user authentication through keystroke dynamics · advanced signal processing i user authentication...
TRANSCRIPT
Advanced Signal Processing I User Authentication through Keystroke Dynamics
Johannes Luig
1
User Authentication through Keystroke Dynamics
1
Advanced Signal Processing I User Authentication through Keystroke Dynamics
Overview
2
‣ Introduction
‣ Measurable Characteristics
‣ How to measure „Similarity“?
‣ User Authentication
‣ Performance
2
Advanced Signal Processing I User Authentication through Keystroke Dynamics
Introduction
3
Biometric Features
3
Advanced Signal Processing I User Authentication through Keystroke Dynamics
Introduction
3
Biometric Features
physiological behavioural
3
Advanced Signal Processing I User Authentication through Keystroke Dynamics
Introduction
3
Biometric Features
physiological behavioural
face
eyes (retina, iris)
fingerprint
palm topologythermal image
3
Advanced Signal Processing I User Authentication through Keystroke Dynamics
Introduction
3
Biometric Features
physiological behavioural
face
eyes (retina, iris)
fingerprint
palm topologythermal image
keystroke dynamics
voiceprintsignature
3
Advanced Signal Processing I User Authentication through Keystroke Dynamics
Introduction
‣ Motivation:
- Typing on keyboard does not produce continuous stream of non-stop data, but distinctive patterns
- Human actions are predictible in the performance of repetitive and routine tasks
- No specific (expensive) tools needed
- Method is reasonable (even „hidden check“ possible)
4
4
Advanced Signal Processing I User Authentication through Keystroke Dynamics
Measurable Characteristics
‣ Hold Time
‣ Interkey Time
‣ Press/Release Latency
5
5
Advanced Signal Processing I User Authentication through Keystroke Dynamics
Measurable Characteristics
‣ Hold Time
‣ Interkey Time
‣ Press/Release Latency
5
timeS SP C
5
Advanced Signal Processing I User Authentication through Keystroke Dynamics
Measurable Characteristics
‣ Hold Time
‣ Interkey Time
‣ Press/Release Latency
5
timeS SP C
HP
5
Advanced Signal Processing I User Authentication through Keystroke Dynamics
Measurable Characteristics
‣ Hold Time
‣ Interkey Time
‣ Press/Release Latency
5
timeS SP C
HP IKSC
5
Advanced Signal Processing I User Authentication through Keystroke Dynamics
Measurable Characteristics
‣ Hold Time
‣ Interkey Time
‣ Press/Release Latency
5
timeS SP C
PLSP HP IKSC
5
Advanced Signal Processing I User Authentication through Keystroke Dynamics
Measurable Characteristics
‣ Hold Time
‣ Interkey Time
‣ Press/Release Latency
5
timeS SP C
PLSP HP RLPS IKSC
5
Advanced Signal Processing I User Authentication through Keystroke Dynamics
Measurable Characteristics
‣ Timing
- Internal CPU clock
- 8253 timer in IBM-compatible computers
- BIOS microsecond timing function
6
6
Advanced Signal Processing I User Authentication through Keystroke Dynamics
Measurable Characteristics
‣ Timing
- Example: simulation of remote situation
7
from Bergadano et al.:„User Authentication through
Keystroke Dynamics“
7
Advanced Signal Processing I User Authentication through Keystroke Dynamics
Measurable Characteristics
‣ Timing
- Example: simulation of remote situation
7
from Bergadano et al.:„User Authentication through
Keystroke Dynamics“
7
Advanced Signal Processing I User Authentication through Keystroke Dynamics
How to measure „Similarity“? (1)
‣ General approach:
- Measure hold and/or interkey times
- Measurement data = vectors in vector space
- Identify typing person using traditional pattern recognition techniques or Neural Network paradigms
8
8
Advanced Signal Processing I User Authentication through Keystroke Dynamics
How to measure „Similarity“? (1)
‣ Pattern recognition techniques include:
- k-Means Clustering
- Cosine Measure
- Minimum Distance
- Bayes‘ Rule
- Potential Function
9
9
Advanced Signal Processing I User Authentication through Keystroke Dynamics
How to measure „Similarity“? (1)
‣ Pattern recognition techniques include:
- k-Means Clustering
- Cosine Measure
- Minimum Distance
- Bayes‘ Rule
- Potential Function
9
• cluster data into k partitions
• try to find centers of „natural“ clusters
• minimize intra-cluster variance (squared error):
9
Advanced Signal Processing I User Authentication through Keystroke Dynamics
How to measure „Similarity“? (1)
‣ Pattern recognition techniques include:
- k-Means Clustering
- Cosine Measure
- Minimum Distance
- Bayes‘ Rule
- Potential Function
10
10
Advanced Signal Processing I User Authentication through Keystroke Dynamics
How to measure „Similarity“? (1)
‣ Pattern recognition techniques include:
- k-Means Clustering
- Cosine Measure
- Minimum Distance
- Bayes‘ Rule
- Potential Function
10
• cosine of angle between two feature vectors:
10
Advanced Signal Processing I User Authentication through Keystroke Dynamics
How to measure „Similarity“? (1)
‣ Pattern recognition techniques include:
- k-Means Clustering
- Cosine Measure
- Minimum Distance
- Bayes‘ Rule
- Potential Function
11
11
Advanced Signal Processing I User Authentication through Keystroke Dynamics
How to measure „Similarity“? (1)
‣ Pattern recognition techniques include:
- k-Means Clustering
- Cosine Measure
- Minimum Distance
- Bayes‘ Rule
- Potential Function
11
• euclidean distance:
11
Advanced Signal Processing I User Authentication through Keystroke Dynamics
How to measure „Similarity“? (1)
‣ Pattern recognition techniques include:
- k-Means Clustering
- Cosine Measure
- Minimum Distance
- Bayes‘ Rule
- Potential Function
12
12
Advanced Signal Processing I User Authentication through Keystroke Dynamics
How to measure „Similarity“? (1)
‣ Pattern recognition techniques include:
- k-Means Clustering
- Cosine Measure
- Minimum Distance
- Bayes‘ Rule
- Potential Function
12
• relates conditional and marginal probability distributions of random variables to each other
12
Advanced Signal Processing I User Authentication through Keystroke Dynamics
How to measure „Similarity“? (1)
‣ Pattern recognition techniques include:
- k-Means Clustering
- Cosine Measure
- Minimum Distance
- Bayes‘ Rule
- Potential Function
13
13
Advanced Signal Processing I User Authentication through Keystroke Dynamics
How to measure „Similarity“? (1)
‣ Pattern recognition techniques include:
- k-Means Clustering
- Cosine Measure
- Minimum Distance
- Bayes‘ Rule
- Potential Function
13
• A vector v has a potential function F, if
grad(F) = v
13
Advanced Signal Processing I User Authentication through Keystroke Dynamics
How to measure „Similarity“? (1)
‣ Neural Network paradigms include:
- Backpropagation
- Fuzzy ARTMAP
- Radial Basis Functions
- Learning Vector Quantization
- (Hybrid) Sum-of-Products
14
14
Advanced Signal Processing I User Authentication through Keystroke Dynamics
How to measure „Similarity“? (1)
‣ Neural Network paradigms include:
- Backpropagation
- Fuzzy ARTMAP
- Radial Basis Functions
- Learning Vector Quantization
- (Hybrid) Sum-of-Products
14
• feed-forward multilayer network
• input for each unit = sum of outputs of previous units
• „gradient descent algorithm“ (weigths are moved along negative gradient)
14
Advanced Signal Processing I User Authentication through Keystroke Dynamics
How to measure „Similarity“? (1)
‣ Neural Network paradigms include:
- Backpropagation
- Fuzzy ARTMAP
- Radial Basis Functions
- Learning Vector Quantization
- (Hybrid) Sum-of-Products
15
15
Advanced Signal Processing I User Authentication through Keystroke Dynamics
How to measure „Similarity“? (1)
‣ Neural Network paradigms include:
- Backpropagation
- Fuzzy ARTMAP
- Radial Basis Functions
- Learning Vector Quantization
- (Hybrid) Sum-of-Products
15
• supervised Neural Network with very fast convergence
• comparable to Multilayer Perceptron
15
Advanced Signal Processing I User Authentication through Keystroke Dynamics
How to measure „Similarity“? (1)
‣ Neural Network paradigms include:
- Backpropagation
- Fuzzy ARTMAP
- Radial Basis Functions
- Learning Vector Quantization
- (Hybrid) Sum-of-Products
16
16
Advanced Signal Processing I User Authentication through Keystroke Dynamics
How to measure „Similarity“? (1)
‣ Neural Network paradigms include:
- Backpropagation
- Fuzzy ARTMAP
- Radial Basis Functions
- Learning Vector Quantization
- (Hybrid) Sum-of-Products
16
• real-valued functions, whose values depend only on the distance from center
• popular: Gaussians
16
Advanced Signal Processing I User Authentication through Keystroke Dynamics
How to measure „Similarity“? (1)
‣ Neural Network paradigms include:
- Backpropagation
- Fuzzy ARTMAP
- Radial Basis Functions
- Learning Vector Quant.
- (Hybrid) Sum-of-Products
17
17
Advanced Signal Processing I User Authentication through Keystroke Dynamics
How to measure „Similarity“? (1)
‣ Neural Network paradigms include:
- Backpropagation
- Fuzzy ARTMAP
- Radial Basis Functions
- Learning Vector Quant.
- (Hybrid) Sum-of-Products
17
• supervised competetive network
• goal: find some kind of structure in data by determining in which way it is clustered
17
Advanced Signal Processing I User Authentication through Keystroke Dynamics
How to measure „Similarity“? (1)
‣ Neural Network paradigms include:
- Backpropagation
- Fuzzy ARTMAP
- Radial Basis Functions
- Learning Vector Quantization
- (Hybrid) Sum-of-Products
18
18
Advanced Signal Processing I User Authentication through Keystroke Dynamics
How to measure „Similarity“? (1)
‣ Neural Network paradigms include:
- Backpropagation
- Fuzzy ARTMAP
- Radial Basis Functions
- Learning Vector Quantization
- (Hybrid) Sum-of-Products
18
• backpropagation network with modified layer connections
• input for each unit = product of outputs of previous unit with weighting factor
18
Advanced Signal Processing I User Authentication through Keystroke Dynamics
Performance
19
‣ Pattern Recognition Techniquesfrom Obaidat/Sadoun:
„Keystroke Dynamicsbased Authentication“
Classification based on Hold TimesClassification based on Interkey Times
False Rejection Rate
False Acceptance Rate
False Rejection Rate
False Acceptance Rate
19
Advanced Signal Processing I User Authentication through Keystroke Dynamics
Performance
19
‣ Pattern Recognition Techniquesfrom Obaidat/Sadoun:
„Keystroke Dynamicsbased Authentication“
Classification based on Hold TimesClassification based on Interkey Times
False Rejection Rate
False Acceptance Rate
False Rejection Rate
False Acceptance Rate
< 5%
2.5%
19
Advanced Signal Processing I User Authentication through Keystroke Dynamics
Performance
19
‣ Pattern Recognition Techniquesfrom Obaidat/Sadoun:
„Keystroke Dynamicsbased Authentication“
Classification based on Hold TimesClassification based on Interkey Times
False Rejection Rate
False Acceptance Rate
False Rejection Rate
False Acceptance Rate
< 5%
2.5% < 2.5%1%
19
Advanced Signal Processing I User Authentication through Keystroke Dynamics
Performance
20
‣ Pattern Recognition Techniquesfrom Obaidat/Sadoun:
„Keystroke Dynamicsbased Authentication“
Classification based on Hold and Interkey Times
False Rejection Rate
False Acceptance Rate
20
Advanced Signal Processing I User Authentication through Keystroke Dynamics
Performance
20
‣ Pattern Recognition Techniquesfrom Obaidat/Sadoun:
„Keystroke Dynamicsbased Authentication“
Classification based on Hold and Interkey Times
False Rejection Rate
False Acceptance Rate
3.5%2%
20
Advanced Signal Processing I User Authentication through Keystroke Dynamics
Performance
21
‣ Neural Networksfrom Obaidat/Sadoun:
„Keystroke Dynamicsbased Authentication“
Classification based on Hold TimesClassification based on Interkey Times
False Rejection Rate
False Acceptance Rate
False Rejection Rate
False Acceptance Rate
21
Advanced Signal Processing I User Authentication through Keystroke Dynamics
Performance
21
‣ Neural Networksfrom Obaidat/Sadoun:
„Keystroke Dynamicsbased Authentication“
Classification based on Hold TimesClassification based on Interkey Times
False Rejection Rate
False Acceptance Rate
False Rejection Rate
False Acceptance Rate
0%0%
21
Advanced Signal Processing I User Authentication through Keystroke Dynamics
Performance
22
‣ Neural Networksfrom Obaidat/Sadoun:
„Keystroke Dynamicsbased Authentication“
Classification based on Hold and Interkey Times
False Rejection Rate
False Acceptance Rate
22
Advanced Signal Processing I User Authentication through Keystroke Dynamics
Performance
22
‣ Neural Networksfrom Obaidat/Sadoun:
„Keystroke Dynamicsbased Authentication“
Classification based on Hold and Interkey Times
False Rejection Rate
False Acceptance Rate
0%
22
Advanced Signal Processing I User Authentication through Keystroke Dynamics
How to measure „Similarity“? (2)
‣ Alternative Approach (Bergadano et al.):
- Measure duration (latency) of trigraphs and sort them in ascending order
- Define distance between two samples as the „degree of disorder“ between sorted trigraphs
- Normalize distance by maximum degree of disorder
23
23
Advanced Signal Processing I User Authentication through Keystroke Dynamics
How to measure „Similarity“? (2)
24
Example: User is asked to type austria
Trigraph aus ust str tri riaDuration 277 ms 231 ms 281 ms 248 ms 295 ms
24
Advanced Signal Processing I User Authentication through Keystroke Dynamics
How to measure „Similarity“? (2)
24
Example: User is asked to type austria
Trigraph aus ust str tri riaDuration 277 ms 231 ms 281 ms 248 ms 295 ms
ust tri aus str ria
231 248 277 281 295sorted version
24
Advanced Signal Processing I User Authentication through Keystroke Dynamics
How to measure „Similarity“? (2)
24
Example: User is asked to type austria
Trigraph aus ust str tri riaDuration 277 ms 231 ms 281 ms 248 ms 295 ms
ust tri aus str ria
231 248 277 281 295sorted version
d = 1 d = 2 d = 2 d = 1 d = 0
24
Advanced Signal Processing I User Authentication through Keystroke Dynamics
How to measure „Similarity“? (2)
24
Example: User is asked to type austria
Trigraph aus ust str tri riaDuration 277 ms 231 ms 281 ms 248 ms 295 ms
ust tri aus str ria
231 248 277 281 295sorted version
d = 1 d = 2 d = 2 d = 1 d = 0
max. degree of disorder:|array|2 -1
2dnorm =
1+2+2+1+0
12= 0.5
24
Advanced Signal Processing I User Authentication through Keystroke Dynamics
How to measure „Similarity“? (2)
25
ust tri aus str ria
231 248 277 281 295Sample 1 (sorted)
25
Advanced Signal Processing I User Authentication through Keystroke Dynamics
How to measure „Similarity“? (2)
25
ust tri aus str ria
231 248 277 281 295Sample 1 (sorted)
d = 3 d = 0 d = 2 d = 1 d = 2
str tri ust ria aus
222 236 254 269 280Sample 2 (sorted)
25
Advanced Signal Processing I User Authentication through Keystroke Dynamics
How to measure „Similarity“? (2)
25
ust tri aus str ria
231 248 277 281 295Sample 1 (sorted)
d = 3 d = 0 d = 2 d = 1 d = 2
d(S1, S2) = 3+0+2+1+2
12= 0.6666
str tri ust ria aus
222 236 254 269 280Sample 2 (sorted)
25
Advanced Signal Processing I User Authentication through Keystroke Dynamics
How to measure „Similarity“? (2)
26
md(A, X) = (d(A1, X) + d(A2, X) + d(A3, X) + d(A4, X)) / 4
md(B, X) = (d(B1, X) + d(B2, X) + d(B3, X)) / 3
md(C, X) = (d(C1, X) + d(C2, X) + d(C3, X) + d(C4, X) + d(C5, X)) / 5
‣ User Classification
- Compute „mean distance“ of incoming sample to each user‘s model (all available samples of that user)
X ............ current incoming sampleA, B, C ... user models consisting of Samples A1...n, B1...n, C1...n
26
Advanced Signal Processing I User Authentication through Keystroke Dynamics
User Authentication
27
‣ Access Control System
- Samples may be provided by illegal users with unknown typing patterns
➡ even if FAR = 0%, best possible IPR = (100/N)%
‣ Condition:
- Input sample must not only be closer to a certain model than to any other model; it must be sufficiently close to this model
27
Advanced Signal Processing I User Authentication through Keystroke Dynamics
User Authentication
27
‣ Access Control System
- Samples may be provided by illegal users with unknown typing patterns
➡ even if FAR = 0%, best possible IPR = (100/N)%
‣ Condition:
- Input sample must not only be closer to a certain model than to any other model; it must be sufficiently close to this model
„False Alarm Rate“
„Impostor Pass Rate“
27
Advanced Signal Processing I User Authentication through Keystroke Dynamics
User Authentication
28
‣ Use of Thresholds
- Compute mean value of „inner-model“ distances:
- Classify sample X as belonging to A, if (and only if):
m(A) = (d(A1, A2) + d(A1, A3) + d(A1, A4) + d(A2, A3) + d(A2, A4) + d(A3, A4)) / 6
md(A, X) < m(A) + | k * (md(B, X) - m(A)) |
md(B, X) ... mean value of „second closest“ modelA, B, C ... user models consisting of Samples A1...n, B1...n, C1...n
28
Advanced Signal Processing I User Authentication through Keystroke Dynamics
User Authentication
29
‣ Values for k:- k = 1: plain classification scenario
- k = 0.5: md(A, X) closer to m(A) than to any other md(B,X)
- k = 0.33: md(A, X) twice as close to m(A) than to md(B,X)
md(B, X) ... mean value of „second closest“ modelA, B, C ... user models consisting of Samples A1...n, B1...n, C1...n
md(A, X) < m(A) + | k * (md(B, X) - m(A)) |
29
Advanced Signal Processing I User Authentication through Keystroke Dynamics
User Authentication
29
‣ Values for k:- k = 1: plain classification scenario
- k = 0.5: md(A, X) closer to m(A) than to any other md(B,X)
- k = 0.33: md(A, X) twice as close to m(A) than to md(B,X)
md(B, X) ... mean value of „second closest“ modelA, B, C ... user models consisting of Samples A1...n, B1...n, C1...n
md(A, X) < m(A) + | k * (md(B, X) - m(A)) |
from Bergadano et al.:„User Authentication through
Keystroke Dynamics“
29
Advanced Signal Processing I User Authentication through Keystroke Dynamics
User Authentication
29
‣ Values for k:- k = 1: plain classification scenario
- k = 0.5: md(A, X) closer to m(A) than to any other md(B,X)
- k = 0.33: md(A, X) twice as close to m(A) than to md(B,X)
md(B, X) ... mean value of „second closest“ modelA, B, C ... user models consisting of Samples A1...n, B1...n, C1...n
md(A, X) < m(A) + | k * (md(B, X) - m(A)) |
from Bergadano et al.:„User Authentication through
Keystroke Dynamics“
29
Advanced Signal Processing I User Authentication through Keystroke Dynamics
User Authentication
30
‣ Additional filtering
- Thresholds improve classification results but may have counterintuitive behavior:
md(A, X) = 0.307025 d(A1, A2) = 0.212378
md(B, X) = 0.420123 d(A1, A3) = 0.204381
md(C, X) = 0.423223 d(A2, A3) = 0.226024
m(A) = 0.214261
md(A, X) < m(A) + | k * ( md(B, X) - m(A) ) |
30
Advanced Signal Processing I User Authentication through Keystroke Dynamics
User Authentication
30
‣ Additional filtering
- Thresholds improve classification results but may have counterintuitive behavior:
md(A, X) = 0.307025 d(A1, A2) = 0.212378
md(B, X) = 0.420123 d(A1, A3) = 0.204381
md(C, X) = 0.423223 d(A2, A3) = 0.226024
m(A) = 0.214261
0.307025 < 0.214261 + | 0.5 * (0.420123 - 0.214261) | ✓
30
Advanced Signal Processing I User Authentication through Keystroke Dynamics
User Authentication
30
‣ Additional filtering
- Thresholds improve classification results but may have counterintuitive behavior:
md(A, X) = 0.307025 d(A1, A2) = 0.212378
md(B, X) = 0.420123 d(A1, A3) = 0.204381
md(C, X) = 0.423223 d(A2, A3) = 0.226024
m(A) = 0.214261
0.307025 < 0.214261 + | 0.5 * (0.420123 - 0.214261) | ✓
?30
Advanced Signal Processing I User Authentication through Keystroke Dynamics
User Authentication
31
‣ Additional filtering
- For each sample, compute mean distance w.r.t. all the other samples in the model:
m(Axyz) = (d(Ax, Ay) + d(Ax, Az) + d(Ay, Az)) / 3
dA1 = | (d(A1, A2) + d(A1, A3) + d(A1, A4)) / 3 - m(A234) |dA2 = | (d(A2, A1) + d(A2, A3) + d(A2, A4)) / 3 - m(A134) |dA3 = | (d(A3, A1) + d(A3, A2) + d(A3, A4)) / 3 - m(A124) |dA4 = | (d(A4, A1) + d(A4, A2) + d(A4, A3)) / 3 - m(A123) |
31
Advanced Signal Processing I User Authentication through Keystroke Dynamics
User Authentication
31
‣ Additional filtering
- For each sample, compute mean distance w.r.t. all the other samples in the model:
m(Axyz) = (d(Ax, Ay) + d(Ax, Az) + d(Ay, Az)) / 3
dA1 = | (d(A1, A2) + d(A1, A3) + d(A1, A4)) / 3 - m(A234) |dA2 = | (d(A2, A1) + d(A2, A3) + d(A2, A4)) / 3 - m(A134) |dA3 = | (d(A3, A1) + d(A3, A2) + d(A3, A4)) / 3 - m(A124) |dA4 = | (d(A4, A1) + d(A4, A2) + d(A4, A3)) / 3 - m(A123) |
md(A, X) < m(A) + a * max(dA1, dA2, dA3, dA4) + b * std(dA1, dA2, dA3, dA4)
31
Advanced Signal Processing I User Authentication through Keystroke Dynamics
User Authentication
31
‣ Additional filtering
- For each sample, compute mean distance w.r.t. all the other samples in the model:
md(A, X) < m(A) + a * max(dA1, dA2, dA3, dA4) + b * std(dA1, dA2, dA3, dA4)
from Bergadano et al.:„User Authentication through
Keystroke Dynamics“
31
Advanced Signal Processing I User Authentication through Keystroke Dynamics
User Authentication
31
‣ Additional filtering
- For each sample, compute mean distance w.r.t. all the other samples in the model:
md(A, X) < m(A) + a * max(dA1, dA2, dA3, dA4) + b * std(dA1, dA2, dA3, dA4)
from Bergadano et al.:„User Authentication through
Keystroke Dynamics“
31
Advanced Signal Processing I User Authentication through Keystroke Dynamics
How to measure „Similarity“? (2)
‣ Advantages
- Measure considers relative relative values of various typing features only
- No need for specific tuning or training
- Typing errors allowed (additional pre-filtering to keep only the shared trigraphs)
32
32
Advanced Signal Processing I User Authentication through Keystroke Dynamics
Bibliography
33
‣ „User Authentication through Keystroke Dynamics“F. Bergadano et al.
‣ „Keystroke Dynamics based Authentication“M.S. Obaidat and B. Sadoun
‣ „Artificial Rhythms and Cues for Keystroke Dynamics based Authentication“S. Cho and S. Hwang
‣ „Computer User Authentication using Hidden Markov Model through Keystroke Dynamics “S.K. Vuyyuru et al.
33
Thank you.
34