technology, pp. 837 84, 007. [7]. S. J. Solfo, S. Hershkop, K. Wang, O. Nimeskern, and C. W. Hu, A behavior-based approach o Securing Email Sysems, Mahemaical Mehods, Models and Archiecures for Compuer Neworks Securiy, Springer Verlag, 003. [8]. S. J.Solfo, C. W. Hu, W. J. Li, S. Hershkop, K. Wang, and O. Nimeskern, Combining Behavior Models o Secure Email Sysems, Technical Repor, Columbia Universiy, Available a: www.cs.columbia.edu/ids/publicaions/emt-weijen.pdf, 003. [9]. O. D. Vel, A. Anderson, M. Corney, and G. Mohay, Mining Email Conen for Auhor Idenificaion Forensics, SIGMOD: Special Secion on Daa Mining for Inrusion Deecion and Threa Analysis, 00. [0]. G. Franzeskou, S. Grizalis, and S. MacDonell, Source Code Auhorship Analysis for Supporing he Cybercrime Invesigaion Process, s Inernaional Conference on ebusiness and Telecommunicaion Neworks Securiy and Reliabiliy in Informaion Sysems and Neworks Track, pp. 85 9, 004.
[]. A. Gray, P. Sallis, and S. Macdonell, Sofware Forensics: Exending Auhorship Analysis Techniques o Compuer Programs, In Proc. 3 rd Biannual Conf. In. Assoc. of Forensic Linguiss (IAFL'97), 997. []. E. H. Spafford, and S. A. Weeber, Sofware Forensics: Can We Track Code o is Auhors? 5 h Naional Compuer Securiy Conference, pp. 64 650, 99. [3]. J. Ramon, and N. Jacobs, Opponen modeling by analyzing play, Proceedings of he Compuers and Games workshop on Agens in Compuer Games, 00. [4]. A. R. Jansen, D. L. Dowe, and G.E. Farr, Inducive Inference of Chess Player Sraegy, Proceedings of he 6 h Pacific Rim Inernaional Conference on Arificial Inelligence (PRICAI'000), pp. 6 7, 000. [5]. A. Bromme, and S. Al-Zubi, Mulifacor Biomeric Skech Auhenicaion, Proceedings of he BIOSIG 003, pp. 8 90, 003. [6]. S. Al-Zubi, A. Bromme, and K. Tonnies, Using an Acive Shape Srucural Model for Biomeric Skech Recogniion, In Proceedings of DAGM, pp. 87 95, 003. [7]. M. Schonlau, W. DuMouchel, H. Ju, A. F. Karr, M. Theus, and Y. Vardi, Compuer Inrusion: Deecing Masquerades, Saisical Science, 6, pp 7, 00. [8]. R. A. Maxion and T. N. Townsend, Masquerade deecion using runcaed command lines, In Inernaional Conference on Dependable Sysems and Neworks (DNS-0), IEEE Compuer Sociey Press, 00. [9]. M. Pusara, and C. E. Brodley, User Re-Auhenicaion via Mouse-movemens, Proc. of ACM Workshop Visualizaion and Daa Mining for Compuer Securiy, 004. [0]. H. Gamboa, and A. Fred, Behavioural Biomeric Sysem Based on Human Compuer Ineracion, Proc. of SPIE, vol. 5404, pp. 38 39, 004. []. S. Bleha, C. Slivinsky, and B. Hussein, Compuer-access securiy sysems using keysroke dynamics, IEEE Transacions on Paern Analysis and Machine Inelligence, vol., no., pp. 7, 999. []. S. Cho, C. Han, D.H. Han, and H.I. Kim. Web-Based Keysroke Dynamics Ideniy Verificaion Using Neural Nework, Journal of Organizaional Compuing and Elecronic Commerce, 0(4):95 307, 000. [3]. M. Curin, C. C. Tapper, M. Villani, G. Ngo, J. Simone, H. S. For, and S. Cha, Keysroke Biomeric Recogniion on Long Tex Inpu: A Feasibiliy Sudy, Proc. In. Workshop Sci Comp/Comp Sa, 006. [4]. D. Gunei, and C. Picardi, Keysroke analysis of free ex, ACM Trans. Inf. Sys. Secur., 8(3):3 347, 005.
[5]. L. Breiman, Random Foress, Machine Learning, 45(), pp. 5 3, 00. [6]. A. K. Jain, S. Pankani, S. Prabhakar, L. Hong and A. Ross, Biomerics: A grand challenge, Proc. In. Conf. on Paern Recogniion, vol., pp. 935 94, 004. [7]. R. B. Abernehy, The New Weibull Handbook, 00. [8]. R. V. Yampolskiy, V. Govindaraju, Behavioral Biomerics: a Survey and Classificaion, In. J. Biomerics, Vol., No., 008. [9]. K. Reve, P. S. Magalhães, and H. D. Sanos, Developing a keysroke dynamics based agen using rough ses, In IEEE/WIC/ACM Inernaional Join Conference on Web Inelligence and Inelligen Agen Technology. Universiy of Technology of Compiègne, 005. [30]. D. T. Lin, Compuer-access auhenicaion wih neural nework based keysroke ideniy verificaion, Neural Neworks,997. [3]. E. Lau, X. Liu, C. Xiao, and X. Yu, Enhanced User Auhenicaion Through Keysroke Biomerics, Technical repor, Massachuses Insiue of Technology, 004.