RiskCog: Unobtrusive Real-Time User Authentication on Mobile Devices in the Wild

Recent hardware advances have led to the development and consumerization of mobile devices, mainly smartphones and various wearable devices. To protect the privacy of users, various user authentication mechanisms have been proposed. In particular, biometrics has been widely used for multi-factor authentication. However, biometrics-based authentication mechanisms usually require costly sensors deployed on devices, and rely on explicit user input and an Internet connection to perform user authentication. In this article, we propose a system, called RiskCog, which can authenticate the ownership of mobile devices unobtrusively and in real time by adopting a learning-based approach. Unlike previous studies on user authentication, RiskCog relies only on widely available, privacy-insensitive motion sensors to capture data related to users' daily device usage, which supports cross-platform deployment, maximum user privacy protection, and unobtrusive authentication. It requires no explicit user input and places no requirement on the user's motion state or the device placement. RiskCog is also usable in environments without Internet access, because it can perform user identity verification offline. We conduct comprehensive experiments on smartphones and smartwatches, which show that RiskCog can authenticate device users rapidly and with high accuracy.
