keystroke dynamics

Post on 11-Jan-2016

Keystroke Dynamics

Jacob Wise and Chong Gu

Introduction

● People have “unique” typing patterns

– “Unique” in the same way that fingerprints aren't proven unique

● Typing patterns could be used for authentication

– Stronger than password

– Harder to copy

– Can use challenge-response

● Inexpensive

Previous Work

● Neural Networks

– Less mainstream approach

– Papers co-authored by M.S. Obaidat

● “Traditional” Approach

– Reference Signatures computed by calculating the Mean and Standard Deviations

– Measures “distance” between Reference Signature and Test Signature

– Use digraph/trigraph

– Rick Joyce & Gopal Gupta (1990); F. Monrose & A. Rubin (1997); F. Bergadano, D. Gunetti, and C. Picardi (2002)

First problem - Collecting Data

● Built-in .NET DateTime class

– Precise only to about 10 milliseconds

● Methods from kernel32.dll

– About 15 significant digits (don't know for sure)

First Prototype

● Timing Data for all fields

– User Name

– Password

– Full Name

● Mistakes not allowed

● Signature object is serialized and saved to a file

The World of Neural Networks

● User Name / Password / Full Name unsuitable

– Can't train a neural network on only positive examples

– Would need to collect break-in attempts by other users

● Hence the “Counterexample” option in the first prototype

● Everyone-Types-The-Same-Thing works better

– Hence the passage collection form...

The Passage Collection Form

Passage Analysis Form

● Tool to help analyze collected keystroke data

– Data is in .psig (PassageSignature) and .signature (Signature) files

● We hope this tool will be used and extended in future work on this project

● Tabs for BPN (Back-Propagation Network), more traditional analyses, and others that are yet to come

Passage Analysis Form

[neural networks]

● Explain BPN basics

● This started as just a first step

● Ended up taking the whole time to tune

“Traditional” Approach

● Reference Signature

– Computed by calculating the mean and standard deviation of samples each user has provided

– Based on Press Time or Flight Time

– Samples that are too far off (greater than a certain threshold above the mean) are discarded. The Means are recalculated.

● This value needs to be tuned

● 3 std results in 0.85% of samples being discarded

● 2 std results in 5% of samples being discarded

“Traditional” Approach - Reference Signatures based on Flight Time

[Figure: User B's Reference Signature (F). x-axis: key press (1 to 35); y-axis: flight time (-0.1 to 0.2).]

[Figure: User A's Reference Signature (F). x-axis: key presses (1 to 35); y-axis: flight time (-0.1 to 0.2).]

“Traditional” Approach - Reference Signatures based on Press Time

[Figure: User B's Reference Signature. x-axis: key presses (1 to 36); y-axis: press time (0 to 0.25).]

[Figure: User C's Reference Signature. x-axis: key presses (1 to 36); y-axis: press time (0 to 0.25).]

“Traditional” Approach - Reference Signatures

● We have noticed that there is a bigger variance between users if we base our Reference Signatures on Flight Times.

[Figure: Press Mean (phrase 1) unfiltered. Ten series; x-axis: key press (1 to 36); y-axis: press time (0 to 0.25).]

[Figure: Flight Mean (Phrase 1, filter = 2std). Ten series; x-axis: key press (1 to 35); y-axis: flight time (-0.1 to 0.3).]

“Traditional” Approach - the Verifier

● Two approaches have been considered, but neither is up and running

– Comparing the individual press/flight times of the test signature with the mean reference signature. A press/flight time is considered valid if it is within x profile standard deviations of the mean reference digraph (where x needs to be tuned).

– Comparing the magnitude of the difference between the mean reference signature (M) and the test signature (T). A threshold for an acceptable magnitude is required. For a user with greater variability in his/her signatures, a bigger threshold value should be used.

● This approach has had some good results

● Again, the threshold value needs to be tuned.
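
The reference signature (mean and standard deviation with outlier discard) and the two verifier ideas from the slides above, as an added Python example; it is not the presenters' code. The function names, the sample timings, the Euclidean norm for the magnitude and the rule that sets the threshold to x times the norm of the per-position standard deviations are assumptions made for illustration.

```python
import math
from statistics import mean, pstdev

# Constructed flight times (seconds): six typings of a four-digraph phrase.
ENROLL = [
    [0.10, 0.05, 0.12, 0.08],
    [0.11, 0.06, 0.11, 0.09],
    [0.09, 0.04, 0.13, 0.07],
    [0.10, 0.05, 0.12, 0.08],
    [0.10, 0.05, 0.12, 0.40],  # hesitation before the last key
    [0.11, 0.05, 0.13, 0.08],
]
GENUINE = [0.10, 0.05, 0.12, 0.08]   # constructed test signatures
IMPOSTOR = [0.18, 0.12, 0.05, 0.15]

def build_reference(samples, k=2.0):
    """Per-position mean/std; values more than k std above the mean are
    discarded and the statistics recalculated, as the slides describe."""
    means, stds = [], []
    for column in zip(*samples):
        m, s = mean(column), pstdev(column)
        kept = [v for v in column if v <= m + k * s]
        means.append(mean(kept))
        stds.append(pstdev(kept))
    return means, stds

def fraction_valid(ref, test, x=2.0):
    """Verifier 1: share of timings within x profile std of the reference."""
    means, stds = ref
    hits = sum(abs(t - m) <= x * s for m, s, t in zip(means, stds, test))
    return hits / len(test)

def accept_by_magnitude(ref, test, x=2.0):
    """Verifier 2: accept if |M - T| is under a per-user threshold.
    Assumption: Euclidean norm, threshold = x * norm of the std vector,
    so a more variable typist gets a proportionally larger threshold."""
    means, stds = ref
    distance = math.sqrt(sum((m - t) ** 2 for m, t in zip(means, test)))
    return distance <= x * math.sqrt(sum(s * s for s in stds))

if __name__ == "__main__":
    ref = build_reference(ENROLL)
    for name, sig in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(name, fraction_valid(ref, sig), accept_by_magnitude(ref, sig))
```

With six samples a single value can sit at most sqrt(5) ≈ 2.24 population standard deviations from the mean, so k = 3 would never discard anything here; the discard cutoff has to be tuned against the number of enrollment samples as well.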

Conclusion

● We have...

– Done lots of work but just barely scratched the surface

– Focused on getting some usable analysis tools up and running

– Implemented fairly standard algorithms according to previous research

● There is a lot of work to be done!

Epilogue

● Papers that excite us and into which we didn't have time to seriously delve:

– “User Authentication through Keystroke Dynamics” Bergadano, Gunetti, Picardi (2002)

– “Password hardening based on keystroke dynamics” Monrose, Reiter, Wetzel (2001)

● Not just authentication
