[PPT] - No Training Hurdles: Fast Training- Agnostic Attacks to Infer Your PowerPoint Presentation

SLIDE 1

No Training Hurdles: Fast Training- Agnostic Attacks to Infer Your Typing

Song Fang*, Ian Markwood†, Yao Liu†, Shangqing Zhao†, Zhuo Lu†, Haojin Zhu‡

*University of Oklahoma †University of South Florida ‡Shanghai Jiaotong University

SLIDE 2

Background

Typing via a keyboard plays a very important

role in our daily life.

Hacker What are you typing?

2 of 37

SLIDE 3

Existing Non-invasive Attacks

Software or hardware based keylogger

General principle: pressing a key causes subtle environmental impacts unique to that key

3 of 37

SLIDE 4

Example Attacks

Training Phase Attack Phase Trained model Environmental change

Vibration pattern Wireless distortion

Keystrokes Unknown disturbances Checking training data

Acoustic feature

4 of 37

SLIDE 5

Why Is Training A Hurdle

A user may change typing behaviors No physical control of keyboard Require pressed key knowledge

5 of 37

SLIDE 6

e t a o i n s h r d l c umw f g y p b v k j x q z 0.05 0.1 0.15

Letter frequency distribution in English

Statistical Methods

Frequency analysis: analyzing the frequencies
f observed disturbances

A large amount of text

6 of 37

SLIDE 7

Probabilistic Statistics

Question: Is it possible to develop a non-invasive keystroke eavesdropping within a shorter time?

Self-contained structures of words Type Disturbances sense

!

7 of 37

SLIDE 8

v Advantages: ü Ubiquitous deployment of wireless infrastructures ü Radio signal nature of invisibility ü Elimination of the line-of-sight requirement

CSI (channel state information) quantifies the disturbances

Wireless Signal Based Attacks

H ( f ,t ) = Y ( f ,t ) X ( f ,t )

Tx Rx

X(f, t) Y(f, t) Public

8 of 37

SLIDE 9

Motivation
Attack Design
Experiment Results
Conclusion

Outline

SLIDE 10

Keystrokes

System Overview

CSI samples Pre-processing CSI word group generation Dictionary demodulation Alphabet matching Signal Noise removal Channel estimation CSI time series Reduction Segmentation A CSI sample refers to an individual segment corresponding to the action of pressing a key.

10 of 37

SLIDE 11

CSI word groups CSI samples Word segmentation Sorting Classification

CSI Word Group Generation

A CSI word group refers to the a group of CSI samples comprising each typed word.

11 of 37

SLIDE 12

Set 1 CSI samples Set 2 · · ·

· · ·

Similarity calculation Classification Sorting Word segmentation

12 of 37

SLIDE 13

Set 1 Set 2 · · · Set N · · · Set i · · · · · · · · · Sort based

n the size

Classification Sorting Word segmentation

13 of 37

SLIDE 14

CSI word group

/ / /··· …… …… ……

Space-associated Non-space-associated time Dictionary demodulation Classification Sorting Word segmentation

14 of 37

SLIDE 15

English words CSI word groups

Dictionary Demodulation (DD)

(Eg., ) Feature Extraction Joint Demodulation Error Tolerance DD Non-Alphabetical Impact

15 of 37

SLIDE 16

Ø Length L: number of constituent letters

Feature Extraction

Ø Inter-Element Relationship Matrix M Ø Repetition {L, (t1, …, tr)}:

r is the number of distinct letters that repeat,
ti denotes how many times the corresponding letter repeats

if xi and xj are same or similar

16 of 37

SLIDE 17

Set 1 English words Set 2 · · · · · · Selected feature

Feature Extraction

Length OR Repetition OR Relationship Matrix

Dictionary: Top 1,500 most frequently used word list[1]

[1] Mark Davies. “Word frequency data from the Corpus of Contemporary American English (COCA),” http://www.wordfrequency.info/free.asp.

17 of 37

SLIDE 18

Uniqueness rate = T p

T

- number of sets obtained
- number of consider words

Better partitioning (distinguishability) Uniqueness rate Average set cardinality Length 0.009 107 Repetition 0.042 24 Relationship matrix 0.225 4

Feature Extraction

18 of 37

SLIDE 19

A dictionary W={‘among’, ‘apple’, ‘are’, ‘hat’, ‘honey’,

‘hope’, ‘old’, ‘offer’, ‘pen’}.

Type in two words: “apple” and “pen”
Example:

2) compute the relationship matrix for each word in W, and compare each with R1 Candidates: “apple” and “offer”

Joint Demodulation

1) R1:

19 of 37

SLIDE 20

3) Candidates: {“hat”, “old”, “are”, “pen”} 5) Candidates T of the two-word sequence, 6) Generate the relationship matrix for each new candidate in T and compare it with Rnew {“apple||hat”, “apple||old”, “apple||are”, “apple||pen”, “offer||hat”, “offer||old”, “offer||are”, “offer||pen”} 4) || Rnew

Joint Demodulation

Final result: “apple||pen”

20 of 37

SLIDE 21

Input:

Ø

m CSI word groups S = {S1, S2, …, Sm};

Ø

dictionary with q words W = {W1, W2, …, Wq}

Output:

Ø

a corresponding phrase of m words

Observation:

Ø

each CSI word group => multiple candidate words

Ø

each candidate => <CSI sample, letter> mapping info

Joint Demodulation

21 of 37

SLIDE 22

Step 1: find initial candidate words for each CSI word group

RCSI word group Reach word => match, add the word as a candidate; no match, add the CSI word group to the “undemodulated set” U Compare

Joint Demodulation

22 of 37

SLIDE 23

Step 2 (iteratively):

=> match, add Tij||Sik as a candidate for Ti+1 ; no match, add Si to U and skip to Si+1 (a) Ti : concatenation of the first i-1 demodulated CSI word groups; candidates for Ti are {Ti1 , Ti2 ,…, Tip } (b) Si : the i-th CSI word group; candidates for Si are {Si1 , Si2 ,…, Siq } (by step 1) (c) Find new candidates for concatenated CSI word groups R R Compare

Ti||SI Tij||Sik (1<=j<=p, 1<=k<=q)

Joint Demodulation

23 of 37

SLIDE 24

Alphabet matching: the mapping can be applied to the

remaining CSI word groups and those in U

Ø Example: the user types “deed” || “would” after the

mapping is established;

Joint Demodulation

24 of 37

SLIDE 25

A CSI sample for the letter

Error/Non-Alphabetical Characters Tolerance

Set of CSI samples for the letter

X

Consequence Have no candidates Match with invalid words Add the CSI word group to the set U Cascading discovery failures

Abnormal situations:

Ø CSI classification errors Ø Typos/Non-Alphabetical Characters

25 of 37

SLIDE 26

Motivation
Attack Design
Experiment Results
Conclusion

Outline

SLIDE 27

Experiment Results

Attack system:

Ø a wireless transmitter + a receiver

(each is a USRP connected with a PC)

Ø the channel estimation algorithm runs at the receiver to

extract the CSI for key inference.

Ø dictionary: Top 1,500 most frequently used word list

Target user:

Ø a desktop computer with a Dell SK-8115 USB wired

standard keyboard

27 of 37

SLIDE 28

Recovering words not in the dictionary: The boy/box was there when the sun rose. A *** is used to catch **** *****. The source of the huge river is the clear

spring. **** the ball straight and follow through. Help the

woman get back to her ****. Input paragraph: The boy was there when the sun rose. A rod is used to catch pink salmon. The source of the huge river is the clear spring. Kick the ball straight and follow through. Help the woman get back to her feet. (1) rod; (2) pink; (3) salmon; (4) Kick; (5) feet. Searching results: Step%1% Step%2%

Randomly select 5 sentences from the representative

English sentences in the Harvard sentences[2].

Example Recovery Process

[2] IEEE Subcommittee on Subjective Measurements. “IEEE Recommended Practice for Speech Quality Measurements,” IEEE Transactions on Audio and Electroacoustics, vol. 17, no. 3 (Sep 1969), pp. 227–246.

28 of 37

SLIDE 29

50 100 0.2 0.4 0.6 0.8 1 Word recovery ratio Number of typed words

Eavesdropping Accuracy

Word recover ratio= total # of input words # of successfully recovered words

Single article recovery (Type a piece of CNN news)

29 of 37

SLIDE 30

Success rate of classification 0.4 0.5 0.6 0.7 0.8 0.9 1 Word recovery ratio 0.2 0.4 0.6 0.8 1 1500-word dictionary 1000-word dictionary 500-word dictionary

Impact of CSI Sample Classification Errors

We artificially introduce errors into the groupings.

30 of 37

SLIDE 31

Overall Recovery Accuracy

20 40 60 0.2 0.4 0.6 0.8 1 Number L of typed words Empirical CDF P(LW RR>0.8 < L) P(LW RR>0.9 < L)

LWRR>x denotes the required number of typed words

from each article to satisfy the ratio x.

31 of 37

SLIDE 32

Time Complexity Analysis

The comparison of relationship matrices is the

dominant part of the demodulation phase.

10 20 30 40 50 10 10

1

10

2

10

3

10

4

10

5

Number of words New comparison number 1500−word dictionary 1000−word dictionary 500−word dictionary

32 of 37

SLIDE 33

Key length

6 7 8 9 10 11 12

Ratio of letters

0.2 0.4 0.6 0.8

Password Entropy Reduction

The higher the entropy, the more the randomness
2012 Yahoo! Voices hack[3]: 342,508 passwords:

98.42% of passwords are 12 characters or fewer

[3] 2012 Yahoo! Voices hack. https://en.wikipedia.org/wiki/2012_Yahoo!_Voices_hack

33 of 37

SLIDE 34

Breaking a 9-character password is reduced to

guessing 1-5 non-letter characters.

Password Entropy Reduction (Cont’d)

34 of 37

SLIDE 35

Motivation
Attack Design
Experiment Results
Conclusion

Outline

SLIDE 36

Conclusion

ü Identify a new type of keystroke eavesdropping

attack bypassing the training requirement

ü Create a joint demodulation algorithm to establish

the mapping between a letter and a CSI sample

ü Implement this attack on software-defined radio

platforms and conduct a suite of experiments to validate its impact

36 of 37

SLIDE 37

37 of 37