Digital Signal Processing 22 (2012) 707–712

Contents lists available at SciVerse ScienceDirect

Digital Signal Processing

www.elsevier.com/locate/dsp

User authentication via keystroke dynamics based on difference subspace andslope correlation degree

Wang Xuan a,b,∗, Guo Fangxia a, Ma Jian-feng b

a College of Physics and Information Technology, Shaanxi Normal University, Xi’an 710062, Chinab The Key Laboratory of the Ministry of Education for Computer Networks and Information Security, Xidian University, Xi’an 710071, China

a r t i c l e i n f o a b s t r a c t

Article history:Available online 2 May 2012

Keywords:Keystroke dynamicsUser authenticationDifference subspaceSlope correlation degree

User authentication via keystroke dynamics remains a challenging problem due to the fact that keystrokedynamics pattern cannot be maintained stable over time. This paper describes a novel keystrokedynamics-based user authentication approach. The proposed approach consists of two stages, a trainingstage and an authentication stage. In the training stage, a set of orthogonal bases and a commonfeature vector are periodically generated from keystroke features of a legitimate user’s several recentsuccessful authentications. In the authentication stage, the current keystroke feature vector is projectedonto the set of orthogonal bases, and the distortion of the feature vector between its projection isobtained. User authentication is implemented by comparing the slope correlation degree of the distortionbetween the common feature vector with a threshold determined periodically using the recent impostorpatterns. Theoretical and experimental results show that the proposed method presents high toleranceto instability of user keystroke patterns and yields better performance in terms of false acceptance rate(FAR) and false rejection rate (FRR) compared with some recent methods.

© 2012 Elsevier Inc. All rights reserved.

1. Introduction

User authentication is a major problem in gaining access rightsfor computer resources. Many biometric properties of users suchas iris, fingerprint and palmprint are used to provide additionalsecurity [1]. An authentication approach using user’s keystroke dy-namics patterns was proposed by Gaines [2]. Since the keystrokedynamics-based user authentication approaches do not require theaid of extra special tools, keystroke analysis has been an activeresearch topic for more than three decades. Many keystroke anal-ysis approaches were proposed. Some of them formulated thekeystroke dynamics-based user authentication into a binary clas-sification problem [3–8]. In these approaches, both the imposter’spatterns and the legitimate user’s patterns were used for training.This is unrealistic in practice since there are millions of potentialimposters. It is not possible to obtain all the prospective imposterpatterns.

In order to alleviate the limitation mentioned above, manynovelty detection approaches have been employed for keystrokeanalysis [9–14], in which only the legitimate user’s patterns wereused for training. Cho et al. proposed a 2-layer auto-associativemulti-layer perceptron (AaMLP) neural network novelty detectionmodel [9]. Since the 2-layer AaMLP is weak in modeling the

* Corresponding author at: College of Physics and Information Technology,Shaanxi Normal University, Xi’an 710062, China.

E-mail address: wxuan@snnu.edu.cn (X. Wang).

1051-2004/$ – see front matter © 2012 Elsevier Inc. All rights reserved.http://dx.doi.org/10.1016/j.dsp.2012.04.012

data with nonlinear or multi-modal distributions, Yu and Cho ap-plied a 4-layer AaMLP to improve the performance of the neuralnetwork model [10], their latter work presented a keystroke dy-namics identity verification method using support vector machine(SVM) [11]. These modes yield better performances than binaryclassification-based methods. The major drawbacks are that eachtime a new user is introduced into the database, these meth-ods must be retrained and the training requirements are relativelytime-consuming. Furthermore, it is well known that keystroke dy-namics patterns cannot be maintained stable over time [14,15],user authentication via keystroke dynamics remains a challengingproblem.

Although there is no impostor pattern available when a key-stroke dynamics-based authentication system is first implemented,a few impostor patterns may become available in the future. Im-postors may try to get access but be blocked by the authenticationsystem, those failed login attempts can be used as impostor pat-terns. Recently those impostor patterns were used to retrain thenovelty detector [16]. It has been experimentally shown that itimproves the performance of novelty detectors. Motivated by thesuccess of Lee and Cho’s method, we exploit the possibility of re-training the novelty detectors using the legitimate user’s recentpatterns to alleviate the instability effects of user keystroke pat-terns. The main problem is how to construct a novelty detectorwith low training requirements. Guven et al. proposed a vectorbased algorithm, in which user authentication was implementedby comparing the Euclidean distance between the legitimate user’s

708 X. Wang et al. / Digital Signal Processing 22 (2012) 707–712

Fig. 1. (A) The block diagram of the training stage. (B) The block diagram of the authentication stage.

Fig. 2. A keystroke pattern is transformed into a timing vector when a user types a string ‘ABCD’. The duration and interval times are measured by milliseconds.

last successful authentication and the current feature vector witha threshold [17]. The algorithm is quite simple and easily adapt-able for programming. The main drawbacks are that the legitimateuser’s last successful authentication cannot represent the user’skeystroke dynamics patterns very well, and the Euclidean distanceis sensitive to instability of user keystroke patterns which lead tooffsets on each element of the keystroke feature vector.

This paper describes a novel user authentication approach.In order to alleviate the limitation resulted from the fact thatkeystroke dynamics pattern cannot be maintained stable overtime; the system is periodically retrained using the legitimateuser’s recent several successful authentications, and the slopecorrelation degree is introduced to implement user authentica-tion. Theoretical and experimental results show that the proposedmethod presents high tolerance to instability of user keystroke pat-terns and yields a high detection performance in terms of falseacceptance rate (FAR) and false rejection rate (FRR). The outlineof this paper is as follows: In Section 2, the proposed approachis presented. Experimental results are described in Section 3, andconclusions are presented in Section 4.

2. The proposed approach

The proposed approach consists of two stages: a training stage[see Fig. 1(A)] and an authentication stage [see Fig. 1(B)].

2.1. The training stage

In typing a phrase or a string of characters, the keystrokedynamics pattern can be measured, which is defined as follows[9,16]. The times that each key is stroked and then released aremeasured by milliseconds. A “duration” denotes a time period dur-ing which a key is pressed while an “interval” is a time periodbetween releasing a key and stroking. If a password of n charactersis typed, a (2n − 1)-dimensional timing vector is obtained, whichconsists of n keystroke duration times and (n − 1)-keystroke in-terval times. For example, a keystroke pattern of a string ‘ABCD’is represented as a nine-dimensional timing vector as shown in

Fig. 2. A negative interval value results from releasing ‘D’ afterstroking ‘ENTER’ key.

The set consisting of keystroke features of a user’s several suc-cessful authentications is given by

A = {ai

∣∣ ai ∈ RN ,1 � i � k}

(1)

where ai is the keystroke feature vector of the user’s ith success-ful authentication, RN denotes N (N = 2n − 1)-dimensional vectorspace, k is the number of recent successful authentications andk < N . Difference subspace of RN based on the set A is defined as

B = span{b1,b2, . . . ,bk−1} (2)

where bi = ai −a1. We can get a set of orthogonal bases z1, z2, . . . ,

zk−1 in the difference subspace B via Gram–Schmidt method,which satisfies the orthogonal condition

〈zi, z j〉 = δi j (3)

Let a′i be the projection of ai onto the orthogonal base, i.e.

a′i = 〈ai, z1〉z1 + 〈ai, z2〉z2 + · · · + 〈ai, zk−1〉zk−1 (4)

The distortion between ai and a′i is defined as

dai = ai − a′i (5)

Since ai − a1 ∈ B and z1, z2, . . . , zk−1 is a set of orthogonal basesof B , we have

ai − a1 = 〈ai − a1, z1〉 + 〈ai − a2, z2〉 + · · · + 〈ai − ak−1, zk−1〉(6)

Eq. (6) can be rewritten as

ai − [〈ai, z1〉z1 + · · · + 〈ai, zk−1〉zk−1]

= a1 − [〈a1, z1〉z1 + · · · + 〈a1, zk−1〉zk−1]

(7)

According to Eq. (5), we have

dai = da1 = acom ∀i = 1,2, . . . ,k (8)

X. Wang et al. / Digital Signal Processing 22 (2012) 707–712 709

Fig. 3. The framework that the threshold T is adjusted periodically.

As shown in Eq. (8), for any keystroke feature vector ai ∈ A, thedistortion of ai is independent of i and remains constant vector.We use acom to depict the constant vector and call it the commonfeature vector of A, i.e.

da1 = da2 = · · · = dak = acom (9)

For example, given A = {a1 = (1,2,1,2), a2 = (1,1,2,2), a3 =(0,1,2,1)}, the difference subspace B = span{b1 = a2 − a1 =(0,−1,1,0), b2 = a3 − a1 = (−1,−1,1,−1)}. According to Gram–Schmidt method, z1 = b1‖b1‖ = 1√

2(0,−1,1,0), β2 = b2 −〈b2, z1〉z1 =

(−1,0,0,−1), z2 = β2‖β2‖ = 1√2(−1,0,0,−1), substituting z1 =

1√2(0,−1,1,0), z2 = 1√

2(−1,0,0,−1) into Eq. (6), we have acom =

(− 12 , 3

2 , 32 , 1

2 ).The training stage consists of three steps, which are detailed in

Fig. 1(A). A set of orthogonal bases z1, z2, . . . , zk−1 and a commonfeature vector acom were generated from the set A by constructingthe difference subspace of RN . Unlike recent methods such as theneural network-based and SVM-based methods, the training of thismethod only involves several vector operations. Therefore, the sys-tem can be periodically retrained with low training requirements.

2.2. The authentication stage

The authentication stage consists of three steps, which are de-tailed in Fig. 1(B). The keystroke feature vector x to be verified wasprojected onto the set of orthogonal bases z1, z2, . . . , zk−1 and theprojection x′ was determined. The distortion of x between x′ , de-noted as xcom , was computed using

xcom = x − x′ (10)

The slope correlation degree ε(xcom,acom) can be determined by

ε(xcom,acom) = 1

1 + d1xcomacomd2

xcomacom

(11)

where d1xcomacom

and d2xcomacom

are given by

d1xcomacom

= 1

N − 1

N−1∑

i=1

∣∣xcomi+1 − acomi+1 − (xcomi − acomi )∣∣

d2xcomacom

= 1

N − 2

N−1∑

i=2

∣∣xcomi+1 − acomi+1 − 2(xcomi − acomi )

+ xcomi−1 − acomi−1

∣∣ (12)

The slope correlation degree has some useful properties outlinedas follows:

Property 1. 0 < ε(xcom,acom) � 1, and as xcom = acom, the value ofslope correlation degree ε(xcom,acom) = 1.

Property 2. If xcom = acom ± �y ∗ I , where �y is a constant, I is unitvector which dimension is same as acom, the slope correlation distanceε(xcom,acom) = 1.

Proof. According to Eq. (12), we have

d1xcomacom

= 1

N − 1

N−1∑

i=1

∣∣xcomi+1 − acomi+1 − (xcomi − acomi )∣∣ = 0

d2xcomacom

= 1

N − 2

N−1∑

i=2

∣∣xcomi+1 − acomi+1 − 2(xcomi − acomi )

+ xcomi−1 − acomi−1

∣∣ = 0 (13)

Substituting (13) into (12), we have

ε(xcom,acom) = 1

1 + d1xcomacomd2

xcomacom

= 1 (14)

User authentication was implemented by comparing ε(xcom,

acom) with a threshold T , which can be adjusted periodically basedon the recent impostor patterns. The framework is illustrated inFig. 3. When the authentication system is deployed for operation.Of a number of login attempts, some will get access and otherswill not. Let ε1 be the least ε(xcom,acom) of the keystroke pat-terns allowed access, ε2 denote the maximal ε(xcom,acom) of thekeystroke patterns denied access, the threshold T can be adjustedperiodically by

T = ε1 + ε2

2(15)

The initial value of the threshold T was determined as 0.88 byexperiments [see Experiment 1].

In a geometric sense, the novelty detection-based methods im-plement user authentication via defining a closed boundary aroundthe normal patterns, from Eq. (5), if the current keystroke featurevector x is near to any vector of the training set in terms of Eu-clidean distance, we have

x − x′ ≈ acom (16)

where x′ is the projection of x onto the set of orthogonal bases,acom is the common feature vector generated from the trainingkeystroke features. Therefore, in a geometric sense, the proposedapproach implements user authentication via defining a boundaryaround each keystroke feature in the training set. The reason thatwe use the slope correlation degree instead of the Euclidean dis-tance is that the slope correlation degree presents high toleranceto instability of user keystroke patterns which lead to offsets oneach element of the keystroke feature vector. Since the authentica-tion of this method only involves several vector operations on thekeystroke feature vector x corresponding to a password which usu-ally is less than 20 characters, the authentication approach shouldbe very efficient.

3. Simulation results and performance analysis

The proposed approach has been implemented using Visual C++6.0. Two groups of datasets were considered in the simulation.Group 1 was collected from 20 users. For each user’s password,the legitimate user provided 5 patterns for training and 300 pat-terns for test, and 15 “impostors” that had continuously practiced

710 X. Wang et al. / Digital Signal Processing 22 (2012) 707–712

Fig. 4. The number of patterns versus their slope correlation degrees.

the password for 50 times provided 300 imposter patterns for test.Therefore for each user’s password, a training set including 5 le-gitimate user patterns, a test set including 300 legitimate userpatterns and 300 imposter patterns were obtained.

Group 2 was also collected from the 20 users, but it is morerealistic than the group 1 for two reasons. First, legitimate userpatterns had been collected for three months form their normaluse of their own machines. Second, imposter patterns were col-lected from the procedure that the imposter tried to intrude intothe system online. For each password, the valid user provided 1000patterns for test and the other 19 users provided 1900 imposterpatterns for test. Therefore for each user’s password, a test set in-cluding 1000 valid user patterns and 1900 imposter patterns wasobtained.

The experiments were conducted to show the discriminatingability of slope correlation degrees. The second objective was toverify the effectiveness of the proposed method in terms of thefalse acceptance rate and false rejection rate. A comparison ofthe performance of this method with the neural network-basedmethod [10], SVM-based method [11] and the SVM-based methodwith retraining [16] was performed.

Experiment 1. This experiment was conducted to show the dis-criminating ability of slope correlation degrees. Group 1 of thedatasets were used in this experiment. Four representative pass-

words were selected from group 1. Passwords 1 and 2 only includeEnglish characters, their lengths are 6 and 10, respectively. WhilePasswords 3 and 4 contain special characters and their lengthsare 8 and 12, respectively. For each password, a set of orthogonalbases z1, z2, . . . , zk−1 and a common feature vector were gener-ated from the corresponding training set of group 1, each patternof the corresponding test set of group 1 was projected onto the setof orthogonal bases z1, z2, . . . , zk−1 and a slope correlation degreecorresponding to the pattern was determined. The results are sum-marized in Fig. 4. As can be concluded from the results that theslope correlation degrees of the legitimate user patters are sharplydistributed in (0.89,1], while the slope correlation degrees of theimposters are all less than 0.88. Therefore, slope correlation de-grees possess of high discriminating ability, and we selected theinitial value of the threshold as 0.88.

Experiment 2. This experiment was conducted to verify the au-thentication accuracy of this approach in terms of the false ac-ceptance rate and false rejection rate. Group 2 of the datasetswere used in this experiment. We utilized our approach, the neu-ral network-based method, SVM-based method and SVM-basedmethod with retraining to implement authentication. The neuralnetwork-based method was trained with 200 patterns, and theSVM-based method was trained with 50 patterns. All training pat-terns were randomly selected from the valid user patterns of the

X. Wang et al. / Digital Signal Processing 22 (2012) 707–712 711

Table 1The classification performance in terms of FAR and FRR of the proposed method, the neural network-based method, SVM-based method and the SVM-based method withretraining for group 2 of datasets.

Methods Neural network-basedmethod

SVM-basedmethod

Our method SVM-based methodwith retraining

FARS 4.16 4.37 0.47 2.95FRRS 3.4 3.2 0 4.3

Table 2The training time and the keystroke authentication time using our approach, the neural network-based method, SVM-based method.

Methods Neural network-based method SVM-based method Our method

The number of training patterns 300 50 5The training time (s) 123.4 18.2 1.3The authentication time (s) 1.8 1.0 0.7

group 2 and the rest were used for testing. Our approach withretraining was periodically retrained using the legitimate user’s re-cent five patterns with 20 successful authentications intervals. Wealso repeated the experiments of the SVM-based method with re-training [16]. The resultant values are listed in Table 1. In termsof FRRS, our method turned out to be the best in terms of overallerrors. It can be concluded that our method yields a better perfor-mance compared with the other methods.

Experiment 3. Our purpose in this experiment was to test thecomputational cost of this method. The simulation experiment wasrun on a personal computer with Intel(R) Celeron(R) CPU 3.06 GHz,1.00 GB memory, and the operation system is Microsoft WindowsXP professional. The training time and the keystroke authentica-tion time using our approach, the neural network-based method,SVM-based method were obtained, the results are summarizedin Table 2. It can be concluded that our method yields a bet-ter computational performance compared with the other methods.In terms of the training time, our approach only needed 1.3 s toconstruct a model, whereas the neural network-based method andSVM-based method needed 123.4 s and 18.2 s respectively.

4. Conclusions

In this paper, we have described a novel user authenticationapproach via keystroke dynamics, which consists of two stages,a training stage and an authentication stage. In the training stage,a set of orthogonal bases and a common feature vector wereperiodically generated from keystroke features of the legitimateuser’s several recent successful authentications. In the authentica-tion stage, the current keystroke feature vector is projected ontothe set of orthogonal bases to determine the distortion of the fea-ture vector between its projections. User authentication is imple-mented by comparing the slope correlation degree of the distortionbetween the common feature vector with a threshold. Theoreticaland experimental results show that the proposed method yields abetter performance in terms of false acceptance rate and false re-jection rate in comparison with some recent methods.

This model can be applied to any circumstances where pass-word based access controls take place. For instance, it can be em-bedded into a Window NT or Window 2000 log-in module. Anyusers accessing the computer are prompted to type their password.If their typing passwords are correct, their current keystroke pat-terns are analyzed by the model to provide additional security.

Acknowledgment

This work was supported by the National Natural ScienceFoundation of China under Grant No. 90204012; the National

High-Tech Research and Development Plan of China under GrantNo. 2002AA143021.

References

[1] A.K. Jain, R. Bolle, S. Pankanti (Eds.), Biometrics: Personal Identification in Net-worked Society, Kluwer, Massachusetts, USA, 1999.

[2] R.S. Gaines, W. Lisowski, S.J. Press, N. Shapiro, Authentication by keystroke tim-ing: some preliminary results, Technical Report, Rand Report R-256-NSF, RandCorporation, 1980.

[3] J. Leggett, G. Williams, M. Usnick, Dynamic identity verification via keystrokecharacteristics, Int. J. Man Mach. Stud. 35 (6) (1991) 859–870.

[4] M.S. Obaidat, B. Sadoun, Verification of computer users using keystroke dynam-ics, IEEE Trans. Syst. Man Cybern. B Cybern. 27 (2) (1997) 261–269.

[5] M.S. Obaidat, A methodology for improving computer access security, Comput.Secur. 12 (7) (1993) 657–662.

[6] F. Wong, A.S. Supian, A.F. Ismail, Enhanced user authentication through typingbiometrics with artificial neural networks and k-nearest neighbor algorithm,in: The 35th International Conference on Signals, Systems and Computers, Cal-ifornia, USA, 2001.

[7] A. Peacock, X. Ke, M. Wilkerson, Typing patterns: a key to user identification,IEEE Secur. Priv. Mag. 2 (5) (2004) 40–47.

[8] M. Brown, S.J. Rogers, User identification via keystroke characteristics of typednames using neural networks, Int. J. Man Mach. Stud. 39 (1993) 999–1014.

[9] S. Cho, C. Han, D. Han, H. Kim, Web-based keystroke dynamics identity ver-ification using neural network, J. Organ. Comput. Electron. Commerce 10 (4)(2000) 295–307.

[10] E. Yu, S. Cho, Novelty detection approach for keystroke dynamics identity ver-ification, in: Fourth International Conference on Intelligent Data Engineeringand Automated Learning, Hong Kong, China, 2003.

[11] E. Yu, S. Cho, Keystroke dynamics identity verification—its problems and prac-tical solutions, Comput. Secur. 23 (5) (2004) 428–440.

[12] D.M.J. Tax, R.P.W. Duin, Support vector data description, Mach. Learn. 54 (1)(2004) 45–66.

[13] L.C.F. Araújo, L.H.R. Sucupira Jr., M.G. Lizárraga, L.L. Ling, J.B.T. Yabu-Uti, Userauthentication through typing biometrics features, IEEE Trans. Signal Pro-cess. 53 (2) (2005) 851–855.

[14] F. Bergadano, D. Gunetti, C. Picardi, User authentication through keystroke dy-namics, ACM Trans. Inform. Syst. Secur. 5 (4) (2002) 367–397.

[15] F. Monrose, A.D. Rubin, Keystroke dynamics as a biometric for authentication,Future Generat. Comput. Syst. 16 (2000) 351–359.

[16] H. Lee, S. Cho, Retraining a keystroke dynamics-based authenticator with im-postor patterns, Comput. Secur. 26 (4) (2007) 300–310.

[17] A. Guven, I. Sogukpinar, Understanding users’ keystroke patterns for computeraccess security, Comput. Secur. 22 (8) (2003) 695–706.

Xuan Wang was born in 1966. He received theB.S. and M.S. degrees in Electrical Engineering fromShaanxi Normal University, Xi’an, China in 1983 and1987, and received Ph.D. degree in the Key Labora-tory of the Ministry of Education for Computer Net-works and Information Security. He is currently Pro-fessor and Head of School of Physics and InformationTechnology at Shaanxi Normal University. His researchinterests include image processing and pattern recog-

nition.

712 X. Wang et al. / Digital Signal Processing 22 (2012) 707–712

Fang-Xia Guo was born in 1965. She received theM.S. degree in Electrical Engineering from ShaanxiNormal University. She is currently Vice Professor ofShaanxi Normal University and pursuing the Ph.D. de-gree at Shaanxi Normal University. Her research inter-ests include image processing and pattern recognition.

Jian-Feng Ma was born in 1961. He received thePh.D. degree in communication and electronic sys-tems from Xidian University. He is currently a Pro-fessor and the Dean of School of Computer in XidianUniversity. He is also a member of IEEE. His researchinterests include image processing and informationand network security.