Description
This detector identifies deviations in the physical way a person interacts with their keyboard and mouse, compared to their established individual baseline. Every person develops a characteristic input signature over time - the pace at which they type, the timing between individual key presses, how long each key is held, and the way they move a cursor across the screen. These patterns are stable enough to distinguish between two different people operating the same device.
When these patterns shift, or when they are absent entirely, it indicates that either a different person is operating the device, or that input is being injected or relayed rather than generated by a human physically present at the machine.
Typing and mouse signals are partially available through the browser at the moment of a session. Full baseline comparison and drift detection over time require the deployed agent.
Key Indicators
Typing speed and cadence
The average rate at which a person types, and the rhythm of pauses between words or sentences. Most people have a consistent typing speed that varies within a narrow range. An abrupt change in pace - significantly faster, slower, or perfectly uniform - is a notable deviation.
Inter-key timing
The time between individual key presses varies in a person-specific way. A user who consistently presses certain key pairs (for example, e followed by r) with a characteristic interval will deviate noticeably when replaced by a different person, even at a similar overall speed. Automated input produces unnaturally regular inter-key intervals.
Key hold duration
How long each physical key is held down before release varies between individuals based on typing style, keyboard hardware, and muscle memory. Remote-injected input, such as from KVM-over-IP hardware or remote control software, produces characteristically different duration distributions compared to a physically present typist.
Mouse movement trajectory and noise
Physical mice produce slightly curved, organically noisy movement with natural overshoot and micro-corrections. Remote or programmatically generated input tends toward more linear trajectories, uniform speed, or exhibits a latency floor reflecting network round-trip time between the operator and the device.
Cursor report rate
Physical mice at high polling rates (500–1000 Hz) generate significantly more movement events per animation frame than remote-controlled or emulated devices (typically 125 Hz). This difference is detectable passively in the browser, without requiring any permissions, and is a reliable indicator of whether input is physically local or remotely relayed.
Relevance to Social Engineering Attacks
Input pattern anomalies expose the scenario where a different person is operating a device, regardless of whether credentials, identity documents, or other materials match. Unlike technical fingerprints that an attacker can research and replicate, physical interaction patterns require the actual individual to be present.
Key attack-related scenarios include:
Device takeover by a remote operator
When an attacker connects to an employee's device through remote control software, their own typing and mouse patterns replace those of the legitimate user. The input arriving at the application reflects the remote operator's habits, not the employee's baseline.
KVM and hardware-level remote access
Devices operated via KVM-over-IP hardware inject input at the USB HID layer, producing timing patterns characteristic of network-relayed input rather than a local typist. Key hold durations, inter-key timing, and mouse event rates all reflect the intermediary hardware.
Impostor operating a legitimate device
When a fraudulent employee operates a device under a fabricated identity, their input patterns cannot match any previously established baseline. Early interactions establish a baseline; deviations appear if a different person takes over the account.
Scripted and automated interactions
Automation frameworks that simulate human input produce unnaturally uniform inter-key timing and perfectly smooth cursor trajectories. Even stealth plugins designed to obscure automation artifacts rarely reproduce the full organic variability of a real human typist.
Examples of Detected Techniques and Scenarios
This detector is effective against:
Remote desktop and KVM-over-IP tools
AnyDesk, TeamViewer, RustDesk, RDP, VNC, piKVM, and similar hardware or software remote access platforms that relay input over a network.
Browser automation frameworks
Selenium, Playwright, Puppeteer, and stealth variants that inject synthetic keyboard and mouse events into the browser runtime.
Physical impostor access
A different person physically sitting at the legitimate employee's workstation, identifiable by deviation from the established individual input signature.