keystroke dynamics
Keystroke Dynamics
Jacob Wise and Chong Gu
Introduction
● People have “unique” typing patterns
– “Unique” in the same way that fingerprints aren't proven unique
● Typing patterns could be used for authentication
– Stronger than password
– Harder to copy
– Can use challenge-response
● Inexpensive
Previous Work
● Neural Networks
– Less mainstream approach
– Papers co-authored by M.S. Obaidat
● “Traditional” Approach
– Reference Signatures computed by calculating the Mean and Standard Deviations
– Measures “distance” between Reference Signature and Test Signature
– Use digraph/trigraph
– Rick Joyce & Gopal Gupta (1990); F. Monrose & A. Rubin (1997); F. Bergadano, D. Gunetti, and C. Picardi (2002)
First problem - Collecting Data
● Built-in .NET DateTime class
– Precise only to about 10 milliseconds
● Methods from kernel32.dll
– About 15 significant digits (don't know for sure)
First Prototype
● Timing Data for all fields
– User Name
– Password
– Full Name
● Mistakes not allowed
● Signature object is serialized and saved to a file
The World of Neural Networks
● User Name / Password / Full Name unsuitable
– Can't train a neural network on only positive examples
– Would need to collect break-in attempts by other users
● Hence the “Counterexample” option in the first prototype
● Everyone-Types-The-Same-Thing works better
– Hence the passage collection form...
The Passage Collection Form
Passage Analysis Form
● Tool to help analyze collected keystroke data
– Data is in .psig (PassageSignature) and .signature (Signature) files
● We hope this tool will be used and extended in future work on this project
● Tabs for BPN (Back-Propagation Network), more traditional analyses, and others that are yet to come
Passage Analysis Form [neural networks]
● Explain BPN basics
● This started as just a first step
● Ended up taking the whole time to tune
“Traditional” Approach
● Reference Signature
– Computed by calculating the mean and standard deviation of samples each user has provided
– Based on Press Time or Flight Time
– Samples that are too far off (greater than a certain threshold above the mean) are discarded. The Means are recalculated.
● This value needs to be tuned
● 3 std results in 0.85% of samples being discarded
● 2 std results in 5% of samples being discarded
“Traditional” Approach - Reference Signatures based on Flight Time
[Figures: User B's Reference Signature (F) and User A's Reference Signature (F); flight time plotted against key press]
“Traditional” Approach - Reference Signatures based on Press Time
[Figures: User B's Reference Signature and User C's Reference Signature; press time plotted against key press]
“Traditional” Approach - Reference Signatures
● We have noticed that there is a bigger variance between users if we base our Reference Signatures on Flight Times.
[Figures: Press Mean (phrase 1) unfiltered, press time plotted against key press, Series1 to Series10; Flight Mean (Phrase 1, filter = 2std), flight time plotted against key press, Series1 to Series10]
“Traditional” Approach - the Verifier
● Two approaches have been considered, but neither is up and running
– Comparing each individual press/flight time of the test signature with the mean reference signature. A press/flight time is considered valid if it is within x profile standard deviations of the mean reference digraph (where x needs to be tuned).
– Comparing the magnitude of the difference between the mean reference signature (M) and the test signature (T). A threshold for an acceptable magnitude is required. For a user whose signatures vary more, a bigger threshold value should be used.
● This approach has had some good results
● Again, the threshold value needs to be tuned.
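The reference-signature filter and the two verifier approaches from the slides, as an added Python sketch that is not the presenters' .NET code. Assumptions: filtering is applied per key position, the magnitude is a Euclidean norm, the per-user threshold is x times the norm of the profile standard deviations, and all names (`MIN_STD`, `fraction_valid`, `magnitude_ok`) and the timing data are constructed for illustration.

```python
import math
from statistics import mean, pstdev

MIN_STD = 0.001  # assumed 1 ms floor so a zero-variance position cannot reject every sample

def reference_signature(samples, k=2.0):
    """Per-position mean/std over one user's timing vectors (seconds)."""
    means, stds = [], []
    for column in zip(*samples):                      # one column per key position
        m, s = mean(column), pstdev(column)
        kept = [v for v in column if v <= m + k * s]  # discard values too far above the mean
        means.append(mean(kept))                      # mean recalculated after filtering
        stds.append(max(pstdev(kept), MIN_STD))
    return means, stds

def fraction_valid(test, means, stds, x=3.0):
    """Approach 1: share of timings within x profile stds of the reference mean."""
    if len(test) != len(means):
        raise ValueError("test signature length differs from reference")
    hits = sum(abs(t - m) <= x * s for t, m, s in zip(test, means, stds))
    return hits / len(test)

def magnitude_ok(test, means, stds, x=3.0):
    """Approach 2: ||M - T|| against a threshold that grows with user variability."""
    if len(test) != len(means):
        raise ValueError("test signature length differs from reference")
    threshold = x * math.sqrt(sum(s * s for s in stds))
    return math.dist(means, test) <= threshold

# Constructed flight times (seconds) for a 4-transition phrase; the last
# enrolment sample contains a 0.40 s hesitation at the third position.
ENROLMENT = [
    [0.10, 0.05, 0.12, 0.08], [0.11, 0.06, 0.13, 0.07],
    [0.09, 0.05, 0.11, 0.08], [0.10, 0.04, 0.12, 0.09],
    [0.10, 0.05, 0.12, 0.08], [0.10, 0.05, 0.40, 0.08],
]
GENUINE = [0.10, 0.06, 0.12, 0.08]      # same user, later attempt
OTHER_USER = [0.18, 0.02, 0.20, 0.08]   # different typist, same phrase

if __name__ == "__main__":
    M, SD = reference_signature(ENROLMENT)
    for name, t in (("genuine", GENUINE), ("other user", OTHER_USER)):
        print(name, fraction_valid(t, M, SD), magnitude_ok(t, M, SD))
```

With only a handful of enrolment samples a 2-std filter can fail to remove anything, because a single outlier inflates the standard deviation it is judged against; six samples is close to the minimum at which the hesitation above is discarded.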
Conclusion
● We have...
– Done lots of work but just barely scratched the surface
– Focused on getting some usable analysis tools up and running
– Implemented fairly standard algorithms according to previous research
● There is a lot of work to be done!
Epilogue
● Papers that excite us and into which we didn't have time to seriously delve:
– “User Authentication through Keystroke Dynamics” Bergadano, Gunetti, Picardi (2002)
– “Password hardening based on keystroke dynamics” Monrose, Reiter, Wetzel (2001)
● Not just authentication