Publication number: US20040221171 A1
Publication type: Application
Application number: US 10/427,810
Publication date: Nov 4, 2004
Filing date: May 2, 2003
Priority date: May 2, 2003
Also published as: CA2535542A1, US8230232, US20060224898, WO2004097601A1
Inventors: Ahmed Awad Ahmed, Issa Traore
Original Assignee: Ahmed Ahmed Awad E., Issa Traore
Intrusion detector based on mouse dynamics analysis
A biometric intrusion detection system based on mouse dynamics analysis. Analyzing the mouse dynamics of a specific user generates a number of factors (the Mouse Dynamics Signature) that can be used to verify the identity of the user. An intelligent detection technique is developed to recognize differences in behavior and detect intrusion.
1. By monitoring and analyzing mouse dynamics for a specific user over a period of time, it is possible to produce what is called a ‘Mouse Dynamics Signature’. The Mouse Dynamics Signature is a set of curves describing the monitored behavior and characterizing the mouse dynamics of the user over that period of time.
2. By continuously monitoring mouse dynamics on an active workstation, and comparing the mouse dynamics signature calculated over a period of time to the stored mouse signature of the user who is logged in to the workstation, it is possible to detect intrusion.

[0001] The main focus of this research is the development of an intelligent intrusion detection system that utilizes user biometric information in the identification and verification processes.

[0002] Biometric-based detectors are considered among the fastest and most accurate detectors. In this patent we introduce a new biometric detector, the mouse dynamics detector. The detector's function is to observe user behavior, acquire input data, and analyze it in order to produce a list of factors characterizing that behavior.


[0003] By monitoring mouse dynamics information, and analyzing the characteristics of this input over different sessions it is possible to calculate a user identification signature that can be used to ensure the user identity and detect any possible intrusion or misuse of the system.


[0004] FIG. 1 illustrates the generation of a mouse dynamics signature.

[0005] FIG. 2a shows a comparison of two mouse dynamics signatures for the same user.

[0006] FIG. 2b shows a comparison of mouse dynamics signatures for two different users.


[0007] 1. Mouse Movement Analysis

[0008] In this detector, mouse actions are recorded and processed in real time, and movement characteristics are analyzed to produce a set of factors characterizing the behavior. The aim of the research work in this area is to produce what is called a mouse dynamics signature for each registered user.

[0009] This signature is constructed from a set of factors describing the user behavior. Using this signature, the system is able to detect whether an unauthorized user is using the system.

[0010] 2. Classification of Actions

[0011] Mouse input actions can be classified as follows:

[0012] Movement (General Movement)

[0013] Drag and Drop (the action starts with mouse button down, movement, then mouse button up)

[0014] Point & Click (mouse movement followed by a click or double click)

[0015] Silence (No Movement)

[0016] From the above classification, the analysis can be divided into two categories: movement analysis and silence analysis. Different approaches are used in each category to collect the factors characterizing it.

[0017] The following are some examples of the types of factors collected from each analysis.

[0018] Movement Analysis Examples:

[0019] Calculating the average speed compared to the traveled distance; this produces three graphs for the three types of movement actions

[0020] Calculating the average speed compared to the movement direction; 8 different directions are considered

[0021] Calculating the average traveled distance for a specific period of time, with regards to different movement directions; from this data we can build a pattern for the use of different directions.

[0022] Silence Analysis Examples:

[0023] Calculating the average of silence periods between movements

[0024] Calculating the amount of silence in a period of time

[0025] Comparing the percentage of the silence time to movement time in a period of time

[0026] Determining weights for different movement directions to answer the following questions:

[0027] What is the major movement direction to start movement after a silence period

[0028] What is the major movement direction to end with before a silence period
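
The movement and silence factors listed above, computed from raw pointer samples. This is an added example, not part of the patent text; the `(t_ms, x, y)` sample format, the 500 ms silence gap and all function names are assumptions.

```python
import math
from collections import Counter, defaultdict

SILENCE_GAP_MS = 500  # assumption: a gap this long between samples counts as silence

def direction_bin(dx, dy):
    """Map a displacement to one of 8 sectors of 45 degrees (0 = +x, 2 = +y)."""
    angle = math.degrees(math.atan2(dy, dx)) % 360
    return int(((angle + 22.5) % 360) // 45)

def extract_factors(samples):
    """samples: time-ordered (t_ms, x, y) pointer positions from one session."""
    dist, dur = defaultdict(float), defaultdict(float)
    silences, pending, first_dir = [], 0, Counter()
    for (t0, x0, y0), (t1, x1, y1) in zip(samples, samples[1:]):
        dt, dx, dy = t1 - t0, x1 - x0, y1 - y0
        if dt <= 0:
            continue                   # duplicate or out-of-order timestamp
        if dt >= SILENCE_GAP_MS or (dx == 0 and dy == 0):
            pending += dt              # merge adjacent idle intervals into one period
            continue
        d = direction_bin(dx, dy)
        if pending:                    # this movement ends a silence period
            silences.append(pending)
            first_dir[d] += 1          # direction used to resume after silence
            pending = 0
        dist[d] += math.hypot(dx, dy)
        dur[d] += dt
    if pending:
        silences.append(pending)
    silent, moving = sum(silences), sum(dur.values())
    return {
        "avg_speed_by_direction": {d: dist[d] / dur[d] for d in sorted(dist)},
        "avg_silence_ms": silent / len(silences) if silences else 0.0,
        "silence_ratio": silent / (silent + moving) if silent + moving else 0.0,
        "start_direction_after_silence": dict(first_dir),
    }

# Constructed sample: move along +x, pause 1 s, move along +y, pause 0.6 s.
SAMPLES = [(0, 0, 0), (100, 10, 0), (200, 20, 0), (1200, 20, 0),
           (1300, 20, 10), (1400, 20, 20), (2000, 20, 20)]

if __name__ == "__main__":
    for name, value in extract_factors(SAMPLES).items():
        print(name, value)
```

Speeds are in pixels per millisecond, and sector numbers follow screen coordinates, so sector 2 points down the screen.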

[0029] Factors collected from the above analysis are passed to a detection unit, which uses neural networks to compare the collected input data against pre-analyzed heuristic information, produces what we call a ‘suspicious ratio’, and applies a decision-making algorithm to propose the proper action.

[0030] An example of the mouse dynamics signature is the traveled distance/movement speed curve (FIG. 1). A neural network is used to model this curve, and the network is trained with the collected raw data. The mouse dynamics signature is the curve generated from the output (movement speed) of the trained network against an input representing the full spectrum of the traveled distances.

[0031] A learning/tuning algorithm is used to improve the efficiency of the system for a reliable and accurate detection, and decrease the false acceptance/rejection ratios.

[0032] FIG. 2 shows an example of the comparison process for two different cases: FIG. 2a shows a recorded mouse dynamics signature compared to the reference signature of the same user, and FIG. 2b shows a recorded mouse dynamics signature of an intruder compared to the reference signature of the logged-in user.

[0033] Intrusion is detected if the difference between the curves is over a pre-calculated threshold limit.
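
A minimal version of the comparison in [0030] to [0033], added here as an example and not taken from the patent. Binned averages stand in for the trained neural network, and the bin edges, threshold, minimum overlap and function names are assumed values.

```python
from statistics import mean

BIN_EDGES = [0, 50, 100, 200, 400, 800]  # assumed distance bins, in pixels
THRESHOLD = 0.15   # assumed value; the text only says it is pre-calculated
MIN_OVERLAP = 3    # assumed: refuse to decide on fewer shared bins

def signature(actions):
    """actions: (traveled_distance_px, avg_speed_px_per_ms), one per movement action.
    Returns mean speed per distance bin, None where the bin has no data.
    Distances outside BIN_EDGES are ignored."""
    buckets = [[] for _ in BIN_EDGES[:-1]]
    for distance, speed in actions:
        for i, (lo, hi) in enumerate(zip(BIN_EDGES, BIN_EDGES[1:])):
            if lo <= distance < hi:
                buckets[i].append(speed)
                break
    return [mean(b) if b else None for b in buckets]

def curve_difference(reference, observed):
    """Mean absolute speed difference over bins populated in both curves."""
    pairs = [(r, o) for r, o in zip(reference, observed)
             if r is not None and o is not None]
    if len(pairs) < MIN_OVERLAP:
        raise ValueError("too few shared distance bins to compare signatures")
    return mean(abs(o - r) for r, o in pairs)

def is_intrusion(reference, observed, threshold=THRESHOLD):
    """Flag the session when the curves differ by more than the threshold."""
    return curve_difference(reference, observed) > threshold

# Constructed data: stored reference, a later session by the same user,
# and a session by a different user on the same account.
ENROLLED = [(30, 0.2), (40, 0.3), (80, 0.5), (150, 0.8), (300, 1.2), (600, 1.5)]
SAME_USER = [(35, 0.25), (90, 0.45), (160, 0.85), (350, 1.1)]
OTHER_USER = [(30, 0.6), (90, 1.0), (180, 1.4), (300, 1.9)]

if __name__ == "__main__":
    ref = signature(ENROLLED)
    for label, session in (("same user", SAME_USER), ("other user", OTHER_USER)):
        obs = signature(session)
        print(label, round(curve_difference(ref, obs), 4), is_intrusion(ref, obs))
```

A session that covers too few distance bins raises an error instead of returning a verdict, which keeps a short or idle session from being scored as a match.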

U.S. Classification: 726/23
International Classification: G06F21/00
Cooperative Classification: G06F21/36, G06F21/316
European Classification: G06F21/31B, G06F21/36