Autenticação contínua de usuários utilizando contadores de desempenho do sistema operacional

Abstract

The personal and corporative computers predominantly use accounts credentials (for example: login and password) as an authentication method, also known as statistic methods. A problem with this approach is that the user can leave the computer without logout or lock the access and allowing an intruder to access the available resources. Therefore, recently searches are directing its efforts into continuing authentication solutions, based on the user’s behavioral models. Most of the approaches uses authentication models built from information that are extracted from user’s interactions with the devices, such as, mouse movements or dynamic text typing or speech recognition. Different form the existing approaches, this work has the propose to make use of static information related to the use of the hardware and software, which are obtained from the performance’s counter from the operational systems to generate authentication models. The idea is to take the information related to the usage of computers sources by the user over time as the use of memory, processor, network, storage and application, to create a profile that can be used to authenticate the user. The advantage to use those attributes is that they can be collected in a transparent way without interfering on the user’s activity. Be sides, the main operational systems (for example, Linux and Windows) have already made available native collectors, not requiring the development of specific collection software. To generate de automation models, we used a hybrid deep network architecture, composed by convolution layers and by recurrence layer. The convolution layers perform the automatic extraction of the characteristics (in this case, the correlation between the data from the performance counter) and the recurrence layer are used to computed temporal characteristic from the data processed by the convolution layers. Furthermore, this work employs a trust model that avoids blocking genuine users and prevents an imposter from spending too much time undetected. The results obtained in three evaluation scenarios show that the proposed method can detect 100% of imposter users in up to 15 seconds. These results prove the feasibility of using performance counters in the definition of continuous authentication models.