ned bakelman , john v. monaco, sung_hyuk cha, charles c. tappert
DESCRIPTION
Continual Keystroke Biometric Authentication on Short Bursts of Keyboard Input. Ned Bakelman , John V. Monaco, Sung_Hyuk Cha, Charles C. Tappert. Overview. This study focuses on intruder detection using short bursts of keyboard input - PowerPoint PPT PresentationTRANSCRIPT
Ned Bakelman, John V. Monaco, Sung_Hyuk Cha, Charles C. Tappert
Continual Keystroke Biometric Authentication on Short Bursts of Keyboard Input
Overview
This study focuses on intruder detection using short bursts of keyboard input
•Text, spreadsheet and browser input was used for experiments•For text input, performance was measured as a function of keystroke length (strong performance)•For spreadsheet and browser, performance was measured on overall samples (weaker performance)•Focus on detection in a Continual Authentication environment
Background
•Biometrics•The study of human traits to identify and verify a person based on their
physiological and behavioral characteristics• Physiological – Fingerprint, DNA, Iris, Facial•Behavioral – Voice, Walking Gait, Typing Rhythms
Biometrics, Wikipedia (2011, October 17). Biometrics. [Online]. Available http://en.wikipedia.org/wiki/Biometrics.
Background (continued)
Pace University Keystroke Biometric System (PKBS)
Guglielmo, M., Weisman, A,. Prekelezaj, E., Camilo, D., (2012). Keystroke Biometric Intrusion Detection. Conference Proceedings, Pace University, New York.
Continual Burst Strategy
0 5 minutes 10 minutes
1min
1min
1min
Burst 1 Burst 2 Burst 3
Uniform burst authentication
0 8 minutes 30 minutes
1min
1min
1min
PauseThreshold
Burst 1 Burst 2 Burst 3
PauseThreshold
Burst authentication with pauses
• Continual - ongoing verification but with possible interruption•Burst Authentication - verification on short periods of computer input•Pause – period of inactivity from computer input devices (keyboard, mouse)•Continual Burst Authentication – ongoing verification occurring on short bursts
only after a pause
Text Samples Experiment
• Performance increases with number of keystrokes•Good performance in the 200 – 300 range• Important when considering short bursts of keyboard input
Text Input – Equal Error Rate (EER) per number of Keystrokes
Behavioral Biometrics and Cognitive Levels
Features can be thought of as representing various human cognitive levels of the person operating the computer. Thus providing a Behavioral Cognitive Fingerprint.
• Keystroke and Mouse – Operate at a sub conscious ballistic motor control level• Stylometric – Focuses on characters, words, syntax, therefore operates on a linguistic level• Intruder – Operates at the semantic level of intentional motivation
For example, intruder features are stylometric in that they help determine “authorship” and therefore operate at the Linguistic level. And they’re also Semantic in that the context they occur in can help determine intentional motivation.
Intruder
Keystroke + Mouse
Stylometry
Motor Control Level
Linguistic Level
Semantic Level
Features
Wikipedia.org http://en.wikipedia.org/wiki/Computer_keyboard, last updated: March 6, 2012
Numeric Features
Numeric KeypadQWERTY
Separate numeric features for both keypad and qwerty. These include durations and transitions between numeric keys, arithmetic operators, etc.
Spreadsheet Template2010 2009 2008
AssetsCash
Investments:Cash Equity Securities Corporate debt securities US government securities Private equity Real estate
Total Investments 0 0 0
Other Assets Total Assets $0 $0 $0
Liabilities and Net Assets
Liabilities:Penalities Accounts Payable Advance from Lendor Federak excuse tax
Total Liabilities 0 0 0
Net Assets:Tangiable Non Tangiable
Total Net Assets 0 0 0Total Net Assets and Liabilities $0 $0 $0
Special Journal EntriesEnter Journal Entry 1 Enter Journal Entry 2 Enter Journal Entry 3
Total Journal Entries $0.00 $0.00 $0.00
Preliminary Spreadsheet Samples Experiment
• Equal Error Rate (EER) ≈ 13.5 % (fair performance)•Approximately 400 Keystrokes per sample•Mostly numeric entry using Keypad and some QWERTY
Spreadsheet Input
0 10 20 30 40 50 60 70 80 90 1000
10
20
30
40
50
60
70
80
90
100
FRR
FAR
0 15 18.5 23 28.534.541.5 48 55 59.5 66 72 81 86.592.50
2
4
6
8
10
12
14
16
18
20
FRRFAR
Parameter m
FAR/
FRR
%
Train 20 - Test 20, 5 samples each
Preliminary Browser Samples Experiment
• Equal Error Rate (EER) ≈ 30 % (poor performance)• Less than 200 Keystrokes per sample•Mostly mouse input with sporadic keystroke entry
Browser Input
0 10 20 30 40 50 60 70 80 90 1000
10
20
30
40
50
60
70
80
90
100
FRR
FAR
60.6666666666666 86 97.3333333333333100 1000
10
20
30
40
50
FRR
FAR
Parameter m
FAR/
FRR
%
Train 15 - Test 15, 5 samples each
Conclusion
Main Contributions• Evaluation of text-input performance as a function of keystrokes per sample•As the number of keystrokes per sample increases so does performance (EER decreases)• Explored keystroke input from spreadsheet (numeric input) and Browser samples• Text input appears to be more robust than spreadsheet or browser input (Preliminary)
Next Steps• Explore other non-textual input such as spreadsheets and browser • Investigate intruder input• Include mouse features•Collect more data•Run more experiments
Backup Slides
Intruder Experiment Design (continued)
• Authenticate user on various window sizes, beginning 300-keystroke windows• Window Type 1: use overlapping windows to:
•Minimize the “wait” period for the next authentication•Maximize fast intruder detection
1 300 600 900 1200 1500 1800
300KS
300KS
300KS
300KS
300KS
300KS
150
300KS
450 750 1050 1350 1650
300KS
300KS
300KS
300KS
Keystroke Count
Intruder Experiment Design (continued)
• Window Type 2: Non-overlapping windows and re-start when Pause Threshold exceeded• Assumes a pause for intruder• Negates the necessity for overlapping windows
• Dependent Variable – Detection Accuracy (FAR / FRR trade off, EER etc.)• Independent Variables
• Windows Size (keystroke length)• Pause / Reset time interval• New Features (numeric input / keypad input)
1 300 600 900 1 300 600
300KS
300KS
300KS
300KS
300KS
PauseThreshold
Keystroke Count
Intruder Experiment Design (continued)
• Window Type 3: Spaced non-overlapping windows and re-start when Pause Threshold exceeded
• Assumes a pause for intruder• No need for overlapping windows• No need for continuous checking – only authenticate after pauses and after longer time intervals
• Dependent Variable – Detection Accuracy (FAR / FRR trade off, EER etc.)• Independent Variables
• Windows Size (keystroke length)• Pause / Reset time interval• New Features (numeric input / keypad input)
1 300 600 900 1 300 600
300KS
300KS
300KS
PauseThreshold
Keystroke Count
Preliminary New Results
Experiment 1 (train on text, test on spreadsheet - Weak Training)
• 5 Training User Subjects; 5 Testing User Subjects• Train: Text - 225 authentic and 1000 imposter samples• Test: Excel - 225 authentic and 1000 imposter samples
Weak Training - Text -> Spreadsheet
kNN Train Test FRR FAR Performance
3 225-1000 225 - 1000 25.78% 25.50% 74.45%
5 225-1000 225 - 1000 20.44% 30.90% 71.02%
9 225-1000 225 - 1000 17.33% 36.80% 66.78%
Mean Results: 21.18% 31.07% 70.75%
Preliminary New Results (continued)
Experiment 2 (train on spreadsheet, test on text - Weak Training)
• 5 Training User Subjects; 5 Testing User Subjects• Train: Excel- 225 authentic and 1000 imposter samples• Test: Text - 225 authentic and 1000 imposter samples
Weak Training - Spreadsheet -> Text
kNN Train Test FRR FAR Performance
3 225 - 1000 225 - 1000 0.00% 84.00% 31.43%
5 225 - 1000 225 - 1000 0.00% 87.60% 28.49%
9 225 - 1000 225 - 1000 0.00% 88.60% 27.67%
Mean Results: 0.00% 86.73% 29.20%
Preliminary New Results (continued)
Strong Training – Spreadsheet -> Spreadsheet
kNN Train Test FRR FAR Performance
3 50 - 250 50 - 250 16.00% 4.40% 93.67%
5 50 - 250 50 - 250 12.00% 5.60% 93.33%
9 50 - 250 50 - 250 12.00% 6.00% 93.33%
Mean Results: 13.33% 5.33% 93.44%
Experiment 3 (train on spreadsheet, test on spreadsheet - Strong Training)
• 5 Training User Subjects; 5 Testing User Subjects• Train: Excel - 50 authentic and 250 imposter samples• Test: Excel - 50 authentic and 250 imposter samples
Preliminary New Results (continued)
Experiment 4 (train on spreadsheet, test on spreadsheet - Weak Training)
• 5 Training User Subjects; 5 Testing User Subjects• Train: Excel - 225 authentic and 1000 imposter samples• Test: Excel - 225 authentic and 1000 imposter samples
Weak Training - Spreadsheet -> Spreadsheet
kNN Train Test FRR FAR Performance
3 225 - 1000 225 - 1000 16.00% 26.30% 75.59%
5 225 - 1000 225 - 1000 16.00% 28.50% 73.80%
9 225 - 1000 225 - 1000 16.00% 28.80% 73.55%
Mean Results: 16.00% 27.87% 74.31%
Preliminary New Results (continued)
Experiment 5 (train on browser, test on browser - Weak Training)
• 5 Training User Subjects; 5 Testing User Subjects• Train: Browser - 225 authentic and 1000 imposter samples• Test: Browser - 225 authentic and 1000 imposter samples
Weak Training - Browser -> Browser
kNN Train Test FRR FAR Performance
3 225 - 1000 225 - 1000 35.56% 12.90% 82.94%
5 225 - 1000 225 - 1000 33.33% 13.90% 82.53%
9 225 - 1000 225 - 1000 32.00% 13.60% 83.02%
Mean Results: 33.63% 13.47% 82.83%
Preliminary New Results (continued)
Experiment 6 (train on browser, test on browser - Strong Training)
• 5 Training User Subjects; 5 Testing User Subjects• Train: Browser - 100 authentic and 1125 imposter samples• Test: Browser - 100 authentic and 1125 imposter samples
Strong Training - Browser -> Browser
kNN Train Test FRR FAR Performance
3 100 - 1125 100 - 1125 62.00% 3.56% 91.67%
5 100 - 1125 100 - 1125 62.00% 2.22% 92.90%
9 100 - 1125 100 - 1125 73.00% 1.96% 92.94%
Mean Results: 65.67% 2.58% 92.50%
Preliminary New Features Comparison
Experiment 1 Numeric (New Features Comparison)
Weak Training - Spreadsheet -> Spreadsheet
kNN Train Test FRR FAR Performance
3 225 - 1000 225 - 1000 16.00% 26.30% 75.59%
5 225 - 1000 225 - 1000 16.00% 28.50% 73.80%
9 225 - 1000 225 - 1000 16.00% 28.80% 73.55%
Mean Results: 16.00% 27.87% 74.31%
Weak Training Spreadsheet(No Additional Numeric Features)
• Train with non team members (50)• Test with team members (50)
Weak Training Spreadsheet(With Numeric Duration and Transition features)
• Train with non team members (50)• Test with team members (50)• 4.5% improvement
• numeric keypad and QWERTY durations (96)• numeric keypad and QWERTY transitions type II (272)
Weak Training - Spreadsheet -> Spreadsheet
kNN Train Test FRR FAR Performance
3 225 - 1000 225 - 1000 5.11% 23.00% 78.45%
5 225 - 1000 225 - 1000 15.11% 24.30% 77.39%
9 225 - 1000 225 - 1000 14.22% 24.80% 77.14%
Mean Results: 11.48% 24.03% 77.66%
Preliminary New Features Comparison
Experiment 2 Numeric (New Features Comparison)
Weak Training - Spreadsheet -> Spreadsheet
kNN Train Test FRR FAR Performance
3 225 - 1000 225 - 1000 16.00% 26.30% 75.59%
5 225 - 1000 225 - 1000 16.00% 28.50% 73.80%
9 225 - 1000 225 - 1000 16.00% 28.80% 73.55%
Mean Results: 16.00% 27.87% 74.31%
Weak Training Spreadsheet(No Additional Numeric Features)
• Train with non team members (50)• Test with team members (50)
Weak Training Spreadsheet(With Numeric Duration and Transition features)
• Train with non team members (50)• Test with team members (50)• 11.3% improvement
• numeric keypad and QWERTY durations (96)• numeric keypad transitions type I per digit (200)• numeric keypad transitions type II per digit (200)
Weak Training - Spreadsheet -> Spreadsheet
kNN Train Test FRR FAR Performance
3 225 - 1000 225 - 1000 12.00% 18.10% 83.02%
5 225 - 1000 225 - 1000 11.11% 19.00% 82.45%
9 225 - 1000 225 - 1000 8.89% 19.40% 82.53%
Mean Results: 10.67% 18.83% 82.67%
Preliminary New Features Comparison
Experiment 3 Numeric (New Features Comparison)
Weak Training - Spreadsheet -> Spreadsheet
kNN Train Test FRR FAR Performance
3 225 - 1000 225 - 1000 16.00% 26.30% 75.59%
5 225 - 1000 225 - 1000 16.00% 28.50% 73.80%
9 225 - 1000 225 - 1000 16.00% 28.80% 73.55%
Mean Results: 16.00% 27.87% 74.31%
Weak Training Spreadsheet(No Additional Numeric Features)
• Train with non team members (50)• Test with team members (50)
Weak Training Spreadsheet(With Numeric Duration and Transition features)
• Train with non team members (50)• Test with team members (50)• 14.6% improvement
• numeric keypad durations per digit (20)• numeric keypad transitions type I per digit (200)• numeric keypad transitions type II per digit (200)
Weak Training - Spreadsheet -> Spreadsheet
kNN Train Test FRR FAR Performance
3 225 - 1000 225 - 1000 10.22% 16.40% 84.73%
5 225 - 1000 225 - 1000 7.11% 16.00% 85.63%
9 225 - 1000 225 - 1000 6.22% 16.70% 85.22%
Mean Results: 7.85% 16.37% 85.19%
Java Input System vs. Fimbel Keylogger
Experiment 7 (Similarity Comparison – Java Input System vs. Fimbel Keylogger)
Strong Training – Spreadsheet / Text -> Same
kNN Train Test FRR FAR Performance
3 60 - 375 60 - 375 13.33% 2.93% 95.63%
5 60 - 375 60 - 375 11.67% 3.20% 95.63%
9 60 - 375 60 - 375 10.00% 3.47% 95.63%
Mean Results: 11.67% 3.20% 95.63%
Strong Training Spreadsheet + Text
• 50 Spreadsheet samples collected (10 per subject)• 10 Text samples collected from Input System• Split samples evenly for training and testing
(Text Samples Collected Simultaneously From Java Input System and Fimbel Keylogger)
Strong Training – Spreadsheet / Text -> Same
kNN Train Test FRR FAR Performance
3 60 - 375 60 - 375 11.67% 2.67% 96.09%
5 60 - 375 60 - 375 11.67% 3.47% 95.40%
9 60 - 375 60 - 375 10.00% 3.73% 95.40%
Mean Results: 11.11% 3.29% 95.63%
Strong Training Spreadsheet + Text
• 50 Spreadsheet samples collected (10 per subject)• 10 Text samples collected from Fimbel Keylogger• Split samples evenly for training and testing
(Text Samples Collected Simultaneously From Java Input System and Fimbel Keylogger)
Features
Villani, M. (2006). Keystroke biometric identification studies on long text input. Doctoral dissertation, Pace University, New York.
Fallback Hierarchy – Durations
.
?
,
‘“
Punctuation
! ;
Shift
RightLeft
Ctrl
RightLeft
Enter
Tab
Space Caps Lock
QWERTYNon Letters
All Keys
56
0
4
1
23 7
8
9
.
Digits/Period
NumLock
Enter/
* - +
Num lock/EnterArithmetic
Other
Home
PgUp
PgDnDel
Ins
4 arrows
Center Pad
End
NumericKeypad
aue
io
Vowels
th
n s r
Most FreqCons
d qc f
w
OtherLeft Cons
All LeftLetters
All RightLetters
AllLetters
l kmy p
OtherRight Cons
4 5 6
01
23 7
8
9
Digits Symbols
/
* -+
ArithmeticLogic
=
Esc
F1 – F12
:
()
_&
~`
%#
$@
\|
{}[]Alt
RightLeft
^
>
<
PrintScreen/SysRqScrollLock/Pause/Break
g vjb
x
z
Fallback Hierarchy – Numeric Transitions
1-0
Any Digit / 0
2-0
3-0
4-0 5-0 6-0
7-0
8-0
Any Digit / (/*-+)
1-(/*-+)
2-(/*-+)
3-(/*-+)
4-(/*-+)
5-(/*-+) 6-(/*-+)
7-(/*-+)
8-(/*-+)
9-(/*-+)
0-(/*-+)
Numeric /Numeric
/ - (0…9)
* - (0…9)- - (0…9)
+ - (0…9)
(/*-+) / Any Digit
4-3
1-2Any Digit /
Neighbor Digit2-1
3-4
4-5
6-7
8-7
9-09-8
0-92-3
3-2
5-6
5-4 6-57-8
7-68-9
1-nnAny Digit /
Non Neighbor
2-nn
3-nn
4-nn
5-nn
6-nn
7-nn8-nn
9-nn
0-nn
1-1
Any Double Digit
2-2
3-3
4-4
5-5
6-6 7-7
8-89-9
0-0
Any Digit-(/*-+)
1-(/*-+)
2-(/*-+)
3-(/*-+)
4-(/*-+)
5-(/*-+) 6-(/*-+)
7-(/*-+)
8-(/*-+)
9-(/*-+)
0-(/*-+)
Keypad /Keypad
/ - (0…9)
* - (0…9) - - (0…9)
+ - (0…9)
(/*-+)-Any Digit
Any Digit-Any Digit1-1,2,3…0
2-1,2,3…0
3-1,2,3…0
9-1,2,3…0
4-1,2,3…0
0-1,2,3…0
6-1,2,3…05-1,2,3…0
8-1,2,3…0
7-1,2,3…0
PKBS Old Versuses New
KeystrokeData File
Data Capture
FeatureData File
BAS
JavaApplication
KeystrokeFeature
Extractor
Classification
Front End
FeatureExtraction
PKBS
Key LoggerOutput
DataCapture
Key Logger(Fimbel)
Converter
KeystrokeData File
FeatureData File
BAS
KeystrokeFeature
Extractor
Classification
FeatureExtraction
JavaApplication
Front End
New System
Identical Format
Typing Speed
•Average typing speed: 38 – 40 wpm (words per minute)
•Certainly higher for experts: 50 and above wpm
•Average word length: 5 or so characters per word
• 300 (ks window) / 5 + 1(space bar) = 50 words• At 50 wpm: ks window occurs 1 time per 60 seconds• At 40 wpm: ks window occurs 1 time per 75 seconds
Ostrach, Teresia, http://readi.info/documents/TypingSpeed.pdf, last accessed: October 13, 2011
Answers.yahoo.com. http://answers.yahoo.com/question/index?qid=20080526032554AAB28AF, last updated: May 5, 2006
Preliminary Results
Strong Training - Spreadsheet
kNN Train Test FRR FAR Performance
3 50 - 250 50 - 250 16.00% 4.40% 93.67%5 50 - 250 50 - 250 12.00% 5.60% 93.33%9 50 - 250 50 - 250 12.00% 6.00% 93.33%
Mean Results: 13.33% 5.33% 93.44%
Experiment 1
• 50 samples collected (10 per team member)• Split samples evenly for training and testing• Used the Excel Template to generate samples
Weak Training - Text -> Spreadsheet
kNN Train Test FRR FAR Performance
3 1350 - 43500 225 - 1000 36.89% 7.90% 86.78%5 1350 - 43500 225 - 1000 36.89% 10.20% 84.90%9 1350 - 43500 225 - 1000 33.78% 9.00% 86.45%
Mean Results: 35.85% 9.03% 86.04%
Experiment 3
• 300 Text samples obtained from previous study (10 per test taker)• 50 Spreadsheet samples obtained from Experiment 1• Text samples used for training• Spreadsheet samples used for tesing
Weak Training - Spreadsheet -> Text
kNN Train Test FRR FAR Performance
3 225 - 1000 1350 - 43500 1.48% 78.54% 23.78%5 225 - 1000 1350 - 43500 1.26% 79.83% 22.54%9 225 - 1000 1350 - 43500 1.41% 80.14% 22.23%
Mean Results: 1.38% 79.50% 22.85%
Experiment 3 - Reversed
• 300 Text samples obtained from previous study (10 per test taker)• 50 Spreadsheet samples obtained from Experiment 1• Spreadsheet samples used for training• Text samples used for tesing
Preliminary Results continued
Weak Training - Spreadsheet -> Text
kNN Train Test FRR FAR Performance
3 225 - 1000 225 - 1000 0.00% 84.00% 31.43%5 225 - 1000 225 - 1000 0.00% 87.60% 28.49%9 225 - 1000 225 - 1000 0.00% 88.60% 27.67%
Mean Results: 0.00% 86.73% 29.20%
Experiment 3A - Reversed
• 50 Text samples obtained from previous study (10 per test taker)• 50 Spreadsheet samples obtained from Experiment 1• Spreadsheet samples used for training• Text samples used for tesing
Weak Training - Text -> Spreadsheet
kNN Train Test FRR FAR Performance
3 225-1000 225 - 1000 25.78% 25.50% 74.45%5 225-1000 225 - 1000 20.44% 30.90% 71.02%9 225-1000 225 - 1000 17.33% 36.80% 66.78%
Mean Results: 21.18% 31.07% 70.75%
Experiment 3A
• 50 Text samples obtained from previous study (10 per test taker)• 50 Spreadsheet samples obtained from Experiment 1• Text samples used for training• Spreadsheet samples used for tesing
Weak Training - Spreadsheet -> Spreadsheet
kNN Train Test FRR FAR Performance
3 225 - 1000 225 - 1000 16.00% 26.30% 75.59%5 225 - 1000 225 - 1000 16.00% 28.50% 73.80%9 225 - 1000 225 - 1000 16.00% 28.80% 73.55%
Mean Results: 16.00% 27.87% 74.31%
Experiment 2
• 50 Spreadsheet samples collected (10 per team member)• 50 Spreadsheet samples collected (10 per non team member)• Split samples evenly for training and testing• Used the Excel Template to generate samples
Vector – Difference Dichotomy Model
Yoon, S., Choi, S-S., Cha, S-H., Lee, Y., & Tappert, C.C. (2005). On the individuality of the iris biometric. Proc. Int. J. Graphics, Vision & Image Processing, 5(5), 63-70.
Transforms feature space into feature-vector-difference space.Two classes: within-class (same person), between–class (different people).
Spreadsheet Template2010 2009 2008
AssetsCash
Investments:Cash Equity Securities Corporate debt securities US government securities Private equity Real estate
Total Investments 0 0 0
Other Assets Total Assets $0 $0 $0
Liabilities and Net Assets
Liabilities:Penalities Accounts Payable Advance from Lendor Federak excuse tax
Total Liabilities 0 0 0
Net Assets:Tangiable Non Tangiable
Total Net Assets 0 0 0Total Net Assets and Liabilities $0 $0 $0
Special Journal EntriesEnter Journal Entry 1 Enter Journal Entry 2 Enter Journal Entry 3
Total Journal Entries $0.00 $0.00 $0.00
Intruder Experiment Design (continued)
0 5 minutes 10 minutes
1min
1min
1min
Burst 1 Burst 2 Burst 3
0 8 minutes 30 minutes
1min
1min
1min
PauseThreshold
Burst 1 Burst 2 Burst 3
PauseThreshold