SaTC: CORE: Small: FIRMA: Personalized Cross-Layer Continuous Authentication

SaTC：核心：小型：FIRMA：个性化跨层连续身份验证

• 批准号: 1814557
• 负责人: Renato Figueiredo
• 金额: $ 50万
• 依托单位: University of Florida
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2018
• 资助国家: 美国
• 起止时间: 2018-09-15 至 2022-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1814557&HistoricalAwards=false
• 关键词: SaTC; CORE; Small; FIRMA; Personalized

An important problem in computer security is verifying that people using computing devices are authorized to use them, not just when they first sign on to the device but during the whole time they are using them. Most existing continuous authentication schemes impose burdens on users, for instance, when systems quickly log users out and require frequent re-entry of passwords. This project will build and evaluate FIRMA, a user-transparent, continuous authentication software framework that collects usage data, targeted at corporate security contexts where such monitoring can be done. To the extent that people have unique but recurrent patterns of use -- itself an interesting research question -- FIRMA can estimate the likelihood that the current user is still an authorized, authenticated user based on how current use patterns compare to historical ones. Doing this might both reduce the burden of frequent re-authentication and provide early warning signs of malicious activity by malware or insider attacks. Further, by leveraging the unique way people use computers, FIRMA will be diverse by design -- adversaries will not be able to predict how specific individuals use their devices and their attacks will fail in many devices -- thereby "herd-protecting" security by making it difficult for malware to automatically spread across many devices. If successful, the project could have real impact on corporate security, reducing data breaches and downtime while improving the usability of these systems. The work will also have educational and training impacts through interdisciplinary collaboration and education between computer engineering and psychology, involvement of undergraduate researchers, and efforts to recruit female and minority students to participate in the project. FIRMA will be composed of a kernel module, which will continuously record at the operating system level all events related to user activities: user events (mouse clicks, keystrokes, and timestamps), processes, and the files and network events created as a consequence of user-driven activity. These events, recorded during a training period that represents a user's typical computer usage, will be applied to create a user profile using a novel Generative Adversarial Network (GAN)-based deep learning approach called AttenGAN/P-GAN, which will be composed of a user profile generator and a runtime classifier. AttenGAN/P-GAN will both provide new deep learning tools for processing sequences of unknown length as well as improved ability to train classifiers for anomaly detection without negative samples. The runtime classifier will continuously observe events generated by FIRMA's extractor, leverage the user profile to classify the current window of events being observed as normal or anomalous, and update the current user confidence score. This classifier will be resilient to benign profile changes caused by fluctuations in a user's activity pattern caused by external factors, such as travel (change of time zone) or change of groups or projects. FIRMA's evaluation will comprise four-week captures of natural computer usage data from recruited computer users. This evaluation will consider usability, classification accuracy, and false positives in the presence of various types of anomalies.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

计算机安全性的一个重要问题是验证使用使用计算设备的人员被授权使用它们，不仅是他们首次登录设备时，而且在整个过程中使用它们。 例如，大多数现有的连续身份验证方案会对用户施加负担，例如，当系统快速登录用户并需要频繁重新输入密码时。 该项目将构建和评估Firma，这是一个用户透明的，连续的身份验证软件框架，该框架收集使用数据，该框架针对的是可以进行此类监视的公司安全环境。 在人们具有独特但经常性的使用模式的范围内，这本身就是一个有趣的研究问题 - Firma可以根据当前的使用模式与历史模式相比，当前用户仍然是当前用户仍然是授权，经过认证的用户的可能性。 这样做可能会减轻频繁重新认证的负担，并通过恶意软件或内部攻击提供恶意活动的预警信号。 此外，通过利用人们使用计算机的独特方式，Firma将通过设计而多样化 - 对手将无法预测特定个人如何使用其设备和攻击在许多设备中会发生故障 - 从而使恶意软件难以自动散布在许多设备上。 如果成功，该项目可能会对公司安全产生真正的影响，减少数据泄露和停机时间，同时改善这些系统的可用性。 这项工作还将通过计算机工程和心理学之间的跨学科合作和教育，本科研究人员的参与以及招募女性和少数族裔学生参加该项目的努力，从而产生教育和培训的影响。 Firma将由内核模块组成，该模块将在操作系统级别连续记录所有与用户活动相关的事件：用户事件（鼠标点击，击键和时间戳），流程以及由于用户驱动的活动而创建的文件和网络事件。这些事件将在代表用户典型计算机使用情况的培训期间记录，将应用于使用新颖的生成对抗网络（GAN）的深度学习方法来创建用户配置文件，称为Attengan/P-GAN，该方法将由用户配置文件生成器和运行时分类器组成。 Attengan/p-gan都将提供新的深度学习工具，用于处理未知长度的序列，以及提高能力训练分类器以进行异常检测而没有负样本。运行时分类器将不断观察由Firma提取器生成的事件，利用用户配置文件将被观察到正常或异常的事件的当前窗口进行分类，并更新当前的用户置信度得分。该分类器将对由用户活动模式的波动引起的良性概况变化具有弹性，例如旅行（时区的变化）或组或项目的变化。 Firma的评估将包括招聘计算机用户的自然计算机使用数据的四个星期捕获。该评估将考虑在存在各种异常情况下的可用性，分类准确性和误报。该奖项反映了NSF的法定任务，并且使用基金会的知识分子优点和更广泛的影响审查标准，被认为值得通过评估来提供支持。

项目成果

A Novel Criterion of Reconstruction-based Anomaly Detection for Sparse-binary Data

• DOI: 10.1109/globecom42002.2020.9322452
• 发表时间: 2020-12
• 期刊: GLOBECOM 2020 - 2020 IEEE Global Communications Conference
• 作者: Heng Qiao;D. Oliveira;Dapeng Oliver Wu