Mengqing Ji,Peihai Zhao,Mimi Wang,Chungang Yan,Zhong Li,Changjun Jiang

DOI: https://doi.org/10.18178/ijmlc.2017.7.2.613

2017-01-01

International Journal of Machine Learning and Computing

Abstract:Traditional authentication methods based on user browsing behaviors consider relatively one-snidely on user browsing habits.They mainly research on the relationships between the sequences of websites or contents without considering user habits comprehensively.So the accuracy when they distinguish different users' web browsing behaviors cannot ensure enough safety, which can be further optimized.This paper introduces a new method which studies from favorite websites, contents and periods of browsing time.It uses Apriori algorithm to mine user's frequent itemsets along with the text classification method and normal distribution to calculate access periods of time.Logic regression algorithm is applied onto user authentication.Experiment shows that detection rate can reach 92.7% while false alarm rate is 6.4%.

Peihai Zhao,Chungang Yan,Changjun Jiang

DOI: https://doi.org/10.1109/icdmw.2016.0054

2016-01-01

Abstract:With the number of users on the Web increasing sharply, how to effectively verify users' identities in order to prevent account theft as well as identity fraud is urging. In this paper, we utilize the web browsing sequences of users, which can directly reflect the logical trajectories of individuals in cyberspace, to depict the profile for each user. Based on these profiles, two approaches are proposed to authenticate the web user's identity. The first one is MSIA (Markov Sequence based Identity Authentication). In MSIA, we construct a behavioral Markov model to depict each user's logical behavior. The second one is SPIA (Sequence and Preference based Identity Authentication). In SPIA, two non-sequential features, i.e. the browsing time and the classes of web pages, are further included in MSIA to strengthen the modeling ability. In addition, both of these two approaches are user-friendly, which means the process of behavioral authenticating is running as daemons. The daemons verify user's identity continuously and invisibly during the whole browsing period, instead of one-time authentication at login stage. Based on the behavioral data of 1000 users collected from China Internet Network Information Center, we verify the proposed methods on 1,496,758 test sequences. The experimental results show that the average accuracy of both authentication methods is up to 90%.

Jiajia Li,Qian Yi,Shuping Yi,Pengxing Zhu

DOI: https://doi.org/10.21203/rs.3.rs-1792004/v1

2022-01-01

Abstract:Abstract Trustworthy interaction refers to the interaction process between human and network information systems that is believable and credible. In recent years, network security events frequently happened caused by human-web interaction lacking trustworthiness, which brings about some security risks such as private information leakage, resource abuse, property or reputation loss, etc. It is a significant network security concern threatening people. The problem is typically approached from the viewpoint of identifying the trustworthiness of the credentials submitted by interactors. There are little few studies that have addressed it in terms of the trustworthiness of the interaction behavior by interactors. We propose that the interaction behavior pattern of interactors on the website is a virtual fingerprint (VF) to discriminate the trustworthiness of the identity based on relevant psychological and behavioral theories. Using 481,838 weblog data from a travel service website, we demonstrate the effectiveness of the proposed VF. First, the individual differences in interaction behavior of interactors on the website are characterized by numerical analysis and statistical inference. Then, 15 interaction behavior features are constructed from weblogs to create a VF, which can discriminate the trustworthiness of the identity by identifying the interaction behaviors of the interactors on the website. Of these, a machine learning algorithm (i.e., the eXtreme gradient boosting) is applied to build the identification model for interaction behaviors. The results show that the VF proposed in this study has better discrimination of trustworthiness compared to those approaches that use other kinds of behavior features. And, the eXtreme gradient boosting used performs more efficiently than the algorithm of Decision Tree and Random Forest. Specifically, the errors of discriminating both untrustworthy and trustworthy identities are as low as 0.19% and 3.30%, respectively. Also, the accuracy of identifying interaction behaviors is as good as 99.63%.

Jiarong Wang,Junyi Liu,Tian Yan,Mingshan Xia,Jianshu Hong,Caiqiu Zhou

DOI: https://doi.org/10.3390/s22176471

IF: 3.9

2022-08-29

Sensors

Abstract:With the wide application of Internet of things (IoT) devices in enterprises, the traditional boundary defense mechanisms are difficult to satisfy the demands of the insider threats detection. IoT insider threat detection can be more challenging, since internal employees are born with the ability to escape the deployed information security mechanism, such as firewalls and endpoint protection. In order to detect internal attacks more accurately, we can analyze users' web browsing behaviors to identify abnormal users. The existing web browsing behavior anomaly detection methods ignore the dynamic change of the web browsing behavior of the target user and the behavior consistency of the target user in its peer group, which results in a complex modeling process, low system efficiency and low detection accuracy. Therefore, the paper respectively proposes the individual user behavior model and the peer-group behavior model to characterize the abnormal dynamic change of user browsing behavior and compare the mutual behavioral inconsistency among one peer-group. Furthermore, the fusion model is presented for insider threat detection which simultaneously considers individual behavioral abnormal dynamic changes and mutual behavioral dynamic inconsistency from peers. The experimental results show that the proposed fusion model can accurately detect insider threat based on the abnormal user web browsing behaviors in the enterprise networks.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Chao Shen,Yufei Chen,Xiaohong Guan,Roy A. Maxion

DOI: https://doi.org/10.1109/tdsc.2017.2771295

2017-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Analyzing mouse-interaction behaviors for implicitly identifying computer users has received growing interest from security and biometric researchers. This study presents a simple but efficient active user authentication system by modeling mouse-interaction behavior, which is accurate and competent for future deployments. A pattern-growth-based mining method is proposed to extract frequent behavior segments, in obtaining a stable and discriminative representation of mouse-interaction behavior. Then procedural features are extracted to provide an accurate and fine-grained characterization of the behavior segments. A SVM-based decision procedure using one-class learning techniques is applied to the feature space for performing authentication. Analyses are conducted using data from around 1,526,400 mouse operations of 159 participants, and the authentication performance is evaluated across various application scenarios and tasks. Our experimental results show that characteristics from frequent behavior segments are more stable and discriminative than those from holistic behavior, and the system achieves a practically useful level of performance with FAR of 0.09 percent and FRR of 1 percent. Additional experiments on usability to sample length, reliability to application task, scalability to user size, robustness to mimic attack, and response to behavior change are provided to further explore the applicability. We also compare the proposed approach with the state-of-the-art approaches for the collected data.

Marcos Oliveira,Junran Yang,Daniel Griffiths,Denis Bonnay,Juhi Kulshrestha

2024-06-14

Abstract:How easy is it to uniquely identify a person based solely on their web browsing behavior? Here we show that when people navigate the Web, their online traces produce fingerprints that identify them. Merely the four most visited web domains are enough to identify 95% of the individuals. These digital fingerprints are stable and render high re-identifiability. We demonstrate that we can re-identify 80% of the individuals in separate time slices of data. Such a privacy threat persists even with limited information about individuals' browsing behavior, reinforcing existing concerns around online privacy.

Computers and Society,Information Retrieval,Social and Information Networks,Physics and Society,Applications

Xiaodan Gu,Ming Yang,Jiaxuan Fei,Zhen Ling,Junzhou Luo

DOI: https://doi.org/10.1109/cbd.2015.44

2015-01-01

Abstract:Currently, people round the world daily use the Internet to access various services, such as, email and online shopping. However, the behavior-based tracking attacks have posed a considerable threat to users' privacy. Relying on characteristic patterns within the Internet activities, this attack can link a user's multiple sessions which are composed of a period of user's traffic. Once a user's personally identifiable information is disclosed in some session, the attacker can obtain the user's other network activities according to the linked sessions. In this paper, we investigate this behavior-based tracking attack and discuss the possible countermeasures. We preprocess the raw traffic data and then extract features ranging from lower layer network packets to high level application related traffic. Specifically, we focuses on four types of application-level traffic to infer users' habits, including HTTP, IM, Email, and P2P. A Multinomial Naive Bayes Classifier is employed to correlate users' sessions in distinct period. To evaluate the feasibility of our approach, we collect traffic in real-world environment to construct two distinct sizes of datasets. In the first dataset, we have 55 users' traffic during five weeks and the accuracy of our approach could reach 100%. To further illustrate the scalability of this approach, 509 users are selected from the second dataset in terms of the user's active degree. Finally, we can correctly correlate average 85.61% instances. Our extensive empirical experiments demonstrate the effectiveness and efficiency of our approach.

Yong Li,Zhongying Zhang,Jingpeng Wu,Qiang Zhang

DOI: https://doi.org/10.1007/978-981-16-9709-8_18

IF: 4.426

2022-01-01

Big Data

Abstract:Network security is not only related to social stability, but also an important guarantee for the digital intelligent society. However, in recent years, problems such as user account theft and information leakage have occurred frequently, which has greatly affected the security of users’ personal information and the public interest. Based on the massive user click behavior data and graph embedding technology, this paper proposes the Graph2Usersim (Gp2-US) to analyze the similarity between the user’s historical behavior characteristics and online behavior characteristics to accurately identify the user’s identity, and then distinguish the user’s abnormal online behavior. To be specific, firstly, based on the empirical click-stream data, the user’s historical behavior and online behavior are modeled as two attention flow networks respectively. Secondly, based on the Graph2vec method and drawing on the theory of molecular fingerprinting, the nodes of the attention flow network are characterized as atoms, and edges are characterized as chemical bonds, and the network is simplified using the structural features of compounds to generate feature vectors that can identify users’ historical and online behaviors. Finally, the behavior similarity algorithm Gp2-US proposed in this paper is used to accurately identify users. A large number of experiments show that the accuracy of the algorithm Gp2-US is much higher than that of the traditional algorithm. Based on 10 days of historical user behavior data, it can accurately identify its identity characteristics and accurately determine abnormal account behavior. The research conclusions of this paper have important theoretical value and practical significance in inferring abnormal user behaviors and monitoring public opinion.

computer science, theory & methods, interdisciplinary applications

Chen Xiaojun,Wei Zicheng,Pu Yiguo,Shi Jinqiao

DOI: https://doi.org/10.1016/j.procs.2013.05.111

2013-01-01

Procedia Computer Science

Abstract:Insider threat becomes a more and more serious problem to organizations. Identify theft is a common attack method among various attack methods from insider. And it is very hard to detection since the attacker acts as a legal identity. Existing researches focus on Human Computer Interaction (HCI) behavior such as keystroke dynamics or mouse dynamics to detection this kind of attack. Based on an obvious observable that different applications show different HCI behavioral patterns (rich-key-operations or rich-mice-operations), we demonstrate that single authentication method is not efficient always in full time work period. In this paper, we provide an ensemble re-authentication approach to detection identify theft in real time, which combine the classification of keystroke-classifier and mice-classifier to determine whether the current operations is produced by the real legitimate user or not. Our experiment proves this new approach is efficient and can provide consistent detection ability with high accuracy.

Shouhui Pan,Li Wang,Guoping Xia

2011-01-01

Journal of Computational Information Systems

Abstract:User profile that reflects the user's interests forms the basis of providing personalized information services, which plays an important role in the personalized information system. User's daily browsing behaviors can reflect the user's interests to some extent. User interest taxonomy tree is introduced to signify user's interests in this paper. A plug-in embedded into Internet Explorer is developed for capturing user's browsing behaviors. These browsing behaviors including browsing time, and the number of underlines, annotations, highlights, bolds and italics that are marked up in each browsed web document, are recorded and formalized by the behavior table. Thus, user's interests can be mined from these browsing behaviors. To make user profile can accurately reflect user's current interests, an adaptive user profile based on memory model which can be updated with time automatically is presented in this paper. An experiment is designed to verify our proposed approach. Experimental result indicates that user profile based on our approach can reflect user's interests accurately. © 2011 Binary Information Press December, 2011.

Qing Zhou,Dai Tang,Liang Ge,Hu Yue,Yong Wang

DOI: https://doi.org/10.1145/3369985.3370012

2019-01-01

Abstract:Internet surfing is one of the most frequent activities in our daily lives. Investigation of web user behaviors may help to disclose the Internet usage habits, the life-styles and even the personality of users. Previous studies on web user Behaviors mainly based on data collected from questionnaires or log files of a particular website and the extracted features are manually designed for a specific application. In this paper, we propose a two-stage feature extraction framework called InnerBehavior, which aims to reconstruct a general representation for web user behaviors from millions of access records. The proposed framework is employed to the detection of Internet addiction users. Experiment results demonstrate the effectiveness of the framework.

Qiongzan Ye,Yangbo Gao,Zhenhua Zhang,Yu Chen,Yupeng Li,Min Gao,Shutong Chen,Xin Wang,Yang Chen

DOI: https://doi.org/10.1109/ijcnn55064.2022.9892383

2022-01-01

Abstract:Online-to-Offline (O2O) e-commerce service platforms and their users are faced with various fraud risks. Among them, financial identity theft is a widely existing challenge. However, existing methods are insufficient to detect this type of fraud. In this paper, we address the financial identity theft detection problem in e-commerce services by leveraging access environment and behavior sequence. To explore the fraud patterns, we first make a detailed analysis using real cases of identity theft from Meituan, a leading O2O e-commerce platform in China. Our findings are twofold. First, fraudulent accounts sharing the same personal ID would have different access environments, such as devices and IP addresses. Second, a group of fraudulent accounts may have aggregations of devices, IP addresses, and delivery addresses. Based on these observations, we propose a hybrid method termed EnvIT to detect financial identity theft based on the heterogeneous graph and the behavior sequence. EnvIT is able to characterize the access environment and the historical behavior of the accounts. Furthermore, an attentive module is adopted to assign weights to different features automatically. We further evaluate EnvIT via extensive experiments using a real-world dataset from Meituan. Our experimental results demonstrate that EnvIt outperforms several baseline methods in fraudulent account detection and achieves an AUC of 0.9210.

Zebin Cai,Yankun Zhen,Mingrui He,Liuqing Chen,Lingyun Sun,Tingting Zhou,Yichun Du

DOI: https://doi.org/10.1007/978-3-031-20500-2_3

2022-01-01

Abstract:User behavior data has always been the key for e-commerce platforms to make decisions and improve experience, especially when predicting users' behavioral intent. Nowadays, the Product Recommendation Page (PRP) has played an increasingly significant role of e-commerce platforms with the popularity of recommendation systems. However, past research on predicting user behavioral intent across e-commerce platforms may not be applicable to PRPs, where users have different characteristics. In this research, users' browsing behavioral intent of PRPs is studied and predicted. A large amount of user data of PRPs is collected and processed, and the corresponding dataset is built. After that, a user interest analysis method is proposed while five browsing intent prediction models are applied and compared. The method distinguishes users with different browsing interest degrees, and the models can better predict users' browsing behavior intent within different interest groups. A validation experiment on the large-scale dataset shows that the proposed method can predict user browsing intent with a decent performance.

Weili Han,Ye Cao,Elisa Bertino,Jianming Yong

DOI: https://doi.org/10.1016/j.eswa.2012.02.020

IF: 8.5

2012-01-01

Expert Systems with Applications

Abstract:The theft attacks of web digital identities, e.g., phishing, and pharming, could result in severe loss to users and vendors, and even hold users back from using online services, e-business services, especially. In this paper, we propose an approach, referred to as automated individual white-list (AIWL), to protect user's web digital identities. AIWL leverages a Naive Bayesian classifier to automatically maintain an individual white-list of a user. If the user tries to submit his or her account information to a web site that does not match the white-list, AIWL will alert the user of the possible attack. Furthermore, AIWL keeps track of the features of login pages (e.g., IP addresses, document object model (DOM) paths of input widgets) in the individual white-list. By checking the legitimacy of these features, AIWL can efficiently defend users against hard attacks, especially pharming, and even dynamic pharming. Our experimental results and user studies show that AIWL is an efficient tool for protecting web digital identities. (C) 2012 Elsevier Ltd. All rights reserved.

Jiajia Li,Qian Yi,Shuping Yi,Shuping Xiong,Su Yang

DOI: https://doi.org/10.1007/978-981-13-2384-3_11

2018-01-01

Abstract:Nowadays, the Internet has penetrated into people’s daily life in many ways, and people usually use the form of web account to carry out web activities. However, the problem of user account being illegally occupied by others has become increasingly prominent, and the security of user account is not guaranteed. On the other side, the network’s advantage of recording data easily provides a valuable opportunity to comprehensively record a tremendous amount of human behaviors. Based upon the status and problems, we present an approach to distinguish genuine account owners from intruders. This study constructs a series of web behavior features based on web usage logs, and uses machine learning to identify users based on Bayesian theorem and structural risk minimization criterion. Experiments show that web behavior analysis is a feasible way for user verification.

Xiaodan Gu,Ming Yang,Junzhou Luo

DOI: https://doi.org/10.1109/CSCWD.2015.7230964

2015-01-01

Abstract:Website Fingerprinting (WF) attacks have posed a serious threat to users' privacy, which allow an adversary to infer the anonymous communication content by using traffic analysis. Recent studies have demonstrated the effectiveness of WF attacks through a large number of experiments. However, some researchers believe that the assumptions of WF attacks vastly simplify the problem and are critical in the practical scenarios. In this paper, we assess the threat model of WF and relax the assumptions about browsing behavior to improve the practical feasibility. To deal with the multi-tab browsing scenario, we propose a novel WF attack and identify webpages respectively. The main idea resides in the fact that the user visits the second page with a short delay after opening the first page due to the think time. We analyze the anonymous traffic transmitted in the delay and select fine-grained features to identify the first page. Furthermore, we exclude the first page's traffic and utilize coarse features to identify the second page. We deploy our attack in real word environment and the experiment lasts for two months. The Naive Bayes classifier is then applied on the collected datasets to classify the visited websites among 50 top ranked websites in Alexa. When the delay is set to 2 seconds, our attack can classify the first page with 75.9% accuracy, and the second page is 40.5%. The results show that the WF attack is still effective in the practical scenarios and we can't dismiss WF as a threat.

Zhongliu Zhuo,Yang Zhang,Zhi-li Zhang,Xiaosong Zhang,Jingzhong Zhang

DOI: https://doi.org/10.1109/tifs.2017.2762825

IF: 7.231

2017-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Website fingerprinting attacks can reveal the receiver in anonymous networks and cause a potential threat to users’ privacy. Previous studies focus more on identifying individual webpages. They also neglect the hyperlink transition information, because it induces extra “noise” to classify the original webpage. However, it is a common scenario that the users surf a website by clicking hyperlinks on the webpage. In this paper, we propose a website modeling method based on profile hidden Markov model (PHMM) which is widely used in bioinformatics for DNA sequencing analysis. Our technique explicitly accounts for possible hyperlink transitions made by users when fingerprinting a target website, and therefore can work in a more realistic environment than existing methods. Using SSH and Shadowsocks, we collect various data sets and conduct extensive evaluations. We also show that our approach could work both in webpage and website identification in a closed world setting. The experimental results demonstrate that our website fingerprinting is more accurate and robust than existing methods.

Cheng Wang,Bo Yang,Jipeng Cui,Chaodong Wang

DOI: https://doi.org/10.1109/tcss.2019.2917003

2019-01-01

IEEE Transactions on Computational Social Systems

Abstract:We aim at exploiting users' coarse behavioral records for identity theft detection in online services. We concentrate on this issue in online social networks (OSNs) that users' behavioral records usually consist of multiple dimensional behavior data. The behavioral records in each dimension are possibly coarse and insufficient for effectively modeling users' behavioral patterns. In this paper, we investigate whether there is a complementary effect among different dimensions of records for modeling users' behavioral patterns. We focus on three typical dimensions of behaviors in OSNs, i.e., offline check-ins, online tippostings, and social contacts. We devise the dedicated behavior models based on each dimension of data, i.e., users' behavioral projection models. Then, by examining all feasible logical combinations of them, we find the optimal ones for two real-world data sets: Foursquare and Yelp. Notably, we analyze the potential correlation between customized demand and optimal logical fusion scheme. As an insightful result, we find that the correlation is independent of the specific data. This study would give the cybersecurity community new insights into the possibility and methodology to achieve a customized identity theft detection in OSNs by integrating multiple behavioral projection models.

Yiming Yan,Haiyong Zhao,Haipeng Qu

DOI: https://doi.org/10.3390/electronics13142728

IF: 2.9

2024-01-01

Electronics

Abstract:Users encounter various threats, such as cross-site scripting attacks and session hijacking, when they perform login operations in the browser. These attacks pose significant risks to the integrity and confidentiality of personal data. The browser fingerprint, as an authentication technique, can effectively enhance user security. However, attackers can bypass browser fingerprint authentication through phishing attacks and other methods, leading to unauthorized logins. To address these issues, we propose a secure browser fingerprint authentication scheme that integrates the data of the browser cache side-channel into the traditional browser fingerprint. Consequently, it enhances the dynamics and non-determinism of the browser fingerprint and improves the anti-attack capabilities of the authentication process. Experimental results demonstrate that this scheme can effectively mitigate phishing attacks and man-in-the-middle attacks, achieving a 95.33% recognition rate for attackers and a 96.17% recall rate for authorized users.

Wei Li,Shuping Yi,Qian Yi,Jiajia Li,Shiquan Xiong

DOI: https://doi.org/10.1007/978-3-030-50309-3_39

2020-01-01

Abstract:With the increasingly prominent problem of information security, the research on user trustworthy authentication technology becomes more and more important. Identification and authentication methods based on user’s biological behavior characteristics have attracted widespread attention due to their low cost and difficulty in imitation, which represented by mouse dynamics. This study proposed an improved method for time-frequency joint analysis of mouse behaviors for trustworthy authentication of website users. We collected the behavior data of the user’s natural mouse operation under real website environment, and analyzed the timing and spatial characteristics of the user’s mouse movements. Based on extracting the time-frequency joint distribution characteristics and spatial distribution characteristics of the temporal signals of the user’s mouse movements, we used the random forest algorithm to establish a user’s trustworthy authentication model. Mouse behavior data of five users during twenty-eight months had been used as a case study to explore the effectiveness of this method in user trustworthy authentication. The results of case analysis showed that, comparing to the original research, the method proposed in this study significantly improved the accuracy of the website user trustworthy authentication.