
White Paper

BehavioMetrics
A Paradigm Shift in Computer Security

Abstract
Behaviometrics, or behavioral biometrics, is a measurable behavior used to recognize or verify the identity of a person. Behaviometrics focuses on behavioral patterns rather than physical attributes. Almost all interaction with a computer is carried out via a keyboard and a mouse for input, and with the display for visual feedback. Behaviometrics utilizes the characteristics of the user's input and how they navigate through the interface to create virtual fingerprints of their behavior. Behaviometrics can efficiently prevent intrusions on laptops or workstations by continuously verifying that it is the authorized user that is accessing the computer. Behaviometrics can continuously monitor the user during the whole working session to create an ongoing authentication process. The behavioral pattern which is the base for the ongoing verification of the user profile is a complex mix of mouse dynamics, keystroke dynamics, the user's GUI interaction and advanced behavioral algorithms.

A human behavioral pattern consists of a variety of different unique semi-behaviors, all mixed together into a larger and utterly more unique profile. Since every person's unique Behaviometric pattern is formed not only by biometric features, like the way you move your hand, but is also influenced by more social and psychological means, such as whether you are native in the language you write, it is just about impossible to copy or imitate somebody else's behavior in front of the computer. By continuously comparing different aspects of the current input stream with a previously stored user profile, Behaviometrics can detect anomalies in the user's behavior within seconds and stop intrusions while they are happening.

In this paper we explore the basic concept of Behaviometrics in information security and take a deeper look into how it works in an Ongoing Authentication Solution.

Contents
Abstract
A changing market
Behaviometrics - a paradigm shift in information security
The definition of Behaviometrics
Can a behavioral pattern be stolen?
The fourth factor - (de)authentication
A new layer of IT security
Protection against both crimes and accidents
Increasing need for efficient IT security worldwide
Finance
Healthcare
Governmental organizations
Private Enterprises
Behavio - the first Behaviometric solution
Features
Behavio behind the scenes
Bootstrapping the initial authentication
The behavioral profile
Evaluating the output
Deploying Behavio into the company network
Administration
Architecture
About BehavioSec
Discovering the potential of the human behavior
A new and innovative company
Thoughts about a future security market

A changing market
More and more voices strongly declare that the password is no longer a reliable IT security measure and must be replaced by more efficient systems for protecting the computer contents. At the same time, laptops are getting more mobile by the year, with increasing thefts as a result. The ways of accessing confidential information have also increased with, for example, increasing use of web access and advanced mobile phones. Statistics also show that the amount of targeted attacks and planned financial frauds is increasing globally.

The IT security business is flooded with different solutions, both technical and organizational, for securing the information in computers. Regarding the technological development, most efforts have gone into developing and designing security solutions that are focused on increasing the efficiency of the authentication phase, rather than increasing the security of the actual usage of the computer.

"47% of computer security professionals surveyed reported a laptop theft over the past twelve months" - FBI & CSI's annual Computer Crime and Security Survey, 2006

Behaviometrics - a paradigm shift in information security
Behaviometrics offers a new generation of information security solutions simply by using the individual itself as its core asset, an asset that is extremely hard to replicate, which makes it the ultimate solution against identity theft.

By covering the previously unprotected period of time between login and logout, Behaviometrics becomes a very powerful weapon in the fight against computer intrusions. Any unauthorized user that previously could access a computer with confidential information, either by hacking the password, logging in with stolen credentials or accessing a logged-on computer, can now be stopped, and the intrusion is prevented while it is happening.

The definition of Behaviometrics

The word Behaviometrics derives from the terms behavioral and biometrics. Behavioral refers to the way a human person behaves and biometrics, in an information security context, refers to technologies and methods that measure and analyze biological characteristics of the human body for authentication purposes - for example fingerprints, eye retina and voice patterns. In other words Behaviometrics, or behavioral biometrics, is a measurable behavior used to recognize or verify the identity of a person. Behaviometrics focuses on behavioral patterns rather than physical attributes.

BehavioSec is the first company to present a Behaviometric solution that efficiently secures the entire period after authentication from intrusions. It is a patent pending IT-security software solution that blends high-tech technology with the user's own unique behavioral pattern to create a new security token, the human behavior.

"Behaviometrics is measuring human behavior in order to recognize or verify the identity of a person."

Can a behavioral pattern be stolen?

A human behavioral pattern consists of a variety of different unique semi-behaviors, all mixed together into a larger and utterly more unique profile. Since every person's unique Behaviometric pattern is formed not only by biometric features, like the way you move your hand, but is also influenced by more social and psychological means, such as whether you are native in the language you write, it is just about impossible to copy or imitate somebody else's behavior in front of the computer.

The fourth factor - (de)authentication
Why settle with strong authentication when Behaviometrics goes beyond? Behaviometrics adds a new security factor that protects not only the beginning, but the time throughout the entire working session, which is a leap forward in protecting confidential information.

[Figure: session timeline. Labels: Login; Computer in use; Logout; Initial Authentication by password, smartcards or biometric solutions; Continuous Authentication with behaviometric software]

Behaviometrics can efficiently prevent intrusions on laptops or workstations by continuously verifying that it is, in fact, the authorized user that is accessing the computer. And from the user's point of view, this security factor makes the daily work more efficient since there is no need to change the way users work to protect the workstation from abuse.

A new layer of IT security

Securing information in companies and enterprises can be done in many different steps or layers, all depending on the closeness to the confidential information that must be secured. The actions can vary from physically shutting out intruders with fences and creating different security zones for employees, to having efficient firewalls and routines for changing your password every month. Up until today, most security solutions can be defined as part of one of the following security layers:
- Physical safety: alarms, entry cards, cameras, etc.
- Network protection: firewalls, etc.
- Access management: password, smartcards, biometrical solutions

Behaviometric security adds another layer, even closer to the confidential information than access management: the human itself.

To get through this new layer of security, the intruders have to copy another person's behavioral pattern, which has proven to be impossible. The closer unauthorized persons come to the information inside the computers, the more likely they are to succeed. The Behaviometric layer brings any intruder to a definitive halt.

Protection against both crimes and accidents
One of the advantages with Behaviometrics is that the intrusion detection software is unaffected by factors like whether the intruder is an insider or an outsider, whether the initial authentication has been hacked or not, and whether the computer is standing in your office or at home. All that really matters is that the behavior of the person using the computer corresponds to the behavioral profile of the logged-in user.

Here are some examples of incidents that can be secured with a Behaviometric solution:
- Having your credentials stolen
- Losing your laptop
- Forgetting to log out
- Having your children accidentally delete information on your work computer

Increasing need for efficient IT security worldwide
The drivers for more efficient IT security are somewhat different depending on business segment, each of which has its own way of working together with unique possibilities and threats. Below is a short description of the different segments that all have the need to add an extra layer of protection to their IT security.

Finance
Banks and other financial institutions that store monetary assets have always been a target for intrusions. Loss of information that derives from these intrusions can be devastating and have a long-term impact on customer trust. Additionally, bank personnel have the means to access and execute changes to their clients' accounts, which makes it crucial to verify that it is the correct user accessing the system.

A recent incident in Sweden, where an unauthorized user remotely hijacked a computer that was left unattended and started transferring money, shows the vulnerability of today's security systems. Luckily, the intrusion was disrupted when an employee saw the mouse being moved on the screen although no one was present, and pulled the plug at the last second, which stopped the attempt.

Healthcare
Hospitals and other care-related institutions store private information about their clients in journals, registers and records. This information can be very sensitive and access is only given to the persons responsible for the patient. The last years have provided lots of examples of integrity violations when confidential information, such as medical records, has ended up in media and newspapers. Meanwhile, public debates have been widespread and the demands for both legal actions and other ways of protecting personal integrity have been raised.

An example of this was when Swedish foreign minister Anna Lindh died in hospital after being attacked in central Stockholm, in 2003. Media afterwards published confidential information that derived from her medical records. Later it was established that a large number of employees not involved with the direct care had been accessing confidential records through another user's account.

Governmental organizations
Keeping the nation state's information intact from abuse and intrusions is crucial to be able to protect its borders and citizens. The attempts of intrusions are most likely to be the subject for espionage, and the kind of organizations that this segment consists of varies from defense to political parties.

During the election in Sweden 2006 a representative of a political party gained access to its counterpart's information system through stolen credentials. Having access to their opponent's strategy and action plan, this information was later used in the campaign to counteract the opposition.

Private Enterprises
Protecting company information is of the highest importance to all private enterprises. There is a great deal of responsibility as to how sensitive information and communication should be handled to protect intellectual property assets such as pharmaceutical research, software development, launch plans and other key resources. A large amount of external resources can also often access critical and sensitive information; for example, accountants often have direct access to their customers' financial data, which is only intended for the auditing. This information can easily be acquired by stealing a laptop and then accessing the sensitive content through known or hacked credentials.

Recently, the problem of insider abuse has been accelerating in companies where workstations can be accessed by non-authorized users inside the premises of the organization. An insider can gain access to a user account either at a logged-on computer or through known passwords or stolen credentials. Also, since 2002, regulatory compliance for public companies has stressed security as a key issue for the company's liability.

Behavio - the first Behaviometric solution

Behavio is a patent pending IT-security software that enables a new layer of protection against insider abuse, data theft and identity theft by guaranteeing that it is the correct user accessing the data at all times. The solution has no impact on usability, nor does it require any extra tokens.

Features

After a user is verified with traditional security measures, such as passwords, Behavio continuously monitors the user during the whole working session to create an ongoing authentication process. Behavio identifies unauthorized users within seconds by detecting anomalies in how they interact with a computer's keyboard, mouse and graphical user interface, thereby avoiding information theft. Intrusions can then be stopped while they are happening.

Behavio is created to be invisible to the eye for the user sitting in front of the computer. It does not affect the daily use of the computer; it actually benefits from all the work the user performs. Here are the main features:
- Continuous: It continuously protects the data after access authentication.
- Adaptive: It continuously learns the behavior of the user and improves the user's behavioral profile.
- Transparent: The users cannot see or manipulate the software.
- Non-intrusive: The software respects the user's integrity; it does not register what the user is doing, it only verifies how the user is working.
- Easy to manage: The software requires minimal central configuration and administration.
- Easy to integrate: The software requires no additional hardware.

"The behavioral pattern which is the base for the ongoing verification of the user profile is a complex mix of mouse dynamics, keystroke dynamics, the user's GUI interaction and advanced behavioral algorithms."

An attempt from an authorized user to access a computer can be monitored and analyzed via the Behavio Log Analyzer. The picture below illustrates what happens when an unauthorized user starts using the computer. Immediately after the start of the unauthorized usage, the Behavio software detects the intruder and drops the authentication grade below the accepted level. The opposite occurs when the authorized user returns to the computer and starts to use it: the authentication grade instantly returns to normal levels.

Behavio enhances the current protection of all workstations, such as laptops and desktops, even after the user has logged into the system. It does not interfere with the normal work flow. Simply using the computer in the everyday work makes the software increasingly more efficient and the confidential information more secure. It doesn't matter if you are working from home or if you are outsourcing, Behavio ensures it is the correct user handling your company's information. Behavio will show that companies put information security foremost and that they are regulatory compliant.

Behavio behind the scenes

Bootstrapping the initial authentication

By continuously studying different aspects of the user's input, Behavio will detect anomalies in the user's behavior. The main principle is to generate a statistical block and then compare it to the user profile. While each aspect of the behavior will generate its own conclusions, the results are summarized into a single similarity ratio. If the ratio drops below the threshold then the user is considered to be an impostor.

During the operating system boot process Behavio is launched as a background process and starts to monitor user space for new sessions.

The detection engine consists of multiple specialized detection engines. When the user is using the computer the monitor will filter the data and store it in different buffers. When one or more of the buffers are filled the software will signal the appropriate detection engines to start working. Because each specialized detection engine only calculates a specific aspect of the user's behavior when it is needed, the system resource overhead is kept at a minimum level.

[Figure: detection engine data flow. Labels: Filter, User Profile, Detection Network, E1, E3, E4, E5, E6]

$$\frac{\prod_{i=1}^{n} E_i}{\prod_{i=1}^{n} E_i + \prod_{i=1}^{n} (1 - E_i)}$$

Behavio allows the individual detection engines to execute independently of each other. The gain from doing so is that it allows for evaluation of the different behavioral aspects asynchronously. Running a detection routine as soon as there is sufficient data for that specific trial makes the system more responsive, and in the end it leads to better protection against unauthorized usage.

[Figure: session life cycle. Labels: System; Desktop; Start Behaviometric; Wait for new session; Login; Hook Monitor thread; Session; Data stream; Close; Logout]

The behavioral profile

At the beginning the profile will be empty and Behavio has to learn the behavior of the user. At this early stage it is difficult to tell the difference between friend and impostor, so Behavio initially assumes that it is the correct user handling the computer.

When the behavioral profile is loaded it will start to authenticate the user by continuously comparing it against the current input from the user.

Behavio consists of a monitor, behavioral profile, detection engine and validation engine. The monitor is the eye of the software, tracking how the user is interacting with the computer. The behavioral profile is the virtual fingerprint of the expected behavior and the detection engine is the heart of the software. The validation engine draws conclusions on whether it is the correct user or not and signals for action.

When a user has logged in, Behavio will spawn another process and hook it on to the newly started session. It will now start to extract information such as username and load the user profile associated with that account.

In order to handle the evolution of the user's behavior the system has to tolerate small shifts and gradually make the necessary changes in the profile.

In order to combine the output from the detection engines we use Bayes' theorem to produce a similarity ratio.
The similarity ratio is calculated as A / (A+B) where:
A is the probability that it is the correct user
B is the probability that it is not the correct user
A = 0.62 × 0.78 × 0.64 × 0.52 × 0.48 × 0.51 = 0.0393986212
B = (1-0.62) × (1-0.78) × (1-0.64) × (1-0.52) × (1-0.48) × (1-0.51) = 0.00368086118

To make sure that a potential impostor who has the login credentials cannot take advantage of this and taint the profile with his or her behavior, the new data has to be stored in quarantine until it goes into the profile. The principle is that if an unauthorized user is detected, the data in the quarantine will be emptied. If the user is determined to be the correct user, the system will automatically update the user profile with the data stored in the quarantine.

Evaluating the output

To illustrate the evaluation of the detection engine output, let's assume a setup with 7 separate detection engines, where the current outputs could be:

Engine 1   Engine 2   Engine 3   Engine 4   Engine 5   Engine 6
[E1]       [E2]       [E3]       [E4]       [E5]       [E6]
62%        78%        64%        52%        48%        51%

As we can see in this example, the chance that it is the correct user (A) is greater than the chance that it is an impostor (B).
Similarity ratio = 0.0393986212 / (0.0393986212 + 0.00368086118) = 0.914556513

The result in this case shows that the probability for it being the correct user is close to 91.5% and, since it is above the set threshold, the user is accepted. Otherwise the system would have signaled detection.

By amplifying the special characteristics of the user's behavior the accuracy is increased. By amplifying a specific behavioral aspect, it will have a larger impact on the final evaluation. We can for example amplify the test if a certain aspect is especially accurate for a specific user, such as when the user writes with almost exactly the same rhythm the entire time.

The results above indicate the probability that it is the correct user from each detection engine's point of view. All results over 50% mean that it is most likely the correct user, while everything below 50% is most likely to be an intruder. At exactly 50% the system indicates that it could be either one.

The administrator can set a detection threshold that allows for the ups and downs in the everyday behavior. The benefit is that false rejects and false accepts are directly associated with the threshold level, which allows for explicitly defined individual risk mitigation. Let's say that the threshold is set to 60%, which means that the probability that it is the correct user has to be at least 60% in order to not be detected as an impostor.
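
The combination rule, the 60% threshold and the profile quarantine described above can be sketched as follows. This is an added example, not BehavioSec's code: the log-odds form of A / (A+B), the clamp `EPS`, the `promote_after` hold period and the sample streams are assumptions made for illustration.

```python
import math
from dataclasses import dataclass, field

EPS = 1e-6  # assumption: clamp so a single engine reporting 0 or 1 cannot decide alone


def similarity_ratio(engine_outputs):
    """Return A / (A + B) with A = prod(E_i) and B = prod(1 - E_i).

    Summing log-odds is algebraically the same ratio, but it does not
    underflow to 0/0 when many engines report, as the direct products do.
    """
    if not engine_outputs:
        raise ValueError("no detection engine has reported yet")
    log_odds = 0.0
    for e in engine_outputs:
        if not 0.0 <= e <= 1.0:
            raise ValueError(f"engine output {e!r} is not a probability")
        e = min(max(e, EPS), 1.0 - EPS)
        log_odds += math.log(e) - math.log1p(-e)
    if log_odds >= 0:                      # numerically stable logistic function
        return 1.0 / (1.0 + math.exp(-log_odds))
    z = math.exp(log_odds)
    return z / (1.0 + z)


@dataclass
class Session:
    threshold: float = 0.60   # example threshold from the text
    promote_after: int = 3    # assumption: accepted blocks required before promotion
    profile: list = field(default_factory=list)      # trusted behaviour blocks
    quarantine: list = field(default_factory=list)   # blocks awaiting promotion

    def evaluate(self, block, engine_outputs):
        """Score one statistical block and apply the quarantine rule."""
        ratio = similarity_ratio(engine_outputs)
        if ratio < self.threshold:
            # Detection: everything still in quarantine is discarded, so
            # earlier blocks from the same intruder never reach the profile.
            self.quarantine.clear()
            return ratio, "detected"
        self.quarantine.append(block)
        if len(self.quarantine) >= self.promote_after:
            self.profile.extend(self.quarantine)
            self.quarantine.clear()
        return ratio, "accepted"


def run_constructed_session():
    """Replay a constructed stream of (block label, per-engine outputs)."""
    paper = [0.62, 0.78, 0.64, 0.52, 0.48, 0.51]        # outputs used in the text
    borderline = [0.55, 0.58, 0.50, 0.52, 0.49, 0.51]   # constructed: barely passes
    intruder = [0.31, 0.44, 0.38, 0.52, 0.35, 0.47]     # constructed: clear mismatch
    stream = [("owner-1", paper), ("owner-2", paper), ("owner-3", paper),
              ("unknown-1", borderline), ("unknown-2", intruder)]
    session = Session()
    verdicts = [session.evaluate(label, outs) for label, outs in stream]
    return session, verdicts


if __name__ == "__main__":
    session, verdicts = run_constructed_session()
    for ratio, verdict in verdicts:
        print(f"{ratio:.4f} {verdict}")
    print("profile:", session.profile)
```

In the constructed stream the borderline block passes the threshold on its own, yet it never reaches the profile because the next block triggers detection while it is still in quarantine.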

Deploying Behavio into the company network

The Behavio solution consists of a client in each workstation and a central management system. While each client has a local behavioral profile cache, the server stores all the users' profiles in a central profile repository.

Being able to synchronize the profiles between the server and the clients increases the mobility of the users. As long as you have an internet connection and the Behavio client installed, the software will automatically synchronize with the server in order to get the latest profiles and settings. If the server cannot be reached, the client will continue with the last known settings and a cached user profile.

Administration
The Behavio Management Server is administrated through a web interface which is accessible with any modern browser. Users and groups can be imported from LDAP sources.

Architecture

Behavio Management Server is built on Linux, Apache, PostgreSQL and PHP. This configuration is similar to the LAMP architecture, which is widely used and tested amongst web hotels as well as large companies. The architecture, which is open in its nature, can easily be customized to run on other operating systems, web servers and database systems.

About BehavioSec
Discovering the potential of the human behavior
In 2004, the founders of BehavioSec started to look into the data security market in order to find an interesting angle for their master's thesis at Luleå University of Technology, in the north of Sweden. What they found out was that most economical and developmental efforts at that time were focused on either strengthening the physical safety systems or refining login procedures for access authentication. They also found out that there were no software products on the market targeting the time after login.

There was a gigantic security gap between the time of login and the time of logout from a software point of view. This insight led the two researchers to focus on the characteristics of this period in order to find the key asset to new data protection software. And what they found was the potential of the human behavior!

A new and innovative company

The Swedish company BehavioSec was established in 2006 at the Aurorum Science Park in Luleå. The company and its products are a direct result of scientific research made by students from Luleå University of Technology in 2004. BehavioSec has been a member of the Aurorum Business Incubator since the start. The business idea has been awarded several international innovation prizes. The organizations that have financially supported the development of Behavio are the Luleå University of Technology combined with other seed capital funding.

Thoughts about a future security market

While the technology evolution continues at a rapid rate, the workplace also continues to move outside the physical boundaries of the company.

This is a natural progress since it could raise the effectiveness of a business organization. We believe that the entry point for attackers will shift, from as of today through the networks, towards attacking the company from the devices that are outside the company's physical defenses. By stealing the credentials of an authorized user the attacker will be able to reach the information easier than by attacking the well defended networks. The attackers are likely to focus on stealing legitimate users' credentials and exploiting them at the mobile devices such as laptops, cell phones and company intranet, thus accessing endpoints that are not secured by the company's walls. Smart cards will in these cases be ineffective since they will be out in the wild. Can you trust that it is the right person carrying the smart card and the smart card reader? What if they were stolen from your employee's home last night?

Behaviometrics is soon going to be a natural part of forensics, especially when it comes to insider abuse. With a close to 100% certainty, the authorities can claim that it was a certain user that was using the computer at a given time. Insider abuse could then be part of history, preventing the possibility for insiders to say "someone else accessed my account". With the concept of ongoing authentication, BehavioSec can deliver a full security solution which will cover everything from workstations, laptops, mobile phones and web/intranets from unauthorized access. That is how we want to contribute to a more secure and thus more peaceful IT business.

Peder Nordström,
Founder and Chief Technology Officer

For more information please contact sales at
BehavioSec
Jakobs torg 3
SE-111 52 Stockholm, Sweden
Phn. +46(0)920-75045
Fax. +46(0)920-75010
contact@behaviosec.com
www.behaviosec.com

BehavioSec is a
registered trademark
