user authentication through keystroke dynamics · advanced signal processing i user authentication...

Advanced Signal Processing I User Authentication through Keystroke Dynamics

Johannes Luig

1

User Authentication through Keystroke Dynamics

1


Overview

2

‣ Introduction

‣ Measurable Characteristics

‣ How to measure „Similarity“?

‣ User Authentication

‣ Performance

2


Introduction

3

Biometric Features

3


Introduction

3

Biometric Features

physiological behavioural

3


Introduction

3

Biometric Features


face

eyes (retina, iris)

fingerprint

palm topologythermal image

3


Introduction

3

Biometric Features


face

eyes (retina, iris)

fingerprint

palm topologythermal image

keystroke dynamics

voiceprintsignature

3


Introduction

‣ Motivation:

- Typing on keyboard does not produce continuous stream of non-stop data, but distinctive patterns

- Human actions are predictible in the performance of repetitive and routine tasks

- No specific (expensive) tools needed

- Method is reasonable (even „hidden check“ possible)

4

4


Measurable Characteristics

‣ Hold Time

‣ Interkey Time

‣ Press/Release Latency

5

5



‣ Hold Time

‣ Interkey Time


5

timeS SP C

5



‣ Hold Time

‣ Interkey Time


5

timeS SP C

HP

5



‣ Hold Time

‣ Interkey Time


5

timeS SP C

HP IKSC

5



‣ Hold Time

‣ Interkey Time


5

timeS SP C

PLSP HP IKSC

5



‣ Hold Time

‣ Interkey Time


5

timeS SP C

PLSP HP RLPS IKSC

5



‣ Timing

- Internal CPU clock

- 8253 timer in IBM-compatible computers

- BIOS microsecond timing function

6

6



‣ Timing

- Example: simulation of remote situation

7

from Bergadano et al.:„User Authentication through

Keystroke Dynamics“

7


How to measure „Similarity“? (1)

‣ General approach:

- Measure hold and/or interkey times

- Measurement data = vectors in vector space

- Identify typing person using traditional pattern recognition techniques or Neural Network paradigms

8

8



‣ Pattern recognition techniques include:

- k-Means Clustering

- Cosine Measure

- Minimum Distance

- Bayes‘ Rule

- Potential Function

9

9





- Cosine Measure

- Minimum Distance

- Bayes‘ Rule


9

• cluster data into k partitions

• try to find centers of „natural“ clusters

• minimize intra-cluster variance (squared error):

9





- Cosine Measure

- Minimum Distance

- Bayes‘ Rule


10

10





- Cosine Measure

- Minimum Distance

- Bayes‘ Rule


10

• cosine of angle between two feature vectors:

10





- Cosine Measure

- Minimum Distance

- Bayes‘ Rule


11

11





- Cosine Measure

- Minimum Distance

- Bayes‘ Rule


11

• euclidean distance:

11





- Cosine Measure

- Minimum Distance

- Bayes‘ Rule


12

12





- Cosine Measure

- Minimum Distance

- Bayes‘ Rule


12

• relates conditional and marginal probability distributions of random variables to each other

12





- Cosine Measure

- Minimum Distance

- Bayes‘ Rule


13

13





- Cosine Measure

- Minimum Distance

- Bayes‘ Rule


13

• A vector v has a potential function F, if

grad(F) = v

13



‣ Neural Network paradigms include:

- Backpropagation

- Fuzzy ARTMAP

- Radial Basis Functions

- Learning Vector Quantization

- (Hybrid) Sum-of-Products

14

14




- Backpropagation

- Fuzzy ARTMAP




14

• feed-forward multilayer network

• input for each unit = sum of outputs of previous units

• „gradient descent algorithm“ (weigths are moved along negative gradient)

14




- Backpropagation

- Fuzzy ARTMAP




15

15




- Backpropagation

- Fuzzy ARTMAP




15

• supervised Neural Network with very fast convergence

• comparable to Multilayer Perceptron

15




- Backpropagation

- Fuzzy ARTMAP




16

16




- Backpropagation

- Fuzzy ARTMAP




16

• real-valued functions, whose values depend only on the distance from center

• popular: Gaussians

16




- Backpropagation

- Fuzzy ARTMAP


- Learning Vector Quant.


17

17




- Backpropagation

- Fuzzy ARTMAP


- Learning Vector Quant.


17

• supervised competetive network

• goal: find some kind of structure in data by determining in which way it is clustered

17




- Backpropagation

- Fuzzy ARTMAP




18

18




- Backpropagation

- Fuzzy ARTMAP




18

• backpropagation network with modified layer connections

• input for each unit = product of outputs of previous unit with weighting factor

18


Performance

19

‣ Pattern Recognition Techniquesfrom Obaidat/Sadoun:

„Keystroke Dynamicsbased Authentication“

Classification based on Hold TimesClassification based on Interkey Times

False Rejection Rate

False Acceptance Rate



19


Performance

19








< 5%

2.5%

19


Performance

19








< 5%

2.5% < 2.5%1%

19


Performance

20



Classification based on Hold and Interkey Times



20


Performance

20






3.5%2%

20


Performance

21

‣ Neural Networksfrom Obaidat/Sadoun:







21


Performance

21








0%0%

21


Performance

22






22


Performance

22






0%

22



‣ Alternative Approach (Bergadano et al.):

- Measure duration (latency) of trigraphs and sort them in ascending order

- Define distance between two samples as the „degree of disorder“ between sorted trigraphs

- Normalize distance by maximum degree of disorder

23

23



24

Example: User is asked to type austria

Trigraph aus ust str tri riaDuration 277 ms 231 ms 281 ms 248 ms 295 ms

24



24



ust tri aus str ria

231 248 277 281 295sorted version

24



24



ust tri aus str ria

231 248 277 281 295sorted version

d = 1 d = 2 d = 2 d = 1 d = 0

24



24



ust tri aus str ria

231 248 277 281 295sorted version

d = 1 d = 2 d = 2 d = 1 d = 0

max. degree of disorder:|array|2 -1

2dnorm =

1+2+2+1+0

12= 0.5

24



25

ust tri aus str ria

231 248 277 281 295Sample 1 (sorted)

25



25

ust tri aus str ria

231 248 277 281 295Sample 1 (sorted)

d = 3 d = 0 d = 2 d = 1 d = 2

str tri ust ria aus

222 236 254 269 280Sample 2 (sorted)

25



25

ust tri aus str ria

231 248 277 281 295Sample 1 (sorted)

d = 3 d = 0 d = 2 d = 1 d = 2

d(S1, S2) = 3+0+2+1+2

12= 0.6666

str tri ust ria aus

222 236 254 269 280Sample 2 (sorted)

25



26

md(A, X) = (d(A1, X) + d(A2, X) + d(A3, X) + d(A4, X)) / 4

md(B, X) = (d(B1, X) + d(B2, X) + d(B3, X)) / 3

md(C, X) = (d(C1, X) + d(C2, X) + d(C3, X) + d(C4, X) + d(C5, X)) / 5

‣ User Classification

- Compute „mean distance“ of incoming sample to each user‘s model (all available samples of that user)

X ............ current incoming sampleA, B, C ... user models consisting of Samples A1...n, B1...n, C1...n

26


User Authentication

27

‣ Access Control System

- Samples may be provided by illegal users with unknown typing patterns

➡ even if FAR = 0%, best possible IPR = (100/N)%

‣ Condition:

- Input sample must not only be closer to a certain model than to any other model; it must be sufficiently close to this model

27


User Authentication

27

‣ Access Control System

- Samples may be provided by illegal users with unknown typing patterns

➡ even if FAR = 0%, best possible IPR = (100/N)%

‣ Condition:

- Input sample must not only be closer to a certain model than to any other model; it must be sufficiently close to this model

„False Alarm Rate“

„Impostor Pass Rate“

27


User Authentication

28

‣ Use of Thresholds

- Compute mean value of „inner-model“ distances:

- Classify sample X as belonging to A, if (and only if):

m(A) = (d(A1, A2) + d(A1, A3) + d(A1, A4) + d(A2, A3) + d(A2, A4) + d(A3, A4)) / 6

md(A, X) < m(A) + | k * (md(B, X) - m(A)) |

md(B, X) ... mean value of „second closest“ modelA, B, C ... user models consisting of Samples A1...n, B1...n, C1...n

28


User Authentication

29

‣ Values for k:- k = 1: plain classification scenario

- k = 0.5: md(A, X) closer to m(A) than to any other md(B,X)

- k = 0.33: md(A, X) twice as close to m(A) than to md(B,X)


md(A, X) < m(A) + | k * (md(B, X) - m(A)) |

29


User Authentication

29

‣ Values for k:- k = 1: plain classification scenario

- k = 0.5: md(A, X) closer to m(A) than to any other md(B,X)

- k = 0.33: md(A, X) twice as close to m(A) than to md(B,X)


md(A, X) < m(A) + | k * (md(B, X) - m(A)) |



29


User Authentication

30

‣ Additional filtering

- Thresholds improve classification results but may have counterintuitive behavior:

md(A, X) = 0.307025 d(A1, A2) = 0.212378

md(B, X) = 0.420123 d(A1, A3) = 0.204381

md(C, X) = 0.423223 d(A2, A3) = 0.226024

m(A) = 0.214261

md(A, X) < m(A) + | k * ( md(B, X) - m(A) ) |

30


User Authentication

30



md(A, X) = 0.307025 d(A1, A2) = 0.212378

md(B, X) = 0.420123 d(A1, A3) = 0.204381

md(C, X) = 0.423223 d(A2, A3) = 0.226024

m(A) = 0.214261

0.307025 < 0.214261 + | 0.5 * (0.420123 - 0.214261) | ✓

30


User Authentication

30



md(A, X) = 0.307025 d(A1, A2) = 0.212378

md(B, X) = 0.420123 d(A1, A3) = 0.204381

md(C, X) = 0.423223 d(A2, A3) = 0.226024

m(A) = 0.214261

0.307025 < 0.214261 + | 0.5 * (0.420123 - 0.214261) | ✓

?30


User Authentication

31


- For each sample, compute mean distance w.r.t. all the other samples in the model:

m(Axyz) = (d(Ax, Ay) + d(Ax, Az) + d(Ay, Az)) / 3

dA1 = | (d(A1, A2) + d(A1, A3) + d(A1, A4)) / 3 - m(A234) |dA2 = | (d(A2, A1) + d(A2, A3) + d(A2, A4)) / 3 - m(A134) |dA3 = | (d(A3, A1) + d(A3, A2) + d(A3, A4)) / 3 - m(A124) |dA4 = | (d(A4, A1) + d(A4, A2) + d(A4, A3)) / 3 - m(A123) |

31


User Authentication

31



m(Axyz) = (d(Ax, Ay) + d(Ax, Az) + d(Ay, Az)) / 3

dA1 = | (d(A1, A2) + d(A1, A3) + d(A1, A4)) / 3 - m(A234) |dA2 = | (d(A2, A1) + d(A2, A3) + d(A2, A4)) / 3 - m(A134) |dA3 = | (d(A3, A1) + d(A3, A2) + d(A3, A4)) / 3 - m(A124) |dA4 = | (d(A4, A1) + d(A4, A2) + d(A4, A3)) / 3 - m(A123) |

md(A, X) < m(A) + a * max(dA1, dA2, dA3, dA4) + b * std(dA1, dA2, dA3, dA4)

31


User Authentication

31



md(A, X) < m(A) + a * max(dA1, dA2, dA3, dA4) + b * std(dA1, dA2, dA3, dA4)



31



‣ Advantages

- Measure considers relative relative values of various typing features only

- No need for specific tuning or training

- Typing errors allowed (additional pre-filtering to keep only the shared trigraphs)

32

32


Bibliography

33

‣ „User Authentication through Keystroke Dynamics“F. Bergadano et al.

‣ „Keystroke Dynamics based Authentication“M.S. Obaidat and B. Sadoun

‣ „Artificial Rhythms and Cues for Keystroke Dynamics based Authentication“S. Cho and S. Hwang

‣ „Computer User Authentication using Hidden Markov Model through Keystroke Dynamics “S.K. Vuyyuru et al.

33

Thank you.

34

user authentication through keystroke dynamics · advanced signal processing i user authentication...

Documents