Combining user behavioural information at the feature level to enhance continuous authentication systems

Abstract

The scientific and business communities are proposing new authentication methods more robust than traditional solutions relying on a single security point such as passwords (i.e. “something you know”). User and Entity Behavior Analysis (UEBA) has postulated as an excellent solution to improve authentication systems by performing continuous authentication to extend the authentication process over time. UEBA is based on detecting anomalies in the intrinsic behaviour of each user or entity (i.e. it is based on “something you are/do”). This paper presents a method for performing continuous authentication using UEBA techniques that allows combining information from multiple sources at the feature level. This combination is achieved through a novel Symbolic Aggregate approximation (SAX) using Random Trees Embeddings for each information source, producing a sequence of symbols. Then, these sequences of symbols are combined into a single sequence using temporal information. The resulting sequence of symbols feeds a density-based clustering model that uses a distance based on DNA sequence alignment techniques to extract behavioural cores. Finally, new samples are compared against these cores to detect anomalies using a risk model that evaluates if a behaviour is anomalous (suspected user impersonation). The model has been extensively tested and evaluated against well-known state-of-the-art datasets.