improving authentication accuracy using artificial rhythms and cues for keystroke dynamics-based...


Expert Systems with Applications 36 (2009) 10649–10656

Contents lists available at ScienceDirect

Expert Systems with Applications

journal homepage: www.elsevier.com/locate/eswa

Improving authentication accuracy using artificial rhythms and cues for keystroke dynamics-based authentication

Seong-seob Hwang a, Hyoung-joo Lee a,b,*, Sungzoon Cho a

a Department of Industrial Engineering, Seoul National University, San 56-1, Shillim-dong, Daehakdong, Kwanak-gu, Seoul 151-744, Republic of Korea

b Department of Engineering Science, University of Oxford, Parks Road, Oxford, OX1 3PJ, UK

Article info

Keywords: Keystroke dynamics; Biometrics; User authentication; Data quality; Artificial rhythms; Tempo cues; Novelty detection

0957-4174/$ - see front matter © 2009 Elsevier Ltd. All rights reserved. doi:10.1016/j.eswa.2009.02.075

* Corresponding author. Address: Department of Engineering Science, University of Oxford, Parks Road, Oxford OX1 3PJ, UK. Tel.: +44 1865 283153; fax: +44 1865 273908.

E-mail addresses: [email protected] (S.-s. Hwang), [email protected] (H.-j. Lee), [email protected] (S. Cho).

Abstract

Keystroke dynamics-based authentication (KDA) is to verify a user’s identity using not only the password but also keystroke dynamics. With a small number of patterns available, data quality is of great importance in KDA applications. Recently, the authors have proposed to employ artificial rhythms and tempo cues to improve data quality: consistency and uniqueness of typing patterns. This paper examines whether improvement in uniqueness and consistency translates into improvement in authentication performance in real-world applications. In particular, we build various novelty detectors using typing patterns based on various strategies in which artificial rhythms and/or tempo cues are implemented. We show that artificial rhythms and tempo cues improve authentication accuracies and that they can be applicable in practical authentication systems.

© 2009 Elsevier Ltd. All rights reserved.

1. Introduction

The password-based authentication is the most commonly used in identity verification. However, it becomes vulnerable when a password is stolen. Keystroke dynamics-based authentication (KDA) was proposed to provide additional security (Gaines, Lisowski, Press, & Shapiro, 1980). KDA was motivated by the observation that a user’s keystroke patterns are repeatable and distinct from those of other users (Umphress & Williams, 1985). Its potential applications include internet banking, ATM machines, digital door-locks, and cellular phones, which require high security. It is possible to complement the password-based authentication using other biometric attributes such as fingerprint, iris, and voice (Jain, Bolle, & Pankanti, 1999; Polemi, 1997). However, these methods require very expensive devices (Monrose & Rubin, 2000). In addition, users may be reluctant to provide those biometric data. On the other hand, KDA requires no additional device and involves little user discomfort (de Ru & Eloff, 1997; Monrose, Reiter, & Wetzel, 2002; Monrose & Rubin, 2000). For recent reviews on KDA, see Monrose and Rubin (2000), Peacock, Ke, and Wilkerson (2004).

There are three steps involved in KDA as illustrated in Fig. 1. First, a user enrolls his/her keystroke patterns. A keystroke pattern is defined as depicted in Fig. 2. A password of m characters is transformed into a (2m + 1)-dimensional timing vector. A “duration” denotes a time period during which a key is pressed while an “interval” is a time period between releasing a key and stroking the next key. Second, a classifier is built using the keystroke patterns. Third, when a new keystroke pattern is presented it is either accepted or rejected by the classifier.

One of the most obvious difficulties in KDA from a pattern recognition point of view is that impostor patterns are not available when building a classifier. Thus it is not possible to train a binary classifier. This limitation can be overcome by the novelty detection framework (Cho, Han, Han, & Kim, 2000; Lee & Cho, 2007; Yu & Cho, 2004). In novelty detection, the valid user’s patterns are designated as normal and all other possible individuals’ patterns as novel. A novelty detector learns the characteristics of normal patterns during training and detects novel patterns that are different from the normal ones during test. In a geometric sense, a novelty detector defines a closed boundary around the normal patterns in the input space (Japkowicz, 2001; Schölkopf, Platt, Shawe-Taylor, Smola, & Williamson, 2001).

Another difficulty in KDA stems from the fact that in practice, the number of the valid user’s patterns is limited. When a large number of typing patterns are available, complex algorithms such as neural network (Bishop, 1995) and support vector machines (SVMs) (Vapnik, 1998) can be built. When only a small number of typing patterns are available, on the other hand, simple algorithms such as k-nearest neighbor (Knorr, Ng, & Tucakov, 2000) and K-means (Lee & Cho, 2007) have to be adopted. However, a small number of patterns usually result in low accuracies. It is not realistic to ask a user to provide hundreds of patterns in keystroke enrollment. In order to address this problem, we have to improve the quality of patterns since improving data quality could be far more effective than finding a superior technique.

Fig. 1. Three steps of KDA framework: enrollment, classifier building, and login (user authentication).

Fig. 2. A keystroke pattern is transformed into a timing vector when a user types a string ‘ABCD’. The duration and interval times are measured in milliseconds.

To make matters worse, users do change their passwords every once in a while and may adopt different passwords for different accounts. Therefore, it is not unusual that a password is newly adopted and/or relatively unfamiliar to the user. Unfamiliar passwords are usually translated into inconsistent keystroke patterns. In a preliminary experiment, equal error rates (EERs) of 25 users increased from 2.3% for familiar passwords to 11.7% for unfamiliar ones.

Recently, artificial rhythms and tempo cues were proposed to improve the quality of patterns: uniqueness and consistency in particular (Cho & Hwang, 2006). Uniqueness refers to how different the valid user’s keystroke patterns are from those of potential impostors. Consistency is concerned with how similar the user’s patterns in the authentication stage are to those enrolled in the enrollment stage. Kang, Park, Hwang, Lee, and Cho (2008) empirically showed that artificial rhythms increased uniqueness while cues increased consistency.

This paper examines whether improvement in uniqueness and consistency by implementing artificial rhythm and tempo cues translates into improvement in authentication performance in real-world off-line applications. First, artificial rhythms are shown to increase authentication accuracy. Second, we also show that artificial rhythms, if coupled with tempo cues, increase accuracy even more. Third, we show that artificial rhythms and cues are especially beneficial to users who are not good at typing.

The organization of this paper is as follows. The following section introduces strategies to improve data quality in KDA. Section 3 describes how data were collected for the experiments and various novelty detectors used in our experiments. In Section 4, various novelty detectors based on various strategies are compared in terms of accuracies. Finally, conclusions and future work are discussed in Section 5.

2. Strategies to improve the data quality in KDA

This section introduces data quality measures for typing patterns: uniqueness, consistency, and discriminability. Also discussed are strategies to improve the quality measures by employing artificial rhythms and tempo cues, and previous research on the conceptual effectiveness of the strategies.

2.1. Measures of data quality

Data quality in KDA can be measured in terms of uniqueness, consistency, and discriminability (Cho & Hwang, 2006). Uniqueness is concerned with how different a valid user’s typing patterns used to build a classifier (we refer to these typing patterns as enroll typing patterns) are from those of potential impostors (we refer to these typing patterns as impostor typing patterns). The more different enroll typing patterns are from impostor typing patterns, the more easily a classifier can distinguish a valid user from impostors. For example, let “ABCD” be a password. Users usually type this password as they normally type those characters. However, if one types “abc” and pauses for, say, three beats before typing “d,” this typing pattern becomes unique, because it has very different keystroke dynamics from potential impostors’ typing patterns. Let $\{\vec{x}_i \mid i = 1, \ldots, N_x\}$, $\{\vec{y}_j \mid j = 1, \ldots, N_y\}$, and $\{\vec{z}_k \mid k = 1, \ldots, N_z\}$ denote enroll typing patterns, access typing patterns, and impostor typing patterns, respectively. Given the prototype pattern $\vec{m} = \sum_i \vec{x}_i / N_x$, uniqueness can be defined as

$$\text{Uniqueness} = \sum_{k=1}^{N_z} \frac{|\vec{z}_k - \vec{m}|}{N_z} - \sum_{i=1}^{N_x} \frac{|\vec{x}_i - \vec{m}|}{N_x}, \qquad (1)$$

where $|\cdot|$ is a Euclidean distance. A high uniqueness will result in a low false acceptance.

Consistency is concerned with how similar a valid user’s access typing patterns are to his enroll typing patterns. Since a classifier is built based on enroll typing patterns, even a valid user would be rejected if access typing patterns were not similar enough to enroll typing patterns. Consequently, improving consistency can also increase the performance of a classifier. We defined inconsistency rather than consistency for computational convenience as follows:

$$\text{Inconsistency} = \sum_{j=1}^{N_y} \frac{|\vec{y}_j - \vec{m}|}{N_y} - \sum_{i=1}^{N_x} \frac{|\vec{x}_i - \vec{m}|}{N_x}. \qquad (2)$$

A low inconsistency will result in a low false rejection.


Discriminability is concerned with how well access typing patterns and impostor typing patterns could be separated. Thus, discriminability can be explained by the relation between uniqueness and consistency. High uniqueness implies that impostor typing patterns are very different from enroll typing patterns. Also, high consistency or low inconsistency implies that access typing patterns are very similar to enroll typing patterns. High uniqueness and low inconsistency result in high discriminability. Thus, it can be defined as

$$\text{Discriminability} = \min_k |\vec{z}_k - \vec{m}| - \max_j |\vec{y}_j - \vec{m}|. \qquad (3)$$

A high discriminability will lead to a low overall error.
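The three measures of Eqs. (1)-(3), computed on small constructed timing vectors, as an added example that is not code from the paper. The function names, the sample values, and the assumption that the Enter key supplies the final duration of the (2m + 1)-dimensional vector are illustrative.

```python
import math


def timing_vector(events):
    """Turn [(key, press_ms, release_ms), ...] into [dur, int, dur, ..., dur].

    Assumption: the list holds the m password keys followed by Enter, so the
    result has (m + 1) durations and m intervals, i.e. 2m + 1 entries.
    """
    vec = []
    for i, (_key, press, release) in enumerate(events):
        vec.append(release - press)                 # duration: key held down
        if i + 1 < len(events):
            # interval: release -> next press (negative if the keys overlap)
            vec.append(events[i + 1][1] - release)
    return vec


def prototype(enroll):
    """Prototype m: component-wise mean of the enroll patterns."""
    return [sum(col) / len(enroll) for col in zip(*enroll)]


def mean_distance(patterns, m):
    """Average Euclidean distance from each pattern to the prototype."""
    return sum(math.dist(p, m) for p in patterns) / len(patterns)


def quality(enroll, access, impostor):
    """Uniqueness (Eq. 1), inconsistency (Eq. 2), discriminability (Eq. 3)."""
    m = prototype(enroll)
    spread = mean_distance(enroll, m)   # second term shared by Eqs. (1) and (2)
    nearest_impostor = min(math.dist(z, m) for z in impostor)
    farthest_access = max(math.dist(y, m) for y in access)
    return {
        "uniqueness": mean_distance(impostor, m) - spread,
        "inconsistency": mean_distance(access, m) - spread,
        "discriminability": nearest_impostor - farthest_access,
    }


# Constructed sample data (milliseconds) for a 2-character password + Enter.
# Natural rhythm: impostors land as close to the prototype as the user does.
NATURAL = {
    "enroll": [[100, 50, 100, 50, 100], [110, 60, 90, 40, 100],
               [90, 40, 110, 60, 100]],
    "access": [[100, 80, 100, 50, 100], [100, 50, 100, 20, 100]],
    "impostor": [[100, 70, 100, 50, 100], [120, 50, 100, 90, 100]],
}
# Pause strategy: an 800 ms pause after the first key; the impostors guess
# the wrong location or the wrong length of the pause.
PAUSE = {
    "enroll": [[100, 800, 100, 50, 100], [110, 810, 90, 40, 100],
               [90, 790, 110, 60, 100]],
    "access": [[100, 820, 100, 50, 100], [100, 790, 100, 60, 100]],
    "impostor": [[100, 50, 100, 800, 100], [100, 400, 100, 50, 100]],
}


def compare():
    """Quality measures for both constructed strategies."""
    return {"natural": quality(**NATURAL), "pause": quality(**PAUSE)}


if __name__ == "__main__":
    for name, q in compare().items():
        print(name, {k: round(v, 1) for k, v in q.items()})
```

A negative discriminability, as in the constructed natural-rhythm case, means the closest impostor attempt is nearer to the prototype than the user's own worst attempt, so no distance threshold on the prototype separates the two.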

2.2. Artificial rhythms and cues

Eq. (3) implies that two possible methods exist to improve discriminability. First is to improve uniqueness, and second is to improve consistency. In Cho and Hwang (2006), artificial rhythms were proposed for the former while tempo cues for the latter. In this paper, we examine the practical effectiveness of three artificial rhythms (pause, musical rhythm, and slow tempo) coupled with auditory cues. Specifically, six strategies resulting from combining those artificial rhythms and cues are shown in Table 1. Strategy “Natural Rhythm” indicates that a user types a password with a natural rhythm, or in the way one usually types it. We included this strategy as a control. Strategy “Pause without Cue” indicates that a user inserts long pauses while typing a password, but cues are not used. A user can, in general, insert any number of pauses. Strategy “Pause with Cue” indicates that a user inserts pauses while hearing auditory cues. Strategy “Musical Rhythm” indicates that a user types a password with a familiar musical rhythm. Musical rhythm functions as cues, thus we did not provide cues. Strategy “Slow Tempo without Cue” indicates that a user types a password in a slow tempo without cues. Strategy “Slow Tempo with Cue” indicates that a user uses auditory cues. As shown in Fig. 3, a user’s average typing patterns are significantly different between different strategies. Two long intervals standing out in strategy “Pause without Cue” and strategy “Pause with Cue” correspond to pauses. In strategies involving slow tempo (e) and (f), intervals are fairly large.

2.3. Hypothesis tests on uniqueness and consistency

Kang et al. (2008), through experiments, found that the use of artificial rhythms and cues improves the quality of typing patterns. Two conceptual hypotheses were tested: (1) artificial rhythms increase discriminability, (2) cues increase discriminability. Specific hypotheses they tested are summarized in Table 2. Artificial rhythms increase discriminability except for strategy “Slow Tempo without Cue.” Discriminability of the strategy did not increase because consistency loss canceled out uniqueness gain. However, both strategies using cues resulted in higher discriminability values than the strategies without cues.

Table 1. Six strategies resulting from the combinations of artificial rhythms and cues.

| No. | Strategy name | Artificial rhythm | Use of cues |
|---|---|---|---|
| 1 | Natural rhythm | Nothing | No |
| 2 | Pause without cue | Pause | No |
| 3 | Pause with cue | Pause | Yes |
| 4 | Musical rhythm | Musical rhythm | No |
| 5 | Slow tempo without cue | Slow tempo | No |
| 6 | Slow tempo with cue | Slow tempo | Yes |

3. Data collection and classifiers

In this section, we describe the procedure for collecting typing patterns that were used in our experiments. Then classifiers, i.e. novelty detectors, used for the authentication task are presented.

3.1. Experimental data

We assumed and simulated a real-world KDA application which is implemented on PCs in an off-line environment. A total of 25 users were asked to create and use new passwords in order to simulate the situation in which users recently changed their passwords and thus the passwords are unfamiliar to them. The same password for each user was used in all strategies. Each user enrolled 30 typing patterns. Since there are six strategies, each user typed his password 180 times. During enrollment, users are presented the average of timing vectors enrolled so far and the most recently enrolled timing vector (see Fig. 4a). A user is allowed to remove the most recently enrolled one. This self-correcting feature helps patterns be more consistent. After enrollment, each user provided 24 access patterns for each strategy (see Fig. 4b). In order to make the situation more realistic, a user typed six different strategies in one set and repeated 24 sets. For simplicity, when the strategies involving pauses were used, the number of pauses was fixed to two. When using “Musical Rhythm,” each user was asked to imitate whatever rhythm he was familiar with. For the strategies involving slow tempo, users were asked to type their passwords as slowly as possible. In all strategies using cues, the tempo was fixed to 400 ms.

Impostor patterns were obtained as follows. Users were given passwords of other users and told to try to imitate the target pattern for each strategy. Thus, each user typed another user’s password 6 times, once for each strategy. Since there are 24 “other” users, each user typed passwords 144 times. For strategies “Pause without cue” and “Pause with cue,” the impostors were informed that two pauses were inserted, but they had to guess the locations and lengths of pauses. For strategy “Musical Rhythm,” they were only told that the passwords were typed with some musical rhythms, so they had to guess what musical rhythms were used. For strategies “Slow tempo without cue” and “Slow tempo with cue,” they were told to type slowly. However, they were not given cues for any strategy since it is unrealistic for an impostor to correctly guess the tempo.

3.2. Novelty detectors

In novelty detection, a model learns the characteristics of normal patterns in training data and detects novel patterns (or outliers) that are different from the normal ones (Bishop, 1994). In a geometric sense, the model generates closed boundaries around the normal patterns (Japkowicz, 2001; Schölkopf et al., 2001). Real-world applications include user verification in computer systems (Cho et al., 2000; Yu & Cho, 2004), speaker identification (Gori, Lastrucci, & Soda, 1996), currency validation (Frosini, Gori, & Priami, 1996; He & Girolami, 2004) and machine fault detection (Hayton, Schölkopf, Tarassenko, & Anuzis, 2001; Tax & Duin, 2004). Various novelty detection methods have been proposed for these applications (Markou & Singh, 2003a, 2003b; Marsland, 2003). In this paper, five novelty detectors were implemented as potential authenticators: Gaussian (Gauss) (Barnett & Lewis, 1994) and Parzen window (Parzen) (Bishop, 1994) density estimators, k-nearest neighbor (k-NN) (Knorr et al., 2000), K-means clustering (KMC) (Lee & Cho, 2006, 2007), and one-class support vector machine (1-SVM) (Schölkopf et al., 2001).

Fig. 3. Average timing vectors of the six strategies of a user whose password is “blue1821.” An “E” at the end of the password indicates stroking the enter key.

Table 2. Hypotheses tested.

| | Hypothesis | t-statistics | p-value |
|---|---|---|---|
| Ha | Discriminability of strategy “Pause without cue” is larger than discriminability of strategy “Natural Rhythm” | 2.58 | 0.0082 |
| Hb | Discriminability of strategy “Musical rhythm” is larger than discriminability of strategy “Natural Rhythm” | 2.49 | 0.0101 |
| Hc | Discriminability of strategy “Slow Tempo without Cue” is larger than discriminability of strategy “Natural Rhythm” | −0.58 | 0.7170 |
| Hd | Discriminability of strategy “Pause with Cue” is larger than discriminability of strategy “Pauses without Cue” | 2.34 | 0.0141 |
| He | Discriminability of strategy “Slow Tempo with Cue” is larger than discriminability of strategy “Slow Tempo without Cue” | 2.83 | 0.0046 |

Density estimators pose a novelty detection problem in terms of the hypothesis test. A probability density function $p(\cdot)$ is estimated using the training data and a threshold $\theta_p$ is determined. Given an input pattern $x$, if the density level of $x$ is lower than the threshold, i.e. $p(x) < \theta_p$, $x$ will be rejected as novel. The simplest parametric method assumes a Gaussian distribution (Barnett & Lewis, 1994). That is, the density of a pattern $x$ is estimated as

$$p(x) = (2\pi)^{-\frac{d}{2}} |\Sigma|^{-\frac{1}{2}} \exp\left[-\frac{1}{2}(x - \mu)^T \Sigma^{-1} (x - \mu)\right], \qquad (4)$$

where $d$, $\mu$ and $\Sigma$ are the dimensionality of data, the estimated mean vector and covariance matrix, respectively. Parzen density estimators (Bishop, 1994) have been also popular among non-parametric approaches. The Parzen method estimates the density of a pattern $x$ as

$$p(x) = \frac{1}{N} \sum_{i=1}^{N} (2\pi\sigma^2)^{-\frac{d}{2}} \exp\left[-\frac{\|x - x_i\|^2}{2\sigma^2}\right], \qquad (5)$$

where $\sigma$ is a kernel width. In our experiments, $\sigma$ was obtained by leave-one-out maximum likelihood estimation.

Novelty detectors using k-NN methods have been proposed (Knorr et al., 2000). According to the methods, novel patterns are those whose distances to their kth nearest neighbors are larger than some threshold. That is, a pattern $x$ is rejected as novel if $NN(x) > \theta$, where $NN(x)$ is the distance from $x$ to its kth nearest neighbor. We selected k using leave-one-out density estimation.

K-means clustering (Lee & Cho, 2006) generates a set of codebooks (or cluster centers) $W = \{w_k \mid k = 1, 2, \ldots, K\}$, $K \ll N$, to describe the normal data. The codebook $m(x)$ of a pattern $x$ is defined as follows,

$$m(x) = w_k, \quad \text{if } \|w_k - x\|^2 < \|w_\ell - x\|^2, \; \forall \ell \neq k. \qquad (6)$$

When a new pattern $x$ is given, one will reject it as novel if the quantization error $e(x) = \|x - m(x)\|^2$ is greater than some threshold, or accept it as normal otherwise. We selected K as the point where the sum of quantization error became stable.

Fig. 4. Typing patterns collection system: (a) enroll data collection, (b) access data collection, (c) impostors data collection.

1-SVM finds a function that is positive in a small region containing most normal patterns and negative in all other regions (Schölkopf et al., 2001). A hyperplane $w$ is defined to separate a fraction of patterns from the origin in a feature space by a maximal margin. In essence, an optimization problem is solved as follows,

$$\min \; \frac{1}{2}\|w\|^2 - \rho + \frac{1}{\nu N} \sum_i \xi_i, \qquad (7)$$

$$\text{s.t.} \quad w^T \Phi(x_i) \ge \rho - \xi_i, \quad \xi_i \ge 0, \quad \forall i.$$

The dual formulation of Eq. (7) can be expressed in terms of inner products between $\Phi(x_i)$’s. Although we do not know $\Phi(\cdot)$ explicitly, using Mercer kernels allows us to evaluate inner products in feature space. The solutions, $w$ and $\rho$, can be obtained using the standard quadratic programming technique. When a keystroke pattern $x$ is presented, it will be allowed access if $w^T \Phi(x) \ge \rho$. We trained 1-SVMs with various kernel widths, $\sigma$, and cost coefficients, $\nu$, based on which EERs were computed.

4. Experimental results

In this section, we examined whether improvement in uniqueness and consistency actually translates into improvement in authentication performance. In particular, the following conjectures were investigated:

• Artificial rhythms improve authentication performances.
• Artificial rhythms, coupled with tempo cues, improve authentication performances even more.
• Artificial rhythms and tempo cues are especially beneficial to those whose typing abilities are poor.

Each novelty detector was constructed on a training set and then its performance was evaluated on the corresponding test set. Any biometrics-based approach including KDA has two types of error, i.e. false acceptance rate (FAR) and false rejection rate (FRR) (Golfarelli, Maio, & Maltoni, 1997). Since one type of error can be reduced at the expense of the other by varying a threshold, these models were compared in terms of the equal error rate (EER) where the FRR and the FAR are equal. We used both duration and interval features as input. Some features are more important than others while some features may be useless or even detrimental to authentication accuracy (Yu & Cho, 2004). But, note that feature selection is not of our interest in this paper.
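The k-NN novelty detector of Section 3.2 and the EER used here to compare models, as an added example on constructed timing vectors (not the paper's code or data). The function names and sample values are assumptions; because FAR and FRR are step functions on a small sample, the sweep reports the threshold where the two rates are closest and averages them there.

```python
import math


def knn_score(x, enrolled, k=1):
    """Novelty score NN(x): distance from x to its k-th nearest enrolled pattern."""
    return sorted(math.dist(x, e) for e in enrolled)[k - 1]


def far_frr(genuine_scores, impostor_scores, theta):
    """A pattern is rejected as novel when its score exceeds theta."""
    frr = sum(s > theta for s in genuine_scores) / len(genuine_scores)
    far = sum(s <= theta for s in impostor_scores) / len(impostor_scores)
    return far, frr


def equal_error_rate(genuine_scores, impostor_scores):
    """Sweep theta over every observed score; return (EER, theta).

    On small samples FAR and FRR may never be exactly equal, so the EER is
    taken as their mean at the threshold where |FAR - FRR| is smallest.
    """
    best = None
    for theta in sorted(set(genuine_scores) | set(impostor_scores)):
        far, frr = far_frr(genuine_scores, impostor_scores, theta)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, (far + frr) / 2, theta)
    return best[1], best[2]


def strategy_eer(enroll, access, impostor, k=1):
    """Score the valid user's access patterns and the impostor patterns, then get the EER."""
    genuine = [knn_score(a, enroll, k) for a in access]
    attack = [knn_score(z, enroll, k) for z in impostor]
    return equal_error_rate(genuine, attack)


# Constructed timing vectors (ms): 2-character password + Enter, 5 features.
NATURAL_ENROLL = [[100, 50, 100, 50, 100], [110, 60, 90, 40, 100],
                  [90, 40, 110, 60, 100]]
NATURAL_ACCESS = [[100, 55, 100, 50, 100], [100, 80, 100, 50, 100],
                  [100, 50, 100, 35, 100], [105, 50, 100, 50, 100]]
NATURAL_IMPOSTOR = [[100, 70, 100, 50, 100], [120, 50, 100, 90, 100],
                    [100, 50, 140, 50, 100], [60, 50, 100, 50, 100]]

# Same user with an 800 ms pause after the first key; impostors have to
# guess where the pause is and how long it lasts.
PAUSE_ENROLL = [[100, 800, 100, 50, 100], [110, 810, 90, 40, 100],
                [90, 790, 110, 60, 100]]
PAUSE_ACCESS = [[100, 805, 100, 50, 100], [100, 820, 100, 50, 100],
                [100, 800, 100, 35, 100], [105, 800, 100, 50, 100]]
PAUSE_IMPOSTOR = [[100, 70, 100, 50, 100], [100, 50, 100, 800, 100],
                  [100, 400, 100, 50, 100], [100, 700, 100, 50, 100]]


def compare_strategies():
    """(EER, threshold) per constructed strategy."""
    return {
        "natural": strategy_eer(NATURAL_ENROLL, NATURAL_ACCESS, NATURAL_IMPOSTOR),
        "pause": strategy_eer(PAUSE_ENROLL, PAUSE_ACCESS, PAUSE_IMPOSTOR),
    }


if __name__ == "__main__":
    for name, (eer, theta) in compare_strategies().items():
        print(f"{name}: EER={eer:.2f} at theta={theta:.1f} ms")
```

With only four genuine and four impostor scores the error rates move in steps of 0.25, which is why an operational system would choose the threshold from the FAR or FRR it can tolerate rather than from the EER alone.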

4.1. Artificial rhythms

The results from the strategies not employing tempo cues are summarized in Fig. 5. Remember that the passwords used here were unfamiliar to users. When the users adopted strategy “Natural Rhythm,” the errors were too high, from 11% to 15%. Employing the pause strategy reduced the errors to 3%, comparable to those from familiar passwords. The pause strategy is much better than other strategies. It seems that pauses are generally easier to remember and execute than other artificial rhythms. While strategies “Musical Rhythm” and “Slow tempo without cue” did better than “Natural Rhythm,” their EERs were relatively high. When a user employed the strategies without cues, he probably found it difficult to keep the typing tempo consistent.

Fig. 5. The average EERs from the strategies not employing tempo cues. “NoQ” indicates that tempo cues are not used.

Typing patterns from artificial rhythms were found to be significantly more unique than those patterns from a natural rhythm (Cho & Hwang, 2006; Kang et al., 2008). It is safe to say that the improvement of uniqueness led to better authentication performances. However, if typing patterns had been more consistent, one would have achieved an even better performance. In Section 4.2, we observe that artificial rhythms, when coupled with tempo cues, increase authentication performance even more.

4.2. Tempo cues

Fig. 6 presents the results from strategies “Pause” and “Slow Tempo.” While employing the pause strategy reduced the error to 3%, providing auditory cues reduced the errors even more to nearly 1%. It is probably because cues help one to type passwords consistently. Although “Slow Tempo without Cue” produced the highest EERs among the artificial rhythms, “Slow Tempo with Cue” significantly improved EERs, resulting in the second best EERs behind “Pause with Cue.” The results from strategies involving cues show that auditory cues can be a solution to the inconsistency problem. For most passwords and models, the EERs are about 1%. Note that the variation of EERs is much larger between strategies than between novelty detectors, which indicates that improving data quality is far more effective than finding a superior novelty detector. Obviously, a simple model is sufficient for KDA if keystroke patterns are both unique and consistent.

4.3. Typing ability

When strategy “Natural Rhythm” is adopted, average EERs are relatively very high. However, there are two groups of users. The first group consists of users who could get familiar with a new password quickly and establish unique and consistent keystroke patterns. The second group consists of those who would take more time to get used to their passwords. Their keystroke patterns were neither unique nor consistent. Let us call the first group “good typists” and the second group “poor typists.” We call “poor typists” those whose average “Natural Rhythm” EER over the five models is greater than 10%. We found eight poor typists out of 25 users. Their average “Natural Rhythm” EER is about 28%. Strategies to improve uniqueness and consistency are expected to be especially beneficial to this group of users. In Fig. 7, the average EERs from the poor typists are presented. For the poor users, the error rates are quite high when the users use strategy “Natural Rhythm.” But they decreased to 0 or 1% with artificial rhythms and cues ((c) and (f)). Comparing with the results in Figs. 5 and 6, which are the average EERs over all users, it is clear that artificial rhythms and cues are especially beneficial for users with a poor typing ability. All models show essentially the same trends. It is interesting to note that poor typists did even better than good typists when they employed slow tempo strategies, with or without cues. It seems that those strategies, given their nature, are especially beneficial to poor typists.

Fig. 6. The average EERs from strategies with and without tempo cues.

Fig. 7. The average EERs for “poor typists.” Note that the scale of y-axis (EER) is different from that of Figs. 5 and 6.

4.4. Summary

The results from the six strategies are summarized in Fig. 8. When the users adopted the natural rhythms, the errors were too high, from 11% to 15%. Employing the pause strategy reduced the errors to 3%, comparable to those from familiar passwords. Providing auditory cues reduced the errors even more to nearly 1%. The strategies involving pauses were at least equivalent to or, especially when coupled with auditory cues, much better than other strategies. While the strategies without cues did better than “Natural Rhythm,” their EERs were reduced even more by providing auditory cues. Thus, we found that improved data quality by implementing artificial rhythms and tempo in turn did improve authentication accuracies.

5. Conclusion

Uniqueness and consistency are two major factors of keystroke data quality. In order to improve them, artificial rhythms and cues were proposed. In this paper, we examined the practical effectiveness of strategies employing them. In the experiments simulating real-world situations, the performances of all classifiers were much better when built with typing patterns using artificial rhythms and cues than when built with typing patterns using natural rhythms. Moreover, they were particularly useful to poor typists. We also found that the quality of keystroke patterns is much more important than the particular novelty detector employed. In conclusion, artificial rhythms and cues can indeed improve the authentication performance and they need to be considered for practical KDA applications where many users are likely to be poor typists.

Fig. 8. The best (filled) and worst (open) EERs among five models for the six strategies averaged over the 25 users. “Q” and “NoQ” indicate that the corresponding strategies are used with and without cues, respectively.

S.-s. Hwang et al. / Expert Systems with Applications 36 (2009) 10649–10656

A few limitations and future directions need to be addressed. First, we measured the accuracy in terms of EER. Thus, the accuracy presented in the paper should be taken as a reference. In practice, depending on the application, FAR may be more important than FRR or vice versa. Second, due to the class imbalance, it is difficult to use typical validation methods in KDA. For a real-world KDA application, parameter selection cannot be applied. Instead, a predefined set of parameters has to be used. Third, a total of 30 patterns were used. In practice, however, far fewer patterns may be available. We need to investigate how many patterns are required for KDA with or without artificial rhythms or cues. Finally, in this paper, we have examined the effectiveness of the strategies in an off-line PC environment. Our future work will extend to various other environments such as the internet, mobile phones, or even ATMs.
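The sketch below is an added example, not code or data from the paper: it computes EER and the FRR at a fixed FAR ceiling for a mean-distance novelty detector, contrasting a consistent typist with an inconsistent one. The detector choice, the noise levels, the 10 timing features and the 75 test attempts per class are assumptions made for illustration, and all timing vectors are constructed.

```python
import math
import random

def far_frr(genuine, impostor, thr):
    """Accept when novelty score <= thr. FAR = impostors accepted, FRR = genuine rejected."""
    far = sum(s <= thr for s in impostor) / len(impostor)
    frr = sum(s > thr for s in genuine) / len(genuine)
    return far, frr

def eer(genuine, impostor):
    """Sweep every observed score as threshold; report the point where FAR and FRR meet."""
    points = [far_frr(genuine, impostor, t) for t in sorted(genuine + impostor)]
    far, frr = min(points, key=lambda p: abs(p[0] - p[1]))
    return (far + frr) / 2

def frr_at_far(genuine, impostor, max_far):
    """Lowest FRR reachable while keeping FAR <= max_far (for FAR-critical deployments)."""
    thresholds = [-math.inf] + sorted(genuine + impostor)
    rates = (far_frr(genuine, impostor, t) for t in thresholds)
    return min(frr for far, frr in rates if far <= max_far)

def simulate(sigma, seed=0, dim=10, n_enroll=30, n_test=75):
    """Constructed data: timing vectors (ms) for one user whose typing noise is sigma."""
    rng = random.Random(seed)

    def draw(centre, sd):
        return [rng.gauss(c, sd) for c in centre]

    rhythm = [rng.uniform(80, 300) for _ in range(dim)]        # user's own rhythm
    enroll = [draw(rhythm, sigma) for _ in range(n_enroll)]
    template = [sum(col) / n_enroll for col in zip(*enroll)]   # mean enrolment pattern
    genuine = [math.dist(draw(rhythm, sigma), template) for _ in range(n_test)]
    # Each impostor knows the password but types it with a different rhythm.
    impostor = [math.dist(draw(draw(rhythm, 60), 30), template) for _ in range(n_test)]
    return genuine, impostor

if __name__ == "__main__":
    for label, sigma in (("consistent", 5), ("inconsistent", 60)):
        g, i = simulate(sigma)
        print(f"{label:12s} EER={eer(g, i):.3f}  FRR@FAR<=1%={frr_at_far(g, i, 0.01):.3f}")
```

With the same detector, the inconsistent typist's FRR at a 1% FAR ceiling is far worse than the EER alone suggests, which is why the operating point has to be chosen per application.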

Acknowledgements

This work was supported by the Korea Research Foundation Grant funded by the Korean Government (MOEHRD) (KRF-2007-357-D00276), the Basic Research Program of the Korea Science and Engineering Foundation (R01-2005-000-103900-0), the Brain Korea 21 program in 2006, the Seoul R&BD Program (TR080589), and the Engineering Research Institute of SNU.

References

Barnett, V., & Lewis, T. (1994). Outliers in statistical data. New York, USA: Wiley and Sons.

Bishop, C. M. (1994). Novelty detection and neural network validation. Proceedings of IEE Conference on Vision, Image and Signal Processing, 141(4), 217–222.

Bishop, C. M. (1995). Neural networks for pattern recognition. New York, USA: Oxford University Press.

Cho, S., Han, C., Han, D., & Kim, H.-I. (2000). Web based keystroke dynamics identity verification using neural networks. Journal of Organizational Computing and Electronic Commerce, 10(4), 295–307.

Cho, S., & Hwang, S. (2006). Artificial rhythms and cues for keystroke dynamics based authentication. In D. Zhang & A. K. Jain (Eds.). Proceedings of advances in biometrics, international conference (ICB 2006) (Vol. 3832, pp. 626–632). Lecture Notes in Computer Science, Springer.

de Ru, W. G., & Eloff, J. H. P. (1997). Enhanced password authentication through fuzzy logic. IEEE Expert, 12(6), 38–45.

Frosini, A., Gori, M., & Priami, P. (1996). A neural network-based model for paper currency recognition and verification. IEEE Transactions on Neural Networks, 7(6), 1482–1490.

Gaines, R. S., Lisowski, W., Press, S. J., & Shapiro, N. (1980). Authentication by keystroke timing: Some preliminary results. Technical Report Rand Report R-256-NSF, Rand Corporation.

Golfarelli, M., Maio, D., & Maltoni, D. (1997). On the error-reject trade-off in biometric verification systems. IEEE Transactions on Pattern Analysis and Machine Intelligence, 19(7), 786–796.

Gori, M., Lastrucci, L., & Soda, G. (1996). Autoassociator-based models for speaker verification. Pattern Recognition Letters, 17(3), 241–250.

Hayton, P., Schölkopf, B., Tarassenko, L., & Anuzis, P. (2001). Support vector novelty detection applied to jet engine vibration spectra. In T. K. Leen, T. G. Dietterich, & V. Tresp (Eds.). Advances in neural information processing systems (Vol. 13, pp. 946–952). Massachusetts, USA: MIT Press.

He, C., & Girolami, M. (2004). Novelty detection employing an L2 optimal non-parametric density estimator. Pattern Recognition Letters, 25(12), 1389–1397.

Jain, A. K., Bolle, R., & Pankanti, S. (Eds.). (1999). Biometrics: Personal identification in networked society. Massachusetts, USA: Kluwer.

Japkowicz, N. (2001). Supervised versus unsupervised binary-learning by feed-forward neural networks. Machine Learning, 42(1–2), 97–122.

Kang, P., Park, S., Hwang, S., Lee, H., & Cho, S. (2008). Improvement of keystroke data quality through artificial rhythms and cues. Computers and Security, 27(1–2), 3–11.

Knorr, E. M., Ng, R. T., & Tucakov, V. (2000). Distance-based outliers: Algorithms and applications. VLDB Journal, 8(3), 237–253.

Lee, H., & Cho, S. (2006). Application of LVQ to novelty detection using outlier training data. Pattern Recognition Letters, 27(13), 1572–1579.

Lee, H., & Cho, S. (2007). Retraining a keystroke dynamics-based authenticator with impostor patterns. Computers and Security, 26(4), 300–310.

Markou, M., & Singh, S. (2003a). Novelty detection: A review – Part 1: Statistical approaches. Signal Processing, 83(12), 2481–2497.

Markou, M., & Singh, S. (2003b). Novelty detection: A review – Part 2: Neural network based approaches. Signal Processing, 83(12), 2499–2521.

Marsland, S. (2003). Novelty detection in learning systems. Neural Computing Surveys, 3, 157–195.

Monrose, F., Reiter, M. K., & Wetzel, S. (2002). Password hardening based on keystroke dynamics. International Journal of Information Security, 1(2), 69–83.

Monrose, F., & Rubin, A. D. (2000). Keystroke dynamics as a biometric for authentication. Future Generation Computer Systems, 16(4), 351–359.

Peacock, A., Ke, X., & Wilkerson, M. (2004). Typing patterns: A key to user identification. IEEE Security and Privacy Magazine, 2(5), 40–47.

Polemi, D. (1997). Biometric techniques: Review and evaluation of biometric techniques for identification and authentication, including an appraisal of the areas where they are most applicable. Technical Report, Institute of Communication and Computer Systems, National Technical University of Athens, Athens, Greece <ftp://ftp.cordis.lu/pub/infosec/docs/biomet.doc>.

Schölkopf, B., Platt, J. C., Shawe-Taylor, J., Smola, A. J., & Williamson, R. C. (2001). Estimating the support of a high-dimensional distribution. Neural Computation, 13(7), 1443–1471.

Tax, D. M. J., & Duin, R. P. W. (2004). Support vector data description. Machine Learning, 54(1), 45–66.

Umphress, D., & Williams, G. (1985). Identity verification through keyboard characteristics. International Journal of Man–Machine Studies, 23(3), 263–273.

Vapnik, V. (1998). Statistical learning theory. New York, USA: John Wiley.

Yu, E., & Cho, S. (2004). Keystroke dynamics identity verification – its problems and practical solutions. Computers and Security, 23(5), 428–440.