Application Collaboration to Determine Security Breach

IBM Technical Disclosure RD v41 n414 10-98 article 41458

DF Bantz, L Koved

IBM Thomas J. Watson Research Center
IBM Research Division
P.O.Box 218
Yorktown Heights, N.Y. 10598

This invention concerns the immediate detection of a security breach, where the attacker possesses information necessary to authenticate himself or herself to the system. The attacker could come into possession of this information by stealing a password, for example. We attempt to reduce the interval between first use of the system by an unauthorized masquerader to the detection of the masquerade.

Applications (e.g. Microsoft Word 97) now routinely track user behavior with the objective of suggesting better ways of doing an operation. We extend the use of this tracking to determine atypical user behavior: that is, behavior at variance with that observed in the past. Behavior might be judged atypical if, for example, the pattern of misspellings changed. User behavior in the authentication application (when entering a password) might be determined by measuring the keying cadence, as has been previously disclosed. Atypical behavior would be detected by a marked change in this keying cadence.

In the invention, all applications with the capability of detecting atypical behavior report to a monitor, called "The Detective." The Detective aggregates the observations of all applications that track atypical behavior and it computes a measure of consensus atypical behavior. This computation may include information from the state of the computing system as a whole: for example, if a spurt of atypical behavior immediately follows a mobile computer's emergence from suspend mode. The Detective is free to weight the contributions of the individual reporting applications differently.

The Detective's estimate of a behavior discontinuity can be used in various ways. The most typical would be a request to re-authenticate the user to the system. Possibly alternate methods of authentication would be invoked. For example, if authentication was performed by Smart Card, an alternate method of authentication would ask the user to enter his or her mother's maiden name. The invention is useful generally in environments where authentication is performed through something that the end user possesses or knows, rather than something that the end user can do (e.g. sign his or her name). It is especially useful in home or public-access environments.
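A minimal model of the Detective described above, added here as an example and not part of the disclosure: two applications (a login prompt measuring keying cadence, an editor measuring misspelling rate) report anomaly scores, and the Detective forms a weighted consensus, boosted after a resume-from-suspend, to decide whether to request re-authentication. The anomaly measures, weights, threshold, boost factor and all baseline and sample inputs are constructed assumptions.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev

def cadence_anomaly(baseline_ms, observed_ms):
    """Keying cadence (authentication app): fraction of observed inter-key
    intervals lying more than two standard deviations from the user's baseline."""
    mu, sd = mean(baseline_ms), (pstdev(baseline_ms) or 1.0)
    outliers = sum(1 for x in observed_ms if abs(x - mu) > 2 * sd)
    return outliers / len(observed_ms)

def misspelling_anomaly(baseline_rate, words, misspelled):
    """Misspelling pattern (editor app): relative change in error rate
    against the user's historical rate, clipped to [0, 1]."""
    rate = misspelled / words if words else 0.0
    return min(1.0, abs(rate - baseline_rate) / max(baseline_rate, 1e-6))

@dataclass
class Detective:
    weights: dict                      # per-application weight (assumed)
    threshold: float = 0.5             # consensus level that triggers action
    resumed_from_suspend: bool = False # system-state input to the consensus
    reports: dict = field(default_factory=dict)

    def report(self, app, score):
        """An application submits its atypical-behavior score in [0, 1]."""
        self.reports[app] = max(0.0, min(1.0, score))

    def consensus(self):
        """Weighted mean of all reports; a recent resume from suspend makes
        the Detective more sensitive (factor 1.5 is a constructed choice)."""
        total = sum(self.weights.get(a, 1.0) for a in self.reports)
        if total == 0:
            return 0.0
        s = sum(self.weights.get(a, 1.0) * v for a, v in self.reports.items()) / total
        return min(1.0, s * 1.5) if self.resumed_from_suspend else s

    def action(self):
        return "reauthenticate" if self.consensus() >= self.threshold else "none"

# Constructed baseline: the legitimate user's historical inter-key intervals (ms).
BASELINE_MS = [120, 130, 125, 135, 128, 122, 131, 127]

def evaluate(observed_ms, words, misspelled, resumed=False):
    """Run one observation window through both applications and the Detective."""
    d = Detective(weights={"editor": 1.0, "login": 2.0}, resumed_from_suspend=resumed)
    d.report("login", cadence_anomaly(BASELINE_MS, observed_ms))
    d.report("editor", misspelling_anomaly(0.02, words, misspelled))
    return d.consensus(), d.action()
```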

Other solutions to the problem posed are intrusive and damaging to the usability of the system. Solutions include frequent re-authentication, requiring that the user lock the workstation, or complex re-authentication procedures. The invention works because of individual differences that are hard to imitate.