Robustness of keystroke-dynamics based biometrics against synthetic forgeries☆
Introduction
Keystroke-dynamics based authentication is a cheap biometric mechanism that has been proven accurate in distinguishing individuals (Bleha et al., 1990; Ilonen, 2003; Killourhy and Maxion, 2008; Monrose and Rubin, 2000; Song et al., 2001; Yu and Cho, 2003). Most of the attack models considered in keystroke-dynamics literature assume the attackers are humans, e.g., a colleague of Alice trying to log in as Alice. However, there has been little effort on studying the robustness of this technique against synthetic and automatic attacks and forgeries.
We evaluate the robustness of keystroke-based biometric authentication systems against a new type of forgery attack. In the context of biometrics, a synthetic forgery attack is carried out by submitting generated or synthesized credentials to an authentication module. For example, an attacker writes a program that performs statistical manipulation and synthesis to produce keystroke sequences in order to spoof others. These types of forgery attacks pose a serious threat. However, the research community has not extensively investigated possible anti-forgery techniques. It is unclear from the current literature how robust keystroke dynamics is against forgery attacks. Synthetic forgery attacks may also be possible in other types of biometric systems.
The technical enabler for our investigation is a remote authentication framework that we design and implement. The framework, called TUBA (Telling hUman and Bot Apart), monitors a user’s typing patterns in a client-and-server architecture. We systematically study the robustness of TUBA through comprehensive experimental evaluation including two simulated bots. We perform a user study with 20 users and use the collected data to simulate and evaluate the difficulty and impact of synthetic forgeries.
Another contribution of this paper is that we describe the use of TUBA and keystroke dynamics to identify anomalous activities on a personal computer, e.g., activities that may be due to malware. We consider a model where a user’s computer in an organization or enterprise may be infected with malicious software that may stealthily launch attacks. This model is motivated by the increasing number of infected hosts caused by organized malicious botnets. Our solution provides strong assurance of authentication results. We provide a practical solution that effectively allows a remote trusted server to monitor the integrity of a computer. The main application of TUBA is to detect stealthy malware residing on a user’s computer such as application-level spyware.
Our study uniquely combines techniques from system and network security, biometrics, machine learning, and usability engineering. Our technical contributions are summarized as follows.
1. We design and implement a simple and easy-to-adopt protocol for authenticating a computer owner that utilizes the user’s keyboard activities as an authentication metric. We present our protocol in a lightweight client-server architecture using the X Windows System (X11 for short).
2. We analyze the keystroke data from a group of users on a diverse set of inputs, including email addresses, a password, and web addresses. We find that performance results vary according to the strings used for authentication. We find that different types of strings give different classification accuracy when used for authentication.
3. We evaluate the robustness of keystroke-dynamics based authentication against automated bot attacks. We implement two bot programs, called GaussianBot and NoiseBot, respectively, which are capable of injecting statistically-generated keystroke event sequences on a (victim) machine. The bot programs aim to pass our keystroke authentication tests by mimicking a particular user’s keystroke dynamics. The bots are capable of launching forgery attacks drawn upon the statistical analysis of collected keystroke data. Experiments show that our classification is robust against these specific attacks, and is able to correctly classify the attacks by GaussianBot and NoiseBot with low false positive rates. The GaussianBot and NoiseBot forge keystroke sequences following simple first-order Markov models.
TUBA is particularly suitable for detecting extrusion in enterprises and organizations, and protecting the integrity of hosts. Our work indicates that certain human behaviors, namely user inputs, may be suitable for malware detection purposes. We also give examples that illustrate the prevention of malware forgery in such human-behavior driven security systems. This study is the result of an on-going effort towards designing human-inspired security solutions. Our work also suggests the need for studying the robustness of other biometrics against synthetic forgery attacks beyond the studied keystroke-authentication problem. Because of the wide use of biometrics in government, military, and enterprise environments, a better understanding of their security against sophisticated attacks is important.
We describe our design of a remote authentication framework and our security model in Section 2, where a use case of using TUBA to detect anomalous network activities is also described. Details of our implementation including data collection, keystroke logging, feature extraction, and classification can be found in Section 3. We implement two bots that are capable of injecting synthetic keystroke events, which are presented in Section 4. Our experimental evaluation results and user study are described in Section 5. A specific application of TUBA for liveliness detection as well as an open problem are presented in Section 6. Related work is described in Section 7. In Section 8, we conclude the paper and describe plans for future work.
Section snippets
Overview and security model
TUBA is a remote biometric authentication system based on keystroke-dynamics information. We use machine-learning techniques to detect intruders merely based on keystroke dynamics, i.e., timing information of keyboard events. We allow for certain types of key event injection by bots.
Feature extraction and classification
In this section, we describe the feature extraction and classification performed in TUBA on keystroke data, as well as our Markov chain model used for simulating keystroke-forgery attacks. We illustrate how the dimensionality affects the classification results and its security implications.
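To make the feature-extraction and classification step concrete, here is an added example that is not TUBA's code or the paper's classifier: it assumes dwell and flight times as features, a per-feature mean/standard-deviation profile, and a mean z-score threshold. All timings are constructed for illustration, not data from the study.

```python
import statistics

def extract_features(events):
    """events: [(key, press_ms, release_ms), ...] in typing order. Returns dwell
    times (release - press), then flight times (next press - previous release)."""
    dwell = [rel - prs for _, prs, rel in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples, min_std=5.0):
    """Per-feature (mean, stdev) profile from repeated typings of one string."""
    vectors = [extract_features(s) for s in samples]
    if len(vectors) < 2 or len({len(v) for v in vectors}) != 1:
        raise ValueError("need >= 2 samples of the same string")
    # Floor the stdev so a very consistent feature does not reject on 1 ms jitter.
    return [(statistics.mean(c), max(statistics.stdev(c), min_std))
            for c in zip(*vectors)]

def score(profile, events):
    """Mean absolute z-score of an attempt; lower means closer to the profile."""
    feats = extract_features(events)
    if len(feats) != len(profile):
        return float("inf")  # different string length: maximally anomalous
    return sum(abs(f - m) / s for f, (m, s) in zip(feats, profile)) / len(feats)

def verify(profile, events, threshold=2.0):
    """Accept when the attempt is within the (assumed) z-score threshold."""
    return score(profile, events) <= threshold

# --- constructed sample data (not measurements from the study) ---
TEXT = "google.com"
BASE_DWELL = [95, 80, 110, 90, 70, 85, 100, 75, 90, 105]
BASE_FLIGHT = [60, 140, 45, 120, 30, 200, 55, 90, 65]

def make_events(dwells, flights):
    """Turn dwell/flight lists into (key, press, release) events for TEXT."""
    events, t = [], 0
    for i, ch in enumerate(TEXT):
        events.append((ch, t, t + dwells[i]))
        t += dwells[i] + (flights[i] if i < len(flights) else 0)
    return events

def jittered(k):
    """k-th enrollment typing: base rhythm plus deterministic +/-10 ms jitter."""
    j = lambda i: (i * 7 + k * 13) % 21 - 10
    return make_events([d + j(i) for i, d in enumerate(BASE_DWELL)],
                       [f + j(i) for i, f in enumerate(BASE_FLIGHT)])

PROFILE = enroll([jittered(k) for k in range(5)])
GENUINE = make_events(BASE_DWELL, BASE_FLIGHT)
UNIFORM = make_events([50] * 10, [50] * 9)  # fixed-interval injected events
```

A 10-character string yields 19 features here (10 dwell, 9 flight), so a longer string gives the verifier more dimensions against which an injected sequence must match the enrolled rhythm.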
Bot simulation and events injection
We find that even if we allow for certain types of key event injection by bots under our security model, classification based on keystroke dynamics is able to identify intruders with high accuracy. We play the devil’s advocates and create two bots, the algorithms of which are described next. We assume that the goal of an adversary in our model is to create keystroke events that pass our classification tests. That is, the attacker creates fake keystroke events expecting them to be classified as
Evaluation of classification accuracy
We collect keystroke timing data from 20 user subjects, 10 females and 10 males, on M = 5 different strings. We implement a program with a graphical user interface (GUI) that records the keystroke dynamics of the participants. Screenshots of the GUI are shown in Fig. 2. The user is asked to type in the following strings, n = 35 times each: google.com, www.amazon.com, 1calend4r, [email protected], and [email protected]. The gender and age of each participant are recorded, as well as their
Discussion and open question
In this section, we describe how TUBA can be integrated with an existing anomaly detection model that leverages the cognitive ability of users for security. We also describe an open question in TUBA about how to further strengthen its security against a stronger adversary model.
Related work
Keystroke-dynamics based authentication has been extensively studied in the security and machine learning literature. Existing work on this topic mainly focuses on the use of keystroke-dynamics analysis for biometric authentication. Recently, Killourhy and Maxion performed a thorough comparative analysis of state-of-the-art keystroke dynamics solutions, and presented a methodology for predicting classification error rates (Killourhy and Maxion, 2010). What differs our work from existing
Conclusions and future work
This paper addressed the important problem of biometric security, in particular the robustness of keystroke-based biometric authentication against automatically generated keystroke sequences from attackers. Our work recognizes the security gap that exists in the current biometric research, where adversaries are limited to human users. In order to evaluate the impact of synthetic forgery in the keystroke-dynamic authentication, we presented our design and implementation of a remote
References (29)
- et al. Keystroke dynamics as a biometric for authentication. Future Generation Computer Systems (2000)
- Pattern recognition and machine learning (2006)
- et al. Computer-access security systems using keystroke dynamics. IEEE Transactions on Pattern Analysis and Machine Intelligence (1990)
- et al.
- et al. Not-a-bot: improving service availability in the face of botnet attacks
- et al. Keystroke dynamics (2003)
- et al. Improvements to Platt’s SMO algorithm for SVM classifier design. Neural Computation (2001)
- Lkl linux keylogger, http://sourceforge.net/projects/lkl/;...
- Kernel Based Keylogger. http://packetstormsecurity.org/UNIX/security/;...
- The effect of clock resolution on keystroke dynamics
- Why did my detector do that?! Predicting keystroke-dynamics error rates
Yao is an assistant professor in the Department of Computer Science at Virginia Tech, Blacksburg. She received her Computer Science Ph.D. degree from Brown University. Before joining VT, she was an assistant professor at Rutgers University CS Department for two years. Her research interests are in network and information security. She received the NSF CAREER Award in 2010 for her work on human-behavior driven malware detection. She won the Best Student Paper Award in ICICS 2006, and the Award for Technological Innovation from Brown in 2006, both for her privacy-preserving identity management work. Danfeng has one provisional patent filed for her recent bot detection techniques.
Stefan received his bachelor and master degrees from Cooper Union Electrical and Computer Engineering Department and is currently a graduate student at Stanford University.
Shu received his bachelor degree from the University of Science and Technology of China. He is currently a Ph.D. student at Virginia Tech.
☆ This work was supported in part by Rutgers University DIMACS REU programs, National Science Foundation grants CNS-0831186 and CAREER CNS-0953638. Stefan is currently a graduate student at Stanford University.