TouchWB: Touch behavioral user authentication based on web browsing on smartphones

https://doi.org/10.1016/j.jnca.2018.05.010

Abstract

Modern mobile devices, especially smartphones, have evolved rapidly and are widely adopted by people of all ages. Smartphones assist users in a variety of activities, from social networking to online shopping, but have also become an attractive target for cyber-criminals because of the personal data and sensitive information they store. Traditional authentication mechanisms like PINs suffer from well-known limitations and drawbacks; thus, touch behavioral authentication has recently received much attention. Intuitively, authentication based on free touches is hard to build into a stand-alone system. In this work, we advocate that such authentication can consider users' actions within certain phone applications like the web browser, and we propose a touch gesture-based authentication scheme, called TouchWB, with 21 features that can be extracted from web browsing gestures. For evaluation, we implemented the scheme on Android phones and conducted a user study involving 48 participants. Experimental results demonstrated that our approach could reduce the touch behavioral deviation by nearly half and achieve an average error rate of about 2.4% using a combined PSO-RBFN classifier.

Introduction

Smartphones now dominate the phone market. A report from International Data Corporation shows that 344.3 million smartphones were shipped worldwide in the first quarter of 2017 alone (1Q17), a 3.4% increase over the previous year (IDC, 2017). Because of the increasingly enhanced capabilities of smartphones, users often store personal data and even sensitive information on their phones for convenience, such as personal photos, credit card numbers and online transaction credentials (Karlson et al., 2009). The use of smartphones is beneficial to people's daily life, but the stored data is an attractive target for cyber-criminals, who are keen on breaking into phones for profit (Huang et al., 2017; Li et al., 2018). As a result, there is a significant need to deploy proper user authentication schemes to protect these devices.

Current authentication on smartphones is still provided mainly by conventional password-based mechanisms like Personal Identification Numbers (PINs) and graphical passwords (Bonneau et al., 2012). However, password-based authentication has well-known drawbacks. For instance, passwords are easily stolen through direct observation like “shoulder surfing” (Tari et al., 2006), smudge attacks (Aviv et al., 2010) and smartphone charging attacks (Meng et al., 2016b, 2017b), in which an attacker exploits observation techniques, the smudges left by a finger, and recording of the phone screen, respectively, to infer users' secrets. In addition, because of the limits of long-term memory for remembering a strong password, users are more likely to choose a simple and memorable password instead, which degrades the overall security level of the authentication.

To address this issue, researchers have investigated behavioral authentication, which uses measurements of human actions to verify a user. This kind of authentication first builds a normal behavioral model (or profile) and then flags large deviations in current behavioral events. Machine learning techniques are commonly applied to build such a normal profile (Meng et al., 2015). For example, Frank et al. (2013) constructed a behavioral authentication scheme with 30 touch features, called Touchalytics, and found that a median equal error rate below 4% could be achieved using an SVM classifier. However, they also emphasized that Touchalytics could not work as a standalone mechanism due to the dynamic nature of users' touch gestures (i.e., large deviation).

Contributions. To handle the touch behavioral deviation, we advocate that users' touch behavior becomes relatively stable under certain scenarios on phones, according to observations from previous work (Meng et al., 2016a). Motivated by this, we propose TouchWB, a touch gesture-based authentication scheme for smartphones that takes advantage of users' web browsing behavior. Web browsing behavior is chosen because a variety of touch gestures, such as touch movement and multi-touch, can be captured during browsing, as compared to simple tasks such as entering a PIN. The contributions of our work are summarized below.

  • We propose a touch gesture-based authentication scheme with a total of 21 features to verify a user in terms of their web browsing behavior on smartphones. In particular, we consider multi-touch as one of the extracted features, referring to the situation where the phone screen is touched with multiple fingers at the same time, e.g., zoom-in and zoom-out.

  • In addition to several traditional classifiers, we adopt and implement a combined classifier with Particle Swarm Optimization (PSO) and Radial Basis Function Network (RBFN), aiming to deal with variations in users' touch gestures. This combined classifier has shown a fast training speed and high accuracy in a previous study (Meng et al., 2012).

  • To investigate the performance of TouchWB, we conduct a user study involving 48 Android phone users split into two groups. Participants in one group can use the phone freely, while participants in the other group are required to browse websites. The study results demonstrate that, compared to authentication based on free touches, TouchWB reduces the touch behavioral deviation, and that the combined PSO-RBFN classifier outperforms the other classifiers, achieving a better average error rate of approximately 2.4%.

The remainder of this paper is organized as follows. Section 2 introduces relevant studies regarding biometric authentication on mobile devices. We detail our approach, including the authentication architecture, touch features, data collection and session identification, in Section 3. In Section 4, we introduce the evaluation metrics and conduct a user study with 48 participants to investigate the performance of our approach. We discuss some open issues and challenges in Section 5 and conclude our work in Section 6.

Section snippets

Related work

In the early era of mobile phones, behavioral authentication focused on keystroke dynamics, which authenticates phone users based on their typing actions on the keypad (Clarke and Furnell, 2007; Zahid et al., 2009). For example, Clarke and Furnell (2007) developed a keystroke dynamics-based authentication scheme based on the features of key hold-time and inter-key latency on keypads. With a neural network classifier, they reported an average equal error rate of

Our approach

In this section, we describe the touch dynamics-based authentication architecture, feature extraction, data collection and session identification, respectively.

Evaluation

In this section, we introduce the methodology of our user study, describe the employed machine learning classifiers and evaluation metrics in the comparison, and analyze the collected results.

Discussion

In this section, we discuss some open challenges regarding touch behavioral authentication on mobile devices and present several interesting topics in future.

  • Touch gesture classification. In this work, we only classified touch actions into three types: single-touch, touch movement and multi-touch; our scheme does not identify a specific touch gesture like pinch, zoom-in, zoom-out, etc. Employing more concrete touch types could provide more features for user authentication, but may also

Conclusion

With the popularity of smartphones, touch behavioral authentication has received more attention. In this work, we advocate that users' behavior becomes relatively stable under certain scenarios and propose a touch behavioral authentication scheme, named TouchWB, which authenticates users based on their touch gestures during web browsing. Our scheme involves a total of 21 touch features, including average touch movement speed per direction, the fraction of touch movements per direction,
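The Discussion names the three gesture classes TouchWB distinguishes (single-touch, touch movement, multi-touch) and the Conclusion names two of the 21 features (average touch movement speed per direction, fraction of touch movements per direction). The following is an added example, not the authors' code, of how raw touch events logged on a phone can be segmented into per-finger strokes, labelled with those three classes, and reduced to a per-session feature vector. The event format, the eight 45-degree direction sectors, the 10-pixel movement threshold and the sample log are assumptions made for the example; the paper does not specify them.

```python
"""Added example: touch-event log -> TouchWB-style session features.
Three gesture classes (single-touch, touch movement, multi-touch) and
per-direction speed / fraction features, as described in the paper.
Event format, direction sectors and thresholds are assumptions."""
import math
from collections import defaultdict
from dataclasses import dataclass, field

MOVE_THRESHOLD_PX = 10.0   # assumed: shorter strokes are taps (single-touch)
N_DIRECTIONS = 8           # assumed: 45-degree sectors, sector 0 = rightwards


@dataclass
class TouchEvent:
    t: float        # seconds since session start (assumed unit)
    pointer: int    # finger id reported by the touch screen
    action: str     # "down", "move" or "up"
    x: float
    y: float


@dataclass
class Stroke:
    pointer: int
    points: list = field(default_factory=list)   # (t, x, y) samples
    concurrent: bool = False   # another finger was down during this stroke


def direction_bin(dx, dy):
    """Map a displacement to one of N_DIRECTIONS sectors (screen y grows downward)."""
    angle = math.atan2(-dy, dx) % (2 * math.pi)
    sector = 2 * math.pi / N_DIRECTIONS
    return int((angle + sector / 2) // sector) % N_DIRECTIONS


def segment_strokes(events):
    """Group events into per-finger strokes; mark strokes that overlapped another finger."""
    active, finished = {}, []
    for ev in sorted(events, key=lambda e: e.t):
        if ev.action == "down":
            s = Stroke(ev.pointer, [(ev.t, ev.x, ev.y)])
            if active:   # a finger is already down: all involved strokes are multi-touch
                s.concurrent = True
                for other in active.values():
                    other.concurrent = True
            active[ev.pointer] = s
        elif ev.pointer in active:
            active[ev.pointer].points.append((ev.t, ev.x, ev.y))
            if ev.action == "up":
                finished.append(active.pop(ev.pointer))
    finished.extend(active.values())   # fingers still down when the log ended
    return finished


def classify(stroke):
    """Assign one of the paper's three touch types to a stroke."""
    if stroke.concurrent:
        return "multi-touch"
    (_, x0, y0), (_, x1, y1) = stroke.points[0], stroke.points[-1]
    moved = math.hypot(x1 - x0, y1 - y0) >= MOVE_THRESHOLD_PX
    return "touch movement" if moved else "single-touch"


def extract_features(events):
    """Per-session feature dict: type counts, fraction and mean speed of movements per direction."""
    counts = {"single-touch": 0, "touch movement": 0, "multi-touch": 0}
    speeds = defaultdict(list)
    for s in segment_strokes(events):
        kind = classify(s)
        counts[kind] += 1
        if kind == "touch movement":
            (t0, x0, y0), (t1, x1, y1) = s.points[0], s.points[-1]
            dist, dt = math.hypot(x1 - x0, y1 - y0), t1 - t0
            if dt > 0:   # guard against duplicate timestamps
                speeds[direction_bin(x1 - x0, y1 - y0)].append(dist / dt)
    n_moves = counts["touch movement"]
    features = {f"type_{k}": v for k, v in counts.items()}
    for d in range(N_DIRECTIONS):
        features[f"frac_dir{d}"] = len(speeds[d]) / n_moves if n_moves else 0.0
        features[f"speed_dir{d}"] = sum(speeds[d]) / len(speeds[d]) if speeds[d] else 0.0
    return features


# Constructed sample log (not real data): one tap, one upward scroll, one two-finger pinch.
SAMPLE_EVENTS = [
    TouchEvent(0.00, 0, "down", 200, 600), TouchEvent(0.08, 0, "up", 201, 601),
    TouchEvent(1.00, 0, "down", 300, 900), TouchEvent(1.10, 0, "move", 300, 700),
    TouchEvent(1.20, 0, "up", 300, 500),
    TouchEvent(2.00, 0, "down", 200, 800), TouchEvent(2.02, 1, "down", 400, 800),
    TouchEvent(2.20, 0, "move", 250, 800), TouchEvent(2.20, 1, "move", 350, 800),
    TouchEvent(2.30, 0, "up", 260, 800), TouchEvent(2.30, 1, "up", 340, 800),
]

if __name__ == "__main__":
    for name, value in sorted(extract_features(SAMPLE_EVENTS).items()):
        print(f"{name:22s} {value}")
```

The feature vector produced per browsing session is what a classifier such as the PSO-RBFN in the paper would consume; note that the pinch yields two multi-touch strokes (one per finger), so a scheme that wants one feature per gesture would have to merge concurrent strokes rather than count them separately.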

Acknowledgments

We would like to thank the participants for their hard work in the user study. This work was partially supported by National Natural Science Foundation of China (No. 61472091).

References (40)

  • S.E. Fahlman, An Empirical Study of Learning Speed in Back-propagation Networks (1998)
  • T. Feng et al., Continuous mobile authentication using touchscreen gestures
  • M. Frank et al., Touchalytics: on the applicability of touchscreen input as a behavioral biometric for continuous authentication, IEEE Trans. Inf. Forensics Secur. (2013)
  • Z. Huang et al., Insight of the protection for data security under selective opening attacks, Inf. Sci. (2017)
  • IDC, Smartphone Vendor Market Share (2017)
  • A.K. Karlson et al., Can I borrow your phone?: Understanding concerns when sharing mobile phones
  • J. Li et al., Significant permission identification for machine learning based Android malware detection, IEEE Trans. Ind. Inf. (2018)
  • W. Meng, Evaluating the effect of multi-touch behaviours on Android unlock patterns, Inf. Comput. Secur. (2016)
  • Y. Meng et al., Touch gestures based biometric authentication scheme for touchscreen mobile phones
  • Y. Meng et al., Design of touch dynamics based user authentication with an adaptive mechanism on mobile phones

Weizhi Meng is currently an assistant professor in the Department of Applied Mathematics and Computer Science, Technical University of Denmark (DTU), Denmark. He received his B.Eng. degree in Computer Science from the Nanjing University of Posts and Telecommunications, China, and obtained his Ph.D. degree in Computer Science from the City University of Hong Kong (CityU), Hong Kong. He was known as Yuxin Meng and, prior to joining DTU, worked as a research scientist in the Infocomm Security Department, Institute for Infocomm Research, Singapore, and as a senior research associate at CityU. He won the Outstanding Academic Performance Award during his doctoral study, and is a recipient of the HKIE Outstanding Paper Award for Young Engineers/Researchers in both 2014 and 2017. He is also a co-recipient of the Best Student Paper Award from the 10th International Conference on Network and System Security (NSS) in 2016. His primary research interests are cyber security and intelligent technology in security, including intrusion detection, mobile security and authentication, HCI security, cloud security, trust computation, web security, malware and vulnerability analysis. He also has a strong interest in applied cryptography. He is a member of IEEE.

Yu Wang received his Ph.D. degree in computer science from Deakin University, Victoria, Australia. He is currently an associate professor with the School of Computer Science, Guangzhou University, China. His research interests include network traffic analysis, mobile networks, social networks, and cyber security.

Duncan S. Wong received the BEng degree from the University of Hong Kong in 1994, the MPhil degree from the Chinese University of Hong Kong in 1998, and the PhD degree from Northeastern University, Boston, MA, in 2002. He is currently an associate professor in the Department of Computer Science at the City University of Hong Kong, and the director of security and data sciences at ASTRI, Hong Kong. His primary research interest is cryptography; in particular, cryptographic protocols, encryption and signature schemes, and anonymous systems. He is also interested in other topics in information security, such as network security, wireless security, database security, and security in cloud computing.

Sheng Wen received his PhD degree from Deakin University, Melbourne, in October 2014. He has been working full-time as a senior lecturer at Swinburne University of Technology since October 2017. Before that, he served as a research fellow and then became a Lecturer in Computer Science in the School of Information Technology at Deakin University. Dr Wen's research interests include system security and social media analysis.

Yang Xiang received his PhD in Computer Science from Deakin University, Australia. He is the Dean of the Digital Research & Innovation Capability Platform, Swinburne University of Technology, Australia. His research interests include cyber security, covering network and system security, data analytics, distributed systems, and networking. In particular, he is currently leading his team in developing active defense systems against large-scale distributed network attacks. He is the Chief Investigator of several projects in network and system security funded by the Australian Research Council (ARC). He has published more than 200 research papers in international journals and conferences, such as IEEE Transactions on Computers, IEEE Transactions on Parallel and Distributed Systems, IEEE Transactions on Information Forensics and Security, and IEEE Journal on Selected Areas in Communications. He served as an Associate Editor of IEEE Transactions on Computers, IEEE Transactions on Parallel and Distributed Systems, and Security and Communication Networks (Wiley), and as an Editor of the Journal of Network and Computer Applications. He is the Coordinator, Asia, for the IEEE Computer Society Technical Committee on Distributed Processing (TCDP). He is a Senior Member of the IEEE.

A preliminary version of this paper appears in Proceedings of the 8th China International Conference on Information Security and Cryptology (INSCRYPT), pp. 331–350, LNCS, Springer, 2012. The first author finalized the work during a visit to the School of Computer Science, Guangzhou University.