Enhancing password based schemes with keystroke dynamics
• Doctoral Consortium presentation
• February 2010
• Author: Mr N. Pavaday
UOM Research Week

Menu
• Introduction
• Problem Definition
• Related work
• Set up
• Results
• Conclusion and future work
Introduction
• People rely heavily on computer based systems, e.g.:
  - Critical national-scale infrastructures: communication networks, the electric power grid, gas lines, water systems, traffic control systems.
  - Localized systems that perform safety-critical functions in aircraft, automobiles, and home appliances.
• Without security these systems are at the mercy of intruders/attackers.
• Computer security involves a number of components, among which successful verification of the identity of a person/entity wishing to use the system stands as the essential front line of defense [1].
• Effective system administration, auditing, and efficient resource management all hinge on accurate user identification [2-4].
• Authentication requires users to prove that they really are who they say they are, before being given authorization, which then dictates what the user can access [5].
• Authentication triangle vertices: token, password/PIN, biometric.
• Password systems have been the favourite authentication method in electronic systems for years now. Several reasons:
  - straightforward to implement, easy to use and maintain;
  - their precision can be adjusted through password-structure policies;
  - the underlying cryptographic algorithms can be changed depending on the security level desired;
  - they are an inexpensive, scalable way of validating users, both locally and remotely, and for all sorts of services [6,7].
Problem definition
• Possession based authentication is susceptible to loss or theft and, in some cases, to copying/cloning of the token (cards, keys etc.). The holder is given the same rights as the authentic user: buddy punching, double dipping.
• Password based schemes: the strength of the system depends on the secrecy of the shared secret. Passwords should be easy to remember and provide swift authentication. On the other hand, in terms of security they should be difficult for an intruder to guess: composed of a long, random selection of alphanumeric keys, changed from time to time and unique to a single account [8].
• People forget their passwords, depending on the span of time, and easily when the password is not in use.
• Because of these stringent requirements many people feel the need to choose simple and predictable words or numbers related to everyday life, and engage in insecure practices such as recording their secret keys close to their authentication device or, even worse, sharing them.
• Same password everywhere: cascading security incidents, eventually identity theft.
• Computers make it effective and efficient to initiate dictionary and brute force attacks to obtain the secret.
• The problem is so serious that the user is often referred to as the ‘weakest link’ in the security chain [9].
• 2002 NTA Monitor Password Survey: heavy web users have an average of 21 passwords; 81% of users select a common password and 30% write their passwords down or store them in a file.
• In April 2004, more than 70% of the people approached at London’s Liverpool Street station were willing to disclose their password, with 34% being willing to reveal the information without the need to bribe them [10].
• Biometrics: identifying an individual based on his or her physiological or behavioral characteristics.
  - Physiological: retina, iris, vein, hand, finger etc.
  - Behavioral (action related): speech, signature, keystroke.
• Strongest means to authenticate people [11,12]:
  - The third type (biometric) is extremely difficult to copy, share or distribute and is resistant to forgery.
  - Only scheme that caters for non-repudiation: no user can claim the contrary after having accessed the content using his personal characteristics.
  - In addition, as no user's biometric is easier to break than another's, all users are on the same level.
• Biometrics require the support of specialized hardware devices for their implementation: high installation cost and difficult to use (training needed).
• A biometric, when compromised or lost, is not as easily replaceable as a password or token.
• Biometric systems are not yes/no: the outcome depends on system performance and threshold.
• FRR (false rejection rate) and FAR (false acceptance rate): mistaking biometric measurements from two different persons to be from the same person is called a false match. On the other hand, considering two biometric measurements from the same person to be from two different persons is a false reject.
Motivation
• Multi-factor authentication: a combination of factors that reaps the benefits of each, in terms of security and convenience.
• The system detailed in this paper fuses two of these security mechanisms in order to reinforce user authentication: a password string complemented with its corresponding typing pattern, which represents something the user must be.
• No additional hardware, and no extra action from the user, therefore easy integration with the actual system; problems like non-cooperative users, privacy etc. do not arise.
• Can be changed at the user’s wish.
• The uniqueness of a user’s typing pattern was first reported by Joyce and Gupta in 1990 [13].
• Some products that use such characteristics are now available on the market, e.g. BioPassword, used by Net Nanny to control children's use of the internet.
• The effectiveness and inner workings of such systems are not known, as very little research about them is available in the public domain [13].
• Two patents have been issued on the use of statistical models [14]; the trend is towards machine learning and artificial intelligence.
Related work
• The concerns of the papers published up to now can be recapped along these core points: (1) target string, (2) training set, (3) features, (4) timing accuracy, (5) template adaptation mechanism, (6) classifiers, (7) trials before authentication.
• In 2005, the impact of the constituents of the password was emphasized in a study [15]: the choice of a target string with capital letters, which combines the Shift and Caps Lock keys, plays an important role in the authentication of users. Moreover, the familiarity of the user with the target string was also investigated in that same study.
• In a recent study Revett and Khan concluded that adding keyboard partitioning reduces the impostor success rate [16].
• In a number of situations computer generated passwords are used: software keys, loss of password, temporary ones etc.
• A good password is unique and distinguishable; mathematically, minimum intra-class and maximum inter-class variability.
• For widespread use of keystroke dynamics there should be no difference between human generated and spontaneously (computer) generated passwords.
Set up
• A toolkit was constructed in Microsoft Visual Basic 6.0 which allowed capturing key depression, key release and key code for each physical key being used, and the generation of random strings of various lengths.
• A template vector of each authorized user is built from the flight and dwell times, recorded to the nearest millisecond.
• Template: an approach similar to that used by banks and other financial institutions. A new user goes through a session where he/she provides a number of digital signatures by typing the selected password a number of times.
--------dev-------------------
p tmp103 time103 ms duration 6 ms tmu 109 P
a tmp141 time141 ms duration 7 ms tmu 148 A
s tmp172 time172 ms duration 4 ms tmu 177 S
s tmp238 time238 ms duration 8 ms tmu 246 S
w tmp369 time369 ms duration 6 ms tmu 375 W
duration 6 ms tmu 836 ,
• Using the password “Thurs1day” we obtained 8 keystroke interval and 9 keystroke duration times, neglecting the “Enter” key.
• Number of attempts: a trade-off between a good estimate of variability and annoyance of users.
• Login: the captured features are compared to the template; above the threshold the user is allowed in, else rejected.
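The feature extraction, template and threshold comparison described on the set-up slides, and the FAR/FRR definitions from the biometrics slide, worked through as an added Python example; this is not the presentation's VB6 toolkit or its Matlab code. It parses capture lines in the style of the toolkit dump above (key, tmp = key-down time, tmu = key-up time), derives the 9 dwell and 8 flight times for “Thurs1day”, builds a mean/standard-deviation template from ten enrollment typings, and accepts a login attempt when at least 70% of its features fall inside the template's tolerance. The synthetic typing profiles, the ±2σ tolerance with a 12 ms floor, the seed and the genuine/impostor attempts used to compute FAR and FRR are all constructed assumptions of this example.

```python
"""Keystroke-dynamics template and verifier (added example; not the presentation's toolkit)."""
import random
import re
import statistics

PASSWORD = "Thurs1day"  # the target string used in the study: 9 keys -> 9 dwell + 8 flight times
THRESHOLD = 0.70        # fraction of features that must match, the value reported on the results slide
MIN_TOL_MS = 12.0       # assumption: floor on the per-feature tolerance so an unusually consistent
                        # enrollment does not lock the genuine user out

# One capture line per key, in the style of the toolkit dump: key, tmp<key-down ms>, ..., tmu <key-up ms>
LINE_RE = re.compile(r"^(\S+) tmp(\d+) time\d+ ms duration \d+ ms tmu (\d+)")


def parse_capture(text):
    """Return [(key, down_ms, up_ms), ...] from toolkit-style capture lines; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return events


def features(events):
    """Dwell time of every key, followed by the flight time between consecutive keys."""
    dwell = [up - down for _, down, up in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight


def build_template(vectors):
    """Per-feature (mean, population std dev) over the enrollment typings."""
    return [(statistics.mean(col), statistics.pstdev(col)) for col in zip(*vectors)]


def match_score(template, vector, k=2.0):
    """Fraction of features lying within mean +/- max(k * sigma, MIN_TOL_MS)."""
    hits = sum(1 for (mu, sd), x in zip(template, vector)
               if abs(x - mu) <= max(k * sd, MIN_TOL_MS))
    return hits / len(template)


def verify(template, vector, threshold=THRESHOLD):
    """Accept the attempt when enough of its features match the template."""
    return match_score(template, vector) >= threshold


def error_rates(template, genuine, impostor, threshold=THRESHOLD):
    """(FAR, FRR): impostors accepted / impostor attempts, genuine users rejected / genuine attempts."""
    far = sum(verify(template, v, threshold) for v in impostor) / len(impostor)
    frr = sum(not verify(template, v, threshold) for v in genuine) / len(genuine)
    return far, frr


def synth_capture(dwell_ms, flight_ms, rng, jitter=6):
    """Constructed typing of PASSWORD around a (dwell, flight) profile, emitted in the dump format."""
    lines, t = [], 100
    for ch in PASSWORD:
        down = t
        up = down + dwell_ms + rng.randint(-jitter, jitter)
        lines.append(f"{ch} tmp{down} time{down} ms duration {up - down} ms tmu {up} {ch.upper()}")
        t = up + flight_ms + rng.randint(-jitter, jitter)
    return "\n".join(lines)


def run_experiment(seed=1, enrol=10, attempts=20):
    """Enroll a constructed user from `enrol` typings, then test genuine and impostor attempts."""
    rng = random.Random(seed)
    user, intruder = (70, 120), (140, 200)   # assumed (dwell, flight) profiles in ms
    enrol_vecs = [features(parse_capture(synth_capture(*user, rng))) for _ in range(enrol)]
    template = build_template(enrol_vecs)
    genuine = [features(parse_capture(synth_capture(*user, rng))) for _ in range(attempts)]
    impostor = [features(parse_capture(synth_capture(*intruder, rng))) for _ in range(attempts)]
    far, frr = error_rates(template, genuine, impostor)
    return template, far, frr


if __name__ == "__main__":
    template, far, frr = run_experiment()
    print(f"{len(template)} features, FAR={far:.2f}, FRR={frr:.2f}")
```

With the 70% threshold, 12 of the 17 features must match (12/17 ≈ 0.71) while 11 is not enough; raising the threshold lowers FAR at the cost of FRR, which is the annoyance trade-off the slide mentions.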
Results
• Values captured during enrollment are passed by a small program to a Matlab function for the NN to learn the features. Login attempts are then fed to the NN to find the best match.
• The first step was to explore and fine tune the parameter values for the NN.
• Architecture used: multiple layer perceptron (MLP) with back propagation (BP) and a sigmoid transfer function, the same NN as used in [17-19].
Figure: Variation of learning with fraction of error feedback
• Users were allowed to practice the human generated password, then press a button to get a computer generated one and practice that.
• Comparison using the optimal values obtained for the NN: 20 hidden nodes, learning rate of 0.6, sample size of 10 and a threshold of 70%.
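An added Python example of the classifier stage described on the results slides; it is not the Matlab code used in the study. It trains a multilayer perceptron with 20 sigmoid hidden nodes by on-line back propagation with learning rate 0.6 (the values the slide reports) on a sample of 10 genuine and 10 impostor feature vectors, and scores a login attempt by the network output. The constructed feature vectors, their z-score normalisation, the number of epochs and the random seed are assumptions of this example.

```python
"""MLP keystroke verifier trained by back propagation (added example; not the study's Matlab code)."""
import math
import random

N_HIDDEN, LEARNING_RATE = 20, 0.6   # values reported on the results slide
EPOCHS = 200                        # assumption
N_FEATURES = 17                     # 9 dwell + 8 flight times for a 9-character password


def sigmoid(x):
    x = max(-500.0, min(500.0, x))  # guard against overflow in exp
    return 1.0 / (1.0 + math.exp(-x))


class Mlp:
    """One hidden layer of sigmoid units and one sigmoid output; bias is a constant 1 input."""

    def __init__(self, n_in, n_hidden, rng):
        self.w_h = [[rng.uniform(-0.5, 0.5) for _ in range(n_in + 1)] for _ in range(n_hidden)]
        self.w_o = [rng.uniform(-0.5, 0.5) for _ in range(n_hidden + 1)]

    def forward(self, x):
        xb = x + [1.0]
        h = [sigmoid(sum(w * v for w, v in zip(row, xb))) for row in self.w_h]
        o = sigmoid(sum(w * v for w, v in zip(self.w_o, h + [1.0])))
        return h, o

    def train_step(self, x, target, lr):
        """One on-line back-propagation update; returns the squared error before the update."""
        xb = x + [1.0]
        h, o = self.forward(x)
        delta_o = (target - o) * o * (1.0 - o)                       # output-layer error signal
        delta_h = [delta_o * self.w_o[j] * h[j] * (1.0 - h[j]) for j in range(len(h))]
        for j, v in enumerate(h + [1.0]):
            self.w_o[j] += lr * delta_o * v
        for j, row in enumerate(self.w_h):
            for i, v in enumerate(xb):
                row[i] += lr * delta_h[j] * v
        return (target - o) ** 2


def synth_vector(dwell, flight, rng, jitter=6):
    """Constructed feature vector (ms) around a typing profile, with uniform jitter."""
    return ([dwell + rng.randint(-jitter, jitter) for _ in range(9)] +
            [flight + rng.randint(-jitter, jitter) for _ in range(8)])


def zscore_fit(vectors):
    """Per-feature mean and std dev of the training set (std floored to avoid division by zero)."""
    cols = list(zip(*vectors))
    means = [sum(c) / len(c) for c in cols]
    stds = [max(math.sqrt(sum((v - m) ** 2 for v in c) / len(c)), 1e-6) for c, m in zip(cols, means)]
    return means, stds


def zscore(vector, means, stds):
    return [(v - m) / s for v, m, s in zip(vector, means, stds)]


def train_verifier(seed=7, n_samples=10, epochs=EPOCHS):
    """Train on n_samples genuine (target 1) and n_samples impostor (target 0) typings."""
    rng = random.Random(seed)
    genuine = [synth_vector(70, 120, rng) for _ in range(n_samples)]    # assumed user profile
    impostor = [synth_vector(140, 200, rng) for _ in range(n_samples)]  # assumed intruder profile
    means, stds = zscore_fit(genuine + impostor)
    data = ([(zscore(v, means, stds), 1.0) for v in genuine] +
            [(zscore(v, means, stds), 0.0) for v in impostor])
    net = Mlp(N_FEATURES, N_HIDDEN, rng)
    for _ in range(epochs):
        rng.shuffle(data)
        for x, t in data:
            net.train_step(x, t, LEARNING_RATE)
    accuracy = sum((net.forward(x)[1] >= 0.5) == (t == 1.0) for x, t in data) / len(data)
    return net, means, stds, accuracy


def score(net, means, stds, vector):
    """Network output in (0, 1): closer to 1 means the attempt looks like the enrolled user."""
    return net.forward(zscore(vector, means, stds))[1]


if __name__ == "__main__":
    net, means, stds, acc = train_verifier()
    print(f"training accuracy {acc:.2f}")
```

The normalisation statistics are computed on the enrollment data only and then reused at login; fitting them again on each attempt would let an impostor's timings shift the scale the network was trained against.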
Conclusion
• Our results show that human generated passwords are better than computer generated ones, in line with previous research; the values obtained favor the use of human generated passwords.
• For spontaneous (computer generated) passwords impersonation is low; the uniqueness of each attempt is supplemented by a high FRR.
• Our work shows that computer generated passwords have better differentiating capability, which is equally important.
• More hunt and peck typing with computer generated passwords.
• Fewer usable attempts with the spontaneous one, because of more use of “backspace/delete”.
Future work
• Different timings that have been used and their effect.
• Scalability of the system on different systems.
• Password constituents and differentiating capability.
• Habituation effect.
• Improving the matching score during the initiation stage.
• Error correcting capability: incorporation of error correcting capabilities without degrading system performance.
• Fusion of features and even of classifiers; best combination of fusion, if any.
References:
[1] C.P. Pfleeger, Security in Computing, International Edition, 2nd edition, Prentice Hall International, Upper Saddle River, NJ, 1997.
[2] D.L. Jobusch and A.E. Oldehoeft, “A Survey of Password Mechanisms: Weaknesses and Potential Improvements, Part 1,” Computers & Security, Vol. 8, 1989, pp. 587–604.
[3] C.P. Pfleeger, Security in Computing, Prentice-Hall, Upper Saddle River, NJ, 1993.
[4] J.C. Spender, “Identifying Computer Users with Authentication Devices (Tokens),” Computers & Security, Vol. 6, 1987, pp. 385–395.
[5] J. Roland, CCSP Self-Study: Securing Cisco IOS Networks (SECUR), Cisco Press, Indianapolis, IN, 2004.
[6] S. Mandujano and R. Soto, “Deterring Password Sharing: User Authentication via Fuzzy c-Means Clustering Applied to Keystroke Biometric Data,” Proceedings of the Fifth Mexican International Conference in Computer Science (ENC’04), 2004.
[7] R. Richardson, Computer Crime & Security Survey 2003, Technical report, Computer Security Institute (CSI) and Federal Bureau of Investigation (FBI), 2003.
[8] A.K. Jain, A. Ross and S. Prabhakar, “An Introduction to Biometric Recognition,” IEEE Transactions on Circuits and Systems for Video Technology, Vol. 14, No. 1, January 2004, pp. 4–20.
[9] J. Leggett and G. Williams, “Verifying identity via keyboard characteristics,” Int. J. Man-Machine Studies, Vol. 23, No. 1, Jan. 1988, pp. 67–76.
[10] “Passwords revealed by sweet deal,” BBC News online, 20 April 2004.
[11] R. Bolle, Guide to Biometrics, Springer-Verlag, 1st edition, December 2003.
[12] R. Hsu, M. Abdel-Mottaleb and A. Jain, “Face detection in color images,” IEEE Transactions on Pattern Analysis and Machine Intelligence, Vol. 25, No. 5, pp. 696–706, 2002.
[13] R. Joyce and G. Gupta, “Identity Authentication Based on Keystroke Latencies,” Communications of the ACM, Vol. 33, No. 2, pp. 168–176, 1990.
[14] J. Bechtel, G. Serpen and M. Brown, International Journal of Computer Intelligence and Applications, Vol. 2, No. 2, pp. 1–22, 2002.
[15] L.C.F. Araújo, L.H.R. Sucupira Jr., M.G. Lizárraga, L.L. Ling and J.B.T. Yabu-uti, “User Authentication through Typing Biometrics Features,” IEEE Transactions on Signal Processing, Vol. 53, No. 2, February 2005, pp. 851–855.
[16] K. Revett and A. Khan, “Enhancing login security using keystroke hardening and keyboard gridding,” Proceedings of the IADIS MCCSIS, pp. 1–6, 2005.
[17] D.T. Lin, “Computer access authentication with neural network based keystroke identity verification,” Proc. IEEE Intl. Conf. on Neural Networks, pp. 174–178, 1997.
[18] M.S. Obaidat and D.T. Macchairolo, “A multilayer neural network system for computer access security,” IEEE Transactions on Systems, Man, and Cybernetics, Vol. 24, No. 5, May 1994.
[19] D. Rumelhart, G. Hinton and R. Williams, “Learning internal representations by error backpropagation,” in Parallel Distributed Processing, MIT Press, Cambridge, MA, pp. 318–362, 1986.
Thank you