The increasing reliance of modern societies and economies on computing infrastructures raises the need for highly secure and dependable computing technologies. Recent widely publicized security incidents such as the Slammer worm have shown how vulnerable several critical aspects of our social and economic life have become because of increased computerization.
Computer security has also become increasingly important because of the large number of security breaches in individual businesses, and the cost of those breaches to the businesses. In a recent survey (2003), the total annual financial losses reported by the respondents amounted to $201,797,340. The actual figure could be higher, since only 251 of the 530 participants (47%) reported their losses. The survey also shows other compelling statistics: 92% of the respondents detected attacks during the last 12 months, while 75% acknowledged financial losses due to security breaches; as mentioned above, only 47% quantified those losses.
Many organizations address security from three different perspectives: prevention, detection, and reaction. Nearly all (99%) of the respondents to a survey use a mixture of technologies to protect their systems. For example, more than 90% use prevention technologies such as firewalls, access control, and physical security, and 73% use intrusion detection systems.
One form of protection is password protection. It is well established that traditional passwords are no longer safe: passwords may be stolen, or cracked using the so-called dictionary attack.
Another technology used by corporations to protect their networks is the firewall. Firewall technology has been used to protect and isolate network segments from untrusted networks by filtering out harmful traffic. Firewalls have several limitations that make them a relatively poor choice for strong network protection on their own. There have been several widely publicized exploits in which attackers gained access to sensitive data by tunneling through authorized protocols. To provide a higher level of security, most organizations therefore combine firewalls with a range of security monitoring tools called intrusion detection systems (IDS).
Intrusion Detection
The role of an IDS is to monitor computer and network activity and detect intrusions so that appropriate measures can be taken to prevent or limit their consequences. The Internet is a wild zone, where new forms of security attack are developed and executed daily. Hence, the main challenge currently faced by IDS technology is to detect new forms of attack.
An intrusion is described as a violation of the security policy of the system. It is also described as any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource.
There are three types of intrusion detection: anomaly detection, misuse detection, and specification-based detection. Anomaly detection refers to intrusions that can be detected based on anomalous activity and use of resources. Misuse detection refers to intrusions that follow well-defined patterns of attack. Specification-based detection approaches consider that all well-behaved system executions must conform precisely to program specifications.
Existing anomaly detection techniques attempt to establish a normal activity profile using statistical modeling. Statistical profile-based detection uses a set of metrics to compute measurements of user activity, and compares them against a set of values that characterize normal user activity. Any significant discrepancy between the computed values and the expected ones is considered an intrusion. Anomaly detection techniques to date rely upon a measured activity. This tends to be activity in response to an input and therefore depends very heavily on the constancy of that input. For example, the number of emails opened in a day may be measured; this, of course, is highly dependent upon the number of emails received.
Anomaly detection techniques assume that all intrusive activities are necessarily anomalous. This means that if we could establish a normal activity profile for a system, we could, in theory, flag all system states varying from the established profile by statistically significant amounts as intrusion attempts. However, if we consider that the set of intrusive activities only intersects the set of anomalous activities instead of being exactly the same, we will find the following possibilities:
1. Anomalous activities that are not intrusive are flagged as intrusive (false positives); and
2. Intrusive activities that are not anomalous are not flagged (false negatives).
False negatives are considered very dangerous, and are far more serious than false positives.
The main issues in existing anomaly detection systems are the selection of threshold levels, so that neither of the above two problems is unreasonably magnified, and the selection of the features to monitor. The features should effectively discriminate between intrusive and non-intrusive behaviors. Existing anomaly detection systems are also computationally expensive because of the overhead of keeping track of, and possibly updating, several system profile metrics.
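The statistical profiling and threshold trade-off described above, as an added worked example that is not part of the original specification. The two features (files opened, emails sent per day), the training window and the labeled observations are all constructed for illustration; the profile is a per-feature mean and standard deviation, and an observation is flagged when any feature deviates by more than a chosen number of standard deviations.

```python
"""Statistical profile-based anomaly detection over per-user activity
metrics: build a per-feature mean/standard deviation profile from a
training window, flag observations whose z-score exceeds a threshold,
and count false positives/negatives on a labeled set. All data below is
constructed for the example."""
import math
from statistics import mean, pstdev

FEATURES = ("files_opened", "emails_sent")

# Constructed training window: one (files_opened, emails_sent) pair per day.
TRAINING = [
    (42, 11), (39, 9), (45, 12), (40, 10), (44, 13),
    (41, 10), (43, 11), (38, 9), (46, 12), (42, 11),
]

# Constructed labeled observations: (observation, is_intrusive).
LABELED = [
    ((43, 11), False),  # ordinary day for the profiled user
    ((42, 15), False),  # same user, unusually busy mail day
    ((90, 11), True),   # intruder bulk-reading files
    ((44, 12), True),   # intruder mimicking the user's normal habits
]

def build_profile(window):
    """Per-feature (mean, population standard deviation) from a training window."""
    profile = {}
    for i, name in enumerate(FEATURES):
        column = [row[i] for row in window]
        profile[name] = (mean(column), pstdev(column))
    return profile

def zscores(profile, observation):
    """Distance of one observation from the profile, in standard deviations per feature."""
    out = {}
    for i, name in enumerate(FEATURES):
        mu, sigma = profile[name]
        diff = abs(observation[i] - mu)
        if sigma == 0:
            # The feature never varied in training: any change is a maximal deviation.
            out[name] = 0.0 if diff == 0 else math.inf
        else:
            out[name] = diff / sigma
    return out

def is_anomalous(profile, observation, threshold):
    """Flag the observation if any feature deviates by more than `threshold` sigmas."""
    return any(z > threshold for z in zscores(profile, observation).values())

def evaluate(profile, labeled, threshold):
    """Return (false_positives, false_negatives) at one threshold."""
    fp = fn = 0
    for observation, intrusive in labeled:
        flagged = is_anomalous(profile, observation, threshold)
        if flagged and not intrusive:
            fp += 1
        elif intrusive and not flagged:
            fn += 1
    return fp, fn

if __name__ == "__main__":
    profile = build_profile(TRAINING)
    for threshold in (2.0, 3.0, 4.0):
        fp, fn = evaluate(profile, LABELED, threshold)
        print(f"threshold={threshold}: false positives={fp}, false negatives={fn}")
```

Raising the threshold from 3 to 4 standard deviations removes the false positive on the busy mail day, but no threshold catches the intruder whose counts sit inside the user's normal range: that false negative is exactly the case the profile features cannot discriminate.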
The concept behind misuse detection schemes is that there are ways to represent attacks in the form of a pattern or a signature so that even variations of the same attack can be detected. Misuse detection systems can detect many or all known attack patterns, but they are of little use against as yet unknown attack methods.
Specification-based intrusion detection consists of checking whether a certain execution sequence violates the specification of programs that may affect the system protection state. Specification-based detection has the potential to detect unknown attacks, however it is still in its infancy.
Existing intrusion detectors are characterized by significantly high false alarm rates. This is mainly a result of the low accuracy of the computed profiles. For example, some anomaly detectors base users' profiles on metrics such as the average number of files opened or emails sent daily. It is easy to find several users sharing the same habits. Further, it is easy for any user to change his habits and adopt the usage pattern of another user.
Biometrics Systems:
Different types of biometrics identification systems are currently available in the market, and are widely used in various security applications. Biometrics can be classified into two categories, "physiological biometrics" and "behavioral biometrics". Physiological biometrics, including finger-scan, iris-scan, retina-scan, hand-scan, and facial-scan, use measurements from the human body. Behavioral biometrics, such as signature or keystroke dynamics, use measurements based on human actions. Published benchmark testing data for existing technologies shows that false rejection rates vary from 6% for face recognition to 0.25% for iris scan, whereas false acceptance rates vary from 6% for face recognition to 0.0001% for iris scan. Behavioral biometrics systems have experienced less success than physiological systems because of the variability of the measured parameter over time. However, either kind of system provides improvements over the traditional intrusion detection systems.
Traditional intrusion detection systems focus on the actions conducted by the user. Biometrics-based systems focus on the identity of the user; hence such systems are able to detect the type of intrusion in which an attacker gains access to resources and then performs normal, non-intrusive operations that nevertheless cause information leakage or other damage. Such an attack cannot be detected by traditional intrusion detection systems if the attacker knows the operation sequences and the access limits of the user he impersonates. It can, however, be uncovered if the detection is based on biometrics information.
In recent years there has been increasing interest in biometrics systems. The Oxford dictionary definition of biometrics is "application of statistical analysis to biological data". In the field of computer security, biometrics is defined as the automated use of a collection of factors describing human behavioral or physiological characteristics to establish or verify a precise identity.
Biometrics systems operate in two modes, the enrollment mode and the verification/identification mode. In the first mode, biometrics data is acquired using a user interface or a capturing device, such as a fingerprint scanner. The raw biometrics data is then processed to extract the biometrics features representing the characteristics that can be used to distinguish between different users. This conversion process produces a processed biometrics identification sample, which is stored in a database for future identification/verification needs. Enrolled data should be free of noise and any other defects that can affect its comparison to other samples. In the second mode, biometrics data is captured, processed and compared against the stored enrolled sample. According to the type of application, a verification or identification process will be conducted on the processed sample.
The verification process conducts one-to-one matching by comparing the processed sample against the enrolled sample of the same user. For example, a user is authenticated at login by declaring his identity by entering his login name. He then confirms his identity by providing a password and biometrics information, such as his signature, voice password, or fingerprint. To verify the identity, the system compares the user's biometrics data against his record in the database, resulting in a match or non-match. The identification process matches the processed sample against a large number of enrolled samples by conducting a 1-to-N matching to identify the user, resulting in an identified user or a non-match.
Regardless of the biometrics system employed, the following metrics must be computed to determine the accuracy of the system:
1. False Acceptance Rate (FAR), the ratio between the number of occurrences of accepting a non-authorized user and the number of access trials.
2. False Rejection Rate (FRR), the ratio between the number of false alarms caused by rejecting an authorized user and the number of access trials.
3. Failure to Enroll (FTE), the ratio characterizing the number of times the system is not able to enroll a user's biometrics features; this failure is caused by poor-quality samples during enrollment mode.
4. Failure to Capture (FTC), the ratio characterizing the number of times the system is not able to process the captured raw biometrics data and extract features from it; this occurs when the captured data does not contain sufficient information to be processed.
FAR and FRR values can vary significantly depending on the sensitivity of the biometrics data comparison algorithm used in the verification/identification mode; FTE and FTC represent the sensitivity of the raw data processing module.
In order to tune the accuracy of the system to its optimum value, it is important to study the effect of each factor on the other. FIG. 1 shows the relation between FAR and FRR for a typical biometrics system. If the system is designed to minimize FAR to make the system more secure, FRR will increase. On the other hand, if the system is designed to decrease FRR by increasing the tolerance to input variations and noise, FAR will increase. For the system indicated in FIG. 1, the point E where FAR and FRR reach approximately equal, low values represents the optimum tuning for this system.
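The FAR/FRR trade-off of FIG. 1 and the choice of the point E, as an added worked example that is not part of the original specification. The match scores are constructed: each is the comparison score between a presented sample and the enrolled template, the decision rule accepts when the score reaches a threshold, and, following the usual convention, FAR is normalized per impostor attempt and FRR per genuine attempt. Sweeping the threshold traces the curve; the point where the two rates are closest is the equal-error point.

```python
"""FAR/FRR trade-off and equal-error-rate tuning for a biometric
verification system. Match scores below are constructed for the example:
higher means a closer match to the enrolled template, and a sample is
accepted when score >= threshold."""

# Constructed comparison scores in [0, 1].
GENUINE_SCORES = [0.91, 0.88, 0.95, 0.72, 0.83, 0.90, 0.65, 0.87, 0.93, 0.79]
IMPOSTOR_SCORES = [0.12, 0.35, 0.41, 0.68, 0.22, 0.30, 0.55, 0.74, 0.18, 0.47]

def rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FAR, FRR) at one decision threshold.

    FAR: share of impostor attempts accepted (score >= threshold).
    FRR: share of genuine attempts rejected (score < threshold).
    """
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr

def far_frr_curve(steps=100, **scores):
    """Sweep the threshold from 0 to 1 and collect (threshold, FAR, FRR) points."""
    curve = []
    for i in range(steps + 1):
        t = i / steps
        far, frr = rates(t, **scores)
        curve.append((t, far, frr))
    return curve

def equal_error_point(curve):
    """The (threshold, FAR, FRR) point where FAR and FRR are closest;
    ties are broken toward the lowest threshold."""
    return min(curve, key=lambda p: (abs(p[1] - p[2]), p[0]))

if __name__ == "__main__":
    curve = far_frr_curve()
    for t, far, frr in curve[::10]:
        print(f"threshold={t:.2f}  FAR={far:.2f}  FRR={frr:.2f}")
    t, far, frr = equal_error_point(curve)
    print(f"equal-error point: threshold={t:.2f}  FAR={far:.2f}  FRR={frr:.2f}")
```

Lowering the threshold (more tolerance to input variation) drives FRR toward zero while FAR climbs; raising it does the reverse. Which side of the equal-error point to sit on is a policy decision: a login gate that must keep impostors out accepts a higher FRR, while a passive monitor that must not flood operators with alarms accepts a higher FAR.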
The utilization of biometrics technology has been limited to identity verification in authentication and access control systems. Hence, important security applications such as intrusion detection systems have been left out of this technology. There are two reasons for this. First, most biometrics systems require a special hardware device for biometrics data collection, and this restricts their use to the network segments that provide them. This makes the systems irrelevant for a significant number of remote users, who operate outside of these network segments. Second, most biometrics systems require the active involvement of the user, who is asked to provide data samples that can be used to verify his identity. This excludes the possibility of passive monitoring, which is essential for intrusion detection. There are also a number of secondary obstacles to the use of biometrics for intrusion detection, such as whether the technology allows dynamic monitoring or real-time detection.
Keystroke Dynamic Biometrics:
A popular biometrics system that escapes some of the limitations described above is keystroke dynamics biometrics. Keystroke dynamics doesn't require special hardware for data collection (a regular keyboard is enough). Under certain circumstances it can be used for dynamic monitoring. The traditional keystroke technology, however, doesn't allow passive monitoring, as the user is required to type a predefined word or set of words that is used to identify him. The dwell time and the flight time of the keyboard actions are then measured. Thereafter, a set of so-called digraphs, trigraphs or n-graphs is constructed and analyzed to produce a distinctive pattern. User authentication and classification are the most suitable applications for such technology.
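The dwell-time, flight-time and digraph measurements described above, as an added worked example that is not part of the original specification. The key-event streams are constructed (millisecond timestamps for a user typing the fixed text "pas" once at enrollment and twice later, once by the same user and once by a slower typist); the distance function is a simple mean absolute difference over shared features, chosen only to show how a probe is compared against the enrolled pattern.

```python
"""Keystroke-dynamics feature extraction: dwell time, flight time and
digraph latency from a raw key-event stream for a fixed text, plus a
simple distance between an enrolled sample and a probe. Event logs below
are constructed for the example (millisecond timestamps)."""
from collections import defaultdict

# Constructed key-event streams, (time_ms, key, action), for typing "pas".
SAMPLE_ENROLL = [
    (0, "p", "down"), (90, "p", "up"),
    (150, "a", "down"), (230, "a", "up"),
    (300, "s", "down"), (380, "s", "up"),
]
SAMPLE_SAME_USER = [
    (0, "p", "down"), (95, "p", "up"),
    (160, "a", "down"), (245, "a", "up"),
    (305, "s", "down"), (390, "s", "up"),
]
SAMPLE_OTHER_USER = [
    (0, "p", "down"), (140, "p", "up"),
    (260, "a", "down"), (390, "a", "up"),
    (470, "s", "down"), (600, "s", "up"),
]

def key_presses(events):
    """Pair each key-down with the following key-up for that key.
    Returns [(key, t_down, t_up), ...] ordered by press time."""
    pending = {}
    presses = []
    for t, key, action in sorted(events):
        if action == "down":
            pending[key] = t
        elif action == "up" and key in pending:
            presses.append((key, pending.pop(key), t))
    return sorted(presses, key=lambda p: p[1])

def features(events):
    """Average dwell, flight and digraph latency (ms), keyed by
    ("dwell", key) or ("flight" / "digraph", key pair)."""
    presses = key_presses(events)
    samples = defaultdict(list)
    for key, t_down, t_up in presses:
        samples[("dwell", key)].append(t_up - t_down)       # hold time of one key
    for (k1, d1, u1), (k2, d2, _) in zip(presses, presses[1:]):
        samples[("flight", k1 + k2)].append(d2 - u1)        # release k1 -> press k2 (negative if overlapping)
        samples[("digraph", k1 + k2)].append(d2 - d1)       # press k1 -> press k2
    return {name: sum(v) / len(v) for name, v in samples.items()}

def distance(enrolled, probe):
    """Mean absolute difference (ms) over the features both samples contain."""
    shared = enrolled.keys() & probe.keys()
    if not shared:
        return float("inf")
    return sum(abs(enrolled[k] - probe[k]) for k in shared) / len(shared)

if __name__ == "__main__":
    enrolled = features(SAMPLE_ENROLL)
    for name, value in sorted(enrolled.items()):
        print(f"{name[0]:8s} {name[1]:3s} {value:6.1f} ms")
    print("same user  :", round(distance(enrolled, features(SAMPLE_SAME_USER)), 1), "ms")
    print("other user :", round(distance(enrolled, features(SAMPLE_OTHER_USER)), 1), "ms")
```

The flight time is computed from the release of the first key to the press of the next, so it goes negative when the user rolls onto the second key before releasing the first; that overlap is itself a usable trait. A real deployment averages each feature over many repetitions of the text and sets the accept threshold on the distance from FAR/FRR measurements, exactly the tuning problem of FIG. 1.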
Mouse Dynamic Biometrics:
Previous work on mouse dynamics has, so far, been limited to user interface design improvement. Studies have been conducted to establish the applicability of Fitts' law in predicting the duration of a movement to a target based on the size of the target and the distance from the starting point to the target. According to Fitts' law, the mean movement time for a movement over distance A to a target of width W is as follows:
MT=a+b(log2(2A/W)) where a and b are empirically determined parameters.
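How the parameters a and b of the formula above are determined empirically, as an added worked example that is not part of the original specification. The trials (distance A and target width W in pixels, measured movement time MT in milliseconds) are constructed for illustration; the parameters are obtained by an ordinary least-squares fit of MT against the index of difficulty log2(2A/W), and the residuals show how well the fitted law describes each trial.

```python
"""Estimating the Fitts' law parameters a and b from movement-time
measurements by least squares on the index of difficulty log2(2A/W).
The trial data below is constructed for the example."""
import math

# Constructed trials: (A = distance to target, W = target width, MT = measured movement time in ms).
TRIALS = [
    (100, 20, 603.3),
    (200, 20, 743.3),
    (400, 20, 906.3),
    (800, 20, 1040.3),
    (100, 50, 403.0),
    (50, 50, 247.0),
]

def index_of_difficulty(A, W):
    """Fitts' index of difficulty, log2(2A/W), in bits."""
    return math.log2(2 * A / W)

def fit_fitts(trials):
    """Least-squares estimate of (a, b) in MT = a + b * log2(2A/W).
    Requires at least two trials with different indices of difficulty."""
    xs = [index_of_difficulty(A, W) for A, W, _ in trials]
    ys = [mt for _, _, mt in trials]
    n = len(trials)
    xbar = sum(xs) / n
    ybar = sum(ys) / n
    sxx = sum((x - xbar) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("all trials share one index of difficulty; slope is undetermined")
    sxy = sum((x - xbar) * (y - ybar) for x, y in zip(xs, ys))
    b = sxy / sxx
    a = ybar - b * xbar
    return a, b

def predict_mt(a, b, A, W):
    """Movement time predicted by the fitted law, in ms."""
    return a + b * index_of_difficulty(A, W)

def residuals(trials, a, b):
    """Measured minus predicted movement time, one per trial (ms)."""
    return [mt - predict_mt(a, b, A, W) for A, W, mt in trials]

if __name__ == "__main__":
    a, b = fit_fitts(TRIALS)
    print(f"a = {a:.1f} ms, b = {b:.1f} ms/bit")
    for (A, W, mt), r in zip(TRIALS, residuals(TRIALS, a, b)):
        print(f"A={A:4d} W={W:3d} ID={index_of_difficulty(A, W):.2f}  MT={mt:7.1f}  residual={r:+6.1f}")
```

For a user-interface study the residuals are noise to be minimized; for a biometric the point is reversed, since a and b (and the shape of the residuals) differ from one person to another and are the kind of quantity a mouse-dynamics profile would record.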
In experiments focused on graphical user interface design, mouse cursor movements were measured to assess psychological responses in patients. A specific user interface was used to force the user to make specific movements. The user was asked to move the mouse from a specific point toward a specific object located at a certain distance. The study took into consideration the effect of movement direction and object size. The study allowed the understanding of several user interface properties related to the shape, size, location, and preferred angle of approach of the target object.
It is an objective of the invention to overcome the deficiencies of the prior art.