KeySens: Passive User Authentication Through Micro Behavior Modeling of Soft Keyboard Interaction
4 likes•1,604 views
The document discusses mobile device security, particularly in the context of unauthorized access to sensitive patient data in healthcare. It explores innovative methods of passive user authentication using keystroke dynamics and various smartphone sensors to detect and block unauthorized users quickly. The research showcases successful detection rates and emphasizes the potential for integrating contextual information to enhance security measures.
KeySens: Passive User Authentication Through Micro Behavior Modeling of Soft Keyboard Interaction
- 1. MobiCASE 2013 6-7 November, Paris, France Ben Draffin, Jiang Zhu, Joy Zhang 1
- 2. Tablet used for patient data ◦ Sensitive, private information ◦ Designed to be easily accessible Urgent call from other room ◦ Nurse steps away Bystander picks up tablet, writes down patient data, places it back Results in identity theft 2
- 3. Mobile devices are at high risk of theft Relatively easy to break into (Zahid 2009) After phone’s pin is entered, secondary authentication is rare Users may take many minutes to realize their phones are stolen 3
- 4. Provides a way to passively authenticate while using common, sensitive applications. Allows for rapid detection of unauthorized users ◦ Block their access as quickly as possible. Uses a variety of sensors available on common smartphones 4
- 5. Ask for password at opening of every app ◦ Some don’t need it ◦ Gets annoying Allow for usage under certain situations (at work, at home) ◦ Prompt if deviations from normal routine Rely on prompt calls from affected party ◦ Call up IT department to deactivate phone ◦ What if first thing is to turn on airplane mode? 5
- 6. Keystroke Dynamics are a popular subject ◦ Many papers—focusing primarily on desktops Great success for passwords, good success for arbitrary text Typing rate, key-to-key latencies are the primary features Once people are skilled at typing, they develop natural rhythms (on desktops) 6
- 7. Detecting keystroke patterns on mobile phones is challenging Focus on Desktop-like attributes ◦ Typing rate, timing, di-graphs, tri-graphs, etc. Need to leverage wealth of smartphone features 7
- 8. Use background applications to ―sniff‖ keystrokes ◦ Without direct access to keyboard Successful demonstrations using accelerometers Akin to microphone attacks on typing 8
- 9. Frequent use ◦ Typically single user Context awareness ◦ Protected applications vs Non-protected ◦ Current location, historical patterns Touchscreens provide wealth of data ◦ Touch location, pressure, finger size, finger drift Wide variety of other sensors ◦ Accelerometers, gyroscopes 9
- 10. Limited computing power ◦ Need to use efficient algorithms Finite battery life ◦ Users are sensitive to battery life impact Highly mobile ◦ Typical usage: lying down, sitting, walking, passenger in car/train/subway system ◦ Need to behave gracefully 10
- 11. 11
- 12. Location pressed on key Length of press (key down to key up) Force of press ◦ Also, how force changes over key press Size of finger Drift of finger during press Recent accelerometer history Orientation (depreciated) 12
- 13. 13
- 14. 14
- 15. From finger down to finger up 15
- 16. Only use data from a single user’s phone ◦ Generative model rather than Discriminative Respond quickly when unauthorized user detected, yet avoid false positives Work in open, unrestricted environments ◦ How to compensate for users sitting or laying down 16
- 17. 13 initial users after short recruiting drive 2 week long collection period 86,000 keystrokes 430,000 data points @ ~5/keystroke Data split into training and testing: Training Data for Model 50% CV 15% Training for Keys 15% CV for Keys 10% Final Testing 15% 17
- 18. 18
- 19. 19
- 20. Intrusion Detection Rate: 67.7% FAR:32.3% FRR:4.6% 20
- 21. Intrustion Detection Rate:84.8% FAR: 15.2% FRR: 2.2% 21
- 22. Some users are harder to differentiate than others ◦ Gaps between ROC curves ◦ Could use more investigation Pretty good success in the absence of any contextual information. ◦ Continuing work on incorporating meta-data ◦ With contextual knowledge, accuracy increases 22
- 23. Addresses: How to block unauthorized users from protected applications? Leverages a variety of sensors (besides just keyboard) Developed as part of a larger behavioral analysis program at Carnegie Mellon Univ.-SV Led by Joy Zhang and Jiang Zhu 23
- 24. Employees' phones ◦ Bring Your Own Device (BYOD) Delivery persons IT administrators Parents with children Social events Business travelers Nurses with mobile devices for patient records 24
- 25. 25
- 26. Require use of the default Android keyboard during password or sensitive text entry Disable sensors while entering text into password fields Collaborate with context awareness groups or side channel attack researchers Consider research into swiping gestures 26
- 27. KeySens ◦ Use keyboard interaction to detect unauthorized users SenSec ◦ Leverage keyboard and sensors to block unauthorized users Applications Next Steps 27
- 28. CyLab at Carnegie Mellon Northrop Grumman Cybersecurity Research Consortium Cisco ◦ Research award for ―Privacy Preserved Personal Big Data Analytics through Fog Computing'' Cybersecurity Research Consortium 28
- 29. Passive User Authentication through Microbehavior Modeling of Soft Keyboard Interaction Thank You MobiCASE 2013 29
- 30. Salil P. Banerjee and Damon L. Woodard. Biometric authentication and identification using keystroke dynamics: A survey. Journal of Pattern Recognition Research, 2012. Francesco Bergadano, Daniele Gunetti, and Claudia Picardi. User authentication through keystroke dynamics. ACM Trans. Inf. Syst. Secur., 5(4):367–397, November 2002. Liang Cai and Hao Chen. On the practicality of motion based keystroke inference attack. In Stefan Katzenbeisser, Edgar Weippl, L.Jean Camp, Melanie Volkamer, Mike Reiter, and Xinwen Zhang, editors, Trust and Trustworthy Computing, volume 7344 of Lecture Notes in Computer Science, pages 273–290. Springer Berlin Heidelberg, 2012. F. Cherifi, B. Hemery, R. Giot, M. Pasquet, and C. Rosenberger. Performance evaluation of behavioral biometric systems. In Behavioral Biometrics for Human Identication: Intelligent Applications, pages 57–74. IGI Global, 2010. Richard O. Duda, Peter E. Hart, and David. G. Stork. Multi-layer neural networks. In Pattern Classication, 2nd Edition, volume 2. John Wiley and Sons, Inc., 2001. M. Frank, R. Biedert, E. Ma, I. Martinovic, and D. Song. Touchalytics: On the applicability of touchscreen input as a behavioral biometric for continuous authentication. Information Forensics and Security, IEEE Transactions on, 8(1):136–148, 2013. Dawud Gordon, Jrgen Czerny, and Michael Beigl. Activity recognition for creatures of habit. Personal and Ubiquitous Computing, pages 1–17, 2013. Paul Holleis, Jussi Huhtala, and Jonna H¨akkil¨a. Studying applications for touch-enabled mobile phone keypads. In Proceedings of the 2nd international conference on Tangible and embedded interaction, TEI ’08, pages 15–18, New York, NY, USA, 2008. ACM. Anil Jain, Lin Hong, and Sharath Pankanti. Biometric identification. Commun. ACM, 43(2):90– 98, February 2000. 30
- 31. K.S. Killourhy and R.A. Maxion. Comparing anomaly-detection algorithms for keystroke dynamics. In Dependable Systems Networks, 2009. DSN '09. IEEE/IFIP International Conference on, pages 125–134, 2009. Emanuele Maiorana, Patrizio Campisi, Noelia Gonz´alez-Carballo, and Alessandro Neri. Keystroke dynamics authentication for mobile phones. In Proceedings of the 011 ACM Symposium on Applied Computing, SAC ’11, pages 21–26, New York, NY, USA, 2011. ACM. Emmanuel Owusu, Jun Han, Sauvik Das, Adrian Perrig, and Joy Zhang. Accessory: password inference using accelerometers on smartphones. In Proceedings of the Twelfth Workshop on Mobile Computing Systems & Applications, HotMobile ’12, pages 9:1–9:6, New York, NY, USA, 2012. ACM. A. Peacock, Xian Ke, and M. Wilkerson. Typing patterns: a key to user identification. Security Privacy, IEEE, 2(5):40 –47, sept.-oct. 2004. Elaine Shi, Yuan Niu, Markus Jakobsson, and Richard Chow. Implicit authentication through learning user behavior. In Mike Burmester, Gene Tsudik, Spyros Magliveras, and Ivana Ili, editors, Information Security, volume 6531 of Lecture Notes in Computer Science, pages 99–113. Springer Berlin Heidelberg, 2011. Saira Zahid, Muhammad Shahzad, SyedAli Khayam, and Muddassar Farooq. Keystroke-based user identification on smart phones. In Engin Kirda, Somesh Jha, and Davide Balzarotti, editors, Recent Advances in Intrusion Detection, volume 5758 of Lecture Notes in Computer Science, pages 224–243. Springer Berlin Heidelberg, 2009. Jiang Zhu, Hao Hu, Sky Hu, Pang Wu, and Joy Ying Zhang. Mobile behaviometrics: Models and applications. In Proceedings of the Second IEEE/CIC Inter- national Conference on Communications in China (ICCC), Xi’An, China, August 12-14 2013. Jiang Zhu, Pang Wu, Xiao Wang, Adrian Perrig, Jason Hong, and Joy Ying Zhang. Sensec: Mobile application security through passive sensing. In Proceedings of International Conference on Computing, Networking and Communications. (ICNC 2013), San Diego, CA, USA, January 2831 2013. 31
Editor's Notes
- #3: Nurse’s name is Nora
- #18: Models were trained with 3000 keystrokes from primary user and 2000 from each of 3 other users.
- #21: Models were trained with 3000 keystrokes from primary user and 2000 from each of 3 other users. These models were tested against [on average] 539 ‘primary user’ keystrokes and 489 keystrokes from a wide variety of other users (not used to train the model)