Online risk-based authentication using behavioral biometrics

In digital home networks, independent smart devices are expected to communicate and cooperate with each other, without knowledge of the underlying communication technology, on the basis of a distributed operating system paradigm. In such a context, securing access rights to objects such as data, apparatus, and content is still a challenge. This paper introduces a risk-based authentication technique based on behavioral biometrics as a solution approach to tackle this challenge. Risk-based authentication is an increasingly popular component in the security architecture deployed by many organizations to mitigate online identity fraud. It uses contextual and historical information extracted from online communications to build a risk profile for the user, which can then be used to make authentication and authorization decisions. Existing risk-based authentication systems rely on basic web communication information such as the source IP address or the velocity of transactions performed by a specific account or originating from a certain IP address. Such information can easily be spoofed, which calls into question the robustness and reliability of such systems. In this paper, we propose a new online risk-based authentication system that provides more robust user identity information by combining mouse dynamics and keystroke dynamics biometrics in a multimodal framework. We propose a Bayesian network model for analyzing free keystrokes and free mouse movements involved in web sessions. Experimental evaluation of our proposed model with 24 participants yields an Equal Error Rate of 8.21%. This is very encouraging considering that we are dealing with free text and free mouse movements, and that many web sessions tend to be very short.
