An important problem in computer security is verifying that people using computing devices are authorized to use them, not just when they first sign on to a device but during the whole time they are using it. Most existing continuous authentication schemes impose burdens on users, for instance, when systems quickly log users out and require frequent re-entry of passwords. This project will build and evaluate FIRMA, a user-transparent, continuous authentication software framework that collects usage data, targeted at corporate security contexts where such monitoring can be done. To the extent that people have unique but recurrent patterns of use -- itself an interesting research question -- FIRMA can estimate the likelihood that the current user is still an authorized, authenticated user based on how current use patterns compare to historical ones. Doing this might both reduce the burden of frequent re-authentication and provide early warning signs of malicious activity by malware or insider attacks. Further, by leveraging the unique way people use computers, FIRMA will be diverse by design -- adversaries will not be able to predict how specific individuals use their devices and their attacks will fail on many devices -- thereby "herd-protecting" security by making it difficult for malware to automatically spread across many devices. If successful, the project could have real impact on corporate security, reducing data breaches and downtime while improving the usability of these systems. The work will also have educational and training impacts through interdisciplinary collaboration and education between computer engineering and psychology, involvement of undergraduate researchers, and efforts to recruit female and minority students to participate in the project.
FIRMA will be composed of a kernel module, which will continuously record at the operating system level all events related to user activities: user events (mouse clicks, keystrokes, and timestamps), processes, and the files and network events created as a consequence of user-driven activity. These events, recorded during a training period that represents a user's typical computer usage, will be used to create a user profile using a novel Generative Adversarial Network (GAN)-based deep learning approach called AttenGAN/P-GAN, which will be composed of a user profile generator and a runtime classifier. AttenGAN/P-GAN will provide both new deep learning tools for processing sequences of unknown length and an improved ability to train classifiers for anomaly detection without negative samples. The runtime classifier will continuously observe events generated by FIRMA's extractor, leverage the user profile to classify the current window of events being observed as normal or anomalous, and update the current user confidence score. This classifier will be resilient to benign profile changes that arise when external factors, such as travel (change of time zone) or a change of groups or projects, cause a user's activity pattern to fluctuate. FIRMA's evaluation will comprise four-week captures of natural computer usage data from recruited computer users. This evaluation will consider usability, classification accuracy, and false positives in the presence of various types of anomalies.
This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.