nach oben

Erschienen in:

2019 | OriginalPaper | Buchkapitel

CATCHA: When Cats Track Your Movements Online

verfasst von : Prakash Shrestha, Nitesh Saxena, Ajaya Neupane, Kiavash Satvat

Erschienen in: Information Security Practice and Experience

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Any website can record its users’ mouse interactions within that site, an emerging practice used to learn about users’ regions of interests usually for personalization purposes. However, the dark side of such recording is that it is oblivious to the users as no permissions are solicited from the users prior to recording (unlike other resources like webcam or microphone). Since mouse dynamics may be correlated with users’ behavioral patterns, any website with nefarious intentions (“cat”) could thus try to surreptitiously infer such patterns, thereby compromising users’ privacy and making them prone to targeted attacks. In this paper, we show how users’ personal information, specifically their demographic characteristics, could leak in the face of such mouse movement eavesdropping. As a concrete case study along this line, we present CATCHA, a mouse analytic attack system that gleans potentially sensitive demographic attributes—age group, gender, and educational background—based on mouse interactions with a game CAPTCHA system (a simple drag-and-drop animated object game to tell humans and machines apart).

CATCHA ’s algorithmic design follows the machine learning approach that predicts unknown demographic attributes based on a total of 64 mouse dynamics features extracted from within the CAPTCHA game, capturing users’ innate cognitive abilities and behavioral patterns. Based on a comprehensive data set of mouse movements with respect to a simple game CAPTCHA collected in an online environment, we show that CATCHA can identify the users’ demographics attributes with a high probability (almost all attributes with more than 85%), significantly better than random guessing (50%) and in a very short span of interaction time (about 14 s). We also provide a thorough statistical analysis and interpretation of differentiating features across the demographics attributes that make users susceptible to the CATCHA attack. Finally, we discuss potential extensions to our attack using other user interaction paradigms (e.g., other types of CAPTCHAs or typical web browsing interactions, and under longitudinal settings), and provide potential mitigation strategies to curb the impact of mouse movement eavesdropping.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel Secure Best Arm Identification in Multi-armed Bandits

Nächstes Kapitel Designing a Code Vulnerability Meta-scanner

Nur mit Berechtigung zugänglich

InformAction: Noscript - JavaScript/Java/Flash blocker for a safer Firefox experience! - what is it? (2017). https://noscript.net/. Accessed 28 Oct 2017

Ahmed, A.A.E., Traore, I.: Anomaly intrusion detection based on biometrics. In: IEEE SMC Information Assurance Workshop (2005)

Ahmed, A.A.E., Traore, I.: A new biometric technology based on mouse dynamics. IEEE Trans. Dependable Secur. Comput. 4, 165–179 (2007)CrossRef

Bergadano, F., Gunetti, D., Picardi, C.: Identity verification through dynamic keystroke analysis. Intell. Data Anal. 7, 469–496 (2003)CrossRef

Chrome Blog: Everyone can now track down noisy tabs (2017). https://goo.gl/mojwB2. Accessed 19 May 2017

Brodic, D., Petrovska, S., Jankovic, R., Amelio, A., Draganov, I.: User-centric analysis of the CAPTCHA response time: a new perspective in artificial intelligence. ERCIM News 109, 49–50 (2017)

Bursztein, E., Bethard, S., Fabry, C., Mitchell, J.C., Jurafsky, D.: How good are humans at solving CAPTCHAs? A large scale evaluation. In: IEEE Security and Privacy (S&P) (2010)

Carlson, E.L.: Phishing for elderly victims: as the elderly migrate to the internet fraudulent schemes targeting them follow. Elder LJ (2006)

Chen, M.C., Anderson, J.R., Sohn, M.H.: What can a mouse cursor tell us more?: correlation of eye/mouse movements on web browsing. In: Extended Abstracts on Human Factors in Computing Systems (2001)

10.

Datta, A., Tschantz, M.C., Datta, A.: Automated experiments on ad privacy settings. Priv. Enhancing Technol. 2015, 92–112 (2015)CrossRef

11.

Dowland, P.S., Furnell, S.M.: A long-term trial of keystroke profiling using digraph, trigraph and keyword latencies. In: Deswarte, Y., Cuppens, F., Jajodia, S., Wang, L. (eds.) SEC 2004. ITIFIP, vol. 147, pp. 275–289. Springer, Boston, MA (2004). https://doi.org/10.1007/1-4020-8143-X_18CrossRef

12.

Eccles, L.: Money mail reveals why shops want your email address (2016). https://goo.gl/9jFtfr. Accessed 24 Sept 2018

13.

Eckersley, P.: How unique is your web browser? In: Atallah, M.J., Hopper, N.J. (eds.) PETS 2010. LNCS, vol. 6205, pp. 1–18. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14527-8_1CrossRef

14.

Eckersley, P.: Panopticlick (2010). https://panopticlick.eff.org. Accessed 28 Oct 2017

15.

Epp, C., Lippold, M., Mandryk, R.L.: Identifying emotional states using keystroke dynamics. In: SIGCHI Conference on Human Factors in Computing Systems. ACM (2011)

16.

Fairhurst, M., Da Costa-Abreu, M.: Using keystroke dynamics for gender identification in social network environment. In: Imaging for Crime Detection and Prevention 2011 (ICDP 2011). IET (2011)

17.

Firefox: Mute sound in Firefox tabs (2017). https://goo.gl/KeA80E. Accessed 19 May 2017

18.

FunCaptcha: reCAPTCHA: easy on humans, hard on bots (2017). https://www.funcaptcha.com/. Accessed 13 May 2017

19.

Gao, S., Mohamed, M., Saxena, N., Zhang, C.: Emerging image game CAPTCHAs for resisting automated and human-solver relay attacks. In: Annual Computer Security Applications Conference (2015)

20.

Google Chrome: Change website permissions - google chrome (2017). https://goo.gl/OhoO5H. Accessed 19 May 2017

21.

Henry, N., Powell, A.: Embodied harms gender, shame, and technology-facilitated sexual violence. Violence Against Women 21, 758–779 (2015)CrossRef

22.

Hertzum, M., Hornbæk, K.: How age affects pointing with mouse and touchpad: a comparison of young, adult, and elderly users. Int. J. Hum.-Comput. Interact. 26, 703–734 (2010)CrossRef

23.

Hocquet, S., Ramel, J., Cardot, H.: Users authentication by a study of human computer interactions. In: Proceedings of the Eighth Annual (Doctoral) Meeting on Health, Science and Technology (2004)

24.

Hu, J., Zeng, H.J., Li, H., Niu, C., Chen, Z.: Demographic prediction based on user’s browsing behavior. In: International Conference on World Wide Web (2007)

25.

HuffingtonPost: ‘are you a human’ CAPTCHA game brings fun to web security (2018). https://goo.gl/aEWa4e. Accessed 27 March 2018

26.

Facebook Inc.: Data policy (2018). https://www.facebook.com/policy.php. Accessed 19 Sept 2018

27.

Google Inc.: reCAPTCHA: Easy on humans, hard on bots (2017). https://goo.gl/oL49TZ. Accessed 17 May 2017

28.

Google Inc.: Privacy policy - Google (2018). https://goo.gl/fwnohr. Accessed 19 Sept 2018

29.

James, M.S.: Why do they want my phone number? (2016). https://goo.gl/EWoyqT. Accessed 24 Sept 2018

30.

Joyce, R., Gupta, G.: Identity authentication based on keystroke latencies. Commun. ACM 33, 168–176 (1990)CrossRef

31.

Laperdrix, P., Rudametkin, W., Baudry, B.: Beauty and the beast: diverting modern web browsers to build unique browser fingerprints. In: IEEE Symposium on Security and Privacy (SP) (2016)

32.

Li, Q.: Cyberbullying in schools: a research of gender differences. Sch. Psychol. Int. 27, 157–170 (2006)CrossRef

33.

Maxion, R.A., Killourhy, K.S.: Keystroke biometrics with number-pad input. In: Dependable Systems and Networks (DSN) (2010)

34.

Mohamed, M., Gao, S., Saxena, N., Zhang, C.: Dynamic cognitive game captcha usability and detection of streaming-based farming. In: Workshop on Usable Security (USEC), co-located with NDSS (2014)

35.

Mohamed, M., et al.: A three-way investigation of a game-CAPTCHA: automated attacks, relay attacks and usability. In: ACM Symposium on Information, Computer and Communications Security (2014)

36.

Mohamed, M., Saxena, N.: Gametrics: towards attack-resilient behavioral authentication with simple cognitive games. In: Annual Conference on Computer Security Applications (2016)

37.

Monaro, M., Gamberini, L., Sartori, G.: The detection of faked identity using unexpected questions and mouse dynamics. PloS One (2017)

38.

Mouseflow (2017). https://mouseflow.com/. Accessed 13 May 2017

39.

Mowery, K., Bogenreif, D., Yilek, S., Shacham, H.: Fingerprinting information in JavaScript implementations. In: Proceedings of W2SP (2011)

40.

Mulazzani, M., et al.: Fast and reliable browser identification with JavaScript engine fingerprinting. In: Web 2.0 Workshop on Security and Privacy (W2SP) (2013)

41.

Olejnik, L., Castelluccia, C.: Of mice and men: mouse movements tracking and browser UI protections

42.

Pentel, A.: Predicting age and gender by keystroke dynamics and mouse patterns. In: Conference on User Modeling, Adaptation and Personalization (2017)

43.

Radinsky, K., Svore, K.M., Dumais, S., Teevan, J., Bocharov, A., Horvitz, E.: Modeling and predicting behavioral dynamics on the web (2012)

44.

Rodden, K., Fu, X.: Exploring how mouse movements relate to eye movements on web search results pages. In: Web Information Seeking and Interaction (2007)

45.

Sivakorn, S., Polakis, I., Keromytis, A.D.: I am robot: (deep) learning to break semantic image CAPTCHAs. In: IEEE European Symposium on Security and Privacy (EuroS&P) (2016)

46.

The WindowsClub: how to setup Firefox permission manager for websites (2017). https://goo.gl/PNOozZ. Accessed 19 May 2017

47.

Tor: Tor project: Torbutton (2017). https://www.torproject.org/docs/torbutton. Accessed 13 May 2017

48.

Ur, B., Leon, P.G., Cranor, L.F., Shay, R., Wang, Y.: Smart, useful, scary, creepy: perceptions of online behavioral advertising. In: Symposium on Usable Privacy and Security (2012)

49.

Walker, N., Millians, J., Worden, A.: Mouse accelerations and performance of older computer users. In: Human Factors and Ergonomics Society Annual Meeting. SAGE Publications (1996)

50.

Wang, G., Konolige, T., Wilson, C., Wang, X., Zheng, H., Zhao, B.Y.: You are how you click: clickstream analysis for sybil detection. In: USENIX Security Symposium (2013)

51.

Wordpress: Are you a human - the fun spam blocker (2017). https://goo.gl/pszcYQ. Accessed 13 May 2017

52.

WSJ: Facebook tests software to track your cursor on screen (2013). https://goo.gl/tM3zxu

53.

Yamauchi, T.: Mouse trajectories and state anxiety: feature selection with random forest. In: IEEE Affective Computing and Intelligent Interaction (ACII) (2013)

54.

Yamauchi, T., Seo, J.H., Jett, N., Parks, G., Bowman, C.: Gender differences in mouse and cursor movements. Int. J. Hum.-Comput. Interact. 31, 911–921 (2015)CrossRef

55.

Zheng, N., Paloski, A., Wang, H.: An efficient user verification system via mouse movements. In: Conference on Computer and Communications Security (2011)

Titel: CATCHA: When Cats Track Your Movements Online
verfasst von: Prakash Shrestha
Nitesh Saxena
Ajaya Neupane
Kiavash Satvat
Verlag: Springer International Publishing
Buch: Information Security Practice and Experience
Print ISBN: 978-3-030-34338-5

Electronic ISBN: 978-3-030-34339-2

Copyright-Jahr: 2019
DOI: https://doi.org/10.1007/978-3-030-34339-2_10

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"