1. Ned Bakelman Advisor: Dr. Charles Tappert Research Experiment Design Sprint: Keystroke Biometric Intrusion Detection

2. Problem Statement Using Keystroke Biometrics, how quickly and accurately can the unauthorized use of a computer be determined? In other words, how quickly and accurately can the unauthorized use of a computer by an intruder be detected using Keystroke Biometrics?

3. Background DARPA (Defense Advanced Research Projects Agency) through their Cyber Genome Program is funding research in computer intrusion detection This includes the use of keystroke analysis DARPA, Cyber Genome Program, DARPA-BAA-10-36, 2010 Pace University has developed a keystroke biometrics system for text input Studies have shown that 300 keystrokes provides good accuracy CNN.com, Lawrence, Chris, http://www.cnn.com/2011/10/10/us/military-drones- virus/index.html?eref=rss_politics&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+rss%2Fcnn_all politics+%28RSS%3A+Politics%29&utm_content=Google+Feedfetcher, last updated: October 10, 2011http://www.cnn.com/2011/10/10/us/military-drones- virus/index.html?eref=rss_politics&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+rss%2Fcnn_all politics+%28RSS%3A+Politics%29&utm_content=Google+Feedfetcher Foxnews.com, Chiaramonte, Perry, http://www.foxnews.com/scitech/2011/10/07/us-military-drones-infected-with- mysterious-computer-virus, last updated: October 7, 2011 http://www.foxnews.com/scitech/2011/10/07/us-military-drones-infected-with- mysterious-computer-virus The Pace Keystroke Biometric System (PKBS) has been updated to handle completely free (application independent) keystroke samples

4. Methodology Monitor each computer and continuously authenticate the user from their keystroke input Assume one authorized user per computer An intruder is defined as someone other than the authorized user Each authentication event is viewed as a window which can occur several times within a short period of time. We want to detect an intruder during each passing of a window.

5. Intruder Scenarios User Bob leaves his office for lunch with his computer running and unlocked Intruder Trudy sits down at Bob’s desk and uses the computer while Bob is at lunch Trudy may perform less malicious activities such as using the computer to type documents, surf the web, check her Facebook account, etc. Trudy may perform very malicious activities such as sending emails impersonating Bob, entering fake claims in an expense tracking system, attempting to steal passwords or account info that Bob may have saved on his computer to gain access to personal or company bank accounts, etc.

6. Research Experiment Design Sprint Design experiments to investigate the problem statement regarding the intruder scenarios Ideas What unique keywords or commands might an intruder key in to detect passwords, accounts, etc? What mouse behavior or web activity (searches, etc.) might an intruder perform? These would be activities not typical of a true user Also Keystroke entry is a time series event How would you simulate the time series keystroke data of an authentic user with intruder data?

7. Normal User versus Intruder User What is normal or typical user activity Email, word processing, spreadsheet entry, web surfing, etc. What is intruder activity Are there special characteristics? Can they be distinguishable from normal activity? Can special characteristics of intruder data be used to assist with intruder detection? If so, how?