US 20040221171 A1
A biometric intrusion detection system based on mouse dynamics analysis, the analysis of mouse dynamics for a specific user generates a number of factors (Mouse Dynamics Signature) which can be used to ensure the identity of the user, an intelligent detection technique is developed to recognize differences in behaviors and detect intrusion.
1. By monitoring and analyzing mouse dynamics for a specific user over a period of time it is possible to produce what is called a ‘Mouse Dynamics Signature’, Mouse Dynamics Signature is a set of curves describing the monitored behavior and characterizing the mouse dynamics of the user over that period of time.
2. By continuously monitoring mouse dynamics on an active workstation, and comparing the calculated mouse dynamics signature over a period of time to the stored mouse signature of the user who is logged in to the workstation it is possible to detect intrusion.
 The main focus of this research is the development of an intelligent intrusion detection system that utilizes user biometric information in the identification and verification processes.
 Biometric based detectors are considered of the most fast and accurate detectors, in this patent we introduce a new biometric detector, mouse dynamics detector. The detector functionality is to observe the user behavior, acquire input data, and analyze it in order to produce a list of factors characterizing the user behavior.
 By monitoring mouse dynamics information, and analyzing the characteristics of this input over different sessions it is possible to calculate a user identification signature that can be used to ensure the user identity and detect any possible intrusion or misuse of the system.
FIG. 1 illustrates the generation of a mouse dynamics signature.
FIG. 2a shows a comparison of two mouse dynamics signatures for the same user.
FIG. 2b shows a comparison of mouse dynamics signatures for two different users.
 1. Mouse Movement Analysis
 In this detector mouse actions are recorded and processed on a real time basis, movement characteristics being analyzed to produce a set of factors characterizing the behavior, the aim of the research work in this area is to produce what is called a mouse dynamics signature for each registered user.
 This signature is constructed from a set of factors describing the user behavior, using this signature the system will be able to detect if unauthorized user is using the system.
 2. Classification of Actions
 Mouse input actions can be classified as follows:
 Movement (General Movement)
 Drag and Drop (the action starts with mouse button down, movement, then mouse button up)
 Point & Click (mouse movement followed by a click or double click)
 Silence (No Movement)
 From the above mentioned classification, the analysis can be divided into two categories, movement analysis, and silence analysis; different approaches are used in each category to collect the factors characterizing it.
 Following are some examples on the type of factors collected from each analysis.
 Movement Analysis Examples:
 Calculating the average speed compared to the traveled distance, this produces three graphs for the 3 types of movement actions
 Calculating average speed compared to the movement direction, 8 different directions are considered
 Calculating the average traveled distance for a specific period of time, with regards to different movement directions; from this data we can build a pattern for the use of different directions.
 Silence Analysis Examples:
 Calculating the average of silence periods between movements
 Calculating amount of silence in a period of time
 Comparing the percentage of the silence time to movement time in a period of time
 Determining weights for different movement directions to answer the following questions:
 What is the major movement direction to start movement after a silence period
 What is the major movement direction to end with before a silence period
 Factors collected from the above mentioned analysis are passed to a detection unit which uses neural networks to compare the collected input data against a pre analyzed heuristic information, produce what we call ‘suspicious ratio’, and apply a decision making algorithm to propose the proper action.
 An example of the mouse dynamics signature is the traveled distance/movement speed curve (FIG. 1), a neural network is used to model this curve, the network is trained with the collected raw data, mouse dynamics signature is a curve generated from the output (movement speed) of the trained network against an input presenting the full spectrum of the traveled distances.
 A learning/tuning algorithm is used to improve the efficiency of the system for a reliable and accurate detection, and decrease the false acceptance/rejection ratios.
FIG. 2 shows an example of the comparison process for two different cases, FIG. 2a shows a recorded mouse dynamics signature compared to reference signature of the same user, and FIG. 2b shows a recorded mouse dynamics signature of an intruder compared to reference signature of the logged in user.
 Intrusion is detected if the difference between the curves is over a pre calculated threshold limit.