SaTC: CORE: Small: FIRMA: Personalized Cross-Layer Continuous Authentication

SaTC：核心：小型：FIRMA：个性化跨层连续身份验证

• 批准号: 1814557
• 负责人: Renato Figueiredo
• 金额: $ 50万
• 依托单位: University of Florida
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2018
• 资助国家: 美国
• 起止时间: 2018-09-15 至 2022-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1814557&HistoricalAwards=false
• 关键词: SaTC; CORE; Small; FIRMA; Personalized

An important problem in computer security is verifying that people using computing devices are authorized to use them, not just when they first sign on to the device but during the whole time they are using them. Most existing continuous authentication schemes impose burdens on users, for instance, when systems quickly log users out and require frequent re-entry of passwords. This project will build and evaluate FIRMA, a user-transparent, continuous authentication software framework that collects usage data, targeted at corporate security contexts where such monitoring can be done. To the extent that people have unique but recurrent patterns of use -- itself an interesting research question -- FIRMA can estimate the likelihood that the current user is still an authorized, authenticated user based on how current use patterns compare to historical ones. Doing this might both reduce the burden of frequent re-authentication and provide early warning signs of malicious activity by malware or insider attacks. Further, by leveraging the unique way people use computers, FIRMA will be diverse by design -- adversaries will not be able to predict how specific individuals use their devices and their attacks will fail in many devices -- thereby "herd-protecting" security by making it difficult for malware to automatically spread across many devices. If successful, the project could have real impact on corporate security, reducing data breaches and downtime while improving the usability of these systems. The work will also have educational and training impacts through interdisciplinary collaboration and education between computer engineering and psychology, involvement of undergraduate researchers, and efforts to recruit female and minority students to participate in the project. FIRMA will be composed of a kernel module, which will continuously record at the operating system level all events related to user activities: user events (mouse clicks, keystrokes, and timestamps), processes, and the files and network events created as a consequence of user-driven activity. These events, recorded during a training period that represents a user's typical computer usage, will be applied to create a user profile using a novel Generative Adversarial Network (GAN)-based deep learning approach called AttenGAN/P-GAN, which will be composed of a user profile generator and a runtime classifier. AttenGAN/P-GAN will both provide new deep learning tools for processing sequences of unknown length as well as improved ability to train classifiers for anomaly detection without negative samples. The runtime classifier will continuously observe events generated by FIRMA's extractor, leverage the user profile to classify the current window of events being observed as normal or anomalous, and update the current user confidence score. This classifier will be resilient to benign profile changes caused by fluctuations in a user's activity pattern caused by external factors, such as travel (change of time zone) or change of groups or projects. FIRMA's evaluation will comprise four-week captures of natural computer usage data from recruited computer users. This evaluation will consider usability, classification accuracy, and false positives in the presence of various types of anomalies.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

计算机安全中的一个重要问题是验证使用计算设备的人是否有权使用它们，不仅是在他们第一次登录设备时，而是在他们使用设备的整个过程中。 大多数现有的连续身份验证方案都会给用户带来负担，例如，当系统快速注销用户并需要频繁重新输入密码时。 该项目将构建和评估 FIRMA，这是一个用户透明的持续身份验证软件框架，用于收集使用数据，针对可以进行此类监控的企业安全环境。 就人们具有独特但反复出现的使用模式而言（这本身就是一个有趣的研究问题），FIRMA 可以根据当前使用模式与历史使用模式的比较来估计当前用户仍然是授权、经过身份验证的用户的可能性。 这样做既可以减轻频繁重新身份验证的负担，又可以提供恶意软件或内部攻击的恶意活动的早期预警信号。 此外，通过利用人们使用计算机的独特方式，FIRMA 的设计将变得多样化——对手将无法预测特定个人如何使用其设备，并且他们的攻击将在许多设备中失败——从而通过以下方式“群体保护”安全：使得恶意软件很难在许多设备上自动传播。 如果成功，该项目可能会对企业安全产生真正的影响，减少数据泄露和停机时间，同时提高这些系统的可用性。 这项工作还将通过计算机工程和心理学之间的跨学科合作和教育、本科生研究人员的参与以及努力招募女性和少数民族学生参与该项目来产生教育和培训影响。 FIRMA 将由一个内核模块组成，该模块将在操作系统级别连续记录与用户活动相关的所有事件：用户事件（鼠标单击、击键和时间戳）、进程以及由此创建的文件和网络事件。用户驱动的活动。这些事件在训练期间记录，代表用户的典型计算机使用情况，将用于使用一种名为 AttenGAN/P-GAN 的新颖的基于生成对抗网络 (GAN) 的深度学习方法创建用户配置文件，该方法将由以下部分组成：用户配置文件生成器和运行时分类器。 AttenGAN/P-GAN 将提供新的深度学习工具来处理未知长度的序列，并提高训练分类器进行无负样本异常检测的能力。运行时分类器将持续观察 FIRMA 提取器生成的事件，利用用户配置文件将当前观察到的事件窗口分类为正常或异常，并更新当前用户置信度得分。该分类器将能够适应由外部因素（例如旅行（时区的变化）或组或项目的变化）引起的用户活动模式波动所引起的良性配置文件变化。 FIRMA 的评估将包括从招募的计算机用户中采集为期四个星期的自然计算机使用数据。该评估将考虑可用性、分类准确性和存在各种类型异常情况下的误报。该奖项反映了 NSF 的法定使命，并通过使用基金会的智力优点和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

A Novel Criterion of Reconstruction-based Anomaly Detection for Sparse-binary Data

稀疏二进制数据基于重构的异常检测的新准则

• DOI: 10.1109/globecom42002.2020.9322452
• 发表时间: 2020-12-01
• 期刊: GLOBECOM 2020 - 2020 IEEE Global Communications Conference
• 作者: Heng Qiao;D. Oliveira;Dapeng Oliver Wu
• 通讯作者: Dapeng Oliver Wu