Betrayed by the keyboard: How what you type can give you away

Conference:  Defcon 26



The presentation discusses a study on using keystroke dynamics to link cyber attacks to the same attacker.
  • The study involved configuring two virtual machines with vulnerabilities and recording keystrokes of volunteers who attempted to exploit them.
  • Behavioral domains of navigation, enumeration, and exploitation were identified and used to classify linked and unlinked offenses.
  • The study found that the behavioral domains were able to classify linked and unlinked offenses with a high level of accuracy.
  • Future research could include looking at the effect of expertise, temporal proximity, and scenario diversity.
  • Automating the process of linking cyber attacks could be beneficial for investigators and privacy.
  • The study had limitations such as a small sample size and only looking at one scenario.
The presenter used a bot called insightful robot that ran famous quotes through Google Translate 13 times and tweeted the result every day at 10:00 a.m. to illustrate how badly Google Translate can mangle text.


Attribution is hard. Typically, the most useful identifiers—IP addresses, email address, domains, and so on—are also the easiest things to spoof, obfuscate, or anonymise. Whilst more advanced techniques, such as correlating malicious activity with timezones, or linking attacks through the use of similar techniques or malware, can be useful, they tend to take investigators further away from the individuals responsible; at best, some inference about the country or specific actor group/collective can be made. In this talk, I present a method for linking incidents to individual attackers with a high degree of accuracy, based on extremely fine-grained behavioural characteristics. This involves an investigatory technique known as "case linkage analysis" (CLA), which uses granular aspects of crime scene behaviours to link common offenders together through statistical comparison. It's been applied to some crime types before, but never to cyber attacks. I'll cover how CLA works, its advantages and disadvantages, and how it has previously been applied to a range of crimes, from burglary to homicide. I'll place it within the context of personality psychology, biometrics, forensic criminology, offender profiling, and forensic linguistics; and will walk through applying it practically. I'll then show the results of a novel experiment I conducted applying CLA to network intrusion attacks, which involved logging the keystrokes of volunteer attackers across different simulated intrusions, breaking these down into specific behaviours and syntax, and using these to link individuals to their offences. The end result: the way you type commands, including your choice and order of syntax, switches, and options, can form distinctive behavioural signatures, which can be used to link attackers together. Linking accuracy rates as high as 99% were achieved. Finally, I'll talk about the implications for both defenders and everyone else (particularly focusing on the privacy implications), explore ways in which these techniques could be defeated, and outline some ideas for future research in these areas.