keystroke dynamics jacob wise and chong gu. introduction ● people have “unique” typing...
TRANSCRIPT
Keystroke DynamicsJacob Wise and Chong Gu
Introduction
● People have “unique” typing patterns– “Unique” in the same way that fingerprints aren't
proven unique● Typing patterns could be used for authentication
– Stronger than password– Harder to copy– Can use challenge-response
● Inexpensive
Previous Work
● Neural Networks– Less mainstream approach– Papers co-authored by M.S. Obaidat
● “Traditional” Approach– Reference Signatures computed by calculating the Mean and
Standard Deviations
– Measures “distance” between Reference Signature and Test Signature
– Use digraph/trigraph
– Rick Joyce & Gopal Gupta (1990); F. Monrose & a. Rubin (1997); F. Bergadano, D. Bunetti, and C. Picardi (2002)
First problem - Collecting Data
● Built-in .NET DateTime class
– Precise only to about 10 milliseconds
● Methods from kernel32.dll
– About 15 significant digits (don't know for sure)
First Prototype
● Timing Data for all fields– User Name– Password– Full Name
● Mistakes not allowed● Signature object is
serialized and saved to a file
The World of Neural Networks
● User Name / Password / Full Name unsuitable
– Can't train a neural network on only positive examples
– Would need to collect break-in attempts by other users
● Hence the “Counterexample” option in the first prototype
● Everyone-Types-The-Same-Thing works better
– Hence the passage collection form...
The Passage Collection Form
Passage Analysis Form
● Tool to help analyze collected keystroke data
– Data is in .psig (PassageSignature) and .signature (Signature) files
● We hope this tool will be used and extended in future work on this project
● Tabs for BPN (Back-Propagation Network), more traditional analyses, and others that are yet to come
Passage Analysis Form
[neural networks]
● Explain BPN basics
● This started as just a first step
● Ended up taking the whole time to tune
“Traditional” Approach
● Reference Signature
– Computed by calculating the mean and standard deviation of samples each user has provided
– Based on Press Time or Flight Time
– Samples that are too far off (greater than a certain threshold above the mean) are discarded. The Means are recalculated.
● This value needs to be tuned
● 3 std results in 0.85% of samples being discarded
● 2 std results in 5% of samples being discarded
“Traditional” Approach - Reference Signatures based on Flight Time
User B's Reference Signature (F)
-0.1
-0.05
0
0.05
0.1
0.15
0.2
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35
key Press
Flig
ht
Tim
e
Series1
User A's Reference Signature (F)
-0.1
-0.05
0
0.05
0.1
0.15
0.2
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35
Key Presses
Flig
ht
Tim
e
Series1
“Traditional” Approach - Reference Signatures based on Press Time
User B's Reference Signature
0
0.05
0.1
0.15
0.2
0.25
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36
Key Presses
Pre
ss T
ime
Series1
User C's Reference Signature
0
0.05
0.1
0.15
0.2
0.25
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36
Key Presses
Pre
ss T
ime
Series1
“Traditional” Approach- Reference Signatures
• We have noticed that there is a bigger variance between users if we base our Reference Signatures on Flight Times.
Press Mean (phrase 1) unfiltered
0
0.05
0.1
0.15
0.2
0.25
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36
Key Press
Pre
ss T
ime
Series1
Series2
Series3
Series4
Series5
Series6
Series7
Series8
Series9
Series10
Flight Mean (Phrase 1, filter = 2std)
-0.1
-0.05
0
0.05
0.1
0.15
0.2
0.25
0.3
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35
Key Press
Flig
ht
Tim
e
Series1
Series2
Series3
Series4
Series5
Series6
Series7
Series8
Series9
Series10
“Traditional” approach- the Verifier
● Two approaches have been considered, but neither is up and running
– Comparing individual Press/flight time of test signature with the Mean Reference Signature. A press/flight time is considered to be valid if it is within x profile standard deviations of the mean reference digraph. (where x needs to be tuned)
– Comparing the magnitude of difference between the mean reference signature (M) and the test signature (T). A certain threshold for an acceptable size of the magnitude is required. A user with a bigger variability of his/her signatures, a bigger threshold value should be used.
● This approach has had some good results
● Again, the threshold value needs to be tuned.
Conclusion
● We have...
– Done lots of work but just barely scratched the surface
– Focused getting some usable analysis tools up and running
– Implemented fairly standard algorithms according to previous research
● There is a lot of work to be done!
Epilogue
● Papers that excite us and into which we didn't have time to seriously delve:
– “User Authentication through Keystroke Dynamics” Bergadano, Gunetti, Picardi (2002)
– “Password hardening based on keystroke dynamics” Monrose, Reiter, Wetzel (2001)
● Not just authentication