Sep 10, 2014 - (private) cloud hosted enterprise applications. Medvet, Bartoli ..... Data capture system generates an ev
Continuous and Non-Intrusive Reauthentication of Web Sessions based on Mouse Dynamics Eric Medvet
Alberto Bartoli
Francesca Boem
Fabiano Tarlao
Department of Engineering and Architecture University of Trieste Italy
September 10th, 2014
http://machinelearning.inginf.units.it
Scenario and motivation
Table of Contents
1
Scenario and motivation
2
Our contribution )
Medvet, Bartoli, Boem, Tarlao (UniTs)
Web Reauthentication by Mouse Dynamics
September 10th, 2014
11 / 22
Our contribution
) C requests resources mentioned in d js
Medvet, Bartoli, Boem, Tarlao (UniTs)
Web Reauthentication by Mouse Dynamics
September 10th, 2014
11 / 22
Our contribution
) C requests resources mentioned in d js : our js comes from O (rather than S) via P
Medvet, Bartoli, Boem, Tarlao (UniTs)
Web Reauthentication by Mouse Dynamics
September 10th, 2014
11 / 22
Our contribution
) C requests resources mentioned in d js : our js comes from O (rather than S) via P our js on C sends mouse events data to /obs, i.e., O
Medvet, Bartoli, Boem, Tarlao (UniTs)
Web Reauthentication by Mouse Dynamics
September 10th, 2014
11 / 22
Our contribution
Data capture system
Data capture system
fully transparent to both user and web sites, requires only to set the proxy redirection of /obs/* traffic allows to circumvent Same Origin Policy low bandwidth usage (≈ 2.5 kB s−1 ) can work with HTTPS (w/ self-signed certificate)
1
Medvet, Bartoli, Boem, Tarlao (UniTs)
Web Reauthentication by Mouse Dynamics
September 10th, 2014
12 / 22
Our contribution
Data capture system
Data capture system
fully transparent to both user and web sites, requires only to set the proxy redirection of /obs/* traffic allows to circumvent Same Origin Policy low bandwidth usage (≈ 2.5 kB s−1 ) can work with HTTPS (w/ self-signed certificate) could be used also for other purposes: web app testing1 , web app misuse detection, . . .
1 Bartoli, Medvet, Mauri, Recording and Replaying Navigations on AJAX Web Sites, Int. Conf. on Web Engineering (ICWE), 2012 Medvet, Bartoli, Boem, Tarlao (UniTs)
Web Reauthentication by Mouse Dynamics
September 10th, 2014
12 / 22
Our contribution
Reauthentication by mouse dynamics
Procedure: overview
Data capture system generates an event e = (x, y , t) every ≈ 25 ms, then we: 1
split sequence of events on pauses ≥ 500 ms and consider the last 10 events before a pause (trajectory)
2
transform a trajectory T into a vector f(T ) ∈ R39
3
classify f(T ) as anomalous/normal, w.r.t. current authenticated user
Medvet, Bartoli, Boem, Tarlao (UniTs)
Web Reauthentication by Mouse Dynamics
September 10th, 2014
13 / 22
Our contribution
Reauthentication by mouse dynamics
Features
f(T ) includes: directions and direction changes speeds accelerations x- and y -extents
Medvet, Bartoli, Boem, Tarlao (UniTs)
Web Reauthentication by Mouse Dynamics
September 10th, 2014
14 / 22
Our contribution
Reauthentication by mouse dynamics
Classification
Two phases: training actual classification
Medvet, Bartoli, Boem, Tarlao (UniTs)
Web Reauthentication by Mouse Dynamics
September 10th, 2014
15 / 22
Our contribution
Reauthentication by mouse dynamics
Classification
Two phases: (U − is the authenticated user) training based on trajectories of U − and other users U1+ , U2+ , . . . actual classification
Medvet, Bartoli, Boem, Tarlao (UniTs)
Web Reauthentication by Mouse Dynamics
September 10th, 2014
15 / 22
Our contribution
Reauthentication by mouse dynamics
Classification
Two phases: (U − is the authenticated user) training based on trajectories of U − and other users U1+ , U2+ , . . . actual classification based on trajectories of current unknown user U claiming to be U −
Medvet, Bartoli, Boem, Tarlao (UniTs)
Web Reauthentication by Mouse Dynamics
September 10th, 2014
15 / 22
Our contribution
Reauthentication by mouse dynamics
Training phase
Once, at the beginning: 1
train a SVMU − on the training set
Medvet, Bartoli, Boem, Tarlao (UniTs)
Web Reauthentication by Mouse Dynamics
September 10th, 2014
16 / 22
Our contribution
Reauthentication by mouse dynamics
Actual classification phase
For each T trajectory of U: 1
apply SVMU − to f(T )
2
consider last w trajectories and. . .
3
. . . if too many positives, raise an alert
Medvet, Bartoli, Boem, Tarlao (UniTs)
Web Reauthentication by Mouse Dynamics
September 10th, 2014
17 / 22
Our contribution
Reauthentication by mouse dynamics
Last w trajectories
Aggregation of several classifier outcomes: often used with mouse dynamics the higher w , the higher the accuracy and the longer the Time to Detection (TtD)
Medvet, Bartoli, Boem, Tarlao (UniTs)
Web Reauthentication by Mouse Dynamics
September 10th, 2014
18 / 22
Experimental evaluation
Table of Contents
1
Scenario and motivation
2
Our contribution Data capture system Reauthentication by mouse dynamics
3
Experimental evaluation Dataset Results
Medvet, Bartoli, Boem, Tarlao (UniTs)
Web Reauthentication by Mouse Dynamics
September 10th, 2014
19 / 22
Experimental evaluation
Dataset
Dataset
Two groups of users, each observed for several working days: 6 users, with different hardware equipment 18 users, with homogeneous hardware
Medvet, Bartoli, Boem, Tarlao (UniTs)
Web Reauthentication by Mouse Dynamics
September 10th, 2014
20 / 22
Experimental evaluation
Results
Results
w 50 100 200 350 500
TtD (min) 13.5 27.1 54.1 94.7 135.3
Medvet, Bartoli, Boem, Tarlao (UniTs)
Dataset Acc. FAR 83.3 16.6 88.5 12.8 93.5 9.2 95.6 7.9 96.5 6.1
1 FRR 16.7 10.2 3.8 1.0 0.8
Dataset Acc. FAR 76.4 21.8 81.4 17.5 86.6 13.5 90.6 10.8 92.2 9.5
Web Reauthentication by Mouse Dynamics
2 FRR 25.4 19.6 13.3 8.0 6.1
September 10th, 2014
21 / 22
Experimental evaluation
Results
Results
w 50 100 200 350 500
TtD (min) 13.5 27.1 54.1 94.7 135.3
Dataset Acc. FAR 83.3 16.6 88.5 12.8 93.5 9.2 95.6 7.9 96.5 6.1
1 FRR 16.7 10.2 3.8 1.0 0.8
Dataset Acc. FAR 76.4 21.8 81.4 17.5 86.6 13.5 90.6 10.8 92.2 9.5
2 FRR 25.4 19.6 13.3 8.0 6.1
accuracy up to 96%
Medvet, Bartoli, Boem, Tarlao (UniTs)
Web Reauthentication by Mouse Dynamics
September 10th, 2014
21 / 22
Experimental evaluation
Results
Results
w 50 100 200 350 500
TtD (min) 13.5 27.1 54.1 94.7 135.3
Dataset Acc. FAR 83.3 16.6 88.5 12.8 93.5 9.2 95.6 7.9 96.5 6.1
1 FRR 16.7 10.2 3.8 1.0 0.8
Dataset Acc. FAR 76.4 21.8 81.4 17.5 86.6 13.5 90.6 10.8 92.2 9.5
2 FRR 25.4 19.6 13.3 8.0 6.1
accuracy up to 96% works better if attacker uses different hardware
Medvet, Bartoli, Boem, Tarlao (UniTs)
Web Reauthentication by Mouse Dynamics
September 10th, 2014
21 / 22
Experimental evaluation
Results
Results
w 50 100 200 350 500
TtD (min) 13.5 27.1 54.1 94.7 135.3
Dataset Acc. FAR 83.3 16.6 88.5 12.8 93.5 9.2 95.6 7.9 96.5 6.1
1 FRR 16.7 10.2 3.8 1.0 0.8
Dataset Acc. FAR 76.4 21.8 81.4 17.5 86.6 13.5 90.6 10.8 92.2 9.5
2 FRR 25.4 19.6 13.3 8.0 6.1
accuracy up to 96% works better if attacker uses different hardware time to detection of tens of minutes
Medvet, Bartoli, Boem, Tarlao (UniTs)
Web Reauthentication by Mouse Dynamics
September 10th, 2014
21 / 22
Experimental evaluation
Results
Time to detection
Time to detection of tens of minutes: is it practical? fits the threat model we can only monitor web usage (browser) user could unfocus the browser for minutes we consider sessions without pauses ≥ 10 minutes
Medvet, Bartoli, Boem, Tarlao (UniTs)
Web Reauthentication by Mouse Dynamics
September 10th, 2014
22 / 22
Experimental evaluation
Results
Thanks!
Medvet, Bartoli, Boem, Tarlao (UniTs)
Web Reauthentication by Mouse Dynamics
September 10th, 2014
22 / 22
