N-Gram-Based User Behavioral Model for Continuous User Authentication

We posit that each of us is unique in our use of computer systems. It is this uniqueness that we leverage in this paper to “continuously authenticate users” while they use web software. We build an n-gram model of each user’s interactions with software. This probabilistic model essentially captures the sequences and sub-sequences of user actions, their orderings, and temporal relationships that make them unique. We therefore have a model of how each user typically behaves. We then continuously monitor each user during software operation; large deviations from “normal behavior” can indicate malicious behavior. We have implemented our approach in a system called Intruder Detector (ID) that models user actions as embodied in the web logs generated in response to the actions. Our experiments on a large fielded system with web logs of approximately 320 users show that (1) our model is indeed able to discriminate between different user types and (2) we are able to successfully identify deviations from normal behavior. Keywords–behavioral modeling; continuous authentication; software security; n-grams.