ABSTRACT
Research in the field of keystroke dynamics (KD) has traditionally assumed that impostor attacks originate from humans. However, recent studies have revealed that bots and various categories of malware have the capacity to implement intelligently crafted synthetic attacks against KD systems. In this paper we conduct a large-scale study of human typing traits, and then use the general statistical trends observed to train a tool that breaks password-KD templates. Our aim is to investigate how a synthetic attack designed with general knowledge about users' typing habits would perform against a password-KD co-authentication system in practice. Our initial results indicate that, in the face of synthetic impostor attacks, incorporating KD into regular password-based systems may not necessarily lessen the burden on users of maintaining strong passwords for guaranteed security.
Index Terms
- Using global knowledge of users' typing traits to attack keystroke biometrics templates