I Sensed It Was You: Authenticating Mobile Users with - - PowerPoint PPT Presentation

I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics

Cristiano Giuffrida Kamil Majdanik Mauro Conti Herbert Bos

VU University Amsterdam

11th Conference on Detection of Intrusions and Malware and Vulnerability Assessment Egham, UK July 10-11, 2014

1 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

The Blossom of the Mobile Computing Era

2 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

Mobile Data

Presentations / briefing notes. Address book information. Personal photos, movies, and email. Personal health, salary, and benefits information. Access credentials for networks and applications. Credit card and e-banking information.

3 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

Mobile Threats

4 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

Mobile Threats

4 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

Mobile Threats

4 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

Mobile Threats

4 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

Mobile Authentication

Password/PIN/Pattern-based authentication.

✧ Simple and widespread. ✪ No continuous authentication. ✪ Prone to guessing attacks (not mobile specific). ✪ Prone to smudge [WOOT’10] and shoulder-surfing [CCS’13] attacks.

Biometric authentication.

✧ A viable option for many mobile users. ✧ Amenable to continuous authentication. ✧ Several existing mechanisms: gaits, gestures, keystroke dynamics. ✪ Poor accuracy (> 5%EER) or prone to statistical attacks [CCS’13].

5 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

WWW: What We Want

High-accuracy biometric authentication for mobile devices. Robustness against human attacks. Robustness against statistical attacks. Static authentication capabilities. Continuous authentication capabilities. Robustness against uncontrolled settings.

6 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

WWW: What We Want

✧ High-accuracy biometric authentication for mobile devices. ✧ Robustness against human attacks.

• Robustness against statistical attacks.

✧ Static authentication capabilities.

• Continuous authentication capabilities.
• Robustness against uncontrolled settings.

6 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

Sensor-enhanced Keystroke Dynamics Soft keyboard on a mobile device

7 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

Sensor-enhanced Keystroke Dynamics Scenario: User typing ’HELLO’

7 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

Sensor-enhanced Keystroke Dynamics

User 1 KeyDowns User 1 KeyUps

Keystroke dynamics

7 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

Sensor-enhanced Keystroke Dynamics

User 1 KeyDowns User 1 KeyUps

Keystroke dynamics

7 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

Sensor-enhanced Keystroke Dynamics

User 1 KeyDowns User 1 KeyUps

Keystroke dynamics

7 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

Sensor-enhanced Keystroke Dynamics

User 1 KeyDowns User 1 KeyUps

Keystroke dynamics

7 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

Sensor-enhanced Keystroke Dynamics

User 1 KeyDowns User 1 KeyUps

Keystroke dynamics

7 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

Sensor-enhanced Keystroke Dynamics

User 1 KeyDowns User 1 KeyUps

Keystroke dynamics

7 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

Sensor-enhanced Keystroke Dynamics

User 1 KeyDowns User 1 KeyUps

Keystroke dynamics

7 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

Sensor-enhanced Keystroke Dynamics

User 1 KeyDowns User 1 KeyUps

Keystroke dynamics

7 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

Sensor-enhanced Keystroke Dynamics

User 1 KeyDowns User 1 KeyUps

Keystroke dynamics

7 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

Sensor-enhanced Keystroke Dynamics

User 1 KeyDowns User 1 KeyUps

Keystroke dynamics

7 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

Sensor-enhanced Keystroke Dynamics

User 1 KeyDowns User 1 KeyUps

Keystroke dynamics

7 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

Sensor-enhanced Keystroke Dynamics

User 1 KeyDowns User 1 KeyUps

Keystroke dynamics

7 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

Sensor-enhanced Keystroke Dynamics

User 1 User 1 KeyDowns User 1 KeyUps

• 0,10
• 0,05

0,00 0,05 0,10 Value Gyroscope

Sensor-enhanced keystroke dynamics

7 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

Sensor-enhanced Keystroke Dynamics

User 1 User 1 KeyDowns User 1 KeyUps

• 0,10
• 0,05

0,00 0,05 0,10 Value Gyroscope

Sensor-enhanced keystroke dynamics

7 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

Sensor-enhanced Keystroke Dynamics

User 1 User 1 KeyDowns User 1 KeyUps

• 0,10
• 0,05

0,00 0,05 0,10 Value Gyroscope

Sensor-enhanced keystroke dynamics

7 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

Sensor-enhanced Keystroke Dynamics

User 1 User 1 KeyDowns User 1 KeyUps

• 0,10
• 0,05

0,00 0,05 0,10 Value Gyroscope

Sensor-enhanced keystroke dynamics

7 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

Sensor-enhanced Keystroke Dynamics

User 1 User 1 KeyDowns User 1 KeyUps

• 0,10
• 0,05

0,00 0,05 0,10 Value Gyroscope

Sensor-enhanced keystroke dynamics

7 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

Sensor-enhanced Keystroke Dynamics

User 1 User 1 KeyDowns User 1 KeyUps

• 0,10
• 0,05

0,00 0,05 0,10 Value Gyroscope

Sensor-enhanced keystroke dynamics

7 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

Sensor-enhanced Keystroke Dynamics

User 1 User 1 KeyDowns User 1 KeyUps

• 0,10
• 0,05

0,00 0,05 0,10 Value Gyroscope

Sensor-enhanced keystroke dynamics

7 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

Sensor-enhanced Keystroke Dynamics

User 1 User 1 KeyDowns User 1 KeyUps

• 0,10
• 0,05

0,00 0,05 0,10 Value Gyroscope

Sensor-enhanced keystroke dynamics

7 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

Sensor-enhanced Keystroke Dynamics

User 1 User 1 KeyDowns User 1 KeyUps

• 0,10
• 0,05

0,00 0,05 0,10 Value Gyroscope

Sensor-enhanced keystroke dynamics

7 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

Sensor-enhanced Keystroke Dynamics

User 1 User 1 KeyDowns User 1 KeyUps

• 0,10
• 0,05

0,00 0,05 0,10 Value Gyroscope

Sensor-enhanced keystroke dynamics

7 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

Sensor-enhanced Keystroke Dynamics

User 1 User 1 KeyDowns User 1 KeyUps

• 0,10
• 0,05

0,00 0,05 0,10 Value Gyroscope

Sensor-enhanced keystroke dynamics

7 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

Sensor-enhanced Keystroke Dynamics

User 1 User 1 KeyDowns User 1 KeyUps

• 0,10
• 0,05

0,00 0,05 0,10 Value Gyroscope

Sensor-enhanced keystroke dynamics

7 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

Unagi

2l 3l 4l 5l 6l 7l 8l 9l 0l 1l

Ql W l U l Il O l El R l Tl Yl Pl Al Sl Dl Fl Gl Hl Jl Kl Ll

Dell

Zl Xl Cl Vl Bl Nl Ml

Shiftl

Sensor samples Keystroke events KD Feature extraction module Training module Detection module

8 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

Gathering Keystroke Events

Modified Android keyboard intercepts and records keystroke events. Records only events of interest (i.e., alphanumeric characters). KD time: Timestamp associated to key-down events. KU time: Timestamp associated to key-up events.

9 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

Gathering Sensor Data

Relies on the Android API to record sensor values while typing. Can sample sensor values at a high frequency (e.g., 17 Hz). Gyroscope: measures device orientation on the 3 axes. Accelerometer: measures device acceleration on the 3 axes.

10 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

Feature Extraction

A A A

A B C KD-KD KD-KU KU-KU KU-KD

Traditional keystroke dynamics

11 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

Feature Extraction

A A A

A B C

0.5-graph 1-graph 1.5-graph Complete word

KU KD KU KD KU KD 1 feature for each n-graph between KD/KU events. Keystroke dynamics: time interval associated to each n-graph. Sensor dynamics: statistical metrics associated to each n-graph.

11 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

Detection

Features gathered in a labeled vector and normalized. Feature vectors used to train a binary classification algorithm. Algorithms:

Once-class Support Vector Machines (SVM). Naive Bayes. k-Nearest Neighbors (kNN). Mean algorithm.

Distance metrics:

Euclidean. Euclidean normed. Manhattan. Manhattan scaled. Mahalanobis.

12 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

Experimental Setup

Fixed-text authentication system in a controlled setting. 2 predetermined passwords: “internet” and “satellite”. 20 test subjects, 40 (typo-free) password repetitions. Samsung Nexus S with a soft landscape keyboard. Trained detector for each user using leave-one-out cross-validation. Measured FAR, FRR, EER and averaged results across users. Factors considered: window size, algorithm, sampling frequency.

13 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

Accuracy vs. Window Size

4,00% 5,00% 6,00% 7,00% 8,00% 9,00% 10,00% 0.5-graph 0.5-graph & 1.0-graph 1.5-graph & 0.5-graph & 1.0-graph 2.0-graph & 0.5-graph & 1.0-graph 2.5-graph & 0.5-graph & 1.0-graph 3.0-graph & 0.5-graph & 1.0-graph 3.5-graph & 0.5-graph & 1.0-graph 4.0-graph & 0.5-graph & 1.0-graph 4.5-graph & 0.5-graph & 1.0-graph EER

internet (min) satellite (min)

0,00% 0,05% 0,10% 0,15% 0,20% 0,25% 0,30% 1.0-graph 1.5-graph 2.0-graph 2.5-graph 3.0-graph 3.5-graph 4.0-graph 4.5-graph whole word EER

internet (min) satellite (min)

14 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

Accuracy vs. Detection Algorithm

0,00% 0,20% 0,40% 0,60% 0,80% 1,00% 1,20% 1,40% EER sensors sensors & timings

15 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

Accuracy vs. Sampling Frequency

0,00% 0,50% 1,00% 1,50% 2,00% 2,50% 3,00% 3,50% 4,00%

0,03 0,09 0,17 0,34 0,85 1,70 3,40 4,25 5,67 8,50 11,33 12,75 13,60 15,30 16,15 16,66 16,83 16,92 16,97 17,00

EER Frequency (Hz) 16 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

Summary

Sensor-enhanced Keystroke Dynamics (SKD): A new biometric authentication mechanism for mobile devices. Unagi: A fixed-text authentication system based on SKD. Key results:

Movement sensors are suitable for biometric authentication purposes. Sensors can drastically enhance keystroke dynamics accuracy. Effective even with short passwords and low sampling frequencies.

Future work:

Applicability to free-text authentication and uncontrolled settings. Robustness against statistical attacks.

17 / 18 I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Cristiano Giuffrida

I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics Thank you! Any questions?

Cristiano Giuffrida, Kamil Majdanik, Mauro Conti, Herbert Bos {giuffrida,k.majdanik,mconti,herbertb}@cs.vu.nl

VU University Amsterdam