Developing of keystroke dynamics analyzing systems using a presentation based on state contexts

This aim of the article is to discusses the main static and dynamic user identification methods by keystroke dynamics. As part of the research, a generalized way of representing the process of typing on the keyboard based on the sequential change of the keyboard state was proposed. The definition of the keyboard state context, which is the basis for the dynamic identification procedure, is formulated. The proposed approach will make it possible to apply a variety of static identification methods, significantly expanding the set of methods used for dynamic user identification by keystroke dynamics.


INTRODUCTION
Today, the problems of preventing unauthorized access to confidential and personal information, its illegal distribution, as well as preventing illegal actions on behalf of another user are urgent tasks in the field of information security. Traditionally, cryptographic means and means of authentication based on knowledge (passphrase or answer to a specific question) or attribute (smart-card, key) are used to protect information systems. In addition, there is a class of biometric identification and authentication methods that are used both as stand-alone solutions and as a strengthening of traditional security tools. Biometric methods have a number of advantages over other methods based on knowledge or an attribute: the source of biometric data is always with the user, cannot be lost. Besides compromising and copying a biometric image is often extremely difficult. However, the main disadvantage of biometric methods can be attributed to changes in the initial biometric image of the user due to age-related changes, the psychophysical state of a person or the presence of injuries. This aspect may impede the identification procedure or make it completely impossible. In addition, biometric analysis often requires additional and often expensive equipment.
Among the biometric characteristics, static (fingerprint, iris or vein pattern) and behavioral (handwriting, gait, voice) can be distinguished. The analysis of static characteristics assumes single identification only at the moment of user login to the system. While the behavioral characteristics suitable for continuous identification procedure over a period of time. Many of them provide the ability to perform this procedure hidden from the user.
To perform both static and dynamic identification, standard PC input devices can be used: keyboard and mouse. This paper describes issue of dynamic user identification based on the unique characteristics of typing on the keyboard -keystroke dynamics. The main advantage of this approach, in addition to hidden and dynamic identification, is the absence of the need for additional equipment, since today almost every personal computer is equipped with this input device.
Static analysis of a user's keystroke dynamics assumes an identification procedure by entering a predetermined sequence of characters: a passphrase. A typical area of application of this type of analysis is to conduct a user authorization procedure when logging into the system using the user's login and password, which, in combination with the analysis of keystroke dynamics, increases the security of the system in the event of their compromise. To build an image of the keystroke dynamics for each user, several samples of entering a passphrase are enough, which, as a rule, does not require time.
Dynamic analysis, in turn, allows you to identify the user regardless of the text he is typing. This approach allows not only to discern the user during login, but also to perform continuous analysis of the keystroke dynamics throughout the entire session in order to recognize the change of the active user. In addition, this method makes it possible to execute the identification procedure not by a previously known password, but by entering a small piece of free text, thereby relieving the user and the system from the need to store passwords. This type of analysis requires a longer training period for the system to generate the most complete and accurate biometric image.

MATERIALD AND METHODS
Initially, methods of static analysis were developed in the field of keystroke dynamics analysis. In the 1980s, the National Science Foundation and the US National Bureau of Standards conducted a series of studies that concluded that typing patterns contain unique characteristics that can be identified. The researchers explained the psychological basis for using keystroke dynamics to give researchers a basic understanding of the various processes involved in typing process (Gaines et al., 1980). Extensive research shows that a person's typing is a behavioral characteristic that develops over a period of time and therefore cannot be shared, lost or forgotten. This parameter shows quite legible information that can be used for identification and authentication.
Today there are many classes of methods for static analysis of user keystroke dynamics. One of these classes is a variety of statistical methods, which are based on a statistical assessment of the main timing parameters of keyboard events: mean, median, standard deviation, probability density, and others. These methods were used both in early works on the study of keystroke dynamics, and in modern research.
So, in the first works in this area, works by R. Joyce and G. Gupta (1990), F. Monrose and A. Rubin (1997), D. Song, P. Venable, and A. Perrig (1997), methods based on statistical estimation of the distance between vectors of delays between keyboard events.
Statistical methods also include probabilistic methods, the main position of which is that the temporal characteristics of the keystroke dynamics correspond to the Gaussian distribution, which was considered in . Also, this class of probabilistic statistical methods includes algorithms based on hidden Markov models (Ali et al., 2016), estimates of probability density, weighted probability (Bryukhomitsky, 2010).
Clustering methods can also be distinguished, which consist in combining similar vectors of characteristics into clusters. The purpose of algorithms of this type is to form clusters with the closest characteristics of the elements within the cluster, but the most different parameters of the elements between the clusters. Within the framework of the clustering method, the k-means method or methods of fuzzy sets are used (Mandujano & Soto, 2004). To estimate the distance between vectors in various studies, many estimates are used: Euclidean distance (Sidorkina & Savinov, 2013), Manhattan distance (Killourhy & Maxion, 2009), Mahalonobis distance (Killourhy & Maxion, 2008), a measure of disorder (Plank, 2016).
Another class of keystroke dynamics analysis methods are machine learning methods, which are often used in classification, pattern recognition, and clustering problems.
Among them, approach based on neural networks can be highlighted. A feature of the approach based on neural networks is the need for a large number of alien images to train the model. In addition, adding, deleting, or updating a biometric image in a database will generally lead to retraining of neural networks. To solve the problem of user identification by keystroke dynamics, various types of neural networks are used: direct propagation (Pavaday et al., 2007), multilayer neural networks (Pavaday & Soyjaudah, 2008), recurrent networks (Kobojek & Saeed, 2016) and self-organizing maps (Loy et al., 2007).
Decision trees also belong to the class of pattern recognition methods based on neural networks. In studies devoted to the analysis of keystroke dynamics, approaches based on different variants of the use of decision trees are used: a random forest and parallel decision trees (Sheng et al., 2005).
Also, the support vector machine learning approach should be noted. This method generates the smallest regions that cover the largest number of features of a certain class. This method maps an input vector into a multidimensional feature space using a kernel function (linear, polynomial, sigmoidal, or radial basis function). The algorithm will find a hyperplane that will divide the space of features in such a way that on one side there will be as many features of the image of "users" and as few features of "impostors" as possible, and correspondingly as many features of "impostors" and fewer of "users" the other side. As a result, the function will build a more complex decision boundary than linear methods. The use of the support vector machine in the problem of user identification by keystroke dynamics is considered in (Bhatia & Hanmandlu, 2017).
In the field of continuous identification, the methods used for static analysis, in the general case, cannot be applied. A different set of methods and algorithms are used to implement continuous analysis.
Research in the field of dynamic of keystroke dynamics analysis was first published in 1995 by Shepherd, who showed the possibility of user identification by keystroke dynamics in the process (Shepherd, 1995).
In addition, Dowland used digraph, trigraph, and word spacing in his study as a distance-based classifier and achieved an FAR of 4.9% and an FRR of 0% based on testing on 35 users .
In the works of Gunetti, a method for analyzing keystroke dynamics based on free text using a measure of randomness of intervals, presented in the form of digraphs, is considered. This approach made it possible to achieve 3.16% FAR and 0.02% FRR for 40 users classified as "user" and 165 users as "impostors" .
In the field of dynamic analysis, there are several classes of methods that in many ways duplicate the methods for static analysis, but taking into account the peculiarities of the parameters of continuous analysis. Many statistical methods, machine learning methods and bioinspired algorithms are also used to solve this problem. In contrast to static analysis, in which the main parameter is a fixed-length feature vector, which depends on the analyzed characteristics and the length of the passphrase, in dynamic analysis, in most cases, digraphs, trigraphs, and other ngraphs consisting of 2, 3 or several feature sequences are used. Thus, in the case of dynamic user identification, it is not a fixed expression as a whole that is analyzed, but a sequence of n-graphs that are formed on the basis of an arbitrary text.
In addition, the study by Daniele Gunetti and Claudia Picardi (2005) examined the statistical characteristics of combinations of two, three or four consecutive characters, taking into account only specific combinations of characters for each individual user. A similar study is reflected in a series of articles by Fernel, in which the characteristics of two or three keys were analyzed in this way using not only statistical analysis, but also using neural networks Dowland et al., 2002;.
So, in the work of Bours, Patrick and Mondal, Soumik (Bours & Mondal, 2015) for dynamic user recognition, a weighted estimate of the Euclidean distances between digraphs was used in combination with an ensemble of classifiers consisting of a feedforward neural network, a recurrent neural network and a support vector machine. A genetic algorithm was used to optimize the weights in the ensemble.
Thus, there is an extremely wide range of static identification methods that are used to analyze the temporal characteristics of the keystroke dynamics, presented mainly in the form of intervals between different types of events. These intervals can be calculated both between two successive events, such as, for example, the time between keystrokes or the time of holding the keys, and between a sequence of several successive events, forming digraphs or, in general, n-graphs. Let's designate this view model as an event model. Dynamic analysis of keystroke dynamics is complicated by the fact that, unlike static identification, it is impossible to generate a feature vector of a fixed length. In this case, a continuous sequence of events and their time parameters are subjected to the identification procedure. This type of biometric identification has a slightly more limited set of methods and, as a rule, each of them develops its own way of representing the biometric image of the keystroke dynamics, which is most appropriate for a particular analysis method. Based on this, a new way of representing the biometric image of the keystroke dynamics is proposed, which will be a more universal form of representing the biometric image, and which can serve as the basis for both static identification and dynamic methods. This model is based on the concept of the state of the keyboard. Let's call it a state-based model.

Basic timing of keystroke dynamics
The data received from the keyboard is a sequence of events occurring at a specific time. Each event is a tuple of three parameters: Where i -is the index of the event, n -is the number of characters in the typed text.
The basic metrics for keyboard typing are the timestamps of two types of events: a key press and a key release. Let's denote (Timestamp) as the event of pressing the i key at time t and (Timestamp)as the event of releasing the i key at time t.
Based on these events, a number of features can be distinguished that can be the basis for the analysis of keystroke dynamics.
The primary features are the time intervals between a pair of events of different types. These intervals include: key hold time, delay, and time between keystrokes. The dwell time of the i key can be defined as the interval between releasing and pressing the same key: Keystroke interval is defined as the interval between successive keystroke events (flight time): In turn, define the delay as the interval between lowering the previous key and pressing the next one (latency time): If the key holding time is crossed, this sign will have a negative value. The described events and primary signs can be graphically represented as shown in Figure 1.

Figure 1. Primary features of keystroke dynamics
Based on the combination of the considered primary features, composite features can be formed: digraphs, trigraphs, etc. The specific type of the composite feature depends on the method used for analyzing the keystroke dynamics (Pashchenko et al., 2018).

Format representation of keyboard state
To form a generalized keyboard model, we represent it as a fixed set of keys, each of which at any moment of time can be in one of two states: pressed or released. Depending on the specific keyboard, the number of keys may vary. To build the model, we will restrict the set of keys only to those that, as a rule, are involved in typing. These keys include: character and number keys ( where i is the key number.
Since the proposed model has 58 elements, each of which can be in one of two states, the total number of possible states of the model is 2 ^ 58, which is more than a quadrillion states. Obviously, handling so many states is nearly impossible, and the vast majority of states will never arise. Therefore, to simplify the model and reduce the number of possible states, we introduce a limitation on the number of keys that are simultaneously pressed to two. This limitation allows us to almost completely describe the process of typing text on the keyboard. The exception is the use of control combinations, which involve the simultaneous pressing of three or more keys. These combinations can be excluded from the model or considered separately as additional features. Thus, taking into account the described limitation, the number of possible states can be calculated as one initial state, when all keys are released, the number of possible states when one key is pressed and the number of states with two simultaneously pressed keys becomes equal to 1712, which is a more acceptable number for constructing models of keystroke dynamics.
Thus, this approach allows us to represent the process of typing on the keyboard not as a sequence of events of pressing or releasing an arbitrary key, but as a sequential change in the states of the keyboard, represented as vectors of a fixed size, each of which is associated with a time stamp. The time intervals between two consecutive states are features on the basis of which a biometric image of the keystroke dynamics can be built. This feature combines the concepts of the interval between keystrokes (FT) and the key holding time (DT).
In this paper, we propose a different approach that would take into account the described models of sequences of keystrokes. For example, consider a keyboard model consisting of only two keys: A and B. Based on this, we present the state matrix for this model, which is shown in Table I. Columns A and B indicate the state of the key: 0 -released, 1 -pressed. The set of states of the individual keys is designated as the state. In this case, the sequence of states for two consecutive keystrokes without intersection will be as Graphically, this process can be represented as shown in Figure 2.

Figure 2. State sequence for a model without intersections
For the second model with incomplete overlap, the sequence will be as follows: 0 This process is shown graphically in Figure 3.  With a sequential change of states, which corresponds to the process of typing on the keyboard, the final state of each 0 model in the selected template is the initial state for the next block of states. Therefore, it is proposed to define the context of the chain of states, which contains 4 consecutive states, between which three of time intervals are calculated. This approach will allow us not only to extract the primary features of the keystroke dynamics, but also to separate them depending on the used model of the sequence of keystrokes, which were considered earlier. In addition, the presentation of the biometric image of the keystroke dynamics in the form of a state context allows using a single feature space that combines FT, DT and their derivatives. It is assumed that this method will help with building the most complete and accurate model of user keystroke dynamics.

Algorithm for the building of state contexts
As described earlier, the keyboard generates events of the form:

(Timestamp)
A sequence of events of this kind is converted into a sequence of state contexts according to the following algorithm.
Let's define a tuple: = ( 1 , 2 , 3 , 4 ) (4) Where = (Timestamp) is the number of consecutive events stored in the tuple corresponds to the number of events in the context. At the initial moment, this tuple is empty. Each time an event occurs, it is placed in a tuple. Time intervals are calculated between successive events in a tuple and stored in a separate tuple T: = (∆ 2;1 , ∆ 3;2 , ∆ 4;3 ) After each insertion to the tuple, the content is parsed. If the number of events in a tuple is four, the tuples M and T are transformed into a context of the form = {{ , , , }; {∆ , ∆ , ∆ }} and transmitted for further processing. If the tuple already contains four elements when the event is raised, the elements are shifted to the left, removing the first element. The new event is placed in place of the last item. A similar procedure is performed for a tuple of intervals between events.

Benefits of state-based representation of keystroke dynamics
On the basis of the described representation of typing text process, it is possible to describe the feature vector, which will be the basis for the static analysis of the keystroke dynamics.
Regardless of which set of features is used to build the feature vector, they can be described as a sequential change of the keyboard state. That is, this approach is a universal way of representing various temporal characteristics of keystroke dynamics: intervals between keystrokes, key holding times, n-graphs or their derivatives.
This format can be used as a basis for static identification. For example, if the vector of intervals between keystrokes is used as the basis of the identification method, then the process of typing a passphrase can be described as a pair of tuples of the following form: = ( 1 , 2 , … , … , ), ∄ = 0 (7) = ( 2 1 , 3 2 … , −1 ), where N is the number of characters in the passphrase, S is a sequential tuple of states that does not contain zero states, T is a tuple of intervals between the corresponding events.
Thus, the set of methods and approaches of static analysis, which was considered earlier, can be adapted for a universal representation based on the representation based on the state of the keyboard, regardless of what set of features was initially selected for a particular method.
In addition, the described method of representing the keystroke dynamics in the form of a sequential change of keyboard states can be used to perform a dynamic analysis of the keystroke dynamics. For this purpose, the concept of a state context was introduced, which represents four sequential states and the time intervals between them. As noted earlier, four sequential states allow us to fully describe the pressing of two key sequences, taking into account all the described intersection patterns. Within the framework of this study devoted to the development of a for keystroke dynamics analysis system, it is proposed to consider the continuous process of typing text on the keyboard during the entire user session in the form of a sequential change in state contexts. In this case, the state context is used as an independent vector, for each of which an identification procedure is executed using one or more static identification methods. Thus, in this approach, it is proposed to analyze the time window for the sequence as a passphrase, after which the sequence of classification decisions for each individual context is aggregated into a common identification solution.

CONCLUSION
Thus, this article has shown that ensuring information security using biometric identification methods, both as an independent means and as a strengthening of existing security systems, is a complex and urgent task.
The existing methods and algorithms for keystroke dynamics analysis were considered, both based on a fixed passphrase and continuous analysis throughout the entire user session. The