user authentication through keystroke dynamics · advanced signal processing i user authentication...

Advanced Signal Processing I User Authentication through Keystroke Dynamics

Johannes Luig

1

User Authentication through Keystroke Dynamics

1

Advanced Signal Processing I User Authentication through Keystroke Dynamics

Overview

2

‣ Introduction

‣ Measurable Characteristics

‣ How to measure „Similarity“?

‣ User Authentication

‣ Performance

2

Advanced Signal Processing I User Authentication through Keystroke Dynamics

Introduction

3

Biometric Features

3

Advanced Signal Processing I User Authentication through Keystroke Dynamics

Introduction

3

Biometric Features

physiological behavioural

3

Advanced Signal Processing I User Authentication through Keystroke Dynamics

Introduction

3

Biometric Features

physiological behavioural

face

eyes (retina, iris)

fingerprint

palm topologythermal image

3

Advanced Signal Processing I User Authentication through Keystroke Dynamics

Introduction

3

Biometric Features

physiological behavioural

face

eyes (retina, iris)

fingerprint

palm topologythermal image

keystroke dynamics

voiceprintsignature

3

Advanced Signal Processing I User Authentication through Keystroke Dynamics

Introduction

‣ Motivation:

- Typing on keyboard does not produce continuous stream of non-stop data, but distinctive patterns

- Human actions are predictible in the performance of repetitive and routine tasks

- No specific (expensive) tools needed

- Method is reasonable (even „hidden check“ possible)

4

4

Advanced Signal Processing I User Authentication through Keystroke Dynamics

Measurable Characteristics

‣ Hold Time

‣ Interkey Time

‣ Press/Release Latency

5

5

Advanced Signal Processing I User Authentication through Keystroke Dynamics

Measurable Characteristics

‣ Hold Time

‣ Interkey Time

‣ Press/Release Latency

5

timeS SP C

5

Advanced Signal Processing I User Authentication through Keystroke Dynamics

Measurable Characteristics

‣ Hold Time

‣ Interkey Time

‣ Press/Release Latency

5

timeS SP C

HP

5

Advanced Signal Processing I User Authentication through Keystroke Dynamics

Measurable Characteristics

‣ Hold Time

‣ Interkey Time

‣ Press/Release Latency

5

timeS SP C

HP IKSC

5

Advanced Signal Processing I User Authentication through Keystroke Dynamics

Measurable Characteristics

‣ Hold Time

‣ Interkey Time

‣ Press/Release Latency

5

timeS SP C

PLSP HP IKSC

5

Advanced Signal Processing I User Authentication through Keystroke Dynamics

Measurable Characteristics

‣ Hold Time

‣ Interkey Time

‣ Press/Release Latency

5

timeS SP C

PLSP HP RLPS IKSC

5

Advanced Signal Processing I User Authentication through Keystroke Dynamics

Measurable Characteristics

‣ Timing

- Internal CPU clock

- 8253 timer in IBM-compatible computers

- BIOS microsecond timing function

6

6

Advanced Signal Processing I User Authentication through Keystroke Dynamics

Measurable Characteristics

‣ Timing

- Example: simulation of remote situation

7

from Bergadano et al.:„User Authentication through

Keystroke Dynamics“

7

Advanced Signal Processing I User Authentication through Keystroke Dynamics

Measurable Characteristics

‣ Timing

- Example: simulation of remote situation

7

from Bergadano et al.:„User Authentication through

Keystroke Dynamics“

7

Advanced Signal Processing I User Authentication through Keystroke Dynamics

How to measure „Similarity“? (1)

‣ General approach:

- Measure hold and/or interkey times

- Measurement data = vectors in vector space

- Identify typing person using traditional pattern recognition techniques or Neural Network paradigms

8

8

Advanced Signal Processing I User Authentication through Keystroke Dynamics

How to measure „Similarity“? (1)

‣ Pattern recognition techniques include:

- k-Means Clustering

- Cosine Measure

- Minimum Distance

- Bayes‘ Rule

- Potential Function

9

9

Advanced Signal Processing I User Authentication through Keystroke Dynamics

How to measure „Similarity“? (1)

‣ Pattern recognition techniques include:

- k-Means Clustering

- Cosine Measure

- Minimum Distance

- Bayes‘ Rule

- Potential Function

9

• cluster data into k partitions

• try to find centers of „natural“ clusters

• minimize intra-cluster variance (squared error):

9

Advanced Signal Processing I User Authentication through Keystroke Dynamics

How to measure „Similarity“? (1)

‣ Pattern recognition techniques include:

- k-Means Clustering

- Cosine Measure

- Minimum Distance

- Bayes‘ Rule

- Potential Function

10

10

Advanced Signal Processing I User Authentication through Keystroke Dynamics

How to measure „Similarity“? (1)

‣ Pattern recognition techniques include:

- k-Means Clustering

- Cosine Measure

- Minimum Distance

- Bayes‘ Rule

- Potential Function

10

• cosine of angle between two feature vectors:

10

Advanced Signal Processing I User Authentication through Keystroke Dynamics

How to measure „Similarity“? (1)

‣ Pattern recognition techniques include:

- k-Means Clustering

- Cosine Measure

- Minimum Distance

- Bayes‘ Rule

- Potential Function

11

11

Advanced Signal Processing I User Authentication through Keystroke Dynamics

How to measure „Similarity“? (1)

‣ Pattern recognition techniques include:

- k-Means Clustering

- Cosine Measure

- Minimum Distance

- Bayes‘ Rule

- Potential Function

11

• euclidean distance:

11

Advanced Signal Processing I User Authentication through Keystroke Dynamics

How to measure „Similarity“? (1)

‣ Pattern recognition techniques include:

- k-Means Clustering

- Cosine Measure

- Minimum Distance

- Bayes‘ Rule

- Potential Function

12

12

Advanced Signal Processing I User Authentication through Keystroke Dynamics

How to measure „Similarity“? (1)

‣ Pattern recognition techniques include:

- k-Means Clustering

- Cosine Measure

- Minimum Distance

- Bayes‘ Rule

- Potential Function

12

• relates conditional and marginal probability distributions of random variables to each other

12

Advanced Signal Processing I User Authentication through Keystroke Dynamics

How to measure „Similarity“? (1)

‣ Pattern recognition techniques include:

- k-Means Clustering

- Cosine Measure

- Minimum Distance

- Bayes‘ Rule

- Potential Function

13

13

Advanced Signal Processing I User Authentication through Keystroke Dynamics

How to measure „Similarity“? (1)

‣ Pattern recognition techniques include:

- k-Means Clustering

- Cosine Measure

- Minimum Distance

- Bayes‘ Rule

- Potential Function

13

• A vector v has a potential function F, if

grad(F) = v

13

Advanced Signal Processing I User Authentication through Keystroke Dynamics

How to measure „Similarity“? (1)

‣ Neural Network paradigms include:

- Backpropagation

- Fuzzy ARTMAP

- Radial Basis Functions

- Learning Vector Quantization

- (Hybrid) Sum-of-Products

14

14

Advanced Signal Processing I User Authentication through Keystroke Dynamics

How to measure „Similarity“? (1)

‣ Neural Network paradigms include:

- Backpropagation

- Fuzzy ARTMAP

- Radial Basis Functions

- Learning Vector Quantization

- (Hybrid) Sum-of-Products

14

• feed-forward multilayer network

• input for each unit = sum of outputs of previous units

• „gradient descent algorithm“ (weigths are moved along negative gradient)

14

Advanced Signal Processing I User Authentication through Keystroke Dynamics

How to measure „Similarity“? (1)

‣ Neural Network paradigms include:

- Backpropagation

- Fuzzy ARTMAP

- Radial Basis Functions

- Learning Vector Quantization

- (Hybrid) Sum-of-Products

15

15

Advanced Signal Processing I User Authentication through Keystroke Dynamics

How to measure „Similarity“? (1)

‣ Neural Network paradigms include:

- Backpropagation

- Fuzzy ARTMAP

- Radial Basis Functions

- Learning Vector Quantization

- (Hybrid) Sum-of-Products

15

• supervised Neural Network with very fast convergence

• comparable to Multilayer Perceptron

15

Advanced Signal Processing I User Authentication through Keystroke Dynamics

How to measure „Similarity“? (1)

‣ Neural Network paradigms include:

- Backpropagation

- Fuzzy ARTMAP

- Radial Basis Functions

- Learning Vector Quantization

- (Hybrid) Sum-of-Products

16

16

Advanced Signal Processing I User Authentication through Keystroke Dynamics

How to measure „Similarity“? (1)

‣ Neural Network paradigms include:

- Backpropagation

- Fuzzy ARTMAP

- Radial Basis Functions

- Learning Vector Quantization

- (Hybrid) Sum-of-Products

16

• real-valued functions, whose values depend only on the distance from center

• popular: Gaussians

16

Advanced Signal Processing I User Authentication through Keystroke Dynamics

How to measure „Similarity“? (1)

‣ Neural Network paradigms include:

- Backpropagation

- Fuzzy ARTMAP

- Radial Basis Functions

- Learning Vector Quant.

- (Hybrid) Sum-of-Products

17

17

Advanced Signal Processing I User Authentication through Keystroke Dynamics

How to measure „Similarity“? (1)

‣ Neural Network paradigms include:

- Backpropagation

- Fuzzy ARTMAP

- Radial Basis Functions

- Learning Vector Quant.

- (Hybrid) Sum-of-Products

17

• supervised competetive network

• goal: find some kind of structure in data by determining in which way it is clustered

17

Advanced Signal Processing I User Authentication through Keystroke Dynamics

How to measure „Similarity“? (1)

‣ Neural Network paradigms include:

- Backpropagation

- Fuzzy ARTMAP

- Radial Basis Functions

- Learning Vector Quantization

- (Hybrid) Sum-of-Products

18

18

Advanced Signal Processing I User Authentication through Keystroke Dynamics

How to measure „Similarity“? (1)

‣ Neural Network paradigms include:

- Backpropagation

- Fuzzy ARTMAP

- Radial Basis Functions

- Learning Vector Quantization

- (Hybrid) Sum-of-Products

18

• backpropagation network with modified layer connections

• input for each unit = product of outputs of previous unit with weighting factor

18

Advanced Signal Processing I User Authentication through Keystroke Dynamics

Performance

19

‣ Pattern Recognition Techniquesfrom Obaidat/Sadoun:

„Keystroke Dynamicsbased Authentication“

Classification based on Hold TimesClassification based on Interkey Times

False Rejection Rate

False Acceptance Rate

False Rejection Rate

False Acceptance Rate

19

Advanced Signal Processing I User Authentication through Keystroke Dynamics

Performance

19

‣ Pattern Recognition Techniquesfrom Obaidat/Sadoun:

„Keystroke Dynamicsbased Authentication“

Classification based on Hold TimesClassification based on Interkey Times

False Rejection Rate

False Acceptance Rate

False Rejection Rate

False Acceptance Rate

< 5%

2.5%

19

Advanced Signal Processing I User Authentication through Keystroke Dynamics

Performance

19

‣ Pattern Recognition Techniquesfrom Obaidat/Sadoun:

„Keystroke Dynamicsbased Authentication“

Classification based on Hold TimesClassification based on Interkey Times

False Rejection Rate

False Acceptance Rate

False Rejection Rate

False Acceptance Rate

< 5%

2.5% < 2.5%1%

19

Advanced Signal Processing I User Authentication through Keystroke Dynamics

Performance

20

‣ Pattern Recognition Techniquesfrom Obaidat/Sadoun:

„Keystroke Dynamicsbased Authentication“

Classification based on Hold and Interkey Times

False Rejection Rate

False Acceptance Rate

20

Advanced Signal Processing I User Authentication through Keystroke Dynamics

Performance

20

‣ Pattern Recognition Techniquesfrom Obaidat/Sadoun:

„Keystroke Dynamicsbased Authentication“

Classification based on Hold and Interkey Times

False Rejection Rate

False Acceptance Rate

3.5%2%

20

Advanced Signal Processing I User Authentication through Keystroke Dynamics

Performance

21

‣ Neural Networksfrom Obaidat/Sadoun:

„Keystroke Dynamicsbased Authentication“

Classification based on Hold TimesClassification based on Interkey Times

False Rejection Rate

False Acceptance Rate

False Rejection Rate

False Acceptance Rate

21

Advanced Signal Processing I User Authentication through Keystroke Dynamics

Performance

21

‣ Neural Networksfrom Obaidat/Sadoun:

„Keystroke Dynamicsbased Authentication“

Classification based on Hold TimesClassification based on Interkey Times

False Rejection Rate

False Acceptance Rate

False Rejection Rate

False Acceptance Rate

0%0%

21

Advanced Signal Processing I User Authentication through Keystroke Dynamics

Performance

22

‣ Neural Networksfrom Obaidat/Sadoun:

„Keystroke Dynamicsbased Authentication“

Classification based on Hold and Interkey Times

False Rejection Rate

False Acceptance Rate

22

Advanced Signal Processing I User Authentication through Keystroke Dynamics

Performance

22

‣ Neural Networksfrom Obaidat/Sadoun:

„Keystroke Dynamicsbased Authentication“

Classification based on Hold and Interkey Times

False Rejection Rate

False Acceptance Rate

0%

22

Advanced Signal Processing I User Authentication through Keystroke Dynamics

How to measure „Similarity“? (2)

‣ Alternative Approach (Bergadano et al.):

- Measure duration (latency) of trigraphs and sort them in ascending order

- Define distance between two samples as the „degree of disorder“ between sorted trigraphs

- Normalize distance by maximum degree of disorder

23

23

Advanced Signal Processing I User Authentication through Keystroke Dynamics

How to measure „Similarity“? (2)

24

Example: User is asked to type austria

Trigraph aus ust str tri riaDuration 277 ms 231 ms 281 ms 248 ms 295 ms

24

Advanced Signal Processing I User Authentication through Keystroke Dynamics

How to measure „Similarity“? (2)

24

Example: User is asked to type austria

Trigraph aus ust str tri riaDuration 277 ms 231 ms 281 ms 248 ms 295 ms

ust tri aus str ria

231 248 277 281 295sorted version

24

Advanced Signal Processing I User Authentication through Keystroke Dynamics

How to measure „Similarity“? (2)

24

Example: User is asked to type austria

Trigraph aus ust str tri riaDuration 277 ms 231 ms 281 ms 248 ms 295 ms

ust tri aus str ria

231 248 277 281 295sorted version

d = 1 d = 2 d = 2 d = 1 d = 0

24

Advanced Signal Processing I User Authentication through Keystroke Dynamics

How to measure „Similarity“? (2)

24

Example: User is asked to type austria

Trigraph aus ust str tri riaDuration 277 ms 231 ms 281 ms 248 ms 295 ms

ust tri aus str ria

231 248 277 281 295sorted version

d = 1 d = 2 d = 2 d = 1 d = 0

max. degree of disorder:|array|2 -1

2dnorm =

1+2+2+1+0

12= 0.5

24

Advanced Signal Processing I User Authentication through Keystroke Dynamics

How to measure „Similarity“? (2)

25

ust tri aus str ria

231 248 277 281 295Sample 1 (sorted)

25

Advanced Signal Processing I User Authentication through Keystroke Dynamics

How to measure „Similarity“? (2)

25

ust tri aus str ria

231 248 277 281 295Sample 1 (sorted)

d = 3 d = 0 d = 2 d = 1 d = 2

str tri ust ria aus

222 236 254 269 280Sample 2 (sorted)

25

Advanced Signal Processing I User Authentication through Keystroke Dynamics

How to measure „Similarity“? (2)

25

ust tri aus str ria

231 248 277 281 295Sample 1 (sorted)

d = 3 d = 0 d = 2 d = 1 d = 2

d(S1, S2) = 3+0+2+1+2

12= 0.6666

str tri ust ria aus

222 236 254 269 280Sample 2 (sorted)

25

Advanced Signal Processing I User Authentication through Keystroke Dynamics

How to measure „Similarity“? (2)

26

md(A, X) = (d(A1, X) + d(A2, X) + d(A3, X) + d(A4, X)) / 4

md(B, X) = (d(B1, X) + d(B2, X) + d(B3, X)) / 3

md(C, X) = (d(C1, X) + d(C2, X) + d(C3, X) + d(C4, X) + d(C5, X)) / 5

‣ User Classification

- Compute „mean distance“ of incoming sample to each user‘s model (all available samples of that user)

X ............ current incoming sampleA, B, C ... user models consisting of Samples A1...n, B1...n, C1...n

26

Advanced Signal Processing I User Authentication through Keystroke Dynamics

User Authentication

27

‣ Access Control System

- Samples may be provided by illegal users with unknown typing patterns

➡ even if FAR = 0%, best possible IPR = (100/N)%

‣ Condition:

- Input sample must not only be closer to a certain model than to any other model; it must be sufficiently close to this model

27

Advanced Signal Processing I User Authentication through Keystroke Dynamics

User Authentication

27

‣ Access Control System

- Samples may be provided by illegal users with unknown typing patterns

➡ even if FAR = 0%, best possible IPR = (100/N)%

‣ Condition:

- Input sample must not only be closer to a certain model than to any other model; it must be sufficiently close to this model

„False Alarm Rate“

„Impostor Pass Rate“

27

Advanced Signal Processing I User Authentication through Keystroke Dynamics

User Authentication

28

‣ Use of Thresholds

- Compute mean value of „inner-model“ distances:

- Classify sample X as belonging to A, if (and only if):

m(A) = (d(A1, A2) + d(A1, A3) + d(A1, A4) + d(A2, A3) + d(A2, A4) + d(A3, A4)) / 6

md(A, X) < m(A) + | k * (md(B, X) - m(A)) |

md(B, X) ... mean value of „second closest“ modelA, B, C ... user models consisting of Samples A1...n, B1...n, C1...n

28

Advanced Signal Processing I User Authentication through Keystroke Dynamics

User Authentication

29

‣ Values for k:- k = 1: plain classification scenario

- k = 0.5: md(A, X) closer to m(A) than to any other md(B,X)

- k = 0.33: md(A, X) twice as close to m(A) than to md(B,X)

md(B, X) ... mean value of „second closest“ modelA, B, C ... user models consisting of Samples A1...n, B1...n, C1...n

md(A, X) < m(A) + | k * (md(B, X) - m(A)) |

29

Advanced Signal Processing I User Authentication through Keystroke Dynamics

User Authentication

29

‣ Values for k:- k = 1: plain classification scenario

- k = 0.5: md(A, X) closer to m(A) than to any other md(B,X)

- k = 0.33: md(A, X) twice as close to m(A) than to md(B,X)

md(B, X) ... mean value of „second closest“ modelA, B, C ... user models consisting of Samples A1...n, B1...n, C1...n

md(A, X) < m(A) + | k * (md(B, X) - m(A)) |

from Bergadano et al.:„User Authentication through

Keystroke Dynamics“

29

Advanced Signal Processing I User Authentication through Keystroke Dynamics

User Authentication

29

‣ Values for k:- k = 1: plain classification scenario

- k = 0.5: md(A, X) closer to m(A) than to any other md(B,X)

- k = 0.33: md(A, X) twice as close to m(A) than to md(B,X)

md(B, X) ... mean value of „second closest“ modelA, B, C ... user models consisting of Samples A1...n, B1...n, C1...n

md(A, X) < m(A) + | k * (md(B, X) - m(A)) |

from Bergadano et al.:„User Authentication through

Keystroke Dynamics“

29

Advanced Signal Processing I User Authentication through Keystroke Dynamics

User Authentication

30

‣ Additional filtering

- Thresholds improve classification results but may have counterintuitive behavior:

md(A, X) = 0.307025 d(A1, A2) = 0.212378

md(B, X) = 0.420123 d(A1, A3) = 0.204381

md(C, X) = 0.423223 d(A2, A3) = 0.226024

m(A) = 0.214261

md(A, X) < m(A) + | k * ( md(B, X) - m(A) ) |

30

Advanced Signal Processing I User Authentication through Keystroke Dynamics

User Authentication

30

‣ Additional filtering

- Thresholds improve classification results but may have counterintuitive behavior:

md(A, X) = 0.307025 d(A1, A2) = 0.212378

md(B, X) = 0.420123 d(A1, A3) = 0.204381

md(C, X) = 0.423223 d(A2, A3) = 0.226024

m(A) = 0.214261

0.307025 < 0.214261 + | 0.5 * (0.420123 - 0.214261) | ✓

30

Advanced Signal Processing I User Authentication through Keystroke Dynamics

User Authentication

30

‣ Additional filtering

- Thresholds improve classification results but may have counterintuitive behavior:

md(A, X) = 0.307025 d(A1, A2) = 0.212378

md(B, X) = 0.420123 d(A1, A3) = 0.204381

md(C, X) = 0.423223 d(A2, A3) = 0.226024

m(A) = 0.214261

0.307025 < 0.214261 + | 0.5 * (0.420123 - 0.214261) | ✓

?30

Advanced Signal Processing I User Authentication through Keystroke Dynamics

User Authentication

31

‣ Additional filtering

- For each sample, compute mean distance w.r.t. all the other samples in the model:

m(Axyz) = (d(Ax, Ay) + d(Ax, Az) + d(Ay, Az)) / 3

dA1 = | (d(A1, A2) + d(A1, A3) + d(A1, A4)) / 3 - m(A234) |dA2 = | (d(A2, A1) + d(A2, A3) + d(A2, A4)) / 3 - m(A134) |dA3 = | (d(A3, A1) + d(A3, A2) + d(A3, A4)) / 3 - m(A124) |dA4 = | (d(A4, A1) + d(A4, A2) + d(A4, A3)) / 3 - m(A123) |

31

Advanced Signal Processing I User Authentication through Keystroke Dynamics

User Authentication

31

‣ Additional filtering

- For each sample, compute mean distance w.r.t. all the other samples in the model:

m(Axyz) = (d(Ax, Ay) + d(Ax, Az) + d(Ay, Az)) / 3

dA1 = | (d(A1, A2) + d(A1, A3) + d(A1, A4)) / 3 - m(A234) |dA2 = | (d(A2, A1) + d(A2, A3) + d(A2, A4)) / 3 - m(A134) |dA3 = | (d(A3, A1) + d(A3, A2) + d(A3, A4)) / 3 - m(A124) |dA4 = | (d(A4, A1) + d(A4, A2) + d(A4, A3)) / 3 - m(A123) |

md(A, X) < m(A) + a * max(dA1, dA2, dA3, dA4) + b * std(dA1, dA2, dA3, dA4)

31

Advanced Signal Processing I User Authentication through Keystroke Dynamics

User Authentication

31

‣ Additional filtering

- For each sample, compute mean distance w.r.t. all the other samples in the model:

md(A, X) < m(A) + a * max(dA1, dA2, dA3, dA4) + b * std(dA1, dA2, dA3, dA4)

from Bergadano et al.:„User Authentication through

Keystroke Dynamics“

31

Advanced Signal Processing I User Authentication through Keystroke Dynamics

User Authentication

31

‣ Additional filtering

- For each sample, compute mean distance w.r.t. all the other samples in the model:

md(A, X) < m(A) + a * max(dA1, dA2, dA3, dA4) + b * std(dA1, dA2, dA3, dA4)

from Bergadano et al.:„User Authentication through

Keystroke Dynamics“

31

Advanced Signal Processing I User Authentication through Keystroke Dynamics

How to measure „Similarity“? (2)

‣ Advantages

- Measure considers relative relative values of various typing features only

- No need for specific tuning or training

- Typing errors allowed (additional pre-filtering to keep only the shared trigraphs)

32

32

Advanced Signal Processing I User Authentication through Keystroke Dynamics

Bibliography

33

‣ „User Authentication through Keystroke Dynamics“F. Bergadano et al.

‣ „Keystroke Dynamics based Authentication“M.S. Obaidat and B. Sadoun

‣ „Artificial Rhythms and Cues for Keystroke Dynamics based Authentication“S. Cho and S. Hwang

‣ „Computer User Authentication using Hidden Markov Model through Keystroke Dynamics “S.K. Vuyyuru et al.

33

Thank you.

34