This project combines user modelling with intrusion detection. If we capture the typical behaviour of an individual as they interact with the computer, network, etc., we can use this model of 'normal' behaviour to continually reauthenticate the user as they work. This gives a tool for discovering intruders who are masquerading as a real user.
We have looked at a number of different characteristics so far and have classed them into two major types:
- behavioural biometric - becoming common in the literature and easy to measure
- psychometric - the user's decisions, choices, habits. Not common in the literature
  - formal language use - commands used in command line
  - informal language use - prose style
  - preferred tools (webpages, editors)
We found earlier that combining characteristics gives more effective detection. We are currently working on a comparison between formal and informal language use to see whether either is effective for intrusion detection and which is better.
A couple of 2010 papers describe the early work so far on this project (Pannell and Ashman, see the publications page).
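As an added illustration (not code from this project or from the papers cited above), the sketch below applies the reauthentication idea to the "formal language use" characteristic: it learns a profile of one user's command-line habits and flags windows of a live session that do not fit it. The bigram model, add-one smoothing, window size, margin and all sample data are assumptions chosen for the example.

```python
import math
from collections import Counter

def commands(lines):
    """Keep only the command name of each shell line (the 'formal language' feature)."""
    return [line.split()[0] for line in lines if line.strip()]

class CommandProfile:
    """Bigram model of one user's command sequence, with add-one smoothing."""
    def __init__(self, history):
        cmds = commands(history)
        self.vocab = set(cmds) | {"<unk>"}
        self.context = Counter(cmds[:-1])  # times each command is followed by another
        self.bigrams = Counter(zip(cmds, cmds[1:]))

    def surprise(self, prev, cur):
        """-log2 P(cur | prev); commands never seen in training map to <unk>."""
        prev = prev if prev in self.vocab else "<unk>"
        cur = cur if cur in self.vocab else "<unk>"
        p = (self.bigrams[(prev, cur)] + 1) / (self.context[prev] + len(self.vocab))
        return -math.log2(p)

    def score(self, window):
        """Mean surprise in bits per transition over a window of shell lines."""
        cmds = commands(window)
        pairs = list(zip(cmds, cmds[1:]))
        return sum(self.surprise(a, b) for a, b in pairs) / max(len(pairs), 1)

def windows(lines, size):
    return [lines[i:i + size] for i in range(len(lines) - size + 1)]

def calibrate(profile, history, size=4, margin=0.5):
    """Threshold = worst score on the user's own history plus a margin (assumed value)."""
    return max(profile.score(w) for w in windows(history, size)) + margin

def reauthenticate(profile, session, threshold, size=4):
    """Return start indexes of session windows that look unlike the profiled user."""
    return [i for i, w in enumerate(windows(session, size)) if profile.score(w) > threshold]

# Constructed sample data: one user's habitual edit/build/test/commit loop ...
HISTORY = ["vim main.c", "make", "./run_tests", "git status", "git commit -m wip"] * 10
# ... and a session that starts as that user, then continues with different tools.
SESSION = ["vim main.c", "make", "./run_tests", "git status",
           "emacs notes.txt", "python3 report.py", "scp report.csv backup:", "ls -la"]

def demo():
    profile = CommandProfile(HISTORY)
    return reauthenticate(profile, SESSION, calibrate(profile, HISTORY))

if __name__ == "__main__":
    print(demo())  # [1, 2, 3, 4]
```

The first window matches the profiled user and passes; every window that includes the unfamiliar tools scores above the calibrated threshold and would trigger reauthentication.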