Rather than rely on something people provide to gain access to computer systems and networks, a Pentagon research agency is beginning an effort that enables computers to figure out who is on the system to make it harder for cyber adversaries to hack their way onto a network.
The Defense Advanced Research Projects Agency (DARPA) plans to release either a Broad Agency Announcement or Research Announcement later this month or in early December for its Active Authentication program, which will initiate a basic research effort in software biometrics to identify people rather than rely on things such as passwords, user IDs and physical biometrics.
DARPA plans to award contracts for between six and eight studies early next year for phase one of the Active Authentication program. The contracts will be for less than $500,000 each and last between three and six months.
This is “a ‘cognitive fingerprint’ that we’re trying to get to,” Richard Guidorizzi, program manager within DARPA’s Information Innovation Office, says at an Industry Day last week to kick off the program. “A fingerprint of who you are. Just like the fingerprint from your finger leaves a trace behind, there’s a trace left behind of how you think and how you behave that we’re trying to capture in these aspects of who you are.”
Ultimately the computer “understands who is sitting at the console and tracks who is there and allows you to have access to what you’re supposed to have access to because it knows who is sitting there at the computer,” Guidorizzi says. “I want to make the machine aware of the operator so it knows who is there and make it harder for adversaries to break in and pretend to be you.”
Mouse tracking, that is, the way a person moves the mouse, is one possible way to begin establishing the cognitive fingerprint, Guidorizzi says. Google [GOOG] already uses this technique to help refine a person's search, he says.
Another example of software biometrics is forensic authorship, which applies statistical analysis to things like average word length, unique words and other patterns that can be found in a document to potentially help identify a user, Guidorizzi says.
Ultimately, “I want a range of different aspects that make up you so that while you’re working, based on what you’re doing, the system is tracking who you are,” he says. “It goes back and forth so the adversary doesn’t know what to look for at what time.”
Guidorizzi says that layering several software biometrics, such as combining mouse tracking with forensic authorship analysis, sharpens the system's picture of the individual and lets it authenticate a user relatively quickly. Increasing the number of samples decreases the number of false positives, he says.
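To make the two modalities named above and their fusion concrete, here is an added illustration (not DARPA's or any contractor's code): each modality is enrolled as a per-feature mean and spread, a later session is scored by how far it deviates from that profile, and the modality scores are averaged so a session must look like the user on both text style and mouse movement. All texts, mouse deltas, feature choices and the acceptance threshold are constructed assumptions for the example.

```python
import re
import statistics as st

def stylometry_features(text):
    """Forensic-authorship features of the kind the article names: word length, vocabulary, sentence length."""
    words = re.findall(r"[A-Za-z']+", text.lower())
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    return {"avg_word_len": sum(map(len, words)) / len(words),
            "type_token_ratio": len(set(words)) / len(words),
            "words_per_sentence": len(words) / len(sentences)}

def mouse_features(moves):
    """Mouse-dynamics features from a list of (dx, dy, dt) movement deltas (pixels, seconds)."""
    speeds = [(dx ** 2 + dy ** 2) ** 0.5 / dt for dx, dy, dt in moves]
    return {"mean_speed": st.mean(speeds), "speed_jitter": st.pstdev(speeds)}

def enroll(samples):
    """Per-feature (mean, std) over enrollment samples; std floored at 10% of the mean so a tight set does not reject everything."""
    profile = {}
    for k in samples[0]:
        vals = [s[k] for s in samples]
        mu = st.mean(vals)
        profile[k] = (mu, max(st.pstdev(vals), 0.1 * abs(mu)))
    return profile

def deviation(profile, sample):
    """Mean absolute z-score of one modality's sample against its enrolled profile (0 = typical for the user)."""
    return st.mean(abs(sample[k] - mu) / sd for k, (mu, sd) in profile.items())

def authenticate(profiles, samples, threshold=2.0):
    """Fuse modalities by averaging their deviations; accept only if the fused score is under the threshold."""
    score = st.mean(deviation(profiles[m], samples[m]) for m in profiles)
    return score <= threshold, score

# Constructed enrollment data for one user: three short texts and three mouse-movement bursts.
ENROLL_TEXTS = ["the quick fox runs. the slow dog sleeps.",
                "a cat sat. the cat ran. a dog barked.",
                "birds sing. fish swim in the sea."]
ENROLL_MOUSE = [[(30, 40, 0.2), (60, 80, 0.3), (0, 50, 0.15)],
                [(50, 0, 0.2), (30, 40, 0.15), (80, 60, 0.4)],
                [(40, 30, 0.15), (0, 60, 0.2), (60, 80, 0.3)]]
PROFILES = {"text": enroll([stylometry_features(t) for t in ENROLL_TEXTS]),
            "mouse": enroll([mouse_features(m) for m in ENROLL_MOUSE])}

# Constructed later sessions: the same user, then someone else sitting at the console.
LEGIT = {"text": stylometry_features("the fox naps. the owl hunts at night."),
         "mouse": mouse_features([(30, 40, 0.2), (0, 60, 0.2), (80, 60, 0.3)])}
IMPOSTER = {"text": stylometry_features("administrators nevertheless implemented comprehensive authentication infrastructure throughout."),
            "mouse": mouse_features([(5, 0, 0.5), (3, 4, 0.4), (0, 6, 0.6)])}
```

Calling `authenticate(PROFILES, LEGIT)` accepts with a fused deviation well under 1, while `authenticate(PROFILES, IMPOSTER)` rejects with a score several times the threshold; a real deployment would score continuously over a sliding window rather than once per session.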
In phase one, in 2012, DARPA will look at new authentication modalities and push research forward in each of them, Guidorizzi says. The authentication framework for connecting the different modalities and moving into an operating mode won’t come until 2013 and beyond, he says.
A third component to the program is system testing and validation of the new modalities as they are being developed. This will involve “Red Teaming” while new modalities are being developed “so that the adversarial people are there” to make sure vulnerabilities are found early, Guidorizzi says.
The problem with current methods of logical access is that they can be compromised by adversaries more easily, Guidorizzi says. Physical biometrics can be replicated and bypassed. Passwords created by users are typically based on easy-to-decipher patterns, which creates a weak link in security, he says.
Eventually active authentication could be applied to other areas such as tactical uses, command and control, physical security, mobile technologies and more, Guidorizzi says. For now, though, the effort is focused on the desktop computer user in an office environment.