Host-based intrusion detection based on real time keystroke sequences

Research output: Contribution to journal › Article › peer-review

3 Scopus citations

Abstract

This paper presents an intrusion detection method based on information obtained from real-time key sequences. Based on an analysis of keystroke characteristics and keystroke identification algorithms over a large number of experiments, a weighted Bayesian method is developed that uses the stroke sequences of particular keys as its data source. The keystroke models of normal users are established first and then matched against the keystroke sequences of all users in real time to determine whether an intrusion is taking place. This method can not only perform user authentication beyond login names and passwords, but also constantly monitor the dynamic behavior of users' keystroke processes to prevent abuse of a particular account by false users. The paper also discusses the key issues of system implementation and presents the detection results from a real system. Experiments on 1912 login keystroke sequences of 15 users show that the weighted Bayesian method achieves a false negative ratio of 0.58% and a false positive ratio of 1.64% for user verification, compared with ratios of 2.90% and 6.38%, respectively, for the traditional Bayesian method. Experiments are also performed to test the capability to monitor the dynamic behavior of users' keystroke processes. The results for 1147 keystroke sequences of the same 15 users show that the authors' method is better, with a false negative ratio of 2.61% and a false positive ratio of 5.73%, compared with 3.77% and 7.36% for the traditional Bayesian method.

Original language: English
Pages (from-to): 396-401
Number of pages: 6
Journal: Jisuanji Xuebao/Chinese Journal of Computers
Volume: 27
Issue number: 3
State: Published - Mar 2004

Keywords

  • Identity authentication
  • Intrusion detection
  • Intrusion monitoring
  • Keystroke characteristics
