The Power of Behavioral Fingerprinting

A big data application of online behavior detection is well suited for antifraud protection

Big Data Evangelist, IBM

On the cloud, it’s actually not true that people don’t know you’re a dog.

The big data–driven cloud applications know lots of stuff about end users, even information they may think is a personal secret, as the whole Edward Snowden imbroglio has demonstrated. If you are of canine heritage, it probably senses that you’re habitually pressing down on your iPad in a manner that indicates several things about you.

For starters, the cloud probably detects that you have extremely small, oddly shaped hands that don’t seem to coordinate with each other. It probably notices that your typing skills may be poor or nonexistent. It suspects that you may not be literate, since you’ve never once entered a single word into any dialog box, even when prompted. In addition, you don’t seem to understand the concept of Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA) because you’ve never passed a single such test. Last but not least, you press the screen very insistently every time an image of a sirloin steak, fire hydrant, or letter carrier displays. To borrow a phrase from Jeff Foxworthy, you just might be a Redbone Coonhound.


Nothing is sacred

All joking aside, cloud-based behavioral analytics can also sense a lot of things about human beings as well. Subconscious behavioral patterns tell plenty of stories about you and me, some of them quite subtle. If others are paying close attention to a person’s online behavior, they may be able to identify that person with a high degree of confidence. In this case, others refers to machine-learning models processing the gobs of unstructured data generated by those online behaviors, and identify refers to the person’s species—that’s assumed. But it also refers to who specifically the person is—by name, Social Security number, and so on. And online behavior refers not just to the way he or she manipulates the keyboard, but more importantly, it introduces the possibility that the person is misbehaving—for example, attempting through fraud to rob someone blind.

Some call this big data application behavioral fingerprinting,1 and that’s a good name for it. Behavioral patterns are the core of our unique personalities, and they are how everybody else senses who we are deep down as people. Just as your family and intimate friends are attuned to minute anomalies in your behavior—which might signal that you’re sick, impaired, or just “not yourself today”—behavioral analytics models can also sense these kinds of signs. In particular, they can sense that the typical you that’s accessing your bank account online is in fact the you that’s currently doing so—or not. If we’re not ourselves today, as evidenced by our online behavior, a criminal impersonating us is a more likely scenario than our suddenly developing a split personality.


Online behavior detection

Online fraud identification is a big data application in which behavioral fingerprinting makes great sense. Recently, IBM announced that it has patented a behavioral fingerprinting technique2 to enable nonintrusive, strong authentication in web- and cloud-based applications. Think of it as yet another authentication factor that can be invoked automatically in a web browsing session if and when anomalous end-user behaviors signal the possible presence of fraudulent activities in progress.

The invention, called user-browser interaction-based fraud detection system,3 is grounded in the fact that individual people exhibit unique online behavioral patterns. For example, any given end user visiting an online banking or shopping site may habitually click certain links more often than others. He or she may tend to use the keyboard’s up and down arrow keys rather than on-screen graphical features to navigate within pages. The end user may tend to insert a stray letter e or k at least once when entering free text into online forms. He or she may be inclined to tap or swipe a tablet touch screen one way, and a smartphone in a very different way—you get the idea.

Leveraging this fraud-detection invention, a web or cloud application, when it detects a change in end-user behavior, triggers a secondary authentication challenge, such as a security question, for the end user in question. This secondary challenge helps businesses and website operators avoid burdening all end users—regardless of risk profile—with the need to respond to this extra authentication factor. This condition is important in a world where online retailers, banks, and other businesses compete on the basis of customer experience. It’s also vital in an environment in which customers are not averse to churning to competitors when a website’s end-user experience is not up to snuff.

Non-obstructive behavioral fingerprinting, as implemented by this invention, is a possible alternative to the obtrusive and ubiquitous CAPTCHA. To the extent that CAPTCHA’s vulnerabilities are starting to show,4 this invention’s usefulness also derives from a single point. Building bots that impersonate someone’s entire online behavioral profile in a manner similar enough to not trigger the secondary challenge, but different enough to avoid flagging that it’s simply mechanically replaying the end user’s previous browsing sessions, is extremely problematic.

In other words, real humans exhibit self-similar behavior, but they are not robotic. The true power of behavioral fingerprinting on the web is that it can easily tell the difference. It’s a fraud-busting technology par excellence.

Please share any thoughts or questions in the comments.

1Big Identity? Social Graphs Enable Behavioral Fingerprinting,” by James Kobielus, Big Data Integration group, LinkedIn, May 2013.
2Made in IBM Labs: Patented IBM Invention Helps Eliminate Fraudulent Behavior in the Cloud,” IBM press release, IBM, May 2014.
3 User-browser interaction-based fraud detection system, US Patent and Trademark Office (USPTO), February 2014.
4Big Identity? The Fragile Foundation of CAPTCHA in the Era of Online Image Analytics,” by James Kobielus, Advanced Business Analytics, Data Mining, and Predictive Modeling group blog, LinkedIn, November 2013.


[followbutton username='jameskobielus' count='false' lang='en' theme='light']
[followbutton username='IBMdatamag' count='false' lang='en' theme='light']