Abstract:
This paper presents a description of the LUS method for creating models (signatures) of computer users from datastreams that characterize users' interactions with computers, and the results of initial experiments with this method. By applying the models to new user activities, the system can detect an imposter, or verify a user’s legitimate activity. In this research, original datastreams are lists of records extracted from the operating system’s process table. The learned user signatures (LUS) are primarily in the reported results in the form of sets of multistate templates (MTs), each characterizing one pattern in the user’s behavior. Advantages of the method include the significant expressive power of the representation (a single template can characterize a large number of different user behaviors) and the ease of their interpretation, which makes possible their editing or enhancement by an expert. Presented initial results show a great promise and power of the method.
