Title: Combining user behavioural information at the feature level to enhance continuous authentication systems

Authors: G. Martín, Alejandro; Martín de Diego, Isaac; Fernández-Isabel, Alberto; Beltrán, Marta; R. Fernández, Rubén

Dates: 2023-09-20; 2023-09-20; 2022

Citation: Alejandro G. Martín, Isaac Martín de Diego, Alberto Fernández-Isabel, Marta Beltrán, Rubén R. Fernández, Combining user behavioural information at the feature level to enhance continuous authentication systems, Knowledge-Based Systems, Volume 244, 2022, 108544, ISSN 0950-7051, https://doi.org/10.1016/j.knosys.2022.108544

ISSN: 0950-7051

URI: https://hdl.handle.net/10115/24413

DOI: 10.1016/j.knosys.2022.108544

Funding: Research supported by grants from Madrid Autonomous Community, Spain (ref: IND2019/TIC-17169); and from the Spanish Ministry of Economy and Competitiveness, Spain under the Retos-Investigación program: MODAS-IN (ref: RTI-2018-094269-B-I00); and donation of the Titan V GPU by NVIDIA Corporation, Spain; and by grants from Rey Juan Carlos University, Spain (Ref: C1PREDOC2020).

Abstract:

The scientific and business communities are proposing new authentication methods more robust than traditional solutions relying on a single security point such as passwords (i.e. "something you know"). User and Entity Behavior Analysis (UEBA) has been postulated as an excellent solution to improve authentication systems by performing continuous authentication to extend the authentication process over time. UEBA is based on detecting anomalies in the intrinsic behaviour of each user or entity (i.e. it is based on "something you are/do"). This paper presents a method for performing continuous authentication using UEBA techniques that allows combining information from multiple sources at the feature level. This combination is achieved through a novel Symbolic Aggregate approximation (SAX) using Random Trees Embeddings for each information source, producing a sequence of symbols. Then, these sequences of symbols are combined into a single sequence using temporal information. The resulting sequence of symbols feeds a density-based clustering model that uses a distance based on DNA sequence alignment techniques to extract behavioural cores. Finally, new samples are compared against these cores to detect anomalies using a risk model that evaluates if a behaviour is anomalous (suspected user impersonation). The model has been extensively tested and evaluated against well-known state-of-the-art datasets.

Language: eng

License: Attribution-NonCommercial-NoDerivatives 4.0 International, http://creativecommons.org/licenses/by-nc-nd/4.0/

Keywords: Anomaly detection; Behavioural information combination; Continuous authentication; User and Entity Behaviour Analytics

Type: info:eu-repo/semantics/article

Access rights: info:eu-repo/semantics/openAccess