Mouse and Keystroke Dynamics Data Processing and Results

We recorded the X and Y coordinates of the mouse position on the screen, the mouse and keyboard event (drag, click, move, key press), and the event time-stamp in milliseconds (ms). We analyzed the data by feeding the file to our feature extraction algorithm to extract useful features that represent the user behavior and can be used for detecting malicious insiders. We sample the raw data into 10-second time frames (epochs); each time frame represents one feature vector. We extracted all possible

Table 11.12 Results for detecting malicious activities from activities performed under stress

| Classifier | Number of Participants | Accuracy | TP Rate | FP Rate | F-Measure |
|---|---|---|---|---|---|
| SVM | 25 | 72.35 | 0.72 | 0.29 | 0.71 |
| Random Forest | 25 | 78.39 | 0.78 | 0.23 | 0.78 |
| k-NN | 25 | 69.38 | 0.69 | 0.32 | 0.69 |
| SVM | 10* | 67.74 | 0.68 | 0.32 | 0.67 |
| Random Forest | 10* | 73.65 | 0.74 | 0.26 | 0.74 |
| k-NN | 10* | 67.46 | 0.67 | 0.32 | 0.67 |
| SVM | 15 | 75.42 | 0.75 | 0.27 | 0.74 |
| Random Forest | 15 | 81.55 | 0.82 | 0.21 | 0.81 |
| k-NN | 15 | 70.66 | 0.71 | 0.32 | 0.70 |

* Participants who wore eyeglasses during the experiments.

mouse and keystroke dynamics features, which include spatial and temporal mouse movement features, mouse click features, and keystroke features. To calculate the mouse movement speed, we measured the length of the mouse path by adding the total distances between all adjacent path coordinates and dividing by the total time the mouse path took (the summation of the time-stamps in the path). Because our experiment does not record the mouse and keystroke actions relative to stimuli and is entirely free (participants can move the mouse and press the keyboard keys freely during the experiment), we do not have a predefined start and end point for the mouse movement path. To address that, we choose our start and end points by the value of the movement event’s time-stamp. We use 800 ms as our threshold to identify the start and end points. A mouse movement event with a value of 800 ms or above is considered the stop position, and the next movement event is the start point of the next path. We also calculate the mouse movement distance, or the length of the mouse movement path, and subtract that from the direct distance (the Euclidean distance between the first point in the path and the last point) to extract the mouse travel distance feature. In addition, we calculate the mouse left click duration and keystroke duration. We also consider the direction of the mouse movements, the backspace usage, the numeric keypad usage, and the frequency of direction change.
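The path segmentation and the two movement features described above, as an added example that is not the authors' code. It assumes the 800 ms rule means a gap of 800 ms or more between consecutive move events, takes travel distance as path length minus direct distance, and averages per-path values within each 10-second epoch; the function names and sample events are constructed.

```python
import math
from collections import defaultdict

PAUSE_MS = 800     # the page's threshold between one mouse path and the next
EPOCH_MS = 10_000  # the page's 10-second sampling frame

def split_paths(moves):
    """Split (t_ms, x, y) move events where the gap to the next event is >= 800 ms
    (assumed reading of the page's time-stamp rule)."""
    paths, current = [], []
    for ev in moves:
        if current and ev[0] - current[-1][0] >= PAUSE_MS:
            paths.append(current)   # previous event was the stop position
            current = []            # this event starts the next path
        current.append(ev)
    paths.append(current)
    return [p for p in paths if len(p) >= 2]  # a lone point is not a path

def path_features(path):
    """Return (speed in pixels/ms, travel distance in pixels) for one path."""
    length = sum(math.dist(a[1:], b[1:]) for a, b in zip(path, path[1:]))
    duration = path[-1][0] - path[0][0]  # sum of the inter-event times
    direct = math.dist(path[0][1:], path[-1][1:])
    speed = length / duration if duration else 0.0
    # Assumption: travel distance is taken as path length minus direct distance.
    return speed, length - direct

def epoch_vectors(moves):
    """Mean (speed, travel distance) per 10 s epoch, keyed by epoch index."""
    buckets = defaultdict(list)
    for p in split_paths(moves):
        buckets[p[0][0] // EPOCH_MS].append(path_features(p))
    return {e: tuple(sum(col) / len(col) for col in zip(*feats))
            for e, feats in sorted(buckets.items())}

# Constructed sample events (t_ms, x, y); not data from the study.
SAMPLE = [
    (0, 0, 0), (100, 30, 40), (200, 60, 80),            # straight path
    (1200, 60, 80), (1300, 60, 180), (1400, 160, 180),  # L-shaped path
    (12000, 0, 0), (12050, 3, 4),                       # falls in epoch 1
]

if __name__ == "__main__":
    for epoch, (speed, travel) in epoch_vectors(SAMPLE).items():
        print(f"epoch {epoch}: speed={speed:.3f} px/ms, travel={travel:.2f} px")
```
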

After completing the experiments for all participants, we analyze the recorded mouse and keystroke data for each participant separately. Then, we sample the data into 10-second time frames (each time frame represents one sample). We extract the features and, to investigate which of them are more valuable and useful in detecting malicious intent, we run a statistical analysis over the extracted mouse and keystroke features and investigate each feature separately. We calculate the mean of each feature across our group of participants for each task. We evaluate our results by dividing our experiment into three different tasks: the benign tasks, the benign under stress tasks, and the malicious tasks. Of all the features we tested, four show statistically significant differences between the mean values of the tasks, namely the mouse movement speed, the mouse travel distance, the left mouse click duration, and the keystroke duration. As shown in Table 11.13, the malicious tasks were associated with mouse movement speed at a mean of 0.97 (pixels/ms) (SD 0.34). By comparison, the benign tasks and the benign under stress tasks were associated with slower mouse movement speed, at a mean of 0.75 (pixels/ms) (SD 0.26) for the benign tasks and a mean of 0.82 (pixels/ms) (SD 0.42) for the benign under stress tasks. To test the hypothesis that there is a statistically significant difference between the mouse movement speed of the malicious tasks and the benign tasks, a related t-test was performed. The related t-test shows a statistically significant effect with p-value = 0.0000316. Thus, the malicious tasks were associated with a significantly larger mean than the benign tasks. We also run the related t-test between the mean of the mouse movement

Table 11.13 Results of the mouse and keystroke dynamics

| Features | Benign Mean | Benign SD | Benign Under Stress Mean | Benign Under Stress SD | Malicious Mean | Malicious SD |
|---|---|---|---|---|---|---|
| Mouse movement speed | 0.75 | 0.26 | 0.82 | 0.42 | 0.97 | 0.34 |
| Mouse distance travel | 145.93 | 44.75 | 146.57 | 61.53 | 181.13 | 72.10 |
| Mouse left clicks duration | 167.63 | 69.60 | 226.69 | 224.20 | 293.01 | 152.32 |
| Keystroke duration | 218.52 | 463.96 | 506.65 | 937.79 | 469.32 | 792.49 |

speed for the malicious tasks and the benign under stress tasks. The results show that there is a statistically significant difference with p-value = 0.034. These results suggest that users will move the mouse at a relatively higher speed when performing a malicious act than when performing a benign act, even when they are involved in stressful conditions.

On the other hand, the participants performing the malicious tasks show longer travel distances than the other two tasks. As shown in the table, the malicious tasks were associated with the longest mouse movement distance among all the tasks with a mean of 181.13 pixels (SD 72.10).

To ensure these differences are statistically significant, we performed the related t-test over the malicious and benign tasks, and the p-value was about 0.000832. We repeated the same test over the malicious and benign under stress tasks, and the p-value was about 0.00114. From these results, we can conclude that users performing a malicious act will tend to make longer mouse movement paths than their normal patterns even when they experience stressful conditions.

The mouse left click duration feature also showed interesting results. As shown in the table, the mouse left click duration for the malicious tasks was the longest among all the tasks with a mean of 293.01 ms (SD 152), while the benign tasks show the shortest mouse left click duration with a mean of 167.63 ms (SD 69.60). We performed the related t-test over the two tasks, and the results show there was a statistically significant effect with p-value = 0.000015. The related t-test was also applied to test the difference between the mean of the mouse left click duration on the malicious tasks and the benign under stress tasks, and the p-value was about 0.0451. These results indicate that individuals will click the mouse (left click) at a slower speed when they perform a malicious act than in their normal click patterns. However, individuals experiencing stressful conditions will also click the mouse (left click) at a slower speed than normal, but this speed is still faster than when performing a malicious act.

For the keystroke part, the benign under stress tasks showed the highest keystroke duration with a mean of 506.65 ms (SD 937). However, the results of the malicious tasks were very close to the benign under stress tasks with a mean of 469.32 ms (SD 792) and were much longer than the benign tasks. We performed the related t-test over the malicious and benign tasks, and the results show the differences were statistically significant with p-value = 0.0385. However, there was no statistically significant difference between the benign under stress tasks and the malicious tasks (p-value = 0.418571). Thus, users experiencing stressful conditions and users performing malicious acts may have similar keystroke durations, both slower than their regular patterns. In addition, for this feature the participants varied in their keystroke speed, as they came from different backgrounds and had different computer skills, which can be seen clearly from the high standard deviation value.

In conclusion, participants show mouse movement and keystroke behavior patterns when they perform malicious acts that differ from their normal behavior pattern. These changes in behavior include high-speed and high-distance mouse movements, and long-lasting left click and keystroke durations. Participants performing malicious tasks showed faster and longer mouse movements, and longer-lasting click and keystroke durations, than in the benign tasks.

 