Transcript ppt
I can be You: Questioning the
use of Keystroke Dynamics as
Biometrics
Tey Chee Meng, Payas Gupta, Debin Gao
Ke Chen
Outline
•
•
•
•
•
Introduction
Keystroke biometrics
Experimental Design
Experimental Results
Conclusion
Authentication using Biometrics
• Physiological biometric:
–
–
–
–
facial features
hand geometry
Fingerprints
iris scans
• Behavioral biometric:
– Signatures
– Handwriting
– Typing patterns (i.e. keystroke dynamics)
Is Keystroke Biometrics Unique?
• If imitation is possible, then keystroke
dynamics would be unsuitable for use as
a biometrics feature.
• it is possible to imitate someone else’s
keystroke typing if appropriate feedback
is provided?
Keystroke Dynamics
Keystroke dynamics refer to information about
the typing pattern.
pressing and releasing of a keystroke pair (ka,
kb) results in 4 timings which are of interest to
keystroke biometrics systems
when eva
Keystroke dynamics referThe
to information
collected
user of thve
Choice
of dynamics
timing information
ing pattern.
Forrefer
example,
pressing
and
eystroke
refer Keystroke
to information
about
the
typdynamics
towhen
information
abou
evaluating
a 1r
user and
keystroke
(ka , kb) of
results
in the
4ing.
timings
w
user
system,
ing pressing
pattern.
Forpair
example,
pressing
and
relea
pattern. For example,
and
releasing
a of
1 ad
ystroke
dynamics
to
information
to(kkeystroke
biometrics
systems:
k
user
and
1 setwhich
of(a)ano
keystroke
pairabout
, the
kb) typresults
4 timings
troke
pair
(ka , kbrefer
) results
in 4terest
timings
are
of in
inawhich
ing
vector
↓
↑
attern. For example, pressing of
and
releasing
of a timeing.
1
additional
k
:
t
,
(b)
key-up
of
k
:
t
, (c)
keys
a
a
terestsystems:
to keystroke
biometricstime
systems:the
key-d
t to keystroke biometrics
(a)
k a key-down
k(a)
a anoma
roke↓ •pair
(ka , kb) results
in 4 timings
are of in↓ ↑ which
↑vectors
↓
↑ are used
ing
Key-down
time:
k
:
t
and
(d)
key-up
time
of
k
:
t
of
k
:
t
,
(b)
key-up
time
of
k
:
t
,
(c)
key-dow
: t k a , (b) key-up time of kaa : kt ka ba , (c)
key-down time aof k a b structed
k
k
fr
b
b
to
keystroke
biometrics
systems:
(a)
key-down
time
the
anomalous
timin
experiments
to verifyktothe
these
absolute
time
↓ feasi↑
↓larger
↑the feasi- FromFrom
↓ andscale
↑
experiments
verify
these
absolute
time
(d) key-up
time
(d)
key-up
time
: and
t k bkey-down
the same
Key-up
time:
b : t k b from
key-up
time
of kabof
:: ttk
time
of of kstructed
k tbk ,•(b)
the no
kkbb, (c)
Keystroke Dynamics
a
a
this
paper,
we paper,
demonstrate
that thattimings
can be
derived:
attacks.
In
this
we
demonstrate
timings
can
be derived:
↑
From
these absolute
time
measurements,
four
relative
and
(d)
key-up
time
of
k
:
t
the
same authentica
b kb
b
•
four
relative
timings
can
be
derived:
meone
else’s
keystroke
typing
if
imitate
someone
else’sthe
keystroke
if
timings
can beto
derived:
eo experiments
verify
feasi- typingFrom
these
absolute
time measurem
•
an
inter-keystroke
timin
•
an
inter-keystroke
timing
edback
is
provided.
ovided.
n this •paper,
we demonstrate
that ka timings
can be derived:
↓= t ↓ ↓- t ↓ .
an
inter-keystroke
timing
between
and
k
:
I
b
k a=,ktb
ents
to verify
the↓ feasiFrom these
absolute
relat
Itime
-k tb k a .kfour
eomeone
a novel
feedback
interface
Mimesis
with
the
a
k a ,kmeasurements,
↓
b
k
else’s
keystroke
typing
if
dback
interface
Mimesis
with
the
b
I k ,k = t k - t k .
er,
we
demonstrate
that
timings
can
be derived:
• an inter-keystroke
timing
• hold timing
of kbetween
gn goals: (a) The information
must
a : H ka
↑
↓be easy to
rovided.
• hold
of ka : H k a =
Thekeystroke
to
↓ timing
↓
•information
hold timing
of must
kifa : H k be
= teasy
se’s
typing
k - tk
I
=
t
t
.
k
,k
th minimal
cognitive
load required.
The latter a timing
b
k bbetween
k atiming
edback
interface
Mimesis
with•↑ the
↓inter-keystroke
an
ka and
•
hold
of k↑b: H k↓b =
• hold
timing
of kb: H k The
= t k latter
- tk
ognitive
load
required.
↓The
↓ • timing
hold
timing
of
k
:
H
=
kers
focus on their
imitation
task.
(b)
•
hold
of
k
:
H
=
t
t
a)
Theto
information
must
be
easy
to
b
k
a
k
b
I
=
t
t
.
a
k
k
k
,k
a
•
a
key
up-down
timing
ba
•Mimesis
a keyimitation
up-down
timing
between
ka and kkb: k
erface
with the
sld
on
their
task.
(b)
The
↓
↓ tips
↑ onThe
↓ timing
↑↑
cognitive
load
required.
latter
provide
specific
particular
aspects
to
↑up-down
↓
•
a
key
bet
U
=
t
t
•
hold
timing
of
k
:
H
=
t
t
k
,k
• hold timing of ka : H k = U
t kk a -,ktbbk = t kk bb - t kkab k b
rmation must be easy
to
k
k
↓
↑
ecific
tips
on
particular
aspects
to
us
onrequired.
their
imitation
task. (b)feedback
The
c)
Both
positive
and
negative
should
↑
↓
•
a
key
up-down
timing
between
ka
oad
The
latter
Uk k a=,kt kb =- t tk k b - t k a
•
hold
timing
of
k
:
H
Different
anomaly
detectors
used
in
keystroke
biometb
↓
↑
pecific
tips
onsoparticular
aspects
to
theand
attacker
that
she can
repeatedly
makeUk ,k = Different
anomaly detecto
ve
negative
feedback
should
imitation
task.
(b)
The
t
t
a
b
rics used different combinations
of
I
,
H
and
U
such
as
I
,
k
k
• a key up-down timing between
ka a and kb:
b
itive
and
negative
feedback
should
ments
to
her
typing
pattern
to
imitate
better.
different combinati
↓ U [7],
s so
on H
particular
aspects
that
can
and she
U [7],
onlyrepeatedly
Ito[13, 7], onlymake
only
I rics
and usedanomaly
detector
UHk [7],
- t ↑ Different
,k = t
a
b
b
a
a
b
a
a
b
b
a
a
b
b
a
b
b
a
a
b
a
b
a
b
Table 1. Example of data vectorization
Data
vectorization
password, e.g. ‘serndele’, each timing inform
can be represented as
‘serndele’
z = I s,e , . . . , I l ,e , H s , . . . , H e
inter-keystroke time
hold time
collected vectors are typically divided into 4
valuating a keystroke biometrics system. For
et al. requires both a mean vector and an absolute deviation
vector [7]. Once the parameters are determined, a detector
can compute an anomaly score for each test vector.
Anomaly Detector Scoring
Computation of mean vector The mean vector, denoted
• mean vector
by x̄ is computed from:
⎛
⎜
x̄ = ⎝
n
n
I ki 1 ,k 2
i= 1
n
I ki l −
,...,
n
= ( x̄ 1 , x̄ 2 , . . . , x̄ 2l − 1 )
i= 1
n
H ki 1
1 ,k l
,
⎞
n
i= 1
n
,...,
H ki l ⎟
⎠
i= 1
n
Computation of absolute deviation vector The absolute
deviation d can be computed from:
= ( x̄ 1 , x̄ 2 , . . . , x̄ 2l − 1 )
Anomaly Detector Scoring
Computation of absolute deviation vector The absolute
d can
be computed
from:
• deviation
absolute
deviation
vector
⎛
⎜
d=⎝
n
n
|I ki 1 ,k 2 − x̄ 1 |
i= 1
n− 1
|I ki l −
,...,
n
i= 1
n− 1
= (d1 , . . . , d2l − 1 )
,...,
− x̄ l − 1 |
i= 1
n− 1
n
|H ki 1 − x̄ l |
1 ,k l
,
⎞
|H ki l − x̄ 2l − 1 | ⎟
⎠
i= 1
n− 1
Euclidean distance based anomaly score After the parameters of the detector are computed, the anomaly score
for any given test vector can be computed by applying
the detection
algorithm.Detector
Denoting the Scoring
test vector as t s =
Anomaly
(ts1 , ts2 , . . . , ts2l − 1 ), we calculate the Euclidean distance
• Euclidean
distance
anomaly score
based
anomaly score
ae ofbased
t s using,
2l − 1
(tsj − x̄ j ) 2
ae =
j=1
• Note
Manhattan
distance
based
anomaly
score
nomaly
score
as calculation
is
computed
using,
that the
of Euclidean
distance
requires
only the mean vector of the victim but not the absolute de2l − 1
|tsj − x̄ j |
viation vector.
as =
j=1
dj
Manhattan distance based anomaly score Unlike the
Euclidean distance, the Manhattan (scaled) distance re-
Anomaly Detection Threshold
• FRR: false rejection rate, decrease as threshold
sets higher
• FAR: false acceptance rate, increase as
threshold sets higher
• EER: equal error rate where FRR=FAR
Experiment Design
• Attack scenarios
– the attacker is able to extract the victim pattern
from a compromised biometrics database.
– the attacker may be able to capture samples of
the victim’s keystrokes as she is authenticating
(e.g. by installing a key- logger).
Choice of Password
• “serndele”
– minimize finger movements on a standard US
keyboard.
• “ths.ouR2”
– chosen to maximize finger movements and
therefore difficulty of typing.
Experiment 1 (e1)
• Training Data Collection
88 participants were asked to submit 200 samples for
each of the two passwords using an existing keystroke
dynamics based authentication system.
Experiment 2 (e2)
• Imitation using Euclidean distance
30 minutes imitation task:
84 participants played the role of attackers. 10 victims were randomly chosen
from e1. Each attacker was randomly assigned one of the 10 victims, and was
given the victim’s mean vector for. Attackers gets real-time feedback of the
Euclidean distance based anomaly score.
Experiment 3 (e3a)
• Investigate the additional imitation session
with Euclidean distance
14 best attackers were chosen from e2 to perform the
same imitation task in e2 for only 20 minutes.
Experiment 4 (e3b)
• Investigate the imitation performance of highly
motivated attackers in optimal environment
Feedback is based on full victim typing pattern Information
(Manhattan distance and absolute deviation)
Feedback Interface: Mimesis
Experiment Results
30
ths.ouR2
serndele
25
20
which i
scenario
15
1.5
10
5
0
0-0.2
0.2-0.4
0.4-0.6
0.6-0.8
0.8-1
Overall FAR
Figure 6. Overall FAR in e1
given a target organization with 10 high value targets, if a team of 84
attackers were to be assembled, we expect to find on average, one
6.1.2 Estimation of anomaly detector parameters from
attacker with the
typing pattern as one of the high value targets.
fewsame
samples
We conducted a Monte Carlo simulation based on the tim-
e2 b20 FAR - e1 FAR
Number of Participants
• Result from e1: collision attack
1
0.5
0
0
-0.5
Figu
e1
• Results from e2: Improvement in FAR after
which is not known to the attacker. The partial information
imitation
training
scenario is plausible, but not ideal.
from
e tim-
1.5
e2 b20 FAR - e1 FAR
uR2
dele
Experiment Results
1
0.5
0
0
-0.5
20
40
60
80
100
Participants
Figure 7. Improvement in FAR in e2 b20 from
e1
overall FAR e1
overall FAR e2
20
30
No. of Participants
No. of Participants
25
overall FAR e1
overall FAR e2
25
Experiment Results
15
10
5
20
15
10
5
• Results from e2: Effect of password difficulty
0
0
0-0.2
0.2-0.4
0.4-0.6
0.6-0.8
0.8-1
0-0.2
0.2-0.4
0.4-0.6
FAR
(a) ‘serndele’ - Using all samples
overall FAR e1
0.8-1
(b) ‘ths.ouR2’ - Using all samples
30
b20 FAR e2
No. of Participants
No. of Participants
25
0.6-0.8
FAR
20
15
10
5
0
overall FAR e1
b20 FAR e2
25
20
15
10
5
0
0-0.2
0.2-0.4
0.4-0.6
0.6-0.8
0.8-1
0-0.2
0.2-0.4
0.4-0.6
FAR
0.6-0.8
0.8-1
FAR
(c) ‘serndele’ - Using best consecutive 20 samples
(d) ‘ths.ouR2’ - Using best consecutive 20 samples
Figure 8. Improvement in FAR in e2 from e1
The differences
mean
between
the harder
Mean
Variance int Stat
P(T≤
t)
t Critical the easier
Groupsand Mean
Variance password
t Stat
P(T≤ t)
Groups
e1 overall
e2 overall
0.241
e1 overall
0.065
0.241
0.065
-3.586
< 0.001
1.993easier to type are also easier-5.126
< 0.001
suggest
passwords
that are
to imitate.
0.471 that
0.085
e2 b20
0.633
0.150
(a) ‘serndele’
Groups
Mean
e1 overall
e2 overall
0.196
0.288
Variance
t Stat
0.050
-1.769
0.075
(b) ‘ths.ouR2’
t Critical
1.998
(a) ‘serndele’
P(T≤ t)
t Critical
0.081
1.987
Groups
Mean
e1 overall
e2 b20
0.196
0.425
Variance
t Stat
0.050
-3.678
0.131
(b) ‘ths.ouR2’
P(T≤ t)
t Critical
< 0.001
1.991
9. Therethat con-
•
0.035
ed on
Experiment Results
Number of Participants
ths.ouR2
serndele
in Figure 5 that there is further room for improvement when
given a second session. This suggests that instead of a single long session, imitation may be more effective when conducted in multiple sessions of shorter duration. A full investigation into the outcome for various combinations of session duration and number of sessions is however out of the
Results
e2: effect
of training
duration
scopefrom
of this paper
and we leave
it for future work.
40
30
20
10
0
0-10
11-20
21-30
31-40
Time
uestion is
Figure 11. Time required in e2
56% attackers took no more than 20 minutes to reach their b20 performance.
er consisof each at6.3. Imitation outcome of e3a
left of the
hs.ouR2’.
After e2, the 14 best attackers (based on their imitation
ord ‘sern-
l
Experiment Results
1
b20 FAR
s no
ation
y red by
value
h un- •
he p
ce in
cant.
a week’s rest. They were then recalled for a repeat of e2.
Based on the findings in e2 we limit the duration of e3a to
20 mins. The question we want to investigate in this section
is that under the partial information scenario, do attackers
reach their peak performance within the first 30 minutes or
they are capable of further improvements when given more
Results
from
e3a:
time to rest,
reflect
and repeat their earlier efforts.
0.8
0.6
e2
e3a
0.4
0.2
0
1
2
3
4
5
6
7
8
9
10
11
12
Participants
Figure 12.
b20 FAR
and e3a
– 6 attackers
improved
their in
b20e2FAR
– 4 attackers unchanged
– 4 attackers worsened
13
14
Groups
e3a
e3b
Mean
Variance
t Stat
0.992
3.29E-04
P(T≤ t)
Experiment
Results
0.842
0.046
-2.594
0.022
t Critical
2.160
Table
7. t-test
• Results
from
e3b: on b20 FAR in e3a and e3b
1
b20 FAR
0
in the FAR for e3a and e3b is statistically significant.
0.8
0.6
e3b
e3a
0.4
0.2
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
Participants
Figure 14. b20 FAR in e3a and e3b for participants of all four experiments
Experiment Results
• Factors affecting imitation outcome
– Gender: male performs significantly better than
females
– Therefore there exists a weak correlation between
the imitation outcome and the similarity between
the attacker and victim’s typing pattern
– Typing speed, keyboard, Number of trials per
minute are not affecting factors
Conclusion
• A user’s typing pattern can be imitated
– Trained with incomplete model of the victim’s
typing pattern, an attacker’s success rate is around
0.52
– The best attacker increases FAR to 1 after training
– When the number of attackers and victims are
sizeable, chance of natural collision is significant
Conclusion
• Easier passwords are easily imitated
• Males are better imitators
Questions?