Vulnerability analysis of cyber-behavioral biometric authentication

Research on cyber-behavioral biometric authentication has traditionally assumed naive (or zero-effort) impostors who make no attempt to generate sophisticated forgeries of biometric samples. Given the plethora of adversarial technologies on the Internet, it is questionable whether the zero-effort threat model provides a realistic estimate of how these authentication systems would perform in the wake of adversity. To better evaluate the efficiency of these authentication systems, there is a need for research on algorithmic attacks which simulate state-of-the-art threats.

To tackle this problem, we took the case of keystroke and touch-based authentication and developed a new family of algorithmic attacks which leverage the intrinsic instability and variability exhibited by users' behavioral biometric patterns. For both fixed-text (or password-based) keystroke and continuous touch-based authentication, we: 1) used a wide range of pattern analysis and statistical techniques to examine large repositories of biometrics data for weaknesses that could be exploited by adversaries to break these systems, 2) designed algorithmic attacks whose mechanisms hinge on the discovered weaknesses, and 3) rigorously analyzed the impact of the attacks on the best verification algorithms in the respective research domains.

When launched against three high-performance password-based keystroke verification systems, our attacks increased the mean Equal Error Rates (EERs) of the systems by between 28.6% and 84.4% relative to the traditional zero-effort attack. For the touch-based authentication system, the attacks performed even better, as they increased the system's mean EER by between 338.8% and 1535.6% depending on parameters such as the failure-to-enroll threshold and the type of touch gesture subjected to attack.
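The results above are stated as Equal Error Rates and as relative EER increases over the zero-effort baseline. The following is an added example, not code from the dissertation, showing how such an evaluation is computed: a scaled-Manhattan keystroke verifier (a standard anomaly detector for fixed-text keystroke dynamics, assumed here as a stand-in for the verifiers the dissertation tested) is enrolled on constructed, seeded timing vectors; each user's held-out samples give genuine scores, every other user's samples give zero-effort impostor scores; and the EER is the operating point where FAR and FRR meet. The relative-increase formula `100 * (EER_attack - EER_baseline) / EER_baseline` is my assumption of how the percentages in the abstract are expressed. Any stronger impostor set produced under another threat model would be scored by the same functions.

```python
"""EER evaluation of a fixed-text keystroke verifier (added example, constructed data)."""
import numpy as np


def build_template(train):
    """Per-user template: feature means and mean absolute deviations (MAD)."""
    mean = train.mean(axis=0)
    mad = np.abs(train - mean).mean(axis=0) + 1e-9  # guard against zero MAD
    return mean, mad


def scaled_manhattan(template, sample):
    """Anomaly score: lower means the sample looks more like the template owner."""
    mean, mad = template
    return float(np.sum(np.abs(sample - mean) / mad))


def far_frr_curve(genuine, impostor):
    """Sweep every observed score as an accept threshold (accept if score <= t).

    Returns thresholds, false accept rates (impostors accepted) and
    false reject rates (genuine users rejected), one entry per threshold."""
    genuine = np.asarray(genuine, dtype=float)
    impostor = np.asarray(impostor, dtype=float)
    thresholds = np.unique(np.concatenate([genuine, impostor]))
    far = np.array([(impostor <= t).mean() for t in thresholds])
    frr = np.array([(genuine > t).mean() for t in thresholds])
    return thresholds, far, frr


def equal_error_rate(genuine, impostor):
    """EER: the operating point where FAR and FRR are closest. Returns (eer, threshold)."""
    thresholds, far, frr = far_frr_curve(genuine, impostor)
    i = int(np.argmin(np.abs(far - frr)))
    return float((far[i] + frr[i]) / 2.0), float(thresholds[i])


def relative_eer_increase(eer_baseline, eer_attack):
    """Percent increase of EER under an attack relative to the zero-effort baseline
    (assumed form of the percentages reported in the abstract)."""
    return 100.0 * (eer_attack - eer_baseline) / eer_baseline


def zero_effort_evaluation(n_users=5, n_samples=40, n_features=10, seed=1):
    """Constructed zero-effort experiment (hypothetical data, not real keystrokes).

    Half of each user's samples enroll a template; the other half are genuine
    trials against it, and every other user's held-out samples are impostor trials."""
    rng = np.random.default_rng(seed)
    # Constructed per-user mean timings in milliseconds plus per-sample noise.
    user_means = rng.uniform(80, 250, size=(n_users, n_features))
    data = [m + rng.normal(0, 25, size=(n_samples, n_features)) for m in user_means]
    half = n_samples // 2
    genuine, impostor = [], []
    for u, samples in enumerate(data):
        template = build_template(samples[:half])
        genuine += [scaled_manhattan(template, s) for s in samples[half:]]
        for v, other in enumerate(data):
            if v != u:
                impostor += [scaled_manhattan(template, s) for s in other[half:]]
    eer, thr = equal_error_rate(genuine, impostor)
    return {"eer": eer, "threshold": thr,
            "genuine_trials": len(genuine), "impostor_trials": len(impostor)}


if __name__ == "__main__":
    result = zero_effort_evaluation()
    print(f"zero-effort EER = {result['eer']:.3f} at threshold {result['threshold']:.1f} "
          f"({result['genuine_trials']} genuine / {result['impostor_trials']} impostor trials)")
    print(f"EER 0.10 -> 0.15 is a {relative_eer_increase(0.10, 0.15):.1f}% relative increase")
```

The threshold sweep over observed scores is exact for small score sets; on large datasets a fixed grid of thresholds (or a DET curve, ref. [38] style) is the usual substitute. Note that the mean EER reported across users, as in the abstract, is obtained by running `equal_error_rate` per template rather than on the pooled scores used here.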
For both keystroke and touch-based authentication, we found that there was a small proportion of users who saw considerably greater performance degradation than others as a result of the attack. There was also a subset of users who were completely immune to the attacks. Our work exposes a previously unexplored weakness of keystroke and touch-based authentication and opens the door to the design of behavioral biometric systems which are resistant to statistical attacks.

APPROVAL FOR SCHOLARLY DISSEMINATION

The author grants to the Prescott Memorial Library of Louisiana Tech University the right to reproduce, by appropriate methods, upon request, any or all portions of this Dissertation. It is understood that "proper request" consists of the agreement, on the part of the requesting party, that said reproduction is for his personal use and that subsequent reproduction will not occur without written approval of the author of this Dissertation. Further, any portions of the Dissertation used in books, papers, and other works must be appropriately referenced to this Dissertation. Finally, the author of this Dissertation reserves the right to publish freely, in the literature, at any time, any or all portions of this Dissertation.
