Faced with both identity theft and the theft of means of authentication, users of digital services are starting to look rather suspiciously at online systems. The behavior is made up of a series of observable actions of an Internet user and, taken as a whole, the most frequent of these actions amount to habit. Habit and reputation oer ways of recognizing the user. The introduction of an implicit means of authentication based upon the user's behavior allows web sites and businesses to rationalize the risks they take when authorizing access to critical functionalities. In this paper, we propose a new model for implicit authentication of web users based on extraction of closed patterns. On a data set of web navigation connection logs of 3;000 users over a six-month period we follow the experimental protocol described in [1] to compute performance of our model.
In order to achieve productivity gains, companies are encouraging their
customers to access their services via the Internet. It is accepted that on-line
services are more immediate and more user-friendly than accessing these services
via a brick and mortar agency, which involves going there and, more often than
not, waiting around [
This contribution is organized as follows: in section 2 we shall oer a
state-ofthe-art about implicit authentication and user’s prole in web browsing. Then
we propose a learning model for implicit authentication of web users we are
dealing with in section 3. In section 4, we compare several methods for building
proles of each user. We faithfully reproduce the experimental study conducted
in [
In his survey of implicit authentication for mobile devices ([
Implicit authentication systems were studied very quickly for mobile phones.
In [
Capturing
Method
Keyboard input
GPS, infrastruc- Implicit ture Software protocol Implicit (e.g. WireShark)
strangers
Shoulder Surng
Hardware device Mainly explicit, None implicit possible
The particular context of implicit authentication for web browsing was studied
in [
We propose an intuitive learning model architecture for user authentication. From a data set of web browsing logs we compute a set of own patterns for each user. A pattern is a set of frequently visited sites. The size of pattern may vary. Thanks to these proles we are able to provide an authentication for anonymous sessions. We then compute confusion matrices and we provide precisions of the models. In our present study, we compare performance of a naive Bayes classier to variations on k-nearest neighbors algorithms. More precisely, the studied parameters are selection process of user own patterns, computation process of user proles and distance functions computed for classication stage. Figure 1 outlines the framework of the machine learning process.
Behaviour
?
Prole - Score Computation
- AutheUnsteicration We call a session a set of visited web sites at a specic time by a given user ui such as i 2 [1;n] and n is the number of users. The size of a session is limited and equal to 10. The learning database of each user ui takes the form of a set of sessions denoted Sui and is built from log data3. We call S = Si Sui the whole set of sessions of the database.
We call Wui the whole set of web sites visited at least once by user ui and we call W = SiWui the whole set of visited sites. The order of visited web sites is not taken into account by this model.
Denition 1 (k-pattern). Let W be a set of visited web sites and S be a set of sessions on W . A subset P of W is called a k pattern where k is the size of P . A session S in S is said to contain a k pattern P if P S. Denition 2 (Support and relative support (lift)). We dene the support of a pattern P as the percentage of sessions in S containing P (by extension we give the support of a pattern in the set of sessions of a given user ui): supportS (P ) = jjfS 2 S j P
jjSjj
Sgjj supportSui (P ) = jjfS 2 Sui j P jjSui jj
Sgjj For a given user the relative strength of a pattern is equivalent to the lif t in a context of association rules (i.e. the support of the pattern within this user divided by the support of the pattern across all users). More formally: lif tSui S (P ) = supportSui (P ) supportS (P ) The support measures the strength of a pattern in behavioral description of a given user. The relative support mitigates support measure by considering the pattern’s support on the whole sessions set. The stronger the global support of a pattern, the lesser characteristic of a specic user.
The tf-idf is a numerical statistic that is intended to reect how relevant a word
is to a document in a corpus. The tf-idf value increases proportionally to the
number of times a word appears in the document, but is oset by the frequency
of the word in the whole corpus ([
Denition 3 ( tf idf ). Let P be a pattern, let U be a set of users and Up U such that 8ui 2 Up, supportSui (P ) 6= 0. Let Sui be a set of sessions of a given user ui and S a whole set of sessions. The normalized term frequency denoted tf (P ) is equal to supportSui (P ) and the inverse document frequency denoted idf (P ) is equal to log (jjU jj=jjUP jj). We have: tf idf (P ) = supportSui (P ) log jjU jj jjUP jj Denition 4 (Closure system). Let S be a collection of sessions on the set W of web sites. We denote Sc the closure under intersection of S. By adding W in Sc, Sc is called a closure system.
Denition 5 (Closure operator). Let W be a set, a map C: 2W a closure operator on W if for all sets A and B in W we have: A A B =) C(A) C(B) and C(C(A)) = C(A). ! 2W is
C(A), 2TWheboyre8mA 21.2WLe,tCSScc (bAe )a=clTosfuSre2sySsctejmAon SWg .isTahecnlotshueremoapperCatSocr doenneWd o4n. Denition 6 (Closed pattern 5). Let Sc be a closure system on W and CSc its corresponding closure operator. Let P be a pattern (i.e. a set of visited sites), we said that P is a closed pattern if CSc (P ) = P .
5 This denition is equivalent to a concept of the formal context K = (S;W;I) where
S is a set of objects, W a set of attributes and I a binary relation between S and
W [
The rst and most important step of our model, called own patterns selection
is to calculate the set of own patterns for each user ui. This set of patterns is
denoted Pui = fPi;1; Pi;2;:::; Pi;pg. In [
Algorithm 1 describes the process of H1 to select the 40 own patterns for a given user. With H1, the model performance is improved when p increases up to 40. p = 10 is the better choice for H2 and H3. The best results are from H1.
Algorithm 1: H1: 40 closed k patterns with the largest tf-idf values.
Data: Cui : the set of closed itemsets of user ui from Charm; p : the number of selected own patterns;
Result: Pui : the set of own patterns of user ui; 1 begin 2 Compute the tf idf for each pattern from Charm; 3 Sort the list of patterns in descending order according to the tf value; 4 Return the top p patterns; idf 3.3
User proles computation We dene and we denote Pall = Si Pui the whole set of own patterns. The set Pall allows us to dene a common space in which all users could be embedded. More formally, Pall denes a vector space V of size all = jjPalljj where a given user ui is represented as a vector Vui = (mi;1;mi;2;:::;mi;all).
The second step of our model, called user prole computation , is to compute, for
each user ui, a numerical value for each component mi;j of the vector Vui . i is
the user id, j 2 [1;all] is a pattern id and m stands for a given measure. In this
paper, we compare two measures proposed in [
Authentication stage In our model, the authentication step is based on the identication. For that purpose, our model guesses the user corresponding to an anonymous set of sessions, then it checks if the guessed identity corresponds to the real identity. From this set of sessions we have to build a test prole and to nd the nearest user prole dened during the learning step.
Test sessions Performance of our models are calculated on anonymous data sets of growing size.The more information available, the better the classication will be. The rst data set consists of only one session, the second consists of 10 sessions, the third one consists of 20 sessions, and the last one consists of 30 sessions. For the test phase, all sessions have the same size of 10 sites. Building test prole Let S be the whole set of sessions from the learning data set. Let Sut be an anonymous set of sessions and Vut = (mt;1;mt;2;:::;mt;all) its corresponding prole vector. We will compare two approaches to build the anonymous test prole, the support and the lift: 8i; mt;i = supportSut (Pi) and 8i; mt;i = lif tSut S = supportSut (Pi) supportS (Pi) Distance functions Let Vui = (mi;1;mi;2;:::;mi;all) and Vut = (mt;1;mt;2;:::;mt;all) be two proles. We denoted DisEuclidean(Vui ;Vut ) the Euclidean distance and we denote SimCosine(Vui ;Vut ) the cosine similarity function. We have: DisEuclidean(Vui ;Vut ) = sX(mt;j
mi;j)2 SimCosine(Vui ;Vut ) =
j
Pj(mt;j qPj(mt;j)2 mi;j) Pj(mi;j)2 4 4.1
Our data set is comprised of the web navigation connection logs of 3;000 users
over a six-month period. We have at our disposal the domain name visited and
each user ID. From the variables of day and time of connection we have
constructed connection sessions for each user. A session is therefore a set of web
sites visited. The number of visited web sites per session is limited and equal
to 10. For the relevance of our study we used Adblock 6 lters to remove all
domains regarded as advertising. The majority of users from this data set are not
suciently active to be of relevance. Therefore, as in [
7698 sessions
Size #sessions/users
Minimum Maximum Mean Standard deviation 10 10 10 0 101 733 257 289 Algorithm 2 (see appendix) describes our experimental protocol. The rst loop sets the size of the set of users among which a group of anonymous sessions will be classied. The second one sets the size of this sessions group. Finally, the third loop sets the number of iterations used to compute the average accuracy rate. The loop on line 10 computes the specic patterns of each user and establishes the proles vector. The loop on line 13 computes the vector’s components for each user. The nested loops on lines 16 and 18 classify test data and compute the accuracy rate. From own patterns of each user we compute the set Pall as the whole set of own patterns which denes the prole vector of each user. We use the support of a pattern as numerical value for each components (cf. section 3.3). Following Table 3 provides the size of the prole vector and the distribution of own patterns according to size for each heuristic. With 30 users and 10 own patterns per user, the maximal size of the prole is 300. 20 0 5 10
Comparative performance with [
The data of Table 4 highlight that the H1 heuristic allows rates that are
perceptibly better than those of the two models proposed in [
Charm H1 Bayes Support Lift Charm H1 Bayes Support Lift Charm H1 Bayes Support Lift Charm H1 Bayes Support Lift Charm H1 Bayes 1 65 67 72 85 40 41 49 67 27 29 37 54 19 21 30 43 16 17 26 39 10 89 90 98 99 74 78 90 96 66 64 83 91 55 58 76 87 53 54 72 83 20 95 97 99 73 83 86 95 56 79 77 92 51 68 68 86 48 64 64 83 46 cy 60 a r u c cA 40
20
Comparative performance of distance functions The last gure 4 shows the impact of distance function choice on performances of models.
80
Figure 4 illustrates the signicance of the distance function concerning the performance. Indeed, when used with Euclidean distance, the H1 method is a bit more precise than the lift one (about 3%). However, performances are improved by using the cosine similarity and their relative ranking is even reversed. H1 method’s performance are then better than lift by 10%. 5
In this study, we proposed a learning model for implicit authentication of web
users. We proposed an simple and original algorithm (cf. Algorithm 1) to get a set
of own patterns allowing to characterize each web user. The taken patterns have
dierent size and qualify as closed patterns from closure system generated by
the set of sessions (cf. Table 3). By reproducing experimental protocol described
in [
This study should be extended in order to improve the obtained results. For a very small sites ow, the results of the solution should be better than results from Bayes’ method. Another way to improve results will be to select other types of variable and to add them to our current dataset. The selection of data has an undeniable impact on the results. Appendix
Data: Si Sui : all sessions from n users; X : number of successive executions;
Result: The mean accuracy of select models; 1 begin 2 for (N = f2; 5; 10; 20; 30g) do 3 for (S = f1; 10; 20; 30g) do 4 for (z = 1; : : : ;X) do 5 Select N random users; 6 For each user, select SN = min(jSui j; i = 1; : : : ;N ); 7 Take the 23 of the SN sessions from each users to form the training set; Take the rest of SN sessions to form the validation set; Pakll ; (the global prole vector for each model k); for each (ui; i = 1; : : : ;N ) do
Compute the own patterns Puki (1 jPuki j 10);
Pakll Pakll [ Puki ; for each (ui; i = 1; : : : ;N ) do
Compute the vector Vuki with support or lift; 15 16 17 18 19 20 21
Initialize to 0 the confusion matrix M k of the method k; for each (ui; i = 1; : : : ;N do
Compute the test stream Tui (jT j is xed ; T 2 Tui ); while (Tui 6= ;) do
Take SW sessions from Tui to compute V k; T ua max(simil(Vuki ;VTk)) or min(dist(Vuki ;VTk));
M k[ui][ua] M k[ui][ua] + 1; Compute the mean accuracy of k from M k;