CERIAS - Center for Education and Research in Information Assurance and Security

Skip Navigation
Purdue University - Discovery Park
Center for Education and Research in Information Assurance and Security

A Rules Based Statistical Algorithm for Keystroke Detection

Paul Kidwell - Purdue University

Jan 21, 2009

Size: 358.8MB

Download: Video Icon MP4 Video  
Watch in your Browser   Watch on Youtube Watch on YouTube


A rules-based statistical algorithm (RBSA) identifies packets in any TCP connection that are client keystrokes of an ssh login. The input data of the algorithm are the packet arrival times and TCP/IP headers of the connection packets at a point along the path of the connection.

The algorithm is applied to all connections seen by a network monitor; ssh port 22 connections are classified as client-keystrokes or scp file transfers, and ssh keystroke connections are discovered for all other
ports. This forms a network login database that can be further analyzed for network security monitoring and forensics. One application is to an "inside'' network in which the monitor sees all connections between
the inside and outside.

The model --- which uses the packet sizes, flags, and interarrival times --- first goes through the packets identifying epochs of different activities, and then goes back and uses more detailed information for
the classification. Performance from three types of packet traces is excellent.

Previous work has proceeded by forming connection summary statistics from the headers and timestamps, and classifying the connection as one with keystrokes or not using the statistics. The RBSA takes on a much
more ambitious task of classifying each packet as a client keystroke packet or not, but in the end the classification of the connection has extremely low false positives and false negatives.

One important property of the RBSA is that it does not employ packet payload, as is done in some connection-level surveillance methods, so it
cannot be defeated by an attacker through payload encryption. A second important property is that the inside network can be a large enterprise,
allowing monitoring and forensics across a very large number of hosts from a single device."

Unless otherwise noted, the security seminar is held on Wednesdays at 4:30P.M. STEW G52, West Lafayette Campus. More information...


The views, opinions and assumptions expressed in these videos are those of the presenter and do not necessarily reflect the official policy or position of CERIAS or Purdue University. All content included in these videos, are the property of Purdue University, the presenter and/or the presenter’s organization, and protected by U.S. and international copyright laws. The collection, arrangement and assembly of all content in these videos and on the hosting website exclusive property of Purdue University. You may not copy, reproduce, distribute, publish, display, perform, modify, create derivative works, transmit, or in any other way exploit any part of copyrighted material without permission from CERIAS, Purdue University.