SaTC: CORE: Small: FIRMA: Personalized Cross-Layer Continuous Authentication

SaTC：核心：小型：FIRMA：个性化跨层连续身份验证

• 批准号: 1814557
• 负责人: Renato Figueiredo
• 金额: $ 50万
• 依托单位: University of Florida
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2018
• 资助国家: 美国
• 起止时间: 2018-09-15 至 2022-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1814557&HistoricalAwards=false
• 关键词: SaTC; CORE; Small; FIRMA; Personalized

An important problem in computer security is verifying that people using computing devices are authorized to use them, not just when they first sign on to the device but during the whole time they are using them. Most existing continuous authentication schemes impose burdens on users, for instance, when systems quickly log users out and require frequent re-entry of passwords. This project will build and evaluate FIRMA, a user-transparent, continuous authentication software framework that collects usage data, targeted at corporate security contexts where such monitoring can be done. To the extent that people have unique but recurrent patterns of use -- itself an interesting research question -- FIRMA can estimate the likelihood that the current user is still an authorized, authenticated user based on how current use patterns compare to historical ones. Doing this might both reduce the burden of frequent re-authentication and provide early warning signs of malicious activity by malware or insider attacks. Further, by leveraging the unique way people use computers, FIRMA will be diverse by design -- adversaries will not be able to predict how specific individuals use their devices and their attacks will fail in many devices -- thereby "herd-protecting" security by making it difficult for malware to automatically spread across many devices. If successful, the project could have real impact on corporate security, reducing data breaches and downtime while improving the usability of these systems. The work will also have educational and training impacts through interdisciplinary collaboration and education between computer engineering and psychology, involvement of undergraduate researchers, and efforts to recruit female and minority students to participate in the project. FIRMA will be composed of a kernel module, which will continuously record at the operating system level all events related to user activities: user events (mouse clicks, keystrokes, and timestamps), processes, and the files and network events created as a consequence of user-driven activity. These events, recorded during a training period that represents a user's typical computer usage, will be applied to create a user profile using a novel Generative Adversarial Network (GAN)-based deep learning approach called AttenGAN/P-GAN, which will be composed of a user profile generator and a runtime classifier. AttenGAN/P-GAN will both provide new deep learning tools for processing sequences of unknown length as well as improved ability to train classifiers for anomaly detection without negative samples. The runtime classifier will continuously observe events generated by FIRMA's extractor, leverage the user profile to classify the current window of events being observed as normal or anomalous, and update the current user confidence score. This classifier will be resilient to benign profile changes caused by fluctuations in a user's activity pattern caused by external factors, such as travel (change of time zone) or change of groups or projects. FIRMA's evaluation will comprise four-week captures of natural computer usage data from recruited computer users. This evaluation will consider usability, classification accuracy, and false positives in the presence of various types of anomalies.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

计算机安全中的一个重要问题是验证使用计算设备的人是否有权使用它们，不仅是在他们第一次登录设备时，而且是在他们使用设备的整个时间内。例如，当系统快速注销用户并要求频繁重新输入密码时，大多数现有的连续身份验证方案会给用户带来负担。该项目将建立和评估Firma，这是一个对用户透明的、持续的认证软件框架，它收集使用数据，目标是可以进行这种监测的公司安全环境。在某种程度上，人们有独特但重复的使用模式--这本身就是一个有趣的研究问题--Firma可以根据当前使用模式与历史使用模式的比较来估计当前用户仍然是授权的、经过身份验证的用户的可能性。这样做既可以减少频繁重新身份验证的负担，又可以通过恶意软件或内部攻击提供恶意活动的早期预警信号。此外，通过利用人们使用计算机的独特方式，Firma在设计上将是多样化的--对手将无法预测特定个人如何使用他们的设备，他们的攻击将在许多设备上失败--从而通过使恶意软件难以在许多设备上自动传播来“羊群保护”安全。如果成功，该项目可能会对企业安全产生真正的影响，减少数据泄露和停机时间，同时提高这些系统的可用性。这项工作还将通过计算机工程和心理学之间的跨学科合作和教育，本科生研究人员的参与，以及努力招募女性和少数族裔学生参与该项目，产生教育和培训效果。Firma将由一个内核模块组成，该模块将在操作系统级别持续记录与用户活动相关的所有事件：用户事件(鼠标点击、击键和时间戳)、进程以及作为用户驱动活动的结果而创建的文件和网络事件。在代表用户典型计算机使用的训练期间记录的这些事件将被应用于使用称为AttenGAN/P-GAN的基于生成性对抗性网络(GAN)的新型深度学习方法来创建用户简档，该方法将由用户简档生成器和运行时分类器组成。AttenGAN/P-GAN将为处理未知长度的序列提供新的深度学习工具，并改进训练分类器的能力，以便在没有负样本的情况下进行异常检测。运行时分类器将持续观察由Firma的提取程序生成的事件，利用用户配置文件将正在观察的事件的当前窗口分类为正常或异常，并更新当前用户置信度分数。该分类器将对由外部因素引起的用户活动模式的波动引起的良性简档变化具有弹性，例如旅行(时区改变)或小组或项目的改变。Firma的评估将包括从招募的计算机用户那里获取为期四周的自然计算机使用数据。这项评估将考虑可用性、分类准确性和在存在各种类型异常的情况下的误报。该奖项反映了NSF的法定使命，并通过使用基金会的智力价值和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

A Novel Criterion of Reconstruction-based Anomaly Detection for Sparse-binary Data

• DOI: 10.1109/globecom42002.2020.9322452
• 发表时间: 2020-12
• 期刊: GLOBECOM 2020 - 2020 IEEE Global Communications Conference
• 作者: Heng Qiao;D. Oliveira;Dapeng Oliver Wu