keystroke biometric identification and authentication on long-text input summary of eight years of...

Keystroke Biometric Identification andAuthentication on Long-Text Input

Summary of eight years of research in this area

Charles TappertSeidenberg School of CSIS, Pace University

DPS+PhD Biometric Dissertations• Completed

– Keystroke Biometric (long text input)• Identification: feasibility study – Mary Curtin 2006• Identification: desk/laptop + copy/free text – Mary Villani 2006• Identification: touch-type feature/fallback hierarchy – Mark Ritzmann 2007• Authentication: kNN ROC curve derivation methods – Robert Zack 2010• Authentication: statistical fallback for missing/incomplete info – Steve Kim 2013

– Keystroke Biometric (short and long text input)• Authentication: text/spreadsheet/browser/keypad input – Ned Bakelman 2014

– Stylometry + Keystroke Biometric (long text input)• Authentication of online test-takers – John Stewart 2012

• In Progress– Keystroke Biometric (short and long text input)

• Authentication of Impaired Users – Gonzalo Perez• Authentication on Smartphones of Short Text Input – Mike Coakley• Authentication System Improvements – Vinnie Monaco

– Stylometry• Authentication of Facebook Postings – Jenny Li

– Speaker Verification• Common passphrase approach: “My name is” – Jonathan Leet• Qualitative study replacing username/password with biometrics – James Sicuranza?, Hugh Eng?

– Mouse Movement (Phil Dressner?)– Authentication Biometrics on Handhelds (Leigh Anne Clevenger?, Alecia Copeland?, Mantie

Reid?, Rich Barilla?, Stephanie Haughton?)

Keystroke Biometric Studies


References1. L. Jain, J.V. Monaco, M.J. Caokley, and C.C. Tappert, Passcode Keystroke Biometric Performance on Smartphone Touchscreens is Superior to that on

Hardware Keyboards, Int. J. Research in Computer Apps. & Info. Tech., IASTER, Vol.2, Issue 4, July-August, 2014, pp 29-33. Preview of Coakley’s dissertation.

2. S. Kim, S. Cha, J.V. Monaco, and C.C. Tappert, A Correlation Method for Handling Infrequent Data in Keystroke Biometric Systems, Proc. 2nd Int. Workshop Biometrics & Forensics (IWBF 2014)., Malta, Mar 2014. Summary of Kim’s dissertation.

3. J.V. Monaco, J.C. Stewart, S. Cha, and C.C. Tappert, Behavioral Biometric Verification of Student Identity in Online Course Assessment and Authentication of Authors in Literary Works, Proc. IEEE 6th Int. Conf. Biometrics, Wash. D.C., Sep 2013. Preview of Monaco’s dissertation.

4. N. Bakelman, J.V. Monaco, S. Cha, and C.C. Tappert, Keystroke Biometric Studies on Password and Numeric Keypad Input, Proc. 2013 European Intelligence and Security Informatics Conf., Sweden, Aug 2013. Summary of Bakelman’s dissertation.

5. J.V. Monaco, N. Bakelman, S. Cha, and C.C. Tappert, Recent Advances in the Development of a Long-Text-Input Keystroke Biometric Authentication System for Arbitrary Text Input, Proc. European Intell. and Sec. Inform. Conf., Sweden, Aug 2013.

6. J.V. Monaco, N. Bakelman, S. Cha, and C.C. Tappert, Developing a Keystroke Biometric System for Continual Authentication of Computer Users, Proc. European Intell. and Sec. Inform. Conf., Denmark, Aug 2012, pp 210-216.

7. J.C. Stewart, J.V. Monaco, S. Cha, and C.C. Tappert, "An Investigation of Keystroke and Stylometry Traits," Proc. Int. Joint Conf. Biometrics (IJCB 2011), Wash. D.C., Oct 2011. Summary of Stewart’s dissertation.

8. C.C. Tappert, S. Cha, M. Villani, and R.S. Zack, "A Keystroke Biometric System for Long-Text Input," Int. J. Info. Security and Privacy (IJISP), Vol 4, No 1, 2010, pp 32-60. Best overall summary of keystroke system.

9. R.S. Zack, C.C. Tappert and S.-H. Cha, "Performance of a Long-Text-Input Keystroke Biometric Authentication System Using an Improved k-Nearest-Neighbor Classification Method," Proc. IEEE 4th Int Conf Biometrics: Theory, Apps, and Systems (BTAS 2010), Washington, D.C., Sep 2010. Summary of Zack’s dissertation.

10. S. Cha, Y. An, and C.C. Tappert, "ROC Curves for Multivariate Biometric Matching Models," Proc. Int. Conf. Artificial Intelligence and Pattern Recognition, Orlando, Florida, July 2010.

11. C.C. Tappert, M. Villani, and S. Cha, "Keystroke Biometric Identification and Authentication on Long-Text Input," pp 342-367, Chapter 16 in Behavioral Biometrics for Human Identification: Intelligent Applications, Edited by Liang Wang and Xin Geng, Medical Information Science Reference, 2010.

12. M. Villani, C.C. Tappert, G. Ngo, J. Simone, H. St. Fort, and S. Cha, "Keystroke Biometric Recognition Studies on Long-Text Input under Ideal and Application-Oriented Conditions," Proc. CVPR 2006 Workshop on Biometrics, New York, NY, June 2006. Summary of Villani’s dissertation.


IntroductionBuild a Case for Usefulness of Study

• Validate importance of study – applications• Define keystroke biometric• Appeal of keystroke over other biometrics• Previous work on the keystroke biometric• No direct study comparisons on same data• Feature measurements• Make case for using: data over the internet, long

text input, free (arbitrary) text input• Extends previous work by authors• Summary of scope and methodology• Summary of paper organization


Introduction Validate importance of study – applications

• Internet authentication application– Authenticate (verify) student test-takers

• Internet identification application– Identify perpetrators of inappropriate email

• Internet security for other applications– Important as more businesses move toward

e-commerce


Introduction Define Keystroke Biometric

• The keystroke biometric is one of the less-studied behavioral biometrics

• Based on the idea that typing patterns are unique to individuals and difficult to duplicate


Introduction Appeal of Keystroke Biometric

• Not intrusive – data captured as users type– Users type frequently for business/pleasure

• Inexpensive – keyboards are common– No special equipment necessary

• Can continue to check ID with keystrokes after initial authentication– As users continue to type


Introduction Previous Work on Keystroke Biometric

• One early study goes back to typewriter input• Identification versus authentication

– Most studies were on authentication• Two commercial products on hardening passwords

– Few on identification (more difficult problem)• Short versus long text input

– Most studies used short input – passwords, names– Few used long text input –copy or free text

• Other keystroke problems studies– One study detected fatigue, stress, etc. – Another detected ID change via monitoring


Introduction No Direct Study Comparisons on Same Data

• No comparisons on a standard data set– (desirable, available for many biometric and

pattern recognition problems)• Rather, researchers collect their own data • Nevertheless, literature optimistic of

keystroke biometric potential for security


Introduction Feature Measurements

• Features derived from raw data– Key press times and key release times– Each keystroke provides small amount of data

• Data varies from different keyboards, different conditions, and different entered texts

• Using long text input allows– Use of good (statistical) feature measurements– Generalization over keyboards, conditions, etc.


Introduction Make Case for Using

• Data over the internet– Required by applications

• Long text input– More and better features– Higher accuracy

• Free text input– Required by applications– Predefined copy texts unacceptable


Introduction Extends Previous Work by Authors

• Previous keystroke identification study– Ideal conditions

• Fixed text and • Same keyboard for enrollment and testing

– Less ideal conditions• Free text input• Different keyboards for enrollment and testing


Introduction Summary of Scope and Methodology

• Determine distinctiveness of keystroke patterns

• Two application types– Identification (1-of-n problem)– Authentication (yes/no problem)

• Two indep. variables (4 data quadrants)– Keyboard type – desktop versus laptop– Entry mode – copy versus free text


Keystroke Biometric System Components

• Raw keystroke data capture• Feature extraction• Classification for identification• Classification for authentication


Keystroke Biometric SystemRaw Keystroke Data Capture


Keystroke Biometric SystemFeature Extraction

• Mostly statistical features– Averages and standard deviations

• Key press times • Transition times between keystroke pairs

– Individual keys and groups of keys – hierarchy• Percentage features

– Percentage use of non-letter keys– Percentage use of mouse clicks

• Input rates – average time/keystroke



t-key h-key

t-key h-key

time

t1

t2

a) Non-overlapping

b) Overlapping

duration

A two-key sequence (th) showing the two transition measures



All Keys

Freq Cons

Vowels

AllLetters

Next Freq Cons

LeastFreq Cons

Left Letters

RightLetters

ae io u

t n s r h

Space

ShiftPunctuation Numbers

Other

NonLetters

l d c p f

Other. , ‘m w y b g Other

Hierarchy tree for the 39 duration categories



Any-key/Any-key

Cons/Vowel

Letter/Letter

Left/Right

Right/Left

Right/Right

Vowel/Cons Vowel/

Vowel

Cons/Cons

Left/Leftan

in

er

es

on he

ea

ti

Space/Letter

Letter/Space

Space/ShiftShift/

Letter

Letter/Punct

Punct/Space

Double Letters

Letter/Non-letter

th

Non-letter/Non-letterNon-letter/

Letter

re

st

nd

at

en

or

Hierarchy tree for the 35 transition categories



• Fallback procedure for few/missing samples• When the number of samples is less than a fallback

threshold, take the weighted average of the key’s mean and the fallback mean

weightfallback

weightfallback

kin

fallbackkiini

)(

)()()()('



• Two preprocessing steps– Outlier removal

• Remove duration and transition times > threshold

– Feature standardization• Convert features into the range 0-1

minmax

min'xx

xxx


Keystroke Biometric SystemClassification for Identification

• Nearest neighbor using Euclidean distance• Compare a test sample against the training

samples, and the author of the nearest training sample is identified as the author of the test sample


Keystroke Biometric SystemClassification for Authentication

• Cha’s vector-distance (dichotomy) modelTransformation to DichotomyTransformation to Dichotomy

Feature space(Polychotomy)

Distance space(Dichotomy)

dd1,31,3

dd1,21,2

dd2121

dd1,11,1

dd2222

dd2323

dd3131

dd3232dd3333

f1

f2

f1

f2

((dd1,21,2 ,,dd1,31,3))

((dd1,21,2 ,,dd1,31,3))((dd1,31,3 ,,dd2,12,1))

((dd1,31,3 ,,dd2,12,1))


Experimental and Data Collection Design

• Two independent variables– Keyboard type

• Desktop – all Dell • Laptop – 90% Dell + IBM, Compaq, Apple, HP, Toshiba

– Input mode • Copy task – predefined text• Free text input – e.g., arbitrary email


Subjects and Data Collection

• Subjects provided samples in at least two quadrants• Five samples per quadrant per subject• Summary of subject demographics

Age Female Male Total

Under 20 15 19 34

20-29 12 23 35

30-39 5 10 15

40-49 7 11 18

50+ 11 5 16

All 50 68 118


Experimental Results

• Identification experimental results• Authentication experimental results• Longitudinal study results• System hierarchical model and parameters

– Hierarchical fallback model– Outlier parameters– Number of enrollment samples– Input text length– Probability distributions of statistical features


Experimental ResultsIdentification Experimental Results

90%

95%

100%

0 20 40 60 80 100

Number of Subjects

Per

cen

t A

ccu

racy

Desk-Copy

Lap-Copy

Desk-Free

Lap-Free

Identification performance under ideal conditions(same keyboard type and input mode, leave-one-out

procedure)


Experimental ResultsIdentification Experimental Results

0%

10%

20%

30%

40%

50%60%

70%

80%

90%

100%

0 20 40 60 80 100

Number of Subjects

Pe

rce

nt

Ac

cu

rac

y Group 1

Group 2

Group 3

Group 4

Group 5

Group 6

Identification performance under non-ideal conditions

(train on one file, test on another)


Experimental ResultsAuthentication Experimental Results

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

DeskCopy LapCopy DeskFree LapFree

Performance

FRR

FAR

Perc

ent A

ccur

acy

Conditions

Authentication performance under ideal conditions(weak enrollment: train on 18 subjects and test on 18 different

subjects)


Experimental ResultsLongitudinal Study Results

• Identification – 13 subjects at 2-week intervals– Average 6 arrow groups: 90% -> 85% -> 83%

• Authentication – 13 subjects at 2-week intervals– Average 6 arrow groups: 90% -> 87% -> 85%

• Identification – 8 subjects at 2-year interval– Average 6 arrow groups: 84% -> 67%

• Authentication – 8 subjects at 2-year interval– Average 6 arrow groups: 94% -> 92%

(all above results under non-ideal conditions)


Experimental Results System hierarchical model and parameters

Touch-type hierarchy tree for durations (Mark Ritzmann)



Identification accuracy versus outlier removal passes



Identification accuracy versus outlier removal distance (sigma)



70

75

80

85

90

95

100

1 2 3 4

Enrollment Samples

Per

cen

t A

ccu

racy

Identification accuracy versus enrollment samples



Identification accuracy versus input text length



Distributions of “u” duration times for each entry mode


Conclusions

• Results are important and timely as more people become involved in the applications of interest– Authenticating online test-takers– Identifying senders of inappropriate email

• High performance (accuracy) results if– 2 or more enrollment samples/user– Users use same keyboard type

ROC Curves (Robert Zack, 2010)

ROC curves from the kNN classifier with k=21: method m-kNN (left), method wm-kNN (center), and method hd-kNN (right).

FAR and FRR versus threshold

Closed 14-14 system, kNN classifier with k=21: FAR and FRR versus threshold for method m-kNN (left), wm-kNN (center), hd-kNN (right).

Conclusions (Robert Zack, Authentication Study, 2010)

• Keystroke password performance – approximately 10% EER– See extensive study by Killourhy & Maxion, 2009– Advertised performance of commercial products is exaggerated

• Keystroke long-text performance – approximately 1% EER– Reasonable considering powerful statistical features

• Closed system better than open system performance• Three ROC curve derivation methods developed for kNN

procedure– All are two-parameter methods – k plus a threshold

Online Test-Taker Authentication (John Stewart, 2011)

• Best Keystroke Performance – 0.55% EER– Closed system of 30 students

• Best Previous Keystroke Performance – 1.0% EER– Closed system of 14 students (Robert Zack, 2010)

• Best Stylometry Performance – approximately 30.0% EER– Keystroke biometric operates at the automatic motor control level – Because stylometry operates at a higher cognitive word/syntax level,

longer text passages are required for reasonable performance• This hypothesis was verified on much longer texts of short novels

Keystroke Data Capture Systems

• Java Applet– Mary Curtin, Mary Villani, Mark Ritzmann, Robert Zack,

Vinnie Monaco/Ned Bakelman (EISIC paper)

• Java Script (Vinnie Monaco)– John Stewart / Vinnie Monaco

• Fimbel Open Source Keylogger– Ned Bakelman / Vinnie Monaco

• Should we develop our own keylogger?

Continual Authentication of Computer Users(EISIC 2013 Conference Paper)

• Motivation – The technology is applicable to a wide range of government, private company, and academic applications worldwide– For example, to detect intruders, the U.S. Government wants to

continually authenticate all government computer users, both military and non-military

• U.S. DARPA 2010 and 2012 Requests for Proposals• Requirement – detect intruder within minutes• Current study focuses on this fast detection application

– Authentication of students taking online tests• U.S. Higher Education Opportunity Act of 2008

46EISIC 2013

Continual Burst Authentication StrategyAssumptions

• Most computer users tend to have bursts of input activity interspersed with periods of inactivity while doing other things

• The application is designed for typical business or government office computer usage

• Note: it would be interesting to determine the frequency and duration of bursts of computer input activity in typical office environments

47EISIC 2013

Continuous vs Continual Authenticationwith Data Capture Windows

• Continuous (ongoing) burst authentication

• Continual burst authentication with pauses0 5 min 10 min

1min

1min

1min

Burst 1 Burst 2 Burst 3

0 8 min 30 min

1min

1min

1min

PauseThreshold

Burst 1 Burst 2 Burst 3

PauseThreshold

48EISIC 2013

Continual Burst Strategy after PausesReduces Frequency of Authentications

• Avoids capture of excessive quantities of data• Reduces need for excessive computing resources• Reduces false alarm rate • Still provides sufficient data for continual training of

the biometric system

49EISIC 2013

Two Important Time Periodsfor Continual Burst Authentication

1. Length of the data capture window– Short enough to catch an intruder before significant

harm is caused• On the order of minutes – DARPA

– Long enough to make an accurate detection and reduce false alarms

2. Length of the pause– Must be shorter than entry time of intruder– Long enough to reduce authentication rateNote: periods of little computer activity cause long pauses

50EISIC 2013

Possible Broader Intrusion Detection Plan Multi-biometric System

• Motor control level – keystroke + mouse movement• Linguistic level – stylometry (char, word, syntax)• Semantic level – target likely intruder commands

Intruder

Keystroke + Mouse

Stylometry

Motor Control Level

Linguistic Level

SemanticLevel

51EISIC 2013

Three ExperimentsDichotomy Model kNN Classification Leave-One-Out Procedure

52EISIC 2013

Experimental ResultsEER versus #Keystrokes

53EISIC 2013

Experimental ResultsROC Curves at Maximum #Keystrokes

54EISIC 2013

Keystrokes per Typing Speed

• Average typing speed ~200 keystrokes/min• Professional typing speed ~400 keystrokes/min• Therefore, at average typing speed the EER versus

#keystrokes graph goes from about ½ minute to 4 minutes indicating the time to detect an intruder

55EISIC 2013

Conclusions(EISIC 2013 Conference Paper)

• As the number of keystrokes per test sample increases, EER decreased roughly logarithmically

• EER increases with increase in population size• Performance results of 99.6% on 14, 98.3% on 30, and

96.3% on 119 participants indicates the strong potential of this approach

56EISIC 2013

keystroke biometric identification and authentication on long-text input summary of eight years of...

Documents

authentication biometrics

keystroke biometric

keystroke biometric

text input summary

authentication of authors

arbitrary text input

investigation of keystroke

numeric keypad input