Introduction
User authentication is a fundamental component of basic cybersecurity hygiene and the popular zero-trust network access (ZTNA) model. However, widespread user authentication methods are not without weaknesses.
The challenge is that there is little way to tell the difference between a legitimate user and an intruder once access is gained. If they are remoting into an approved machine to gain network access, using approved credentials, and / or masking geolocation with a VPN, how is one to tell the difference between an intruder and a legitimate user? This may explain the popularity of both credential theft and documented instances of users who sell their credentials or offer paid remote access into their computers on the black market.
Further, a number of Insider Risk professionals and advisors have relayed to the Teramind team in private conversations an uptick in 3rd party vendors who share their login credentials with subcontractors in outsourcing schemes designed to help them engage with more clients at once, increasing profits at the cost of introducing risk in their clients’ environments. No matter how they obtain login credentials, unapproved users entering the network and accessing sensitive digital assets pose a serious security threat – not to mention the breach of contract and good faith involved in secretly outsourcing their work.
Teramind Labs researchers posited a theory that using subconscious data, such as cursor movement and keyboard patterns, is a more reliable way to validate a user’s authenticity.
AI Model Performance Evaluation
The evaluation process involved training individual user models on one week’s worth of mouse cursor movement data. These trained models were then tested against 12-minute blocks of new user data to determine authenticity. A total of 250 user models were trained, with imposter scenarios created by randomly selecting 1 in 1250 other users’ data (Teramind Researchers, personal communication).
The model outputs an authentication score ranging from 0 to 1, with higher scores indicating a higher likelihood of the user being authentic. The score distributions from the test scenarios were heavily skewed towards 1, indicating a high degree of accuracy in correctly identifying legitimate users (see Figure 1). While the current threshold is set at 0.5 (scores below 0.5 are classified as imposters), this could be increased to 0.75 or higher to further enhance security, depending on the specific application requirements.
Surprising Early Results
During the testing of this model, researchers inadvertently uncovered a different work trend, as well: Activity Falsification. This is the practice of employing mechanical or application-based mouse movers and keyboard weights for the purpose of appearing busy, while in fact not working. This was not the intent of the model, but serves an indirect purpose in mitigating risk, as it points to employee disengagement and performance decline (two early indicators of potential insider threat).
Final Research Results
The proposed AI-powered Imposter Detection model demonstrated highly promising results in accurately identifying legitimate users and detecting imposters. Through extensive testing involving over 1 million scenarios, the model achieved an impressive 97.5% accuracy rate in correctly classifying authentic users versus imposters.
Comparison with Other Methods
Traditional user authentication methods, such as passwords and biometrics, have well-documented vulnerabilities and limitations (Wang, Zhang, and Zhang 2021). Passwords can be easily compromised through various attack vectors, while biometrics are susceptible to spoofing and replay attacks (Yu, W., et al 2023).
In contrast, the proposed AI-powered model leverages the inherent uniqueness of an individual’s mouse cursor movements and behavioral patterns, which are incredibly difficult to replicate or mimic. This approach provides a more robust and continuously adaptive authentication mechanism, eliminating the need for explicit user actions or dedicated hardware.
Uses for the AI-Powered Imposter Detection Model
While ZTNA and traditional authentication policies and practices are an important part of cyber hygiene, a more reliable method is needed to validate the identity of users who possess the correct credentials, and even the correct IP or known machine.
Use Case Scenarios
The AI-powered Imposter Detection model has numerous potential applications in enhancing cybersecurity and preventing fraudulent activities.
Two key use cases have currently been identified:
- Intruder Detection in Systems/Applications: By integrating the model with secure systems or applications, abnormal user behavior indicative of potential intruders can be detected in real-time. This could include scenarios where a user’s credentials have been compromised, or their machine has been remotely accessed by an unauthorized party.
- Shared Terminal Tracking: In environments with shared computers or terminals without individual logins, such as manufacturing plants, the model can be leveraged to identify specific users based on their unique mouse cursor patterns. This “reverse digital fingerprint matching” capability enables tracking inappropriate activities back to the responsible individuals. Reverse Digital Fingerprint matching can be especially valuable to manufacturers who are in the Department of Defense supply chain, as the smaller parts they build will eventually find their way into weaponry, airplanes, and more.
Discussion
Strengths and Advantages
The proposed AI-powered Imposter Detection model offers several key strengths and advantages over traditional authentication approaches:
- Continuous Authentication: Unlike one-time authentication methods, the model continuously monitors and verifies user identity based on their ongoing mouse cursor behavior, providing persistent protection against potential threats.
- Adaptability: As the model is trained on individual user data, it can adapt to and account for natural variations in a user’s behavior over time, minimizing false negatives.
- Scalability: The model can be easily scaled to accommodate a large number of users and extended to incorporate additional behavioral biometrics or data sources, further enhancing its accuracy and robustness.
Challenges for Outside Researchers
While the model has proven highly successful, organizations and individuals who seek to replicate this model in their own research need to address the following concerns. Each was addressed in Teramind Labs’ work, as noted in-line.
- Data Quality: The model’s performance heavily relies on the quality and quantity of training data available for each user. Insufficient or noisy data could lead to inaccurate user profiles and authentication errors. This is why granular User Behavior Analytics should be the key data source, as they are more accurate, more reliable, and easy / cost effective to collect.
- Concept Drift: User behavior patterns may evolve over time due to factors such as changes in hardware, software, or personal habits. This concept drift could potentially degrade the model’s performance if not accounted for through periodic retraining or adaptation mechanisms. Teramind Labs addresses this with continuous testing against voluminous, accurate datasets.
- Outliers and Noise: Certain user activities or scenarios (e.g., shared workstations) may introduce outliers or noise in the behavioral data, impacting comparable models’ accuracy. Robust data preprocessing and outlier detection techniques are required. Since these are built into the Teramind Labs processes, they actually fueled one key use case for the research in addressing shared workstation vulnerabilities or visibility gaps.
- Training Overhead: Collecting and processing large volumes of user data for training individual models can be computationally intensive and time-consuming, particularly for large-scale deployments or frequent model updates. Teramind Labs exists in a financially sustainable model, as the research arm of a well-established SaaS organization committed to forging a future and footprint in AI and predictive analytics. Other laboratory environments will do well to also ensure they are sustainable, or seek suitable partnerships.
Real-world Deployment
To pave the way for deploying the AI-powered Imposter Detection model in the real world, embedded within the Teramind platform, several key considerations have been addressed:
- Integration with Existing Systems: The model will be designed to seamlessly integrate with an organization’s existing security infrastructure, applications, and logging mechanisms. This is underway, transferring the model into a usable Feature set within the Teramind platform.
- Logging and Auditing: Comprehensive logging and auditing capabilities have already been implemented in the Teramind platform and Teramind Labs research processes to track authentication events, detect anomalies, and facilitate incident response and forensic investigations.
- User Onboarding and Training: A structured onboarding process was established to collect sufficient user data for initial model training in organizations or research settings that seek to build their own model, and they will also need to develop similar, ongoing mechanisms for updating and refining individual user models.
- Incident Response: Clear protocols and procedures should be defined for responding to potential authentication breaches or imposter detection events that occur in any organization employing this model, including user notification, account lockout, and escalation processes.
Conclusion
Summary of Findings
This research note has proposed and evaluated an AI-powered Imposter Detection model that leverages behavioral biometrics, specifically mouse cursor movements, to continuously authenticate users and detect potential imposters. The model demonstrated highly promising results, achieving an accuracy rate of 97.5% in extensive testing involving over 1 million scenarios.
The key strengths of the proposed approach include continuous authentication, adaptability to individual user behaviors, and scalability to incorporate additional data sources. Any organizations or researchers seeking to replicate the model should also address – as Teramind Labs has – the issues of data quality, concept drift, outliers, and training overhead.
Future Directions
Several potential avenues for future research and development can be explored to further enhance and extend the capabilities of the AI-powered Imposter Detection model:
- Multi-modal Biometrics: Incorporating additional behavioral biometrics, such as keystroke dynamics or application usage patterns, could improve the model’s accuracy and robustness.
- Transfer Learning: Investigating techniques for transferring knowledge from pre-trained models or leveraging shared representations across users could reduce the individual training data requirements and improve model performance.
- Federated Learning: Exploring federated learning approaches, where user data remains decentralized and models are trained collaboratively, could address privacy concerns and enable continuous model improvement without centralized data collection.
Recommendations
For organizations considering the implementation of an AI-powered Imposter Detection system, the following recommendations are provided:
- Conduct a thorough risk assessment and cost-benefit analysis to evaluate the potential impact and return on investment for detecting and stopping insider threats, as well as stemming profit losses due to contractor fraud.
- Engage stakeholders, including end-users, security teams, and legal/compliance departments, early in the process to address concerns and ensure buy-in.
- Develop a comprehensive data management and governance strategy, adhering to relevant regulations and best practices for data protection and privacy.
- Implement the system in a phased approach, starting with pilot deployments and gradually scaling up based on lessons learned and user feedback.
- Establish clear policies, procedures, and training programs to ensure the effective use and maintenance of the authentication system, as well as incident response protocols.
- Continuously monitor and evaluate the system’s performance, adapt to changing user behaviors and threats, and incorporate enhancements or updates as needed.
By adopting a responsible and well-planned approach, organizations can leverage the potential of AI-powered user authentication to significantly enhance their cybersecurity posture and protect against fraudulent activities, while preventing losses due to activity falsification, contractor outsourcing, and insider theft.
