Identity Verification using Keyboard Statistics.

Academic year: 2021


Identity Verification using Keyboard Statistics

Master’s thesis performed at

Information Theory Division at Linköping Institute of Technology

by

Piotr Mroczkowski

LiTH-ISY-EX-3508-2004

2004-03-08


Supervisors: Tina Lindkvist, Fredrik Claesson

Examiner: Viiveke Fåk

Division, Department: Institutionen för systemteknik, 581 83 LINKÖPING

Date: 2004-03-08

Language: English

Report category: Degree project (Examensarbete)

ISRN: LITH-ISY-EX-3508-2004

URL for electronic version: http://www.ep.liu.se/exjobb/isy/2004/3508/

Title: Identitetsverifiering med användning av tangentbordsstatistik. Identity Verification using Keyboard Statistics.

Author: Piotr Mroczkowski

Abstract

In the age of a networking revolution, when the Internet has changed not only the way we see computing, but also the whole society, we constantly face new challenges in the area of user verification. It is often the case that the login-id password pair does not provide a sufficient level of security. Other, more sophisticated techniques are used: one-time passwords, smart cards or biometric identity verification. The biometric approach is considered to be one of the most secure ways of authentication.

On the other hand, many biometric methods require additional hardware in order to sample the corresponding biometric feature, which increases the costs and the complexity of implementation. There is however one biometric technique which does not demand any additional hardware – user identification based on keyboard statistics. This thesis is focused on this way of authentication. The keyboard statistics approach is based on the user’s unique typing rhythm. Not only what the user types, but also how she/he types is important. This report describes the statistical analysis of typing samples which were collected from 20 volunteers, as well as the implementation and testing of the identity verification system, which uses the characteristics examined in the experimental stage.


ACKNOWLEDGEMENTS

Whatever you do, you never do it by yourself. There are always people who give support. I would like to give thanks to:

- Everyone at the Information Theory Division /ISY, especially to my examiner Viiveke Fåk as well as to my supervisors: Tina Lindkvist and Fredrik Claesson. Thank you for your good advice, your patience and your precious time. I am grateful for the chance I had to learn so much from you.

- All volunteers who took part in my experiments. Your participation and feedback were very important to me. You did a really great job!

- My family for their constant support in every possible way I can think of. You are always with me and without you nothing would be possible.

- My friends for always being around when I need them.

- Karolina for everything.


Table of contents

1. Introduction
1.1 About this report
1.2 Background
1.3 Related work
1.4 Goal
1.5 Outline of the thesis
2. Identity verification
2.1 Identification and Identity Verification
2.2 Decision regions
2.3 False Rejection Rate and False Acceptance Rate
3. Biometric systems
3.1 What is the biometric system?
3.2 Biometric technologies
3.2.1 Physical characteristics
3.2.2 Behavioral characteristics
3.3 Keyboard dynamics
4. Collecting keyboard statistics – description of the experiment
4.1 Introduction
4.2 Methodology
4.2.1 Technical implementation
4.2.2 The experimental procedure
4.2.3 Group of participants
5. The results of keyboard samples processing and analyzing
5.1 Introduction
5.2 Methodology
5.2.1 Mean value and standard deviation.
5.2.2 Degree of disorder of a vector
5.2.3 Typing paths
5.3 Analysis of the samples
5.3.1 Duration accuracy and the “quantization” problem
5.3.2 Differences between ‘easy’ and ‘difficult’ LP pairs
5.3.3 Comparison of statistics for different modes of typing
5.3.4 Differences among user’s samples for the same LP pair
5.3.5 Differences between users for the same LP pair
5.3.6 Differences in typing paths
5.4 Conclusions
5.4.1 Summary
6. KSV – prototype system for keyboard statistics verification
6.1 KSV - Keyboard Statistics Verifier
7.1 Applications
7.2 Future work
7.3 Conclusions
7.3.1 Summary
References
Abbreviations
Glossary


1. Introduction

1.1 About this report

This report describes my thesis work for the Master of Computer Science degree at Linköping University. The whole project was carried out at the Division of Information Theory at the Department of Electrical Engineering.

1.2 Background

In the age of a networking revolution, when the Internet has changed not only the way we see computing, but also the whole society, we constantly face new challenges in the area of user verification. It is often the case that the login-id password pair does not provide a sufficient level of security. Other, more sophisticated techniques are used: one-time passwords, smart cards or biometric identity verification. The biometric approach is considered to be one of the most secure ways of authentication.

On the other hand, many biometric methods require additional hardware in order to sample the corresponding biometric feature. In the case of controlling the access to computers, the need for an additional sampling tool limits the possibility of applying the technique: an increase in costs and the difficult implementation, in the case of remote connections. [1]

There is however one biometric technique which does not demand any additional hardware implementations (thus generating lower implementation costs) – user identification based on keystroke dynamics. My report is focused on this way of authentication.


1.3 Related work

One of the first studies on keyboard biometrics was carried out by Gaines et al. [10]¹. Seven secretaries took part in the experiment in which they were asked to retype the same three paragraphs on two different occasions in a period of four months. Keystroke latency timings were collected and analyzed for a limited number of digraphs and observations were based on those digraph values that occurred more than 10 times [2]. Similar experiments were performed by Leggett with 17 programmers [11].

In the last 15 years, much research on keystroke analysis has been done (e.g., Joyce and Gupta [12], Bleha et al. [13], Leggett et al. [11], Brown and Rogers [14], Bergadano et al. [1], and Monrose and Rubin [2,8]). Several proposed solutions got U.S. patents (for instance Brown and Rogers [15]). Some neural network approaches (e.g., Yo and Che [16]) have also been undertaken in the last few years.

More recently, several papers have proposed keystroke biometrics in conjunction with the login-id password pair access control technique (e.g., Tapiador and Sigüenza [9]). Some commercial implementations are also available (‘Biopassword’©, a software tool for Windows platform commercialized by Net Nanny Inc. [17]).

¹ Those papers which are only mentioned in the report are at the end of the reference list (starting with number 10). Those papers which were used in this thesis are presented in order of appearance (1-9).

1.4 Goal

This project is meant to fulfill the following goals:

- collect samples from volunteers which characterize the volunteers’ unique typing patterns

- examine statistical characteristics of the collected samples

- create an algorithm for identity verification, based on the discovered characteristics

- implement a prototype logon system for evaluation.

1.5 Outline of the thesis

- Chapter 2 contains the introduction to user verification.

- Chapter 3 explains the important aspects of biometric identity verification.

- Chapter 4 describes the process of collecting typing statistics from volunteers.

- Chapter 5 presents the phase of processing the collected statistics.

- Chapter 6 contains the description of the implemented logon system based on keyboard statistics as well as the results of the performed tests.


2. Identity verification

In this chapter, some basic identity verification concepts are provided. First, the difference between the terms identification and identity verification is explained. Later on, decision regions and are covered. Finally, the difference between FAR and FRR is explained. Readers familiar with these topics can skip this chapter.


2.1 Identification and Identity Verification

In order to understand the concept behind every biometrical identity verification system, it is important to be able to distinguish between identification and identity verification.

Identity verification deals with testing the identity of a particular user. A person attempting to access some protected resource (a remote server, a database, a bank account etc.) must prove her/his identity by providing some unique item (a password or a smart card) which is known to (possessed by) only that particular individual and which matches the template stored in the system. The most common example of identity verification is the login – password pair.

On the other hand, identification determines only who the user is or rather claims to be. The user does not need to provide any information that verifies the claimed identity. This is usually achieved by comparing database records with the name (login-id) provided by the user. If the login-id is found, the user is granted access to the resource.


Identity verification is considered to be more secure, and thus this approach is implemented in an overwhelming majority of computer systems. This thesis deals with verification based on keyboard statistics, so identification will not be considered further.

2.2 Decision regions

The idea behind identity verification is that the system tests whether the hypothesis “The person is A” is true or false [3]. To verify the hypothesis, the input data provided by the user must be compared with those stored in the system database. A rule which defines how to compare these two items must be defined as well.

In the case of the LP pair, the rule for comparing input data with stored templates is very simple – the password provided by the user must exactly match the password stored in the database.

With the biometric approach, the comparison is more complex. Some deviations and noise are introduced into input data (for example the image of the fingerprint has been changed because the user recently got a small scar on his finger or she/he always places his finger in a slightly different position on the scanning device during the verification process) so hardly ever is an exact match achieved. This means that the data does not need to be identical but it must be similar to the template in some sense. The set of input data that is sufficiently close to the template can be illustrated as a “cloud” (objects b and b’ on Figure 2.1)[3]. The template itself defines a decision region and the “cloud” of data provided by the user must be a subset of such a region in order to validate the user.

Figure 2.1: a) A “cloud” of input data b is the subset of the decision region A, so the user is accepted. b) “Cloud” b’ crosses region A’s border, so access is denied.

The biggest challenge is to assure that the regions of the stored templates for any two possible users do not overlap. In our specific context this means that we have to make sure that data from different persons are separated so that we do not get any false verifications [3].

In figure 2.2, three different cases are illustrated:

a) the regions for different users overlap, so correct verification is not possible

b) the regions do not overlap but they are non-convex [3], so we cannot separate them with straight lines

c) the regions do not overlap and are convex [3], so they can be separated with straight lines, which makes user verification quite simple. The password-based authentication is a good example of convex decision regions.


Figure 2.2: a) regions that overlap b) non-convex regions c) convex regions

Although the last case is very desirable, it is usually not the case with biometric user verification systems (including the keyboard dynamics approach). The verification algorithm must deal with non-convex regions and thus its complexity increases. Hopefully, together with the increased level of implementation complexity, we gain a higher level of security.

2.3 False Rejection Rate and False Acceptance Rate

When discussing the accuracy and the performance of biometric systems, it is very beneficial to find a suitable measure in order to compare different systems. There are two such measures: the False Acceptance Rate (FAR) and the False Rejection Rate (FRR). FAR is a measure of the likelihood that the access system will wrongly accept an access attempt; that is, will allow an access attempt by an unauthorized user [4]. For many systems, the threshold can be adjusted to ensure that virtually no impostors are accepted. Unfortunately, this often means that an unreasonably high number of authorized users are rejected, which can be measured by FRR [5] (the rate at which a given system will falsely reject an authorized user).

The trade-off between FAR and FRR is shown in Figure 2.3. As we see, the lower the FAR of a system, the higher its FRR becomes. It is necessary to find a balance between these two types of errors, so that both security and user friendliness are preserved.

Figure 2.3: The relationship between FAR and FRR. [3]

The user logon prototype system based on keyboard dynamics which I developed was tested in such a manner that those two rates were calculated and it is possible to compare the results with other implementations.
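The threshold trade-off described in this section can be made concrete with a small sweep. This is an added example, not code from the thesis: the distance scores are constructed, and the rule "accept when the score is at or below the threshold" is an assumption about how a verifier would use them.

```python
# Constructed distance scores in [0, 1]; 0 means "identical to the template".
# GENUINE: attempts by the legitimate user. IMPOSTOR: attempts by other people.
GENUINE = [0.08, 0.12, 0.16, 0.18, 0.21, 0.24, 0.27, 0.31, 0.36, 0.44]
IMPOSTOR = [0.29, 0.33, 0.41, 0.46, 0.52, 0.57, 0.63, 0.68, 0.74, 0.81]


def far_frr(genuine, impostor, threshold):
    """Return (FAR, FRR) when an attempt is accepted iff score <= threshold."""
    if not genuine or not impostor:
        raise ValueError("both score lists must be non-empty")
    false_accepts = sum(1 for s in impostor if s <= threshold)
    false_rejects = sum(1 for s in genuine if s > threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def sweep(genuine, impostor, steps=20):
    """Evaluate (threshold, FAR, FRR) at thresholds 0, 1/steps, ..., 1."""
    rows = []
    for k in range(steps + 1):
        threshold = k / steps
        far, frr = far_frr(genuine, impostor, threshold)
        rows.append((threshold, far, frr))
    return rows


def zero_far_operating_point(rows):
    """Most permissive threshold that still accepts no impostor, or None."""
    zero = [row for row in rows if row[1] == 0.0]
    return max(zero, key=lambda row: row[0]) if zero else None


def balanced_operating_point(rows):
    """Threshold where FAR and FRR are closest (approximate equal error rate)."""
    return min(rows, key=lambda row: (abs(row[1] - row[2]), row[0]))


def is_monotonic_tradeoff(rows):
    """True if FAR never falls and FRR never rises as the threshold grows."""
    fars = [row[1] for row in rows]
    frrs = [row[2] for row in rows]
    return (all(a <= b for a, b in zip(fars, fars[1:]))
            and all(a >= b for a, b in zip(frrs, frrs[1:])))


if __name__ == "__main__":
    table = sweep(GENUINE, IMPOSTOR)
    for threshold, far, frr in table:
        print(f"t={threshold:.2f}  FAR={far:.2f}  FRR={frr:.2f}")
    print("no impostor accepted:", zero_far_operating_point(table))
    print("balanced:", balanced_operating_point(table))
```

On this data, refusing every impostor costs a 40% rejection rate for the legitimate user, while the balanced point gives 20% for both errors.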


3. Biometric systems

In this chapter, I will provide a brief introduction to biometric-based user identification techniques. First the basic terminology and most important facts are covered. Later on, the major types of biometric systems are described. Finally, the keyboard dynamics approach is widely discussed. Readers familiar with these topics can skip this chapter.

3.1 What is the biometric system?

The term biometrics is used for automated methods of recognizing a person based on a physiological or a behavioral characteristic [5]. The authentication is based on the features that are considered to be unique to every individual (fingerprints, speech, etc.) and thus can verify her/his identification in a convenient way. Such authentication is sometimes called “third level of authentication” and is based on a “who you are” scheme.

A biometric system is essentially a pattern recognition system that performs personal identification by establishing the authenticity of a specific user’s characteristics. Any biometric system can be divided into the enrollment module [6] and the identification module [6] (see Figure 3.1). During the enrollment phase, the biometric characteristic of an individual is being sampled and stored as a template in a database. During the recognition phase, the input data of the verified user are captured in order to be processed by the feature extractor [6]. Then, the result is compared with the template by a feature matcher [6]. If the input data matches the template according to the given rule, access is granted.

* In case of keyboard dynamics, no real sensor is needed – characteristics are measured using a timer.

Figure 3.1: A generic biometric system [6].

Although biometric identity verification systems are considered to be more secure than password or token-based approaches, several vulnerabilities can be observed. Bruce Schneier in [7] presents such a list:

- Biometrics are hard to forge, but it is possible to steal them. It is not an easy task to put a false fingerprint on your finger, or make your iris look like someone else’s, but input data can be sniffed during a “man in the middle” attack and used by the attacker. To prevent such threats, a system must also verify the encrypted timestamp of biometric data.

- Once your biometric data is stolen, it remains stolen for life. There is no possibility of getting back to a secure situation. You cannot get new, replacement data.


- Biometrics are not useful when the characteristics of a key are needed: secrecy, randomness and the ability to update or destroy. We have to remember that biometrics are unique but usually they are not secret.

3.2 Biometric technologies

Characteristics on which biometric user verification is based can be divided into two main categories: physical and behavioral. The difference between the two approaches is that physical biometrics do not change at all (or very slightly) over time, whereas behavioral characteristics may vary from time to time, since the recognition is based on user actions.

Some of the techniques described below are already in wide use, while others are still being investigated.

3.2.1 Physical characteristics

Face. Face recognition is typically based on the location and shape of facial attributes, such as the eyes, eyebrows, nose, lips, and chin, and their spatial relationships [6]. While the performance of such commercially available systems is acceptable, an extensive discussion is taking place whether the face itself, without any additional information, is sufficient for the proper recognition of a user - drastic measures such as plastic surgery can lead to granting an unauthorized person access. Additionally, current face recognition systems put many constraints on how to obtain face patterns (proper light and background etc.).

Facial Thermogram. The vascular system of the human face is claimed to be unique to each individual and it has several advantages over the face recognition technique. Even plastic surgery cannot change the vascular structure. Additionally, an infrared camera can capture the face thermogram in very low ambient light or in the absence of any light at all. On the other hand, face thermograms may depend on a number of factors such as the emotional state of the subjects or body temperature [6].

Fingerprints. In this technique the pattern of ridges and furrows on the skin of the thumb is used for authentication [6]. The rapid development of sensors used to read the fingerprint image keeps the cost of implementation at a relatively low level. One problem with this approach is the lack of acceptability among typical users. Nobody wants to feel like a criminal.

Hand geometry. A variety of measurements of the human hand, including its shape, the length and width of the fingers, can be used as a biometric characteristic [6]. The technique is very simple, relatively easy to use, and inexpensive. The main disadvantage is the size of the scanner.

Retinal Pattern. The pattern formed by the veins beneath the retinal surface in the eye is unique and is, therefore, an accurate and feasible characteristic for recognition [6]. Digital images of retinal patterns can be obtained by projecting a low-intensity beam of visible or infrared light into the eye. During the time the retina is exposed to the sensor’s light, the eye cannot be moved. It means that a high level of user cooperation is required, which, for some applications, cannot be achieved.

Iris. The visual texture of the iris carries very distinctive information useful for the identification of individuals. The iris is more readily imaged than the retina; it is extremely difficult to surgically tamper with the iris texture information and it is easy to detect artificial irises [6].


3.2.2 Behavioral characteristics

Signature. Each person has a unique style of handwriting, but no two signatures of a person are exactly identical. Thus the performance of systems based on this technique is not sufficient for all types of applications. There are two approaches to identification based on signature [6]: static and dynamic. Static signature identification uses only the geometric features of a signature, whereas dynamic signature identification uses both the geometric features and the dynamic features such as acceleration, velocity, pressure and trajectory profiles of the signature [6]. The great advantage of this type of biometric system is that the acceptance among users for this method is at a high level.

Speech. The speech of a person is considered to be distinctive but may not contain sufficient invariant information to offer proper recognition. Speech-based verification is based on either a text-dependent or a text-independent speech input [6]. A text-dependent verification authenticates the identity based on a fixed phrase. A text-independent verification verifies the identity of a speaker regardless of what she/he is saying. The latter approach is much more difficult to implement, but offers more protection against fraud. Generally, speech-recognition systems are sensitive to background noises as well as to the emotional and physical state of the person who is verified [6]. The good thing is that this method has high acceptance among ordinary users.


3.3 Keyboard dynamics

Keystroke dynamics biometric systems analyze the way a user types at a terminal by monitoring the keyboard events. Identification is based on typing rhythm patterns, which are considered to be a good sign of identity [8]. In other words not what you type, but how you type is important. In this approach several things can be analyzed: time between key-pressed and key-released events, break between two different keystrokes, duration for digraphs and trigraphs.

Keystroke verification techniques can be divided into two categories: static and continuous. Static verification approaches analyze keyboard dynamics only at specific times, for example during the logon process. Static techniques are considered as providing a higher level of security than a simple password-based verification system [8]. The main drawback of such an approach is the lack of continuous monitoring, which could detect a substitution of the user after the initial verification. Nevertheless, the combination of the static approach with password authentication was proposed in several papers [e.g. 11] and it is considered as being able to provide a sufficient level of security for the majority of applications. My prototype system is based on such a combination.

Continuous verification, on the contrary, monitors the user's typing behavior through the whole period of interaction [8]. It means that even after a successful login, the typing patterns of a person are constantly analyzed and when they do not match the user’s profile, access is blocked. This method is obviously more reliable but, on the other hand, the verification algorithm as well as the implementation process itself are much more complex.


Keystroke dynamics are sensitive to the emotional and physical state of the person who is verified. Very poor typing skills are another factor which can affect the process of authentication. The good thing is that this method is very likely to achieve a high level of acceptance among ordinary users. Moreover, unlike other biometric systems which usually require additional hardware and thus are expensive to implement, biometrics based on keystroke dynamics is almost for free - the only hardware required is the keyboard [8].

4. Collecting keyboard statistics – description of the experiment

4.1 Introduction

The experiment took place in December 2003 and January 2004. Twenty volunteers participated in the process of collecting typing samples. Once again, I would like to thank everybody involved.

4.2 Methodology

4.2.1 Technical implementation

In order to collect statistics from volunteers, I developed a Java application: the Keyboard Statistics Collector (KSC). The program records the keystroke events performed by a particular user during the experiment in a format suitable for further statistical analysis. The log data associated with every key event are:

- key code – a unique number for every keyboard event

- position of the key on the keyboard – used to distinguish the right and left Shift

- time stamp for event

- type of event - key pressed or key released.

Additionally KSC records such parameters as:

- typing velocity

- typing error ratio


All data is stored in formatted log files on the hard drive, for further processing in Matlab. Like every Java application, KSC can be run on any platform, so collecting the samples can be performed in any environment.

KSC consists of two independent parts (which means that all data are stored independently for those two parts) called typing modes:

- Login – Password mode

- Long Text mode

Login-id password mode was designed in such a manner that it simulates logging on to some remote system. The user has to input the login-id password pair 15 times without typing errors (attempts with typing errors are not counted), which is considered a sufficient sample [9].

Figure 4.1: The Login-id password mode for KSC.

The purpose of the Long Text mode is to collect the user’s statistics while she/he is typing English text in the KSC editor window.


Figure 4.2: The Long Text mode for KSC.

KSC had been carefully tested on several platforms before the experiment and a few small bugs which had been reported were removed, so KSC is considered to be reliable.

4.2.2 The experimental procedure

I decided to perform the experiment on several different operating systems, to find out whether the OS or hardware platform can affect the samples in some way. The other reason was that users were free to choose any machine and place they wanted. This had the advantage that most of the users were using keyboards they were familiar with. The following OS’s were used: Unix Solaris, Windows 98/2000/XP and Red Hat Linux 9.

The keyboard statistics collection session for a single participant lasted from 10 to 40 minutes. Every volunteer was asked to choose at least two out of four login-id password pairs provided by KSC and to type each of them 15 times in KSC’s Login-id password mode. Two of these pairs were considered easy to type (no capital letters or digits), two others as difficult (with capital letters and digits). All LP pairs used in the experiment are shown in Table 4.1.

Login:     rabbit     bluesky    FrreDroZ    jaBiZZ
Password:  javacode   anaconda   PandaZ9x4   Xoid1dWd4

Table 4.1: Login-id password pairs used in the experiment.

The second phase was carried out using the Long Text mode. It involved collecting keyboard statistics while the user is typing a text in English and it was much more time-consuming than the login-id password part. This phase consisted of two stages. In the first stage each participant was to retype one page of a text chosen by the author. Its length was fixed and the occurrence of particular letters reflected the statistical properties of English. In the second stage, volunteers were asked to type several sentences of their own choice in English.

4.2.3 Group of participants

Twenty volunteers (including the author) participated in the experiment. Typing skills varied among them – users with little computer experience as well as IT professionals were represented. Despite the fact that for the majority English is the second language (only two of them are native speakers), all participants are considered as being able to speak and write in English more or less fluently.

5. The results of keyboard samples processing and analyzing

5.1 Introduction

In this chapter, results from the processing of the users’ samples are discussed. First the methodology of the performed calculations is described. Later on, my observations are presented and discussed.

5.2 Methodology

There were many possible ways of analyzing the collected samples. Due to the fact that time constraints for the experiment were tight as well as resources limited, I decided to focus my research on one very basic measure - the duration of a key. Other factors such as the latency and the duration of digraphs and trigraphs were not considered. An additional factor that was analyzed is called the typing path (see 5.2.3).

5.2.1 Mean value and standard deviation.

The mean and standard deviation were calculated for the duration values of every char that occurred at least 15 times in the examined set. Calculations were performed separately for different modes (Login Pass vs. Long Text) as well as for different LP pairs. The following formulas were used:

for mean value ($\bar{x}$):

$$\bar{x} = \frac{1}{n} \sum_{i=1}^{n} x_i ,$$

for standard deviation (s):

$$s = \left( \frac{1}{n-1} \sum_{i=1}^{n} (x_i - \bar{x})^2 \right)^{\frac{1}{2}} ,$$

where $\bar{x}$ - mean value, $x_i$ – single duration sample, n - the number of duration samples.
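The following added example (not KSC or the thesis's Matlab code) turns key events into durations and applies the two formulas above with the 15-occurrence cut-off. The log line layout `time_ms key_code location PRESSED|RELEASED` and the sample log are constructed for illustration; the page lists the logged fields but not the file format.

```python
import math
from collections import defaultdict

MIN_SAMPLES = 15  # only chars that occur at least 15 times are evaluated


def parse_events(lines):
    """Parse 'time_ms key_code location PRESSED|RELEASED' lines (assumed layout)."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        time_ms, key_code, location, kind = line.split()
        if kind not in ("PRESSED", "RELEASED"):
            raise ValueError(f"unknown event type: {kind!r}")
        events.append((int(time_ms), int(key_code), location, kind))
    events.sort(key=lambda e: e[0])  # stable: equal timestamps keep log order
    return events


def key_durations(events):
    """Return (key_code, duration_ms) for every completed keystroke."""
    pressed_at = {}
    durations = []
    for time_ms, key_code, location, kind in events:
        key = (key_code, location)  # location keeps left and right Shift apart
        if kind == "PRESSED":
            # Auto-repeat delivers further PRESSED events while a key is held,
            # so only the first one starts the keystroke.
            pressed_at.setdefault(key, time_ms)
        elif key in pressed_at:
            durations.append((key_code, time_ms - pressed_at.pop(key)))
        # A RELEASED without a PRESSED (log began mid-keystroke) is dropped.
    return durations


def duration_stats(durations, min_samples=MIN_SAMPLES):
    """Map key_code -> (n, mean, sample standard deviation with n - 1)."""
    per_key = defaultdict(list)
    for key_code, duration in durations:
        per_key[key_code].append(duration)
    stats = {}
    for key_code, xs in per_key.items():
        n = len(xs)
        if n < max(min_samples, 2):  # s is undefined for fewer than 2 samples
            continue
        mean = sum(xs) / n
        s = math.sqrt(sum((x - mean) ** 2 for x in xs) / (n - 1))
        stats[key_code] = (n, mean, s)
    return stats


def constructed_log():
    """Constructed sample: key 65 then key 66 typed 15 times, key 67 only 3 times."""
    lines = ["# time_ms key_code location event"]
    t = 1000
    for i in range(15):
        a_len = (70, 80, 90)[i % 3]
        lines.append(f"{t} 65 S PRESSED")
        lines.append(f"{t + 60} 66 S PRESSED")  # next key goes down before 65 is up
        lines.append(f"{t + a_len} 65 S RELEASED")
        lines.append(f"{t + 160} 66 S RELEASED")
        if i < 3:
            lines.append(f"{t + 200} 67 S PRESSED")
            lines.append(f"{t + 275} 67 S RELEASED")
        t += 500
    return lines


if __name__ == "__main__":
    result = duration_stats(key_durations(parse_events(constructed_log())))
    for code, (n, mean, s) in sorted(result.items()):
        print(f"key {code}: n={n} mean={mean:.1f} ms s={s:.2f} ms")
```

Key 67 is absent from the result because it was typed only three times; pairing by key rather than by event order is what keeps the overlapping keystrokes of 65 and 66 from corrupting each other's durations.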

5.2.2 Degree of disorder of a vector.

Having two sets of key latencies of the same LP pair, it is possible to measure their “similarity”. One way to calculate that is the degree of disorder (do) technique [1].

Figure 5.1: The distances between the position of each element in V with respect to V’.

Let us define vector V of N elements and vector V’, which includes the same N elements, but ordered in a different way. The degree of disorder in vector V can be defined as the sum of the distances between the position of each element in V with respect to its counterpart vector V’. If all the elements in both vectors are in the same position, the disorder equals 0. Maximum disorder occurs when elements in vector V are in the reverse order to the model vector V’. Maximum disorder ($do_{max}$) is given by:

$$do_{max} = \frac{|V|^2}{2} ,$$

where |V| is the length of V and it is even

or by:

$$do_{max} = \frac{|V|^2 - 1}{2} ,$$

where |V| is the length of V and it is odd.

In order to get the normalized degree of disorder ($do_{nor}$) of a vector of N elements, we divide do by the value of the maximum disorder. After normalization, the degree of disorder falls between 0 (V and V’ have the same order) and 1 (V is in reverse order to V’). For the vector V on Figure 5.1 the disorder can be calculated as:

$$do = (2 + 0 + 1 + 3 + 1 + 1 + 2) = 10 ,$$

where $do_{max}$ equals:

$$do_{max} = \frac{|V|^2 - 1}{2} = \frac{7^2 - 1}{2} = \frac{48}{2} = 24 ,$$

In order to normalize the disorder, we perform:

$$do_{nor} = \frac{do}{do_{max}} = \frac{10}{24} = 0.4167$$
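The calculation above, as an added example that is not code from the thesis. The two 7-element vectors are constructed so that the per-element distances are 2, 0, 1, 3, 1, 1, 2 as in the worked numbers (the actual contents of Figure 5.1 are not on this page), and building each vector by ordering key positions by their measured time is an assumption made for illustration.

```python
def degree_of_disorder(v, v_ref):
    """Sum over all elements of |position in v - position in v_ref|."""
    if len(set(v)) != len(v) or len(v) != len(v_ref) or set(v) != set(v_ref):
        raise ValueError("v and v_ref must hold the same distinct elements")
    ref_position = {element: i for i, element in enumerate(v_ref)}
    return sum(abs(i - ref_position[element]) for i, element in enumerate(v))


def max_disorder(n):
    """|V|^2 / 2 for even |V| and (|V|^2 - 1) / 2 for odd |V|."""
    return (n * n) // 2  # integer division covers both cases


def normalized_disorder(v, v_ref):
    """Degree of disorder scaled to [0, 1]; vectors shorter than 2 give 0."""
    n = len(v)
    if n < 2:
        return 0.0  # a single element cannot be out of order
    return degree_of_disorder(v, v_ref) / max_disorder(n)


def ordering(times_ms):
    """Key positions of one typed sample, sorted by their measured time.

    Elements are positions in the typed string, not characters, so the
    repeated letters of a word such as 'anaconda' stay distinct. Equal
    times keep typing order because sorted() is stable.
    """
    return sorted(range(len(times_ms)), key=lambda i: times_ms[i])


def sample_distance(sample_ms, template_ms):
    """Normalized disorder between two timing samples of the same string."""
    return normalized_disorder(ordering(sample_ms), ordering(template_ms))


# Constructed vectors reproducing the distances 2, 0, 1, 3, 1, 1, 2.
FIG_V = list("abcdefg")
FIG_V_REF = list("dbacgef")

# Constructed timings (ms) for two entries of the 7 keys of "bluesky".
TEMPLATE_MS = [72, 85, 64, 91, 79, 88, 70]
SAMPLE_MS = [75, 83, 66, 90, 86, 80, 69]


if __name__ == "__main__":
    print("do     =", degree_of_disorder(FIG_V, FIG_V_REF))
    print("do_max =", max_disorder(len(FIG_V)))
    print("do_nor =", round(normalized_disorder(FIG_V, FIG_V_REF), 4))
    print("sample vs template =", round(sample_distance(SAMPLE_MS, TEMPLATE_MS), 4))
```

In the timing example only two keys swap rank between the two entries, so the distance is 4/24, well below the 10/24 of the worked vector.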

5.2.3 Typing paths

Typing paths can be described as a set of key code/key event pairs stored in order of occurrence. If some short sequence of chars is being retyped by a user several times (which is the case with the “Login – Password” mode), the analysis of such paths is likely to show some typical characteristics of a user’s behavior:

- the sign of a latency value between two keys (negative or positive)

- the position of the key pressed in the case of duplicate keys (digits, SHIFT's, etc.)

5.3 Analysis of the samples

5.3.1 Duration accuracy and the “quantization” problem

The very first issue observed is the difference in the performance of KSC software on different platforms. The measured duration was more accurate on some systems than on others. On the Solaris platform, duration intervals have an accuracy of around 1-2 milliseconds whereas on some Windows platforms, the values are rounded with 10 milliseconds accuracy. For instance time duration values ‘72’ and ‘79’ could be both represented as ‘70’ or ‘80’. As a result of this unwanted “quantization”, the values measured were less diversified (see Figure 5.2). Such a situation can lead to degraded performance of the recognition system (see chapter 6). The reason for this shortcoming might be a specific hardware configuration. The good thing is that computers with a CPU clock higher than 2 GHz seem to overcome this problem.

Figure 5.2: Duration times (in ms) of all chars in a “bluesky/anaconda” pair (user A): on Solaris (black) and on Windows (white). On some Windows machines unwanted “quantization” is introduced, so the diversity of duration values is affected (only 4 different values for 15 chars).

5.3.2 Differences between ‘easy’ and ‘difficult’ LP pairs

The collected and analyzed samples for LP pairs, which are considered to be easy to type (see 4.2.2), have smaller standard deviation values of duration times for single chars. This means that time samples for ‘easy’ LP pairs are more clustered around the mean than for ‘difficult’ pairs. What is more, the process of learning is much faster in the case of ‘easy’ pairs. Similar observations were reported in [9].

5.3.3 Comparison of statistics for different modes of typing

Duration times of chars, which appear in all typing modes (LP, retyping, free-typing) performed by a single user, have different statistical characteristics. The mean and standard deviation of single char duration (calculated separately for every mode) differ from each other. The conclusion is that the average user’s statistics are strongly affected by the nature of the task which is performed. The typing of the LP pair procedure resulted in the most stable characteristics of duration times (the smallest value of standard deviation) for the majority of the examined volunteers.

5.3.4 Differences among user’s samples for the same LP pair

At the beginning, I assumed that the statistical characteristics of a single user can change with the passage of time. In order to verify this, two users were asked to retype the same LP pair 15 times again, one month later. In both cases, the mean and standard deviation of all durations were calculated. The results for user B are shown in Figures 5.3 and 5.4.

Figure 5.3: Standard deviation for the chars in rabbit/javacode pair (user B): calculated from samples collected in December (white) and January (black). Axes: chars, ms.

The standard deviation usually has smaller values for samples taken in January. It means that single durations were clustered around the mean more closely than those from December. The reason for that is that in January, the user was already familiar with the given LP pair, so the typing process was more straightforward. The same conclusion may be drawn from analyzing the mean values. Generally, average durations are smaller for samples taken in January, which leads to the conclusion that LP pairs were typed faster.

Another important observation is the fact that the durations for the same chars differ among each other to a large extent. Users with little typing experience have especially divergent durations (in some cases the standard deviation reached over 30% of the mean value). Although single duration times become more and more equal (stable) while a user gets used to a particular LP pair, the implementation of an identity verification system, which would rely only on this approach, is highly problematic.

Figure 5.4: Mean for chars in rabbit/javacode pair (user B): calculated from samples collected in December (white) and January (black). Axes: chars, ms.

Results from the degree of disorder analysis were more promising. Let us define the distance vector (DV) for a user as the set of chars sorted by duration in ascending order. The set contains all the chars from the given LP pair.² A model distance vector for a user is the set of chars sorted in ascending order by its average durations (mean values) calculated from several LP pairs (in this case 15). Having the model DV of the user A, the degree of disorder was calculated for single samples of the given LP pair. The normalized degree of disorder was in the range 0,1 – 0,55, with a strong concentration inside the 0,2 – 0,4 interval.

² If a char occurs more than once in the LP pair, it is still represented in the distance vector as one item. The average duration is calculated and this value determines the char’s position in the vector.

Figure 5.5: The normalized degree of disorder for 12 different LP samples gathered in January, in regards to model vector of user A, from December (‘FrreDroZ/PandaZ9x4’ pair). Vertical axis: normalized degree of disorder.

Similar results of the normalized degree of disorder were achieved by comparing the December distance vector model with the single DV’s gathered in January (the range was 0,15 – 0,65 with strong concentration inside the 0,25 – 0,45 interval – see Figure 5.5).

5.3.5 Differences between users for the same LP pair

Although chars’ durations vary among different volunteers (Figures 5.6 and 5.7), it is hard to find a simple set of rules, which would enable the clear distinction of users. The reason is always the same – durations for the majority of participants are not stable enough to keep sufficient distance from other users’ samples, so decision regions (2.2) based on this attribute, will overlap.

Calculations of the degree of disorder provided much better results once again. The normalized degree of disorder for any two model distance vectors of different users was always higher than 0,5. As described in 5.3.4, the DV’s of a single volunteer concentrated mainly inside the 0,2 – 0,4 interval, so a noticeable distance between different users was observed. From this, one can conclude that the normalized degree of disorder is able to differentiate between user and imposter in most cases. What one must keep in mind is the fact that there is always a chance that some attacker’s sample could be close enough to the reference vector.

Figure 5.6: The standard deviation of duration for chars from the jaBiZZ/Xoid1dWd4 pair (users F, G, H, I). Axes: chars, ms.

Figure 5.6: The mean of the duration for chars from the jaBiZZ/Xoid1dWd4 pair (users F, G, H, I). Axes: chars, ms.

Figure 5.8: The normalized degree of disorder for the model vectors from 6 different users (C-H) in regards to the model vector of user A (‘FrreDroZ/PandaZ9x4’ pair). Axes: users, normalized degree of disorder.

5.3.6 Differences in typing paths

While typing, most of the volunteers pressed keys in such a manner that the latency between two consecutively typed keys had a negative value (in other words, duration times overlapped with each other). Experienced typists, especially, had a tendency to press the next key before releasing the previous one. Such a tendency was repetitive among the same pairs of letters, so typing paths can be considered as another means of distinguishing users.

5.4 Conclusions

Several factors can affect the user’s typing statistics: mental and physical condition, the environment (an unfamiliar keyboard, background noise, etc.), frequency of PC usage or the nature of the task being performed (retyping, typing an LP pair). Keyboard dynamics are also affected by the passage of time.

On the other hand, once a user gets familiar with a particular LP pair, her/his characteristics become more stable. The learning process is faster for LP pairs considered to be ‘easy’ and people with more typing experience achieve stabilization of duration times after 8 – 12 attempts.

As was observed, durations of single chars may vary to such an extent that it is no longer feasible to build an identity verification system on this approach. Absolute values (such as duration) can be affected by several factors, but it is reasonable to expect that changes are homogeneous, affecting all characteristics in a similar way. The degree of disorder, which was also calculated, overlooks any absolute value of typing samples. As a consequence, such a measure, which only considers the relative values, should be less affected by psychological and physiological changes, and thus should be able to achieve satisfactory performance.

Typing paths for the given LP differ among participants and are highly repetitive for a single user. They can be used as the first line of defense against imposters.

5.4.1 Summary

The main purpose of sample analysis was to find certain well-defined characteristics, which allow discrimination among different users. In my opinion, the degree of disorder, together with typing patterns, can be applied to a password-based identity verification system, as an additional means of protection. Such a combination can significantly increase the level of security without the introduction of unnecessary overhead for the legal user.

6. KSV – prototype system for keyboard statistics verification

In this chapter, the prototype system for keyboard statistics verification is introduced. First, basic functionality and implementation details are described. Later on, the results of performance testing are presented.

6.1 KSV - Keyboard Statistics Verifier

Keyboard Statistics Verifier is a simulation of a logon system, in which typing dynamics are taken into consideration during the user verification process. The KSV was developed in Java, so it runs on all major operating systems.

Figure 6.1: A screenshot of the KSV system.

The KSV is a high-fidelity prototype, so it only shows how typing-based authentication works, instead of performing a ‘real’ task. Data provided by the user are compared to the templates stored in files, which were created offline from samples collected by KSC. First, the LP pair is checked: if a match is found, KSV will test the typing path and calculate the normalized degree of disorder (otherwise a ‘Wrong login or password’ message is displayed). When the typing path provided by a user is included in the stored template and domax is lower than the given threshold (default is 0,45), KSV returns a ‘login successful’ message (otherwise ‘login failed’). The results are saved in a log file.
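The check sequence described above, together with the distance vector and normalized degree of disorder from 5.2.2 and 5.3.4, as an added Python example; it is not KSV's own Java code. The event tuples, function names and ‘rabbit’ timing samples are constructed for illustration, the LP comparison is assumed to have passed already, and the value compared with the 0,45 threshold is the normalized degree of disorder.

```python
from statistics import mean

def strokes(*keys):
    """Constructed-sample helper: (key, press_ms, release_ms) -> key events."""
    return [e for k, p, r in keys for e in ((p, k, "press"), (r, k, "release"))]

def typing_path(events):
    """Key/key-event pairs in order of occurrence (section 5.2.3)."""
    return tuple((k, ev) for _, k, ev in sorted(events, key=lambda e: e[0]))

def durations(events):
    """Pair every press with the next release of the same key."""
    down, out = {}, []
    for t, k, ev in sorted(events, key=lambda e: e[0]):
        if ev == "press":
            down[k] = t
        elif k in down:
            out.append((k, t - down.pop(k)))
    return out

def distance_vector(durs):
    """Chars sorted by mean duration, ascending; a repeated char is one item."""
    per_char = {}
    for k, ms in durs:
        per_char.setdefault(k, []).append(ms)
    # Ties are broken on the char itself (assumption; the page names no rule).
    return sorted(per_char, key=lambda k: (mean(per_char[k]), k))

def disorder(v, model):
    """Sum of distances between each element's position in v and in model."""
    pos = {k: i for i, k in enumerate(model)}
    return sum(abs(i - pos[k]) for i, k in enumerate(v))

def normalized_disorder(v, model):
    if sorted(v) != sorted(model):
        raise ValueError("vectors must contain the same elements")
    n = len(model)
    do_max = n * n // 2  # |V|^2 / 2 (even) or (|V|^2 - 1) / 2 (odd)
    return disorder(v, model) / do_max if do_max else 0.0

def enroll(samples):
    """Template: every typing path seen plus the model DV over all samples."""
    return {"paths": {typing_path(s) for s in samples},
            "model_dv": distance_vector([d for s in samples for d in durations(s)])}

def verify(events, template, threshold=0.45):
    if typing_path(events) not in template["paths"]:
        return False, "blocked by path"
    dv = distance_vector(durations(events))
    if normalized_disorder(dv, template["model_dv"]) >= threshold:
        return False, "blocked by DV"
    return True, "login successful"

# Constructed enrollment samples for the login "rabbit": the owner presses
# 'a' before releasing 'r' and 't' before releasing 'i' (negative latency).
TEMPLATE = enroll([
    strokes(("r", 0, 90), ("a", 80, 150), ("b", 200, 260),
            ("b", 300, 364), ("i", 400, 520), ("t", 510, 610)),
    strokes(("r", 0, 95), ("a", 85, 160), ("b", 210, 268),
            ("b", 310, 376), ("i", 410, 525), ("t", 515, 620)),
])
OWNER = strokes(("r", 0, 88), ("a", 78, 170), ("b", 205, 262),
                ("b", 305, 370), ("i", 405, 515), ("t", 505, 608))
# Attempt without overlapping keys: the typing path differs from the template.
NO_OVERLAP = strokes(("r", 0, 100), ("a", 150, 250), ("b", 300, 380),
                     ("b", 420, 500), ("i", 550, 600), ("t", 650, 700))
# Attempt with the owner's overlaps but a different duration ordering.
WRONG_RHYTHM = strokes(("r", 0, 60), ("a", 50, 170), ("b", 200, 310),
                       ("b", 330, 430), ("i", 450, 560), ("t", 510, 590))

if __name__ == "__main__":
    for name, attempt in [("owner", OWNER), ("no overlap", NO_OVERLAP),
                          ("wrong rhythm", WRONG_RHYTHM)]:
        print(name, verify(attempt, TEMPLATE))
    # Constructed 7-element permutation with displacements 2,0,1,3,1,1,2.
    print(round(normalized_disorder(list("cbdafge"), list("abcdefg")), 4))
```

Because only the ordering of durations is compared, the owner's attempt still passes although its absolute timings differ from both enrollment samples.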

6.2 Results of performance testing

KSV was tested for three LP pairs with templates taken from two users: A and B (Table 6.1). In order to test the implemented algorithm for the worst-case scenario, the templates were created from samples collected on Windows machines, on which the ‘accuracy problem’ occurs. The experiment itself was carried out on Windows and on Solaris.

| Login: | Password: | User: |
|---|---|---|
| bluesky | anaconda | A |
| rabbit | javacode | B |
| piotr | cashed14 | B |

Table 6.1: LP pairs tested in KSV.

Volunteers A and B tested KSV as valid users in order to measure the False Rejection Rate (2.3). The other fourteen randomly chosen people (some of them did not take part in the previous experiment) were acting as imposters trying to log in as A or B. I advised them to vary their typing speed in order to raise the probability of success. Also, in order to increase creativity and motivation, a reward was offered to those who managed to log in. The final results are presented in Tables 6.2 and 6.3.

| LP pair: | all attempts: | successful: | blocked by path: | blocked by DV: | wrong LP pair: | FAR: |
|---|---|---|---|---|---|---|
| bluesky/anaconda | 168 | 0 | 78 | 56 | 34 | 0% |
| rabbit/javacode | 213 | 0 | 178 | 26 | 9 | 0% |
| piotr/cashed14 | 177 | 0 | 148 | 15 | 14 | 0% |

Table 6.2: Results for the imposters.

| LP pair: | all attempts: | successful: | blocked by path: | blocked by DV: | wrong LP pair: | FRR: |
|---|---|---|---|---|---|---|
| bluesky/anaconda | 134 | 80 | 12 | 33 | 9 | 36,0% |
| rabbit/javacode | 228 | 120 | 26 | 49 | 33 | 38,4% |
| piotr/cashed14 | 250 | 177 | 28 | 26 | 19 | 23,4% |

Table 6.3: Results for the valid users (A and B).

Although nobody managed to gain unauthorized access in this study, the author is aware of the fact that FAR can be slightly bigger than 0 %. The set of samples is relatively small, but a larger number of attempts (and users) could result in a few successful attacks.

7. Summary

In chapter 7, the following issues are discussed: applications for keyboard statistics, improvements that can be made in the future, and some general conclusions.

7.1 Applications

Password-based-only authentication works well for many applications and is quite simple to implement. Nevertheless, additional use of keystroke analysis could be encouraged in many situations, some of which are presented below:

- Identity Verification – keyboard statistics could be introduced into any verification system right after the user’s LP typing stabilizes.

- Strong Authentication – root password, safety-critical systems and resources.

- Forgotten Passwords – algorithm used in KSV could be used in forgotten password recovery.

7.2 Future work

More extensive testing. KSV should be tested on a larger population of users to find out under which circumstances the implemented algorithm could be broken by an imposter.

Improvements in current implementation. The False Rejection Ratio of KSV is not acceptable for some applications. An algorithm that dynamically updates the user’s templates with the newest statistics could reduce the number of unsuccessful attempts for the valid user.

Client – server implementation. Development of client-server application could allow the examination of a system’s behavior in the presence of remote connections. Additionally, it would be possible to implement such architecture in a variety of ‘real life’ applications.

7.3 Conclusions.

It is possible to develop an identity verification system based on a password and typing dynamics. Typing recognition increases the level of security, but it may slightly affect the user-friendliness of a system.

Difficult to type or often-changed passwords are often forgotten. In many cases, difficult LP pairs introduce more vulnerabilities than the easy ones (for instance, people write such passwords down and put them on top of the computer screen), even if the main purpose, as well as the administrator’s intentions, were exactly opposite. Applying typing dynamics to the verification system would make it possible for passwords to be easy to type and thus easy to remember. What is more, there would be no need to change the passwords. This should in turn increase the level of confidentiality.

KSV works better for those people who use computers very often. This can be explained by the fact that typing behavior is more stable for experienced users.

For users who have very similar durations for all chars, the KSV will perform badly on some Windows machines due to the ‘accuracy’ problem. The good thing is that the newest hardware overcomes bad accuracy, so that in the near future, the problem will disappear.


7.3.1 Summary

In this thesis, I have investigated keyboard dynamics in order to discover a set of dependencies, which clearly shows the distance between valid user and imposter samples. As a result of this investigation, I designed a recognition algorithm based on typing paths and the degree of disorder. The main advantages of KSV are: fast performance, simplicity and an excellent FAR. The main drawback is the rather high level of FRR, which should be improved for KSV to be used in ‘real’ applications.


References

1. Francesco Bergadano, Daniele Gunetti, Claudia Picardi, “User Authentication through Keystroke Dynamics”, University of Torino (November 2002)

2. Fabian Monrose, Aviel Rubin, “Authentication via Keystroke Dynamics”, Conference on Computer and Communications Security (1997)

3. Fredrik Claesson, “Identity verification using signatures”, Linköping University (2000)

4. The Encyclopedia of Computer Security, http://www.itsecurity.com/

5. Biometric Consortium, http://www.biometrics.org

6. Anil Jain, Lin Hong, Sharath Pankanti, “Biometrics identification”, Communications of the ACM (2000)

7. Bruce Schneier, “Inside risks: the uses and abuses of biometrics”, Communications of the ACM (1999)

8. Fabian Monrose, Aviel D. Rubin, “Keystroke Dynamics as a Biometric for Authentication”, Future Generation Computer Systems (March 2000)

9. Marino Tapiador, Juan A. Sigüenza, “Fuzzy Keystroke Biometrics On Web Security”, Universidad Autónoma de Madrid (2000)

10. R. Gaines, W. Lisowski, S. Press, N. Shapiro, “Authentication by Keystroke Timing: some preliminary results”, Rand Report R-256-NSF, Rand Corporation (1980)

11. G. Leggett, J. Williams, M. Usnick, “Dynamic Identity Verification via Keystroke Characteristics”, International Journal of Man-Machine Studies (1991)

12. R. Joyce, G. Gupta, “User authorization based on keystroke latencies”, Communications of ACM (1990)

13. S. Bleha, C. Slivinsky, B. Hussein, “Computer-access security systems using keystroke dynamics”, IEEE Trans. Patt. Anal. Mach. Int (1990)

14. M. Brown, S. J. Rogers, “User identification via keystroke characteristics of typed names using neural networks”, Int. J. Man-Mach. Stud. (1993)

15. M. Brown, S. J. Rogers, “Method and apparatus for verification of a computer user’s identification, based on keystroke characteristics”, Patent Number 5,557,686, U.S. Patent and Trademark Office, Washington, D.C., Sept. (1996)

16. E. Yu, S. Cho, “Biometrics-based Password Identity Verification: Some Practical Issues and Solutions”, XVth Triennial Congress of the International Ergonomics Association (IEA), Aug 24-29 2003, Seoul, Korea

17. http://www.biopassword.com

Abbreviations

do – degree of disorder

doMAX – maximal degree of disorder

doNOR – normalized degree of disorder

DV – distance vector

et al. – and others

FAR – False Acceptance Rate (Ratio)

FRR – False Rejection Rate (Ratio)

LP – Login-id Password

Glossary

Digraph – two keys typed one after the other [1].

Duration of a key – the time elapsed from when the key is pressed to when it is released.

Key code – a unique number assigned to every key on the keyboard.

Key event – we can distinguish two key events: key pressed and key released.

Latency – the time elapsed from the release of the first key to the depression of the next; sometimes latency can have negative value.

Trigraph – three consecutively typed keys [1].

Typing modes – we can distinguish the following typing modes: typing the LP


In English

The publishers will keep this document online on the Internet - or its possible replacement - for a considerable time from the date of publication barring exceptional circumstances.

The online availability of the document implies a permanent permission for anyone to read, to download, to print out single copies for your own use and to use it unchanged for any non-commercial research and educational purpose. Subsequent transfers of copyright cannot revoke this permission. All other uses of the document are conditional on the consent of the copyright owner. The publisher has taken technical and administrative measures to assure authenticity, security and accessibility.

According to intellectual property law the author has the right to be mentioned when his/her work is accessed as described above and to be protected against infringement.

For additional information about the Linköping University Electronic Press and its procedures for publication and for assurance of document integrity, please refer to its WWW home page: http://www.ep.liu.se/
