As of today, ensuring cybersecurity for critical infrastructure facilities, whose functions are directly tied to technological processes and/or services essential for national security, is a strategic priority for any nation.
Given that many cyber threat methods, including various types of cyberattacks-such as phishing, viruses, spyware, "man-in-the-middle" attacks, software vulnerabilities, and social engineering-share the objective of gaining unauthorized access to critical infrastructure information systems (IS), the task of ensuring data confidentiality, availability, and integrity is particularly crucial.
Access control and user differentiation systems are typically responsible for countering unauthorized access, especially during authentication, when the claimed identity of a user is verified for further authorization [1][2][3]. However, current authentication methods often fall short in effectively safeguarding IS from cyber threats, as evidenced by numerous recent incidents of security breaches [4][5][6]. This is primarily due to attackers' evolving strategies, which necessitate new authentication methods and solutions for IS users.
An analysis of relevant literature [2,3,[7][8][9] reveals that one of the most effective ways to prevent unauthorized access to IS resources is through access control and user differentiation systems based on analyzing users' behavioral biometric characteristics at the authentication stage, as they are practically impossible to fake. This approach involves identifying users based on their subconscious sensory and motor skills throughout their interaction with the IS, allowing the detection of the substitution of an already authorized user.
In IS, the most common practice for analyzing behavioral biometric characteristics at the authentication stage is through keyboard handwriting (KH), assessing typing indicators such as speed, rhythm, pressure, press duration, and time between key presses during password entry or typing of arbitrary text [2,3,[7][8][9].
This highlights the need for further research to improve user authentication effectiveness in critical infrastructure IS based on KH.
In most scientific works [8,[10][11][12][13] focused on developing keyboard handwriting biometric models, the task of formalizing the uniqueness (individual subconscious characteristics) of users is constrained by a limited feature space in keyboard handwriting (typing speed, rhythm, key pressure, key press duration, and time between key presses). This limitation prevents these models from achieving adequate representation and, consequently, high accuracy in the authentication process. Therefore, this article examines a keyboard handwriting biometric model for users in critical infrastructure information systems, as proposed in [3,7], which allows for expanding the keyboard handwriting feature space through feature engineering, using fuzzy logic to generate additional features.
The construction of this keyboard handwriting biometric model involves the following stages.
The initial keyboard handwriting feature space, denoted as π , whose features include (1): π -typing dynamics -the time between key presses and the duration of key presses; π‘ -typing speed -the number of keystrokes divided by the typing duration.
= {π, π‘ }.
(1)
It is evident that the features selected in the previous stage do not sufficiently capture the uniqueness of information system (IS) users. Thus, following the approach proposed in [3,7], new features are generated by defining behavioral patterns (templates) from a statistical dataset of keyboard handwriting during control text (password) input. Specifically, the duration of key presses by the user, denoted as βπ‘ , (where i is the key identifier), is considered. This indicator is chosen due to its minimal variability for each user compared to other indicators. For example, the duration between key presses reflects the time required for the user's hand to move across the keyboard, which inherently displays excessive variability.
Behavioral patterns are established through statistical analysis of the βπ‘ indicator by repeatedly entering the control text. This is then represented as a variation curve on a graph. Figure 1 presents the behavioral pattern function of the first author's keyboard handwriting, plotted at 12 points while entering their own 12-character password. This curve describes the rate of change (the geometric interpretation of differentiation), which can be approximated by trigonometric functions to engineer new features. In line with [3,7], a subset of new keyboard handwriting features for the IS user is defined to create the final feature space for the keyboard handwriting biometric model π . Consequently, the presented curve is segmented into equal-length time windows π‘ , which form a new subset of keyboard handwriting features π (Fig. 2). To ensure minimal variability in the keyboard handwriting pattern values, the control text should be practiced thoroughly until it becomes automatic. Without this level of familiarity, the analysis of arbitrary text input loses its effectiveness for identifying a behavioral pattern in keyboard handwriting, which is difficult to falsify.
Since the values of a user's keyboard handwriting features exhibit some variability, the task of authenticating an IS user is essentially a process of iteratively assessing the degree of correspondence between their keyboard handwriting and the biometric model π using fuzzy logic methods [14,15]. Here, the input linguistic variables are elements from the subsets. π and π . However, each time window π‘ contains a different number of segments (piecewise-linear functions) π π’π of the curve that describes the keyboard handwriting behavioral pattern. Consequently, the expanded feature space can be represented analytically (3).
To describe the features π using fuzzy linguistic terms, we propose an approach that automatically determines the number of linguistic terms without requiring expert input, based on the statistical Silhouette method (4). This method calculates the optimal number of terms ππ , β¦ , ππ , π = 1, π , where ππ represents a triangular-shaped fuzzy linguistic term [16], and π is the number of terms.
The optimal number of terms ππ is selected to maximize the silhouette indicator (4):
where π (π) -silhouette value of π for term π; π(π) -the average value of intra-term distance; π(π) -distance between terms in features π, π‘ .
To describe the features π using fuzzy linguistic terms, we calculate the angle for each segment of the curve obtained by determining the value in degrees between the horizontal axis and the segment, using the cosine theorem (5) [7].
After calculating the angle value, it is matched to the corresponding fuzzy term on a scale for fuzzy term determination (Fig. 4), with increments of 15 degrees. ο· decreasing curve β (very high, high, above average, medium, below average, low) -ranging from 90 Β° to 180 Β°.
Figure 5 shows the final feature space of the proposed keyboard handwriting biometric model for information system users. To ensure effective model training, it is recommended that during the user registration phase, the user repeatedly enters the control text at least twice as many times as the number of features.
In contrast to the approach proposed in [3,7], which constructs a keyboard handwriting biometric model based on a common feature space for all users in the system, this work proposes allowing the cybersecurity administrator to select the type of feature space for the keyboard handwriting biometric model during the configuration of the user access control and segregation system in the information system (IS). The options include a common feature space for all users or a personalized feature space for individual users. Furthermore, the use of a common feature space introduces additional computational overhead. This is because, during the description of the time windows π‘ derived from the decomposition of the user's keyboard handwriting curve, it is necessary to formalize not only the varying number of upward and downward trends within each π‘ but also to maintain their precise sequence.
Additionally, when each system user is represented as a point in an nnn-dimensional common feature space, this space is often not linearly separable, as keyboard handwriting patterns of different individuals may intersect at certain points. This, in turn, can negatively impact model accuracy [7].
Therefore, it is recommended to construct the keyboard handwriting biometric model for critical infrastructure system users using a personalized feature space.
Over time, the effectiveness of the keyboard handwriting biometric model for IS users may decline, as typing speed tends to change with age or experience [7,17]. Thus, the task of detecting data driftthe change in statistical properties of data over time [18,19] -becomes essential to allow timely retraining of models with updated datasets. This involves applying methods to identify when model updates are necessary.
In this stage, the difference or similarity between the distributions of the model's training dataset π(π₯) (historical data) and the new (accumulated) dataset π(π₯) is calculated using the Kullback-Leibler divergence [17]. The Kullback-Leibler divergence (or relative entropy) measures the difference between two probability distributions, indicating how much the information entropy of one distribution differs from another. This asymmetric measure ranges from 0 to infinity, where 0 indicates identical distributions. The Kullback-Leibler divergence is calculated for distribution π relative to P using the following analytical expression (6):
It is advisable to periodically analyze the divergence values obtained between the training dataset and the accumulated statistics at least once every six months. This ensures the adaptation of the proposed keystroke biometric model to changes in the characteristics of information system (IS) users. If constant values of πΎπΏ(π||π) > 0, are obtained, it is necessary to initiate the retraining of the keystroke biometric models for IS users.
During attempts to access information system (IS) resources, users present a personalized identifier, which is authenticated using a password.
The next step involves periodic additional authentication of the IS user π’ β π throughout the entire session, based on the proposed approach to keyboard usage. The user recognition procedure for π’ among all system users π consists of evaluating the expression (7): π’ = {π, π‘ , π‘ = {π π’π , . . , π π’π }, β¦ , π‘ = {π π’π , . . , π π’π }}.
With a specific periodicity or an event-based scheme configured by the administrator, the identified user π’ β π may be blocked from accessing the IS, prompting them to enter a control text to verify the authenticity of their claimed personalized identifier. The event-based scheme responds to any keyboard or mouse activity if the user has been inactive for more than 5 minutes. If no actions are performed with the respective devices during this time, the user is not prompted for control text. However, if an event occurs after the specified interval, the user will be asked to enter the control text. The allowable variability in the specific keyboard characteristics of the user is monitored through ranges defined by linguistic terms within the keyboard handwriting biometric model.
If there is a mismatch between the characteristics of the claimed personalized identifier and the keyboard handwriting biometric model of user π’ β π, he current session will be terminated, and an appropriate message will be sent to the IS security system.
To assess the effectiveness of authentication systems, metrics for first and second kind errors are employed: the False Rejection Rate (FRR)-the probability of incorrectly rejecting a registered userand the False Acceptance Rate (FAR)-the probability of granting access to an unregistered user [20][21][22]. These metrics are calculated as follows:
where FN (False Negative) -the number of times a registered user has been denied access; TP (True Positive) -the number of times a registered user has been granted access; FP (False Positive) -the number of times an unregistered user was granted access; TN (True Negative) -the number of times an unregistered user was denied access.
The effectiveness of access control and segregation systems is greater when the values of πΉπ π and πΉπ΄π are minimized. Typically, one of these metrics is prioritized; specifically, prohibiting access to illegitimate users is considered more critical. To achieve this, it is essential to minimize the πΉπ΄π . By reducing the False Acceptance Rate (πΉπ΄π ), the system can effectively thwart unauthorized access attempts, prioritizing security measures that maintain the integrity and confidentiality of the information system. This focus on minimizing πΉπ΄π highlights the necessity of stringent authentication protocols to reduce the risk of unauthorized access and potential security breaches.
In commercial biometric authentication systems, the maximum acceptable value of πΉπ΄π typically ranges from 10 -3 to 10 -6 . In systems with a large user base and a high level of security, this value can drop to as low as 10 -9 . Meanwhile, the πΉπ π may vary between 0.025 and 0.01; for systems with many users, this rate should not exceed 0.001 to 0.0001. These thresholds provide benchmarks for evaluating the performance and reliability of biometric authentication systems, ensuring they meet stringent security requirements while balancing user convenience and system efficiency [23,24].
The analysis of the results demonstrates the practicality of the proposed solutions for user authentication in information systems. Specifically, the developed methodology enhances the reliability of information system authentication by reducing the FRR (type II error) by 2-3% compared to research results where the FAR (type I error) equals zero, and by 10-15% compared to research results where the FAR is greater than zero. This achievement aligns with the objectives of this work. A comparative analysis of the calculations based on the results of user authentication in information systems using the proposed approach versus existing methods [24] is presented in Table 1, focusing on the FAR and FRR metrics.
In summary, the findings underscore the effectiveness of utilizing users' dynamic biometric traits for authentication, providing a robust safeguard for information security. Authentication decisions in these systems hinge on comparing the user's biometric model with data collected during the authentication process. The user's biometric model is developed through an analysis of specific individual characteristics, making systems that leverage keyboard handwriting recognition particularly valuable.
A biometric model of keyboard handwriting for users in critical infrastructure information systems has been proposed. This model expands the feature space of keyboard handwriting by analyzing behavioral patterns within a statistical dataset, generating new features, and describing them using fuzzy linguistic terms.
Additionally, the proposed model includes the detection of drift in users' keyboard handwriting characteristics using Kullback-Leibler divergence. This ensures timely adaptation of the biometric model to the dynamics of user behavior.
The practical application of the improved biometric model of keyboard handwriting patterns has demonstrated its effectiveness in recognizing users within access control and segregation systems in critical infrastructure facilities. This model enhances the reliability of user authentication in information systems by reducing the false rejection rate (FRR) by 2-3% compared to previous research results where the false acceptance rate (FAR) is zero, and by 10-15% compared to studies where the FAR exceeds zero.