
Combining Keystroke and Mouse Dynamics for a Stronger and More Usable Authentication Mechanism.


Index

  1. Introduction
  2. A Survey of Related Works
    2.1 The Landscape
    2.2 Algorithmic works
    2.3 Systems and Integration
  3. Our Contribution
  4. Approach and Model
    4.1 Data Acquisition
    4.2 Design
    4.3 Performance Measurement
  5. Results

Project Timeline:

Title- Combining Keystroke and Mouse Dynamics for a Stronger and More Usable Authentication Mechanism.
Proposal- April, 2018.
Break- June-August, 2018.
Literature Review/ Proposal Corrections- Sep-November 15, 2018.
Development/ Testing/ Results- November 15- December 15, 2018.
Publication Drafts Deadline- January 15, 2019.
Beta-Deployment Deadline- January 30, 2019.
Hard-Deadline for Final Submission- May, 2019.


1. Introduction

Since as early as the late 70s, researchers and organizations alike have been concerned about user authentication and verification to prevent unauthorized access to computer systems [Meissner] [FIPS 1977]. Following the unprecedented and almost sudden proliferation of computers and world-wide web services, authentication has become a daily chore for all of us. Even though authentication techniques come in different forms and flavors, the majority of them still use a text-based authentication system.

Owing to their simplicity, text-based authentication techniques have their own distinctive appeal. Like any other information science component, however, they are not perfect, and there is a range of well-known exploits. Researchers have therefore tried to make text-based authentication systems more resilient by enhancing them with additional techniques. Thorough and critical works range from better security policy designs [Shay] to very difficult to exploit Multi-Factor Authentication (MFA) mechanisms [Weber] to federal publications for security frameworks [NIST].

Aware of the observations that each telegraph operator had a distinct pattern of keying [Bryan & Harter] and that typing is a motor-programmed skill which is organized in advance of its actual execution [Shaffer], [Leggett et al.] proposed one of the earliest identity verification schemes based on keystroke characteristics. Since keystroke dynamics are personal characteristics of authenticators, they can easily serve as a biometric. Traditionally, biometric methods such as fingerprints and physical tokens have been associated with additional security, but they also come with an additional price. With access to keystroke dynamics, existing computing systems can be extended with this new biometric for almost no additional cost. [Monrose] proposed such a password hardening scheme using keystroke dynamics.

As mouse-based Graphical User Interfaces started becoming commonplace, similar observations were made for mouse dynamics as well [Ahmed]. Additionally, there are proposals for systems which combine both keystroke and mouse dynamics [Mondal & Bours] [Traore et al.]. In the Related Works section, we discuss various works in the field using a comprehensive framework.

Keystroke and Mouse Dynamics for Usable Security

The existing body of literature on behavioral biometrics for authentication and identification emphasizes ‘strengthening’ an existing system by adding layer(s) of behavioral biometrics on top of existing authentication, say text-based username-password authentication alone. The simplistic logic is that such a system would be far more secure, but the extra load on the user is ignored. For instance, in the case of static authentication, out of fear of going through a longer authentication process, a user may choose not to log out of authentication sessions. Continuous authentication systems, on the other hand, may not be practical for all applications.

** Usable Security diagram goes here. **

Although it is left to be explored in future works, we are yet to see the practical implications of the extra burden of the behavioral biometric that lets us achieve the extra theoretical security. [Herley] argues that the user’s rejection of the security advice they receive is entirely rational from an economic perspective. Arguing about stronger password policies, [Inglesant] shows that there is a negative impact on the productivity of users and their organizations. However, inferring from conclusions in [Shay et al.], we may conclude that users in systems with behavioral biometric authentication systems will feel more secure.

This paper also presents a scheme where the benefits of added security due to multi-factor static authentication could be enjoyed with much more usability; hence, guaranteeing a better practical performance than previous schemes. In essence, the behavioral biometrics become a decision layer between text-based authentication and extra layers of authentication. Behavioral biometrics is not an end in itself; it is rather a means to an end, and the end is more practical security. [Pin et al.] comes closest to such an outlook, but it only accommodates keystroke dynamics and there is an initial enrollment phase.

2. Related Works

2.1 The Landscape

Current research literature on using keyboard and/or mouse biometric dynamics for security improvements is very diverse. Some works pertain to algorithmic optimizations, while others are new integration proposals. For a comprehensive review, we suggest the following approach. Current publications fall under the following categor(y/ies):

2.2 Algorithmic Works

The majority of the algorithmic works are concerned with improving the results of existing publications. [Leggett et al.] was one of the earliest to propose a dynamic authentication system using statistical methods for digraph latency analysis between keystrokes. [Killourhy et al.] put forth a survey of various algorithms on a data set of the typing behaviour of 51 typists; the dataset was made public (henceforth referred to as the CMU keystroke dataset) and many works have reported performance improvements using different algorithmic techniques [Deng & Zhong, 2013] [Zhong et al., 2013] [Ali et al., 2017]. There are other works which have reported performances on different datasets in their experiments. [Rezaei & Mirzakochaki, 2012], for instance, reports a FAR and FRR of 0.0% using a combination of various classifiers.

There are similar contributions on mouse dynamics as well [\[Salman & Hameed, 2018\]](#salman) [\[Shen et al., 2013\]](#shen) [\[Ahmed & Traore, 2007\]](#ahmed). Some notable contributions use both keystroke and mouse dynamics, effectively using a multi-modal model for the two different biometrics [\[Traore et al., 2012\]](#traore) [\[Mondal & Bours, 2016\]](#mondal). In terms of data sources, works rely either on a **single modality**, i.e. one of the two behavioral biometrics, or on a **multi-modal** model which takes both keystroke and mouse dynamics as input. A more thorough tabular survey can be found in [table 1](#table1).

2.3 Systems and Integration

Systems and Integration is concerned with the “big picture” of putting the final work within an existing system with some well-defined purpose. Some works define their application and integration in detail [Shen et al., 2013] [Mondal & Bours, 2016], while some focus more on the algorithmic side and do not feel the necessity to do so. In general, all the published works on behavioral biometric methods for identification and authentication fall in either of the two categories:

1. Static Authentication relies on behavioral biometrics only once, ideally during the authentication phase. Once an authentication session is active, the biometric authentication methods are not triggered.
2. Continuous Authentication methods have also been suggested in the literature. In this case, the behavioral biometrics are continuously monitored and an active session is maintained as long as the system is convinced about the authenticity of its user.

| Publication | Purpose | Approach | Data Sources | Performance |
| --- | --- | --- | --- | --- |
| Mondal & Bours, 2016 | Continuous Authentication and Identification | Pairwise Coupling | Mouse and Keyboard (25) | Identification Accuracy Rate = 62.2% |
| Leggett et al., 1991 | Continuous and Static Authentication | Digraph Analysis & Sequential Statistics Theory | Keyboard (36) | Static (FAR = 11.7%, IPR = 5.8%); Dynamic (FAR = 11.1%, IPR = 12.8%) |
| Deng & Zhong, 2013 | Static Authentication | Gaussian Mixture Model & Deep Belief Nets | CMU Dataset | GMM (EER = 5.5%); DBN (EER = 3.5) |
| Zhong et al., 2013 | Static Authentication | Combined Mahalanobis & Manhattan Distance | CMU Dataset | EER = 8.4% |
| Killourhy et al., 2009 | Static Authentication | Manhattan (scaled), Euclidean, Nearest Neighbor (Mahalanobis), SVM (one-class), Fuzzy Logic, k-Means, etc. | CMU Dataset | Manhattan (EER = 9.6%, FAR = 60.1%); Euclidean (EER = 17.1%, FAR = 87.5%); Nearest Neighbor (Mahalanobis) (EER = 10.0%, FAR = 46.8%); SVM (one-class) (EER = 10.2%, FAR = 50.4%); Fuzzy Logic (EER = 22.1%, FAR = 93.5%); k-Means (EER = 37.2%, FAR = 98.9%) |
| Salman & Hameed, 2018 | Continuous Mouse Authentication | Neural Network, Gaussian Naive Bayes | Mouse dynamics of 48 users over 998 sessions | FAR = 2.6%, FRR = 2.5% |
| Shen et al., 2013 | Static Mouse Authentication | One-Class SVM, Neural Network Backpropagation (NN-BP), 3 Nearest Neighbor | 5550 samples of 37 subjects | SVM (FAR = 8.74%, FRR = 7.96%); NN-BP (FAR = 12.78%, FRR = 12.22%); 3 Nearest Neighbor (FAR = 15.67%, FRR = 14.53%) |
| Lin, 1997 | Static Authentication | Three-layered back-propagation neural network | 90 valid users and 61 invalid keystroke dynamics | FAR = 1.1%, IPR = 0.0% |
| Ahmed & Traore, 2007 | Mouse-based biometric detection | Neural Network | 45 average sessions (each 30 minutes long) for 21 users | FAR = 2.5%, FRR = 2.5% |
| Rezaei & Mirzakochaki, 2012 | Static Authentication | Fusion of LDC, QDC and K-NN classifiers | 100 keystroke patterns for 24 users | FRR = 0.0%, FAR = 0.0%, EER = 1.15% |
| Ali et al., 2017 | Static Keystroke Verification | Partially observable HMM | CMU Dataset | EER = 4.5% |
| Traore et al., 2012 | Static Mouse and Keystroke Authentication | Bayesian Fusion | Keystroke and mouse behavior of 24 users | EER = 8.21% |

Table 1: Previous works using different techniques for using behavioral biometrics for different purposes.

3. Our Contribution

The focus of this paper is to use behavioral authentication as a decision layer in authentication systems. If the behavioral authentication result is above a certain confidence threshold, the user is successfully authenticated; otherwise, additional authentication challenges could be posed to the user to verify his/her identity. Our contribution is unique in that:

  1. We focus on using behavioral biometrics for additional security but at no extra cost on the part of the user in terms of usability. In other words, we use behavioral biometrics as a part of an enhanced security protocol that dynamically adapts for more usability while offering the same level of security.
  2. We are able to achieve a usable level of performance in an environment where the data is scarce due to the short interaction time between the user and the computer (typically 5-15 seconds) per session.
  3. There are no additional requirements in terms of hardware, software or add-ons. A web-browser with JavaScript enabled is all that is required on the authenticator side. Additionally, on the user side, there is no additional requirement whatsoever.
  4. We propose a hierarchical scheme where the algorithm is adaptive and allows for different behaviors pertaining to a user.

4. Approach and Model

Instead of using an enrollment phase, we collect keystroke and mouse dynamics from the user in every authentication session (described further in the Data Acquisition section below). After multiple successful login attempts, the algorithm generates a biometric profile. The total number of authentications required before a successful biometric profile is generated will depend on the variability in modelling the particular user’s behavior. After a profile is generated, in future login attempts the user’s keystroke and mouse dynamics will be checked against the profile to get the full advantage of using keystroke and mouse dynamics for authentication. The next section describes how the model is extended to handle multiple profiles based on the user’s interaction on different systems and how the profiles are ranked.

4.1 Data Acquisition

4.1.1 Keystroke Dynamics

The keystroke dynamics are collected from the time the authentication session starts. The keystroke dynamics vector is essentially a time-series of three attributes:

  1. KP, the key identifier for the key P that was pressed.
  2. KPD, the time when the key was pressed.
  3. KPU, the time when the key was released.

From the above attributes, a new feature vector is generated which has additional information like digraph timing and in-flight time i.e. the time between when a key was released and the following key was pressed. Additionally, the time when the first key was pressed is set to zero to normalize the data.
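The derivation described above can be sketched as follows. This is an added example, not code from the paper; the field names `kp`, `kpd`, `kpu` mirror the attributes listed, while the function name, the `redactKeys` option and the sample events are assumptions made for illustration.

```javascript
// Added example: turn raw (KP, KPD, KPU) records into timing features.
// kp/kpd/kpu mirror the attributes above; all other names are hypothetical.
function extractKeystrokeFeatures(events, { redactKeys = false } = {}) {
  const valid = events
    // Drop incomplete records, e.g. a key whose release was never observed.
    .filter(e => Number.isFinite(e.kpd) && Number.isFinite(e.kpu) && e.kpu >= e.kpd)
    // Order by press time: records can arrive out of order when keys overlap.
    .sort((a, b) => a.kpd - b.kpd);
  if (valid.length === 0) return { keys: [], digraphs: [] };

  const t0 = valid[0].kpd; // the first key press becomes time zero
  const keys = valid.map((e, i) => ({
    // In a password field the key identities are the secret itself;
    // redactKeys keeps only the position and the timings.
    kp: redactKeys ? 'k' + i : e.kp,
    down: e.kpd - t0,
    up: e.kpu - t0,
    hold: e.kpu - e.kpd, // dwell time of the key
  }));

  const digraphs = [];
  for (let i = 1; i < keys.length; i++) {
    const a = keys[i - 1];
    const b = keys[i];
    digraphs.push({
      pair: a.kp + '>' + b.kp,
      digraph: b.down - a.down, // press-to-press latency
      flight: b.down - a.up,    // release-to-press; negative when the keys overlap
    });
  }
  return { keys, digraphs };
}

// Constructed sample (milliseconds), deliberately out of order and with one
// record whose release time is missing.
const SAMPLE_KEY_EVENTS = [
  { kp: 'p', kpd: 1000, kpu: 1090 },
  { kp: 's', kpd: 1210, kpu: 1300 }, // pressed before 'a' was released
  { kp: 'a', kpd: 1150, kpu: 1230 },
  { kp: 's', kpd: 1400, kpu: NaN },  // release never observed: dropped
];

console.log(extractKeystrokeFeatures(SAMPLE_KEY_EVENTS));
```
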

4.1.2 Mouse Dynamics

The raw data that is collected is a time-series of two attributes:

  1. MB: is the identifier of any mouse button that is pressed.
  2. MM: This event is fired every time the mouse moves. Essentially, in modern browsers, it is the position of the mouse pointer with different time resolutions. We collect the information of pointer co-ordinates against time.

Unlike keyboard dynamics, we do not normalize the time, as MM is fired only when the mouse moves and that is actually a signal that the session is active. Like the keystroke dynamics, the mouse movement is also mapped to a direction attribute which could take twelve different values, plus the pointer acceleration values. But these values are derived and calculated only after the above-mentioned data points have been collected.
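One way to derive the direction and acceleration attributes from the collected MM samples, as an added example that is not the paper's code. The page only states that direction takes twelve values; the 30° sectors centred on the axes, the `{x, y, t}` sample shape and all function names are assumptions.

```javascript
// Added example: derive direction sector, speed and acceleration from MM samples.
const SECTORS = 12;
const SECTOR_WIDTH = (2 * Math.PI) / SECTORS; // 30 degrees per sector (assumption)

// Sector 0 is centred on "east", 3 on "up", 6 on "west", 9 on "down".
// Centring sectors on the axes keeps the very common purely horizontal or
// vertical pixel moves away from a sector boundary.
function directionSector(dx, dy) {
  const angle = Math.atan2(-dy, dx); // screen y grows downward, so negate it
  const s = Math.round(angle / SECTOR_WIDTH) % SECTORS;
  return (s + SECTORS) % SECTORS;
}

function mouseFeatures(samples) {
  const out = [];
  let prev = null;
  let prevSpeed = null;
  for (const s of samples) {
    if (prev === null) { prev = s; continue; }
    const dt = s.t - prev.t;
    const dx = s.x - prev.x;
    const dy = s.y - prev.y;
    // Coarse timer resolution can give two samples the same timestamp, and a
    // sample without displacement has no direction: skip both cases.
    if (dt <= 0 || (dx === 0 && dy === 0)) continue;
    const speed = Math.hypot(dx, dy) / dt; // pixels per millisecond
    out.push({
      t: s.t, // timestamps are kept as collected, not normalised
      sector: directionSector(dx, dy),
      speed,
      accel: prevSpeed === null ? null : (speed - prevSpeed) / dt,
    });
    prev = s;
    prevSpeed = speed;
  }
  return out;
}

// Share of movement per direction, a compact per-session descriptor.
function directionHistogram(features) {
  const hist = new Array(SECTORS).fill(0);
  for (const f of features) hist[f.sector] += 1;
  return hist;
}

// Constructed sample: pointer coordinates in pixels, t in milliseconds.
const SAMPLE_MOUSE = [
  { x: 100, y: 100, t: 0 },
  { x: 110, y: 100, t: 10 },
  { x: 130, y: 100, t: 20 },
  { x: 135, y: 100, t: 20 }, // duplicate timestamp: skipped
  { x: 130, y: 70, t: 30 },  // straight up on screen
];

console.log(mouseFeatures(SAMPLE_MOUSE), directionHistogram(mouseFeatures(SAMPLE_MOUSE)));
```
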

4.2 Design

4.2.1 Feature Extraction and Noise Reduction

Informativeness of features [(Frank et al., 2012)](#frank)

Kalman Filters (have never been applied before in the field).

4.2.2 Fusion of the two modalities

The question is: how do we treat the two biometrics together for generating the profiles and for authentication?
The two major works [Traore] and [Mondal] propose fusion methods:

1. [Mondal] uses pairwise coupling, but the performance is really poor for our implementation: it needs 333 actions and the identification rate is 58.9%.
2. [Traore] uses Bayesian fusion, and the performance, at least in terms of EER, is 8.21%, which is still promising; it took 8 weeks for the algorithm to learn the behavior.

I am proposing a very simple fusion algorithm, because the performance based on a single modality, i.e. either keystroke or mouse dynamics taken independently, is much better in separate works. The proposed algorithm gives weights to the classification results CK, for keystroke classification, and CM, for mouse dynamics based classification. Assuming CK and CM are real numbers and good estimates of confidence, we can assign weights wK and wM proportional to the inverse of the standard deviation of the profile. If this simple heuristic doesn’t work, we can also use a back-propagation neural network to assign the weights to every user independently.

4.3 Performance Measurement

Given the requirement that FAR has to be 0.0%, find the best FRR.
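The fusion heuristic of the previous section and the FAR = 0.0% requirement above can be exercised together as follows. This is an added example, not the paper's implementation: it assumes CK and CM are confidences on a common scale, that the two standard deviations are measured on that same scale, and that a session missing one modality is sent to the additional challenge; all function names and sample scores are constructed.

```javascript
// Added example: inverse-standard-deviation fusion plus zero-FAR calibration.
const MIN_SIGMA = 1e-6; // assumption: floor so a zero-variance profile cannot get unbounded weight

// wK and wM are proportional to 1/sigma and normalised to sum to 1.
function fusionWeights(sigmaK, sigmaM) {
  const invK = 1 / Math.max(sigmaK, MIN_SIGMA);
  const invM = 1 / Math.max(sigmaM, MIN_SIGMA);
  return { wK: invK / (invK + invM), wM: invM / (invK + invM) };
}

function fuse(cK, cM, w) {
  // Assumption: no fused score without both modalities, so withholding
  // mouse or keyboard events can never make acceptance easier.
  if (!Number.isFinite(cK) || !Number.isFinite(cM)) return null;
  return w.wK * cK + w.wM * cM;
}

// Lowest threshold that rejects every impostor score in the sample
// (FAR = 0.0% on this data); scores must be strictly above it to pass.
function calibrateZeroFar(genuine, impostor) {
  if (impostor.length === 0 || genuine.length === 0) {
    throw new Error('need both genuine and impostor scores to calibrate');
  }
  const threshold = Math.max(...impostor);
  const falseAccepts = impostor.filter(s => s > threshold).length;
  const falseRejects = genuine.filter(s => !(s > threshold)).length;
  return {
    threshold,
    far: falseAccepts / impostor.length,
    frr: falseRejects / genuine.length,
  };
}

// Decision layer: pass silently, or fall back to an additional challenge.
function decide(score, threshold) {
  return score !== null && score > threshold ? 'accept' : 'challenge';
}

// Constructed sample: [CK, CM] pairs for one user's profile.
const GENUINE = [[0.9, 0.7], [0.8, 0.9], [0.6, 0.5]];
const IMPOSTOR = [[0.4, 0.6], [0.7, 0.2], [0.3, 0.3]];

function runFusionDemo() {
  const w = fusionWeights(0.05, 0.2); // keystroke profile is the steadier one
  const g = GENUINE.map(([k, m]) => fuse(k, m, w));
  const i = IMPOSTOR.map(([k, m]) => fuse(k, m, w));
  const cal = calibrateZeroFar(g, i);
  return {
    w,
    cal,
    decisions: [
      decide(fuse(0.9, 0.7, w), cal.threshold),   // strong genuine session
      decide(fuse(0.6, 0.5, w), cal.threshold),   // weak genuine session
      decide(fuse(0.85, null, w), cal.threshold), // no mouse data collected
    ],
  };
}

console.log(runFusionDemo());
```

On the constructed scores, holding FAR at zero costs one of the three genuine sessions a step-up challenge, which is the trade-off the decision layer is meant to make visible.
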

5. Extending the Model and its Integration

I think this section goes before the previous one because we use definitions from this section in the above one. Here I extend the model to handle multiple behaviors for a single user (for instance, to handle multiple devices) and the bigger picture of the profiling and authentication algorithm and system.

6. Results and Conclusion

References

A. A. E. Ahmed and I. Traore, “A New Biometric Technology Based on Mouse Dynamics,” in IEEE Transactions on Dependable and Secure Computing, vol. 4, no. 3, pp. 165-179, July-Sept. 2007.
doi: 10.1109/TDSC.2007.70207

C. Shen, Z. Cai, X. Guan, Y. Du and R. A. Maxion, “User Authentication Through Mouse Dynamics,” in IEEE Transactions on Information Forensics and Security, vol. 8, no. 1, pp. 16-30, Jan. 2013.
doi: 10.1109/TIFS.2012.2223677

Deng, Yunbin, and Yu Zhong. 2013. “Keystroke Dynamics User Authentication Based on Gaussian Mixture Model and Deep Belief Nets.” _ISRN Signal Processing_ 2013: 1–7. doi:10.1155/2013/565183.

Federal Information Processing Standards Publication: Guidelines on evaluation of techniques for automated personal identification. (1977). doi:10.6028/nbs.fips.48

Frank, M., Biedert, R., Ma, E., Martinovic, I., & Song, D. (2013). Touchalytics: On the Applicability of Touchscreen Input as a Behavioral Biometric for Continuous Authentication. _IEEE Transactions on Information Forensics and Security,_ 8(1), 136-148. doi:10.1109/tifs.2012.2225048

Herley, Cormac. 2009. “So Long, and No Thanks for the Externalities.” Proceedings of the 2009 Workshop on New Security Paradigms Workshop - NSPW 09. doi:10.1145/1719030.1719050.

Inglesant, Philip G., and M. Angela Sasse. 2010. “The True Cost of Unusable Password Policies.” Proceedings of the 28th International Conference on Human Factors in Computing Systems - CHI 10. doi:10.1145/1753326.1753384.

Killourhy, K. S., & Maxion, R. A. (2009). Comparing anomaly-detection algorithms for keystroke dynamics. 2009 IEEE/IFIP International Conference on Dependable Systems & Networks. doi:10.1109/dsn.2009.5270346

Leggett, John, Glen Williams, Mark Usnick, and Mike Longnecker. 1991. “Dynamic Identity Verification via Keystroke Characteristics.” _International Journal of Man-Machine Studies_ 35 (6): 859–870. doi:10.1016/s0020-7373(05)80165-8.

Lin, Daw-Tung. “Computer-Access Authentication with Neural Network Based Keystroke Identity Verification.” Proceedings of International Conference on Neural Networks (ICNN97). doi:10.1109/icnn.1997.611659.

Mahadi, Nurul Afnan, Mohamad Afendee Mohamed, Amirul Ihsan Mohamad, Mokhairi Makhtar, Mohd Fadzil Abdul Kadir, and Mustafa Mamat. 2018. “A Survey of Machine Learning Techniques for Behavioral-Based Biometric User Authentication.” Recent Advances in Cryptography and Network Security. doi:10.5772/intechopen.76685.

M. L. Ali, J. V. Monaco and C. C. Tappert, “Biometric studies with hidden Markov model and its extension on short fixed-text input,” 2017 IEEE 8th Annual Ubiquitous Computing, Electronics and Mobile Communication Conference (UEMCON), New York, NY, 2017, pp. 258-264.

Meissner, P., Evaluation of techniques for verifying personal identity, Proc. ACM- NBS Fifteenth Annual Technical Symp., Gaithersburg, MD, June 17, 1976, pp.

Mondal, Soumik, and Patrick Bours. 2016. “Combining Keystroke and Mouse Dynamics for Continuous User Authentication and Identification.” 2016 IEEE International Conference on Identity, Security and Behavior Analysis (ISBA). doi:10.1109/isba.2016.7477228.

Monrose, Fabian, Michael K. Reiter, and Susanne Wetzel. 2002. “Password Hardening Based on Keystroke Dynamics.” _International Journal of Information Security_ 1 (2): 69–83. doi:10.1007/s102070100006.

Obaidat, M. S., and B. Sadoun. “Keystroke Dynamics Based Authentication.” Biometrics, 213–229. doi:10.1007/0-306-47044-6_10.

Rezaei, A., & Mirzakochaki, S. (2012). A Novel Approach for Keyboard Dynamics Authentication based on Fusion of Stochastic Classifiers.

Salman O.A., Hameed S.M. (2019) Using Mouse Dynamics for Continuous User Authentication. In: Arai K., Bhatia R., Kapoor S. (eds) Proceedings of the Future Technologies Conference (FTC) 2018. FTC 2018. Advances in Intelligent Systems and Computing, vol 880. Springer, Cham

Shay, Richard, Saranga Komanduri, Patrick Gage Kelley, Pedro Giovanni Leon, Michelle L. Mazurek, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. 2010. “Encountering Stronger Password Requirements.” Proceedings of the Sixth Symposium on Usable Privacy and Security - SOUPS 10. doi:10.1145/1837110.1837113.

Shay, R., Cranor, L. F., Komanduri, S., Durity, A. L., Huh, P. (., Mazurek, M. L., . . . Christin, N. (2016). Designing Password Policies for Strength and Usability. _ACM Transactions on Information and System Security,_ 18(4), 1-34. doi:10.1145/2891411

Teh, Pin Shen, Andrew Beng Jin Teoh, Connie Tee, and Thian Song Ong. 2010. “Keystroke Dynamics in Password Authentication Enhancement.” _Expert Systems with Applications_ 37 (12): 8618–8627. doi:10.1016/j.eswa.2010.06.097.

Traore, Issa, Isaac Woungang, Mohammad S. Obaidat, Youssef Nakkabi, and Iris Lai. 2012. “Combining Mouse and Keystroke Dynamics Biometrics for Risk-Based Authentication in Web Environments.” 2012 Fourth International Conference on Digital Home. doi:10.1109/icdh.2012.59.

U.S. Department of Commerce. “Digital Identity Guidelines- Authentication and Lifecycle Management” NIST Special Publication 800-63B 2017.

Weber, F. (2018). Multi-factor authentication. US7770002B2.

Y. Nakkabi, I. Traore and A. A. E. Ahmed, “Improving Mouse Dynamics Biometric Performance Using Variance Reduction via Extractors With Separate Features,” in IEEE Transactions on Systems, Man, and Cybernetics - Part A: Systems and Humans, vol. 40, no. 6, pp. 1345-1353, Nov. 2010.
doi: 10.1109/TSMCA.2010.2052602

Zaidan, Dema, Asma Salem, Andraws Swidan, and Ramzi Saifan. 2017. “Factors Affecting Keystroke Dynamics for Verification Data Collecting and Analysis.” 2017 8th International Conference on Information Technology (ICIT). doi:10.1109/icitech.2017.8080032.

Y. Zhong, Y. Deng and A. K. Jain, “Keystroke dynamics for user authentication,” 2012 IEEE Computer Society Conference on Computer Vision and Pattern Recognition Workshops, Providence, RI, 2012, pp. 117-123.

Further Readings and Notes

Behavioral Biometric Authentication in Human-Computer Interaction, John Vincent Monaco, January 2014. Thesis.
TIME INTERVALS AS A BEHAVIORAL BIOMETRIC, John Vincent Monaco, November 2015. Dissertation.
Keystroke Biometric Systems for User Authentication, Md Liakat Ali, John V. Monaco, Charles . Tappert, Meikang Qiu, Feb 2016.
The Partially Observable Hidden Markov Model and its Application to Keystroke Dynamics, John V. Monaco, Charles C. Tappert, November 2017.
An Investigation of Keystroke and Stylometry Traits for Authenticating Online Test Takers
