On the Effectiveness of Sensor-enhanced Keystroke Dynamics Against Statistical Attacks

In recent years, simple password-based authentication systems have increasingly proven ineffective for many classes of real-world devices. As a result, many researchers have concentrated their efforts on the design of new biometric authentication systems. This trend has been further accelerated by the advent of mobile devices, which offer numerous sensors and capabilities to implement a variety of mobile biometric authentication systems. Along with the advances in biometric authentication, however, attacks have also become much more sophisticated, and many biometric techniques have ultimately proven inadequate in the face of advanced attackers in practice. In this paper, we investigate the effectiveness of sensor-enhanced keystroke dynamics, a recent mobile biometric authentication mechanism that combines a particularly rich set of features. In our analysis, we consider different types of attacks, with a focus on advanced attacks that draw from general population statistics. Such attacks have already been proven effective in drastically reducing the accuracy of many state-of-the-art biometric authentication systems. We implemented a statistical attack against sensor-enhanced keystroke dynamics and evaluated its impact on detection accuracy. On the one hand, our results show that sensor-enhanced keystroke dynamics are generally robust against statistical attacks, with a marginal equal-error rate impact (<0.14%). On the other hand, our results show that, surprisingly, keystroke timing features non-trivially weaken the security guarantees provided by sensor features alone. Our findings suggest that sensor dynamics may be a stronger biometric authentication mechanism against recently proposed practical attacks.
