Using global knowledge of users' typing traits to attack keystroke biometrics templates

Research in the field of keystroke dynamics (KD) has traditionally assumed that impostor attacks originate from humans. However, recent studies have revealed that bots and various categories of malware are capable of mounting intelligently crafted synthetic attacks against KD systems. In this paper we conduct a large-scale study of human typing traits, and then use the general statistical trends observed to train a tool that breaks password-KD templates. Our aim is to investigate how a synthetic attack designed with general knowledge about users' typing habits would perform in practice against a password-KD co-authentication system. Our initial results indicate that, in the face of synthetic impostor attacks, incorporating KD into regular password-based systems may not necessarily lessen users' burden of maintaining strong passwords to guarantee security.
