CASTRA: Seamless and Unobtrusive Authentication of Users to Diverse Mobile Services

This paper presents context-aware security technology for responsive and adaptive protection (CASTRA), an "always-on" context-aware authentication and access control framework that seamlessly and unobtrusively authenticates users to mobile applications of varying sensitivity levels. CASTRA combines continuous, multifaceted behavioral biometric authentication, which passively authenticates the user in the background while the device is in contact with the user, with context-aware risk assessment and access control, which grants access to applications based on the perceived threat level around the device. The behavioral authentication module is built by applying a combination of supervised and unsupervised learning techniques to raw sensor and GPS data passively gathered from the mobile device. Multiple inferences about the user (user behavioral traits), such as frequently visited locations, location transition patterns, the physical proximity of the user to the device (e.g., device in the pocket or placed on a table), and walking patterns, are automatically inferred and extracted. Analytical studies were conducted to derive optimal thresholds for fusing these multiple traits, and an adaptive trust score is generated every user-defined time period to determine the degree to which the user is trusted to access the applications. CASTRA is implemented in a client-server mode, using Android and the Amazon cloud computing platform. The novelty of CASTRA stems from the design and fusion of multiple behavioral biometric authentication factors and from the development and deployment of a practical end-to-end architecture that enables real-time data acquisition, automatic training and learning of user behavioral patterns, and context-aware risk assessment and access control. The performance of CASTRA was evaluated in natural settings on 15 subjects using several Samsung device models.
Multiple realistic attack scenarios targeting mobile devices (e.g., stolen, lost, and shared devices) were designed to demonstrate the security and user-friendliness of the proposed scheme. We also present techniques to reduce energy and bandwidth consumption and ways to unobtrusively acquire data for supervised learning algorithms without requiring explicit user annotation.
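To make the trait-fusion, adaptive trust score and sensitivity-tiered access decision concrete, the following is an added illustration, not CASTRA's own code (the abstract does not publish its fusion rule or thresholds); the trait names, weights, tier thresholds, smoothing factor and threat-level adjustment are all assumptions chosen for the example.

```python
# Added example: trust-score fusion and sensitivity-tiered access decision in
# the style the CASTRA abstract describes. Weights, thresholds, smoothing
# factor and the threat adjustment are assumed values, not the paper's.
from dataclasses import dataclass
from typing import Optional

# Per-period trait scores in [0, 1]; None means the trait was not observable
# this period (e.g. no gait sample while the user is seated).
@dataclass
class TraitScores:
    location_familiarity: Optional[float]   # frequently visited place?
    transition_likelihood: Optional[float]  # transition fits past patterns?
    proximity_match: Optional[float]        # pocket/table pattern matches owner?
    gait_match: Optional[float]             # walking pattern matches owner?

WEIGHTS = {"location_familiarity": 0.25, "transition_likelihood": 0.25,
           "proximity_match": 0.2, "gait_match": 0.3}   # assumed

# Minimum trust required per application sensitivity tier (assumed values).
BASE_THRESHOLDS = {"low": 0.3, "medium": 0.6, "high": 0.8}

def fuse_period_score(t: TraitScores) -> float:
    """Weighted fusion over the traits observed this period; weights of
    unobserved traits are redistributed so a missing sensor neither
    silently lowers nor raises the score."""
    observed = {k: v for k, v in vars(t).items() if v is not None}
    if not observed:
        return 0.0  # nothing observed: no evidence the owner is present
    total_w = sum(WEIGHTS[k] for k in observed)
    return sum(WEIGHTS[k] * min(max(v, 0.0), 1.0)
               for k, v in observed.items()) / total_w

def update_trust(prev: float, period_score: float, alpha: float = 0.5) -> float:
    """Adaptive trust: exponential smoothing across periods, so one noisy
    reading neither fully revokes nor fully restores trust."""
    return (1 - alpha) * prev + alpha * period_score

def allow_access(trust: float, sensitivity: str, threat_level: float = 0.0) -> bool:
    """Grant access if trust clears the tier threshold; the context-aware risk
    assessment raises the bar when the threat around the device is higher."""
    threshold = min(1.0, BASE_THRESHOLDS[sensitivity] + 0.2 * threat_level)
    return trust >= threshold

def trust_trajectory(periods, start: float = 0.5):
    """Trust after each period, starting from a neutral prior (assumed)."""
    trust, out = start, []
    for p in periods:
        trust = update_trust(trust, fuse_period_score(p))
        out.append(trust)
    return out
```

With these assumed values a device whose traits all read low for three consecutive periods drops below even the low-sensitivity threshold, while a single period with an unobservable gait trait still yields a usable score from the remaining traits.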
