In the context of enhancing the protection of critical infrastructure information systems against unauthorized access, this work considers the user authentication procedure based on an improved keyboard handwriting biometric model grounded in fuzzy logic. A primary prerequisite for the development of the proposed biometric model is the need to expand the formalization of user uniqueness within information systems during the registration stage. The limited feature space of existing biometric models, which arises from the constraints of ordinary keyboard properties, negatively impacts the reliability of the authentication procedure. The construction of the biometric model relies on engineering behavioral patterns within a statistical dataset of keyboard handwriting, followed by the generation of new features and their description using fuzzy linguistic terms. During the configuration of the access control and user differentiation system in the information system, users are given the option to select the type of feature space for the keyboard handwriting biometric model: either a shared space for all users or a personalized one. Furthermore, it is planned to detect any drift in the values of the user's keyboard handwriting features based on Kullback-Leibler divergence to ensure timely adaptation of the biometric model to the dynamics of the user's behavior. A comparative analysis of the results from user authentication experiments based on the proposed approach and existing authentication methods is also presented.
As of today, ensuring cybersecurity for critical infrastructure facilities, whose functions are directly tied to technological processes and/or services essential for national security, is a strategic priority for any nation.
Given that many cyber threat methods, including various types of cyberattacks—such as phishing, viruses, spyware, "man-in-the-middle" attacks, software vulnerabilities, and social engineering—share the objective of gaining unauthorized access to critical infrastructure information systems (IS), the task of ensuring data confidentiality, availability, and integrity is particularly crucial.
Access control and user differentiation systems are typically responsible for countering
unauthorized access, especially during authentication, when the claimed identity of a user is verified
for further authorization [
Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
typing of arbitrary text [
An analysis of relevant literature [
In IS, the most common practice for analyzing behavioral biometric characteristics at the authentication stage is through keyboard handwriting (KH), assessing typing indicators such as speed, rhythm, pressure, press duration, and time between key presses during password entry or
This highlights the need for further research to improve user authentication effectiveness in
In most scientific works [
The construction of this keyboard handwriting biometric model involves the following stages.
The initial keyboard handwriting feature space, denoted as , whose features include (1): – typing dynamics – the time between key presses and the duration of key presses; – typing speed – the number of keystrokes divided by the typing duration.
= { , }.
It is evident that the features selected in the previous stage do not sufficiently capture the
uniqueness of information system (IS) users. Thus, following the approach proposed in [
Behavioral patterns are established through statistical analysis of the ∆ indicator by repeatedly entering the control text. This is then represented as a variation curve on a graph. Figure 1 presents the behavioral pattern function of the first author's keyboard handwriting, plotted at 12 points while entering their own 12-character password. (1)
This curve describes the rate of change (the geometric interpretation of differentiation), which can
be approximated by trigonometric functions to engineer new features. In line with [
Blue dots represent key presses, while red dots mark the intersections of the ∆ curve with the time window boundaries. This yields a new subset of features, (2) where each feature corresponds to a specific time window . The number of windows is chosen based on the average time required to enter passwords of 8 to 15 characters.
= { , , … , }. (2) curves show a high degree of similarity, enabling the identification of a unique keyboard handwriting is presented in the form of curves
To ensure minimal variability in the keyboard handwriting pattern values, the control text should be practiced thoroughly until it becomes automatic. Without this level of familiarity, the analysis of arbitrary text input loses its effectiveness for identifying a behavioral pattern in keyboard handwriting, which is difficult to falsify.
Since the values of a user's keyboard handwriting features exhibit some variability, the task of
authenticating an IS user is essentially a process of iteratively assessing the degree of correspondence
between their keyboard handwriting and the biometric model
using fuzzy logic methods [
Here, the input linguistic variables are elements from the subsets. and . However, each time window contains a different number of segments (piecewise-linear functions) of the curve that describes the keyboard handwriting behavioral pattern. Consequently, the expanded feature space can be represented analytically (3).
= ( ∪ ) → { , , = { , . . , }, … , = { 1, , where terms.
To describe the features
using fuzzy linguistic terms, we propose an approach that automatically determines the number of linguistic terms without requiring expert input, based on the statistical Silhouette method (4). This method calculates the optimal number of terms , … , , = represents a triangular-shaped fuzzy linguistic term [16], and is the number of
is selected to maximize the silhouette indicator (4): where ( ) – silhouette value of for term ; ( ) – the average value of intra-term distance; ( ) – distance between terms in features , .
To describe the features
using fuzzy linguistic terms, we calculate the angle for each segment
of the curve obtained by determining the value in degrees between the horizontal axis and the
segment, using the cosine theorem (5) [
( ) =
( ) − ( ) { ( ), ( )}
, cos = + 2 −
After calculating the angle value, it is matched to the corresponding fuzzy term on a scale for fuzzy term determination (Fig. 4), with increments of 15 degrees.
Using this scale (Fig. 4) enables the description of: (4) (5) information system users.
increasing curve ↑ (very high, high, above average, medium, below average, low) – ranging decreasing curve ↓ (very high, high, above average, medium, below average, low) – ranging
To ensure effective model training, it is recommended that during the user registration phase, the user repeatedly enters the control text at least twice as many times as the number of features.
In contrast to the approach proposed in [
Additionally, when each system user is represented as a point in an nnn-dimensional common
feature space, this space is often not linearly separable, as keyboard handwriting patterns of different
individuals may intersect at certain points. This, in turn, can negatively impact model accuracy [
Therefore, it is recommended to construct the keyboard handwriting biometric model for critical infrastructure system users using a personalized feature space.
Over time, the effectiveness of the keyboard handwriting biometric model for IS users may decline,
as typing speed tends to change with age or experience [
In this stage, the difference or similarity between the distributions of the model’s training dataset ( ) (historical data) and the new (accumulated) dataset ( ) is calculated using the Kullback-Leibler divergence [17]. The Kullback-Leibler divergence (or relative entropy) measures the difference between two probability distributions, indicating how much the information entropy of one distribution differs from another. This asymmetric measure ranges from 0 to infinity, where 0 indicates identical distributions. The Kullback-Leibler divergence is calculated for distribution relative to P using the following analytical expression (6): ( ∥ ) = ( ) ( ) ( )
It is advisable to periodically analyze the divergence values obtained between the training dataset and the accumulated statistics at least once every six months. This ensures the adaptation of the proposed keystroke biometric model to changes in the characteristics of information system (IS) users. If constant values of
( || ) > 0, are obtained, it is necessary to initiate the retraining of the keystroke biometric models for IS users.
During attempts to access information system (IS) resources, users present a personalized identifier, which is authenticated using a password.
The next step involves periodic additional authentication of the IS user ∈ throughout the entire session, based on the proposed approach to keyboard usage. The user recognition procedure for among all system users consists of evaluating the expression (7): = { , , = { , . . , }, … , = {
may be blocked from accessing the IS, prompting them to enter a control text to verify the authenticity of their claimed personalized identifier. The event-based scheme responds to any keyboard or mouse activity if the user has been inactive for more than 5 minutes. If no actions are performed with the respective devices during this time, the user is not prompted for control text. However, if an event occurs after the specified interval, the user will be asked to enter the control text. The allowable variability in the specific keyboard characteristics of the user is monitored through ranges defined by linguistic terms within the keyboard handwriting biometric model.
If there is a mismatch between the characteristics of the claimed personalized identifier and the keyboard handwriting biometric model of user ∈ , he current session will be terminated, and an appropriate message will be sent to the IS security system.
To assess the effectiveness of authentication systems, metrics for first and second kind errors are employed: the False Rejection Rate (FRR)—the probability of incorrectly rejecting a registered user— and the False Acceptance Rate (FAR)—the probability of granting access to an unregistered user [2022]. These metrics are calculated as follows: , , where FN (False Negative) – the number of times a registered user has been denied access; TP (True Positive) – the number of times a registered user has been granted access; FP (False Positive) – the number of times an unregistered user was granted access; TN (True Negative) – the number of times an unregistered user was denied access.
The effectiveness of access control and segregation systems is greater when the values of
are minimized. Typically, one of these metrics is prioritized; specifically, prohibiting access to illegitimate users is considered more critical. To achieve this, it is essential to minimize the (8) (9) and . By reducing the False Acceptance Rate ( ), the system can effectively thwart unauthorized access attempts, prioritizing security measures that maintain the integrity and confidentiality of the information system. This focus on minimizing highlights the necessity of stringent authentication protocols to reduce the risk of unauthorized access and potential security breaches.
In commercial biometric authentication systems, the maximum acceptable value of typically ranges from 10-3 to 10-6. In systems with a large user base and a high level of security, this value can drop to as low as 10-9. Meanwhile, the may vary between 0.025 and 0.01; for systems with many users, this rate should not exceed 0.001 to 0.0001. These thresholds provide benchmarks for evaluating the performance and reliability of biometric authentication systems, ensuring they meet stringent security requirements while balancing user convenience and system efficiency [23, 24].
The analysis of the results demonstrates the practicality of the proposed solutions for user authentication in information systems. Specifically, the developed methodology enhances the reliability of information system authentication by reducing the FRR (type II error) by 2-3% compared to research results where the FAR (type I error) equals zero, and by 10-15% compared to research results where the FAR is greater than zero. This achievement aligns with the objectives of this work. A comparative analysis of the calculations based on the results of user authentication in information systems using the proposed approach versus existing methods [24] is presented in Table 1, focusing on the FAR and FRR metrics.
In summary, the findings underscore the effectiveness of utilizing users' dynamic biometric traits for authentication, providing a robust safeguard for information security. Authentication decisions in these systems hinge on comparing the user's biometric model with data collected during the authentication process. The user's biometric model is developed through an analysis of specific individual characteristics, making systems that leverage keyboard handwriting recognition particularly valuable.
A biometric model of keyboard handwriting for users in critical infrastructure information systems has been proposed. This model expands the feature space of keyboard handwriting by analyzing behavioral patterns within a statistical dataset, generating new features, and describing them using fuzzy linguistic terms.
Additionally, the proposed model includes the detection of drift in users' keyboard handwriting characteristics using Kullback-Leibler divergence. This ensures timely adaptation of the biometric model to the dynamics of user behavior.
The practical application of the improved biometric model of keyboard handwriting patterns has demonstrated its effectiveness in recognizing users within access control and segregation systems in critical infrastructure facilities. This model enhances the reliability of user authentication in information systems by reducing the false rejection rate (FRR) by 2-3% compared to previous research results where the false acceptance rate (FAR) is zero, and by 10-15% compared to studies where the FAR exceeds zero. [16] Fesokha V. V., Subach I. Y., Kubrak V. O., Mykytiuk A. V., Korotaiev S. O. Zero-day polymorphic cyberattacks detection using fuzzy inference system. Austrian Journal of Technical and Natural Sciences. 2020. № 5–6. P. 8–13. [17] Fesokha N. O. Determining the necessity of data drift of the biometric model of keyboard handwriting of users of military information systems based on the Kullback-Leibler distance. InterConf : Proceedings of the 2nd International Scientific and Practical Conference «Science and Education in Progress», Dublin, 16–18 June 2023. 2023. P. 353–354. [18] MLOps c Python-библиотекой Evidently: обнаружение дрейфа данных в ML-моделях. URL: https://medium.com (дата звернення: 22.08.2022). [19] Zheng, Shihao, et al. "Labelless concept drift detection and explanation." NeurIPS 2019 Workshop on Robust AI in Financial Services: Data, Fairness, Explainability, Trustworthiness, and Privacy. 2019. [20] Increasing the reliability of user authentication based on protected electronic key and behavioral biometrics / O. V. Saliieva et al. Visnyk of vinnytsia politechnical institute. 2023. Vol. 167, no. 2.
P. 102–111. [21] M. Sivaram, M. Ahamed, D. Yuvaraj, G. Megala, V. Porkodi, M. Kandasamy, Biometric Security and Performance Metrics: FAR, FER, CER, FRR, in: Proceedings of 2019 International Conference on Computational Intelligence and Knowledge Economy, ICCIKE, IEEE, Dubai, United Arab Emirates, 2019. doi: 10.1109/iccike47802.2019.9004275. [22] D. Thakkar, False acceptance rate (FAR) and false recognition rate (FRR), 2020.
URL: https://www.bayometric.com/false-acceptance-rate-far-false-recognition-rate-frr/ [23] Shih N., Shakleina I. Analysis of biometric user identification methods in controlled access systems. Bulletin of the National University of Water Management and Nature Management", series "Technical Sciences".2016. № 3(75). P. 120–130. [24] Alshehri A., Coenen F., Bollegala D. Keyboard usage authentication using time series analysis. Big data analytics and knowledge discovery. Cham, 2016. P. 239–252.