wearia: wearable device implicit authentication based...

WearIA: Wearable Device Implicit Authenticationbased on Activity Information

Yunze Zeng, Amit Pande, Jindan Zhu, Prasant MohapatraDepartment of Computer Science, University of California, Davis, CA, USA

{zeng, pande, jdzhu, pmohapatra}@ucdavis.edu

Abstract—Privacy and authenticity of data pushed by or intowearable devices are of important concerns. Wearable devicesequipped with various sensors can capture user’s activity in fine-grained level. In this work, we investigate the possibility of usinguser’s activity information to develop an implicit authenticationapproach for wearable devices. We design and implement aframework that does continuous and implicit authenticationbased on ambulatory activities performed by the user. Thesystem is validated using data collected from 30 participants withwearable devices worn across various regions of the body. Theevaluation results show that the proposed approach can achieveas high as 97% accuracy rate with less than 1% false positiverate to authenticate a user using a single wearable device. Andthe accuracy rate can go up to 99.6% when we use the fusion ofmultiple wearable devices.

I. INTRODUCTION

Recent hardware advances have led to the developmentand consumerization of wearable computing devices rangingfrom exercise and sleep tracking bracelets [3], vital signs(e.g. heart rate and blood pressure) monitoring devices [1]to augmented reality glasses [2]. Building on top of thesewearable devices, many personalized applications have beendeveloped for providing easy-to-use service and convenientuser experience. These new technologies open enormously vastopportunities in sensing user context and monitoring healthstatus, as well as providing plethora of new services. Whileenabling a spectrum of new applications, they also introduceunexplored paradigms in security and privacy.

Wearable devices can create new forms of interactionsbetween humans and machines. Users’ physical environmentand context can be efficiently sensed by wearable devices.The ECG, heart-rate, ultraviolet, infrared, accelerometer andmany other type of sensors can sense context and recorddata for an individual, which can be used to understandhuman activity [15], energy expenditure [21], personal healthmonitoring [24], etc. Wearable devices equipped with thesesensors can sense, collect and upload personal health andactivity related information (e.g. heart rate and steps) to theElectric Health Record(EHR)/cloud for further record andanalysis. Meanwhile, wearable devices can also be used to cre-ate new types of immersive human-machine interactions withproducts such as smartwatch or smartglass. These interactionscan be used for the applications of smart home and office.Moreover, different personal notifications, such as emails, textmessages and reminders can be pushed to wearable devices

EHR/Cloudhealth data

text, email, coming calls

Fig. 1. Wearable devices application scenarios

through the smartphones or directly from the cloud thoughWiFi connection for convenient viewing. Personal notificationsoften contain a brief viewing of the message content. Suchnotifications are highly private and people usually do not wantothers to see these contents. Figure 1 shows us the rolesof wearable devices in our daily life using an example ofsmartwatch. Here we name the first case of service (sensingcontext) that a wearable can provide us as upload service andthe second case (notifications) as download service.

Almost all the smart functions available on mobile/wearabledevices require user authentication as the first step. Usually,smartphone like devices use traditional explicit authenticationmethods, such as inputting PIN code or graphic pattern andusing fingerprint. However, such ways can not be easily usedon wearable devices due to the small form factor or lackof screens. Wearable devices have limited input method andfeedback modality, which make it even harder to use traditionalauthentication methods designed for smartphone. Moreover,PIN code-based ways are not user-friendly and sometimes notfully secure. Due to aforementioned reasons, current wearabledevices only rely on the BLE (Bluetooth Low Energy) pairingprocess to authenticate a user. However, the paring processonly requires password for the first time and the devicewill automatically be paired for the rest of times withoutchecking the user’s identity. Such one-time authenticationmanner cannot ensure that there is no mishap or misbondingbetween the device and the user. An implicit and continuousauthentication service is needed, which will allow the user tosave the intervention required in the pairing process as well asensure that there is no mishap or misbonding in the rest timeof usage.

For both upload and download services, security and pri-vacy concerns are important to be ensured. It is commonplaceto imagine a child, spouse or friend wearing a user’s wearabledevice for some short time period. Family members sharing thesame medical wearable device, such as non-invasive glucosemonitoring device, is also common to happen. Ideally, such978-1-5386-2723-5/17/$31.00 c©2017 IEEE

wearable device must be able to automatically recognize theperson wearing it and provide services catered to her. This isapplicable to both upload and download services. For example,it is necessary to make sure that the pushed notifications arenot downloaded when the actual person wearing the deviceis not the owner. Similarly, the vital signs collected by thewearable may be integrated to her EHR and such data shouldbe uploaded corresponding to the right user.

It is pertinent to secure such wearable devices using animplicit and continuous authentication way, which providesthe ability to authenticate users based on actions they wouldcarry out anyway. Such authentication framework provides adelicate balance between usability and security by implicitlyverifying the genuineness of the user using the device withoutany explicit PIN or password requests but only using the user’spatterns of activity. Similar ideas has been proved in smart-phones using feature-tuned application centric [12] and touch-based [9] approaches. We argue that wearable devices willbenefit more through such implicit authentication approach.However, there are unique challenges for designing suchapproach on wearable platforms. For instance, there are limitedpatterns and computing resources we can leverage. Moreover,we need to focus on the user-friendly and effortless design forwearable applications. These and many other challenges willbe discussed and addressed in our work. Some of the mainrequirements of this framework are: passive and continuousmonitoring of the user (and data), accurate authentication andlow outliers, user-friendliness and minimum burden to usersand energy-efficiency (low computational cost).

Inertial sensors, such as accelerometer and gyroscope, arebecoming essential parts of various mobile and wearableplatforms. Usually, these sensors have high sampling ratecapability with low cost to capture users’ activities [19].Google Fit and Apple HealthKit are recently released for easyaccessing to these sensor information on Android and IOSplatforms respectively for developers. Among all the existingapps, the major functions by using these sensors are heathrelated, such as physical activities prediction, and anomalydetection and diagnosis [5].

In this paper, we investigate the possibility of using ambu-latory activities as unique markers of the user to design animplicit authentication method. Here, we present WearIA, aWearable device Implicit Authentication framework. WearIAis based on the unique patterns derived from wearable sensorswhen the user is performing different activities. We designand implement a framework of collecting and processing theinformation from inertial sensors on the wearable platform toauthenticate the user implicitly and continuously. We evaluateour proposed framework using real world data and experiment.We asked 30 users to perform common ambulatory activities(e.g. walking, running) and conducted measurements usinginertial sensors from wearable devices on different body partsof the users to verify the accuracy of our proposed approach.The main contributions of this work are as follows:

1) We investigate the problem of implicitly authenticating auser on wearable devices. We design and implement an

implicit authentication framework for wearable devicesbased on the user’s activity information available frominertial sensors.

2) We demonstrate that we can increase the authenticationaccuracy by predicting the activity type, knowing the de-vice placement and fusion of multiple on body sensors.We quantify the impact and performance improvementfor each of above steps.

3) We collected a dataset which involves 30 participantswith 5 wearable devices in different on body locations.We conducted extensive evaluation for our system usingthe dataset. We also implemented our system on a realwearable platform.

The rest of the paper is summarized as follows: SectionII provides an overview about related work. We discuss thedetailed system design components in Section III. In Sec-tion IV, we talk about experiment setup and data collection.We then evaluate the performance of our system in Section V.Section VI discusses the further works and conclusions.

II. RELATED WORK

There has been recent interest in implicit authentication(IA) in smartphones. Shi et al. [23] models user’s recentbehavior using a Gaussian Mixture Model to identify currentactive user of mobile phone. Implicit authentication is obtainedusing keystroke dynamics and typing patterns, geo-location,file system activity and network access [26], proximity in-formation and touch-sensitivity and pressure applied whiletouching smartphone [9], [18]. De Luca et al. [9] use dynamictime warping on user’s touch pressure sensitivity to improveperformance of pattern-based phone unlocks. TIPS [11] ex-tends the use of touch screen to ubiquitiously monitor andimplicitly authenticate smartphone user. ITUS [12] frameworksupports different behavioral classifiers but it is focused onAndroid OS for smartphones. ZEBRA [17] framework in-volves smartwatch sensors for IA but uses smartwatch toauthenticate the user’s inputs on a smartphone. A good studyof different IA schemes is provided by [13]. However, thesework are limited to smartphone, and not considering the casefor wearable devices. Moreover, Khan et al. [14] shows thatcurrent touch input based IA solutions suffer from shouldersurfing and offline training attacks. Recent work has beenproposed to use different methods of IA for smart glasses [7],[16], [20], [27] and IoT devices [22]. However, these solutionscannot be generalized for wearable devices with different bodyplacements.

Some work have been done in gait-based user authenticationusing wearable devices and other type of sensing media (e.g.RF signals) [10], [28]. However, such authentication is basedon gait-detection, and restricted to walking. Gait detectioninvolves finding gait cycle and matching gait properties amongusers. But the attacker can be trained to impersonate otherperson’s gait. Our work considers generic activity-based IA,which is more robust and practical. Moreover, we also elab-orate the impact of sensor placement and generalization ofdifferent activities to IA.

Monitoring user activity

Data pre-processing

User performs different activities

Sliding window based analysis

Featureextraction Activity

classifier

ASM authentication

engine

Generic activity authentication engineTraining process

Window based signature extraction

Labeled data User identity

output

Accelerometer Data Processing User Authentication

Model Building

User identity check

Success

Fail

Fig. 2. Overview of WearIA

III. DESIGN

In this section, we first discuss motivation and applica-tion scenarios of continuous and implicit authentication forwearable devices. Then, we present the design goals and anoverview of WearIA. We also describe each component indetail.

A. Motivation: User Scenarios

Different kinds of wearable devices are being equipped onpeople for fitness tracking and convenient message viewingand human-computer interaction. Typically, a wearable devicewill be paired with a gateway device (e.g. smartphone) toprovide its full functionality. Here, we use smartwatch as anexample to illustrate the usage scenarios of various wearabledevices. Before the first time of use, the user needs to performpairing process for a smartwatch. To start paring, the userneeds to enable Bluetooth for both devices and make sure theyare in transmission range. Usually, the pairing needs a codeor pattern generated from the smartwatch and the smartphonewill use the code or pattern to identify the smartwatch to pairwith. The pairing will only happen once and the smartwatchwill automatically be paired with the smartphone in its vicinityfor the rest of times. We call such authentication as one timeauthentication.

The information exchanged between smartwatch and smart-phone include sensor data collected by the smartwatch andnotifications and message briefings generated by the smart-phone. Although such wearable devices are designed mainlyfor one user, there are certain circumstances that the devicesare used by other users for a short period of time. Onetime authentication manner cannot guarantee the sensor dataare from the intended user. Moreover, it cannot make surethat the notifications and message briefings are viewed bythe intended user. In this way, a continuous and implicitauthentication is needed to protect data on wearable devices.Such authentication can benefit in the following three ways.

1) User A uses a smartwatch to record and track hisdaily activity. User B borrows the device for two hoursto measure her energy expenditure. Continuous andimplicit authentication will automatically detect that thistwo hours data is not from user A and prevent it to beuploaded to user A’s health profile.

2) User A has a smartwatch and use it to receive no-tifications. Some of the notifications contain private

information. User B wears it occasionally. Continuousand implicit authentication can know when the deviceis not worn by user A and stop sending notifications tothe device.

3) User A owns a smartwatch which is paired withher smartphone. Continuous and implicit authenticationprocess on the smartwatch can constantly verify thewearer’s identity. Applications (e.g. bank APPs) on hersmartphone can leverage the proximity of the smart-watch to enable a convenient two-factor authentication.In this way, smartwatch can help her better secure thesmartphone applications.

B. Design Goals

To design a system which can provide continuous and im-plicit authentication for wearable devices, we need to considerboth practicability and applicability of the proposed system.Based on the identified challenges for wearable devices, theproposed authentication framework should meet the followingdesign goals:

1) Implicity and continuity: Different from the existingone-time authentication approach, the main purpose ofour system is to continuously authenticate the userswithout explicitly asking users to provide any informa-tion. We should build the framework to implicitly collectavailable information from wearable devices and use thatto design the authentication engine.

2) Effortlessness and user-friendliness: The systemshould not require the user to perform additional actionsin order to make the authentication process as effortlessas possible. It is expected that the user wear the deviceand use it naturally. No proactive interaction from theuser will be necessary to get identified.

3) Low computational cost: We are targeting differentwearable platforms with limited battery and computingresources. The solution should be low cost. Such lowcost solution comes form two folds. The sampling raterequired for the data collection should be as low as pos-sible and the authentication algorithms should involveonly low computational calculation.

C. System Overview

Our central idea in this work is to design a user activity-based authentication framework for wearable devices. In order

Xiaomi Mi4i Samsung S40.020.040.060.080.0

100.0120.0

Pow

er C

onsu

mpt

ion

(mW

)

AccelerometerGyroscope

Fig. 3. Power consumption comparision between accelerometer andgyroscope

to meet the above design goals, we propose WearIA, a systemdesign which can be applied on wearable platforms to conductcontinuous and implicit authentication. Figure 2 shows the out-line diagram of WearIA. WearIA requires a separate trainingphase which can be conducted when the user uses her wearabledevice for the first time. The user just needs to perform certainactivities to train the model. Our training phase is conductedoffline. We then constantly monitor and collect user’s activitydata (e.g. accelerometer) from the wearable device. We dividethe time series data into small window chunks and pre-processthe data in each window to remove the noise, where we apply alow pass filter with a cutoff frequency at 20Hz [25] to removethe high frequency noise caused by the vibration which cannotinfer any activity status. Note that we use low pass/band passfilters with different cutoff frequencies for feature calculation,but for the pre-processing, we use the fixed 20Hz cutoffthreshold. After the data pre-processing, we extract a numberof activity features from each window and select the significantfeatures for authentication. We evaluate two approaches forthe user authentication module. Both approaches need separatetraining phases conducted offline to generate the authenticationmodels. One simple and naive approach is to directly runa generic authentication engine without predicting the user’sactivity type. The other approach is to first classify user’sactivity type and then check if it is the default user(e.g. theowner of the device or the most recent user) by running abinary classification model. If it is not the default user, a pre-trained Activity Specific Model (ASM) will be used basedon the activity type to predict the user’s identity and furtherauthenticate the user.

D. Wearable Sensor Selection

Current wearable devices have been equipped with manysensors including accelerometer, gyroscope, heart rate andambient light sensors. WearIA is based on activity informationobserved from wearable devices. User’s activity informationcan be directly captured by accelerometer and gyroscope sen-sors. Heart rate sensor can also capture the activity indirectly,however it cannot provide us fine-grained level of activityinformation. Both accelerometer and gyroscope are widelyused for understanding and classifying user’s different activi-ties. Due to the design differences, the power consumption of

TABLE ISELECTED TIME DOMAIN FEATURES FOR ACTIVITY

EXTRACTION

Features for individual axis- Mean, Minimum, Maximum, Median, Absolute Mean- Variance, Standard Deviation, DC Mean- DC Area: The area under the signal after a low-pass filter(1Hz).

DCArea =

window size∑i=1

accelerationi (1)

- 90th percentile, 10th percentile, Signal Range- Cumulative sum over absolute signal value(AbsACArea)- Zero crossing rate, Mean crossing rate, Auto correlation- Pitch: The magnitude of the second peak of auto-correlation function.- Skewness (3rd moment): Measuring the asymmetry of the signal.- Kurtosis (4th moment): Measuring the peakedness of the signal.- Quartiles (first, second and third), Inter quartile range- Coefficient of variation over absolute value of signalFeatures across 3 axis- Total DC Mean across X, Y and Z axis- Total area under the absolute signals values across X, Y and Z- Total signal vector magnitude across X, Y and Z axis- DC Posture Dist: The difference value between means of X-Y, X-Z andY-Z after a low-pass filter(1Hz).- Correlation across X, Y and Z axis

TABLE IISELECTED FREQUENCY DOMAIN FEATURES FOR ACTIVITY

EXTRACTION

Features for individual axis- Normalized-Entropy: Measuring the disorder of the signal in frequencydomain(Vi is the normalized FFT coefficients).

H = −window size/2∑

i=1

Vi · log2 (Vi) (2)

- Normalized-Energy: Measuring the sum of energy without DC compo-nent in frequency domain(Vi is the normalized FFT coefficients).

E =

window size/2∑i=1

V 2i (3)

- FFT Peaks, Ratio of energy in dominant frequency- AC Band Energy: Normalized activity band energy(0.2-3.5Hz).- AC Low Energy: Normalized energy of low intensity physical activity(0-0.7Hz).- AC Mod Vig Energy: Normalized energy of moderate to vigorousphysical activity(0.71-10Hz).

these two sensors are quite different. From our measurement,we found that gyroscope consumes much more power thanaccelerometer at the same sampling rate. Figure 3 shows usthe power consumption of accelerometer and gyroscope fortwo smartphones at 200Hz sampling rate. We can see thatgyroscope consumes 20mW to 30mW more power. In order tomeet the low cost desigh goal, we choose to use accelerometerfor WearIA.

E. Feature Extraction and Selection

We extract a number of time and frequency domain featuresfrom each window (all three axis of each accelerometer). Atotal of 102 features are extracted which are summarized in

XZ_PostureDist

Z_DCArea

Z_DCMean

XY_PostureDist

X_DCArea

X_DCMean

Y_DCArea

YZ_PostureDist

Y_DCMean

Z_ACLowEnergy

0.4

0.6

0.8

1.0

1.2In

form

atio

n G

ain Generic Model

Walk Model

Fig. 4. Information Gain for selected features

Table I and II. A detailed description of these features is givenin [25].

From all the candidate features shown in Table I, we furtherselect a subset of most useful features for the authenticationpurpose. To determine how well a given feature can be used toidentify the user, we use Information Gain (IG) to evaluate andselection the feature set. IG was calculated using GainRatiocriterion. It is equal to the total entropy for an attribute iffor each of the attribute values a unique classification can bemade for the result attribute. In this case, the relative entropysubtracted from the total entropy is 0. Let FV denote a featurevector.

GainRatio(C,FV ) = (H(C)−H(C|FV ))/H(FV ) (4)

where C is the set of all training examples, and H() denotesentropy. The missing merge scheme is used to distribute countsfor missing values. Counts are distributed across other valuesin proportion to their frequency. Otherwise, the missing istreated as a separate value.

Figure 4 shows the ten features with highest IG values.Here the top ten features are the same for generic as well aswalking data (as well as running data). Next, we use a featureselection algorithm to find the independent features which cangive high predictive power. Feature selection aims at reducingthe number of attributes to be used in the model, while tryingto retain the predictive power of the original set of attributesin the pre-processed data. We use the Correlation FeatureSelection (CFS) strategy to identify a subset of attributes whichwere highly correlated with the outcome variable while havinglow inter-correlation among themselves. The CFS techniquewas used in conjunction with a greedy step wise search tofind the subset S with the best average merit, which is givenby:

Merits =nrfo√

n+ n(n− 1)rff(5)

where n is the number of features in S,rfo is the average valueof feature- outcome correlations, and rff is the average valueof all feature-feature correlations.

TABLE IIISENSOR PLACEMENT

Placement Sensor NodeWrist (left) Shimmer 6DoF IMUAnkle (right) Shimmer 6DoF IMUHip/Torso (center right) Samsung Galaxy S4 i9500Thigh/Front Pocket (left) Samsung Galaxy Nexus i9250Upper Arm (right) Samsung Galaxy Nexus i9250

TABLE IVUSER INFO. (MEAN±STDEV (MIN/MAX))

Number of Subjects 30 (20 males & 10 females)Age(year) 27.8± 6.9(19/45)Height(cm) 168.9± 10.8(150/189)Weight(kg) 66.9± 15.1(48/105)BMI (kg/m2) 22.7± 3.4(18/30)

TABLE VACTIVITY SEQUENCE

Timed Activity (Part1) Timed Activity (Part2)0 Jumping 0 Walking1 Walking 1 Standing2 Turning/Walking 2 Sitting3 U-Turn/Walking 3 Standing4 Turning/Walking 4 Walking11 Walking (repeat) 5 Elevator (up)12 ... 6 Elevator (down)13 Stairs climbing(up) 7 Walking14 Stairs climbing(down) 9 Running

F. Authentication Classifier

We use sliding window based method to buffer the sensordata and calculate features. The feature calculation and modelchecking need to be performed periodically. Because our targetplatform for the authentication classifier is a wearable devicewhich has limited computational resource and small capacitybattery, we would like to choose a light-weight and energyefficient classifier. For the authentication engines, we useRandom Forest [6] which is a decision-tree based classifierand only needs implement simple if-else conditions to do theclassification. Our system requires separate training phasesfor both generic and ASM authentication engines. To trainthe models, we ask the user to perform a set of pre-definedactivities and label the data for training. Note that our modelbuilding is conducted in the cloud which does not consume anyresource from wearable devices. To evaluate the performance,we divide the overall data for the model into n = 10 folds,where, n-1 folds are for supervised learning and one fold isused to test the model for errors. The errors obtained in a foldare added to the weights of nodes of next fold in the trainingset. Such 10-fold cross validation was used to evaluate themodel in order to ensure that the model was tested on datathat it had not seen while training, to minimize chance forover-fitting. Considering the fact that most wearable devicesare frequently used only by the owner (the default user) ofthe device, we design a user identity check module, where weuse a binary classifier to first check if the current user is theowner. For the binary classification, we use Support VectorMachine (SVM) with the Radial Basis Function (RBF) kernel

WalkingRunning

ClimbingJumping

20.030.040.050.060.070.080.090.0100.0

Accuracy(%)

WalkingRunning

JumpingClimbing

0.0

1.0

2.0

3.0

4.0

5.0

Fals

e P

ositi

ve R

ate(

%)

Fig. 5. The overall performance with ASMs

Upper ArmWrist Thigh Waist Ankle10.020.030.040.050.060.070.080.090.0

100.0

Acc

urac

y(%

)

WalkingRunningClimbingJumping

Upper ArmWrist Thigh Waist Ankle0.00.51.01.52.02.53.03.54.0

Fals

e P

ositi

ve R

ate(

%)


Fig. 6. Overall performance with known device placement

to perform the non liner separation. A similar 10-fold crossvalidation method is used for the evaluation.

IV. EXPERIMENT SETUP

A. Implementation and Platform

A platform of 5 wearable sensors are used for the datacollection and evaluation, including 2 wearable Shimmer IMUnodes and 3 smartphones. Nodes are attached to differentbody parts as described in Table III, and continuously collectaccelerometer samples at a fixed frequency of 50Hz. Alldevices are time synchronized before collection. During thecollection, Shimmer units stream real-time sensing data tocontrolling smartphone via a Bluetooth connection, whilesmartphones will store all data locally for later processing.We also implemented our system on a Shimmer device witha Android smartphone to demonstrate the real-time authenti-cation based on the user’s activities.

B. Subjects

We recruited a total of 30 participants (10 females and 20males) for the study. All participants are physically fit forperforming typical ambulatory activities of a normal person,as described below. Physical characteristics of all participantsare summarized in Table IV. The study is approved by Institu-tional Review Board (IRB) at our university. Participants arerecruited from the university campus and the medical center,

and all have given oral consent prior to the experiment inaccord with IRB regulation.

C. Data Collection Protocol

We designed a semi-controlled protocol for the data col-lection. Participants were asked to perform a sequence ofpre-defined types of ambulatory activities, following specifiedroutes. However, the environment where the collection isconducted is inside a regular office building and the courtyardoutside, with moderate traffic. The activity sequence is brokeninto two parts, as described in Table V, designed to emulateordinary behavior of a person in such environment. Theparticipants are asked to perform the activities as naturalas possible, and no rest between activities in each part.Completion of the whole sequence will take each participantapproximately 30 minutes. A supervisor accompanying theparticipant will manually time the instance when an activitytransition happens. Annotation of the activities is performedoffline. Data from all participants was combined to create adataset. Each person wore the same set of sensors and theexperiment was carried in the lab over a couple of days.

V. PERFORMANCE EVALUATION

In this section, we evaluate our system using the real-world dataset we have collected from 30 users. Meanwhile,we summarize our findings in order to provide insights fordeveloping better implicit authentication for wearable devices.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25User ID

0.0

0.2

0.4

0.6

0.8

1.0P

reci

sion

WristAnkleUpper ArmThighWaist

Fig. 7. The detailed precision comparison for 25 users

0 0.2 0.4 0.6 0.8 10

0.2

0.4

0.6

0.8

1

Precision

CD

F

Wrist

Ankle

Upper Arm

Thigh

Waist

Fig. 8. CDF of authentication precision for user identity check module

A. Evaluation Metrics

To evaluate our system, we consider the following metrics.1) True Positive (TP) rate (accuracy): TP rate is the fraction

of instances of user A that are correctly identified as userA. The overall accuracy is the weighted average of TPrate of all the users.

2) False Positive (FP) rate: FP rate is the fraction ofinstances that are incorrectly identified as user A. Theoverall FP rate is the weighted average of FP rate of allthe users.

3) Precision: It is defined as the number of true positivesover the number of true positives plus the number offalse positives.

B. Accuracy using Generic Model

We first consider the most robust case where we use ageneric model without classifying the activities and the sensorplacement on body is unknown. In this scenario, the user picksup a wearable device, puts it on any position (within fivepositions considered in this work) of the body and performs acertain activity. The accuracy to identify the user with a simplegeneric model is 80.9% and FP rate is less than 1%. The timewindow of 2 seconds is used in this setup to process sampleddata. Note that using the generic model we do not identifyactivity types as the first step. 80.9% of TP rate shows us that

WearIA can find the unique pattern existed in different activitytypes of the same user.

C. Improvements with Activity Specific Models (ASMs)

Next, we investigate whether it is possible to improve theauthentication accuracy using ASMs. ASMs have been widelyused to improve the Caloric energy expenditure estimationusing mobile sensors [4], [8]. We consider that knowingthe activity type will help to find the unique pattern forthe user. Here, we use a two-step approach to conduct theauthentication. For the same scenario (robust case), we traina custom classifier for each activity type and use activity-specific classifier to identify a user. We first apply an activityclassifier (which is also a random forest based model) toclassify user’s activity. The activities we have consideredare walking, running, climbing and jumping. The accuracyof activity classification is close to 95%. Then we apply aactivity-specific authentication model (ASM) after detectingthe user’s activity. Figure 5 shows the performance for eachactivity model. Walking and running models can achieve92.8% and 90.3% accuracy which improve the performance by15% and 12%. We can see from Figure 5 that climbing modelslightly performs worse than generic model and jumpingactivity cannot infer user’s identity information. Walking andrunning are the most common activities in our daily life, henceit is reasonable to assume that we trigger the authenticationprocess when we detect that the user is walking or running.Walking and running involves movements unique to the users,while jumping is an activity in free air. This may be the reasonfor low performance of jumping activity.

Summary: With a generic model, we have a fair accuracyrate for the user authentication. However, ASMs can signifi-cantly improve the accuracy.

D. Improvements using Device Placement

The placement of wearable devices is usually fixed. Forexample, we prefer to wear the smartwatch on our wrist andhang the Fitbit or smartphone around waist or pant pockets. Soit is reasonable to assume that we know the device placementeverytime when we want to authenticate the current user. Here

1 2 3 4Time Window Size(s)

10.020.030.040.050.060.070.080.090.0

100.0A

ccur

acy(

%)


(a) TP rate for Mixed placement


10.020.030.040.050.060.070.080.090.0

100.0

Acc

urac

y(%

)


(b) TP rate for Upper Arm


10.020.030.040.050.060.070.080.090.0

100.0

Acc

urac

y(%

)


(c) TP rate for Thigh


0.0

2.0

4.0

6.0

8.0

10.0

Fals

e P

ositi

ve R

ate(

%)


(d) FP rate for Mixed placement


0.0

2.0

4.0

6.0

8.0

10.0

Fals

e P

ositi

ve R

ate(

%)


(e) FP rate for Upper Arm


0.0

2.0

4.0

6.0

8.0

10.0

Fals

e P

ositi

ve R

ate(

%)


(f) FP rate for Thigh

Fig. 9. The performance with different authentication window size for selected placement cases

TABLE VIAVERAGE PRECISION OF SVM CLASSIFIER

Wrist Ankle Upper Arm Thigh WaistPrecision 0.78 0.72 0.74 0.83 0.86

we use a similar approach to build separate classifiers for eachactivity type with different device placement. Figure 6 showsus the performance if we know the placement of the wearabledevice, for each activity. Note that we assume the users toprovide the device placement information. We can alwayscheck whether the device is remaining on the target placementby simply applying a placement classification algorithm, sincedifferent placement will observe the same activity in differentways. From Figure 6, we can observe that putting the deviceon thigh or waist can achieve the highest accuracy (withmore than 97%) while walking. The average accuracy we canachieve by applying a placement-specific model is 93.2% and90.7% for walking and running respectively.

Summary: We need to build different models for differentsensor placements in order to achieve a very high accuracyrate.

E. Performance of User Identity Check Module

The user identity check module runs a SVM binary classifierto check if current user is the default user. Since walking is themost common activity during our daily life, WearIA triggersthe SVM binary classification once it detects a walking activ-ity. The overall average precision for user identity checkingis 0.78 based on walking activity. Table VI and Figure 8

shows us the average precision and CDF of all precisionamong 30 users for each device placement. We can see thatplacing the device on thigh or waist can achieve relativelybetter performance. However, through the analysis we foundthat different users have different authentication results. Tounderstand the detailed precision for each individual user withdifferent device placements, Figure 7 shows us the results ofcomparison for 25 users. The actual performance varies fromuser to user, but placing the device on waist can have thehighest precision for most of users.

F. Changing Authentication Window Size

To allow real time implementation, we adopt a slidingwindow based approach to analyze the sensor data fromwearable devices in real time. All the features are calculatedbased on samples collected in one time window. The windowsize determine how long the user needs to maintain in acertain activity before we can authenticate the user. In the otherwords, the window size determines how fast we can identifyand authenticate a user. Figure 9 shows us the performancewith different window sizes. Obviously, with a larger windowsize we can always get more activity data from the user andachieve a better accuracy. However, from Figure 9, we cansee that using 2 seconds window size can give us more than90% accuracy for most cases. Requiring a user to wear adevice for only 2 seconds makes WearIA a practical system.The performance of jumping activity reduces for larger timewindow because jumping is usually accompanied by secondsof inactivity.

G. Improvements with Sensor Fusion

Here we consider an extreme case where a user carries fivedevices with different placement and we fuse the data fromall five devices to authenticate the user. The accuracy ratesof ASMs and generic model are all greater than 99%. In thisway, some cloud services can identify a user with nearly 100%accuracy using multiple data sources from the user at the sametime.

Summary: With fusion of multiple devices of a user, we canachieve nearly 100% accuracy rate.

VI. DISCUSSION AND CONCLUSIONS

This work is limited to the use of accelerometer sensor,however we would like to investigate the impact of fusinginformation from gyroscope as well as compass sensor in thenext step. Heart rate sensor may also be used as an indicativeof user activity and it would be interesting to see how thatfeed improves the accuracy of user authentication. In a real-world setting, the wearable shifts its placement in human bodybecause of slips or re-adjustments by user which will introduceadditional challenges. To guard against data-replay attacks, itis also possible to use strong mathematical models which areable to draw correlations between multiple sensor data.

In this paper, we design and implement WearIA which usesactivity-sensing approach to implicitly authenticate users forwearable devices. The results are favorable and 97% accuracywas obtained in user identification using single sensor. More-over, the accuracy was high even when we didn’t know theexact location of the sensor, combine one or many sensorsand without using ASMs. The decision trees based classifierand feature extraction are simple computations and easy toimplement in existing wearable devices. The accuracy of 97%is high enough for tasks such as authentication for healthrecords. It can be further improved by aggregating the resultsof classifiers over multiple consecutive time windows (we mayrequire that the user to be recognized in two of the threeconsecutive time windows, which will increase the overallaccuracy). This work has leveraged both binary and 1-out-of-N classification methods to authenticate users. Our system canbe used in real-world to recognize and authenticate individualuser and automatically detect (N + 1)th user.

VII. ACKNOWLEDGMENTS

We appreciate insightful comments from the anonymousreviewers. This work was supported in part by the NSF CRII1464421 grant.

REFERENCES

[1] “https://store.dexcom.com,” [Online; accessed Dec. 2016].[2] “https://www.oculus.com,” [Online; accessed Dec. 2016].[3] “http://www.fitbit.com/flex,” [Online; accessed Dec. 2016].[4] M. Altini, J. Penders, and O. Amft, “Energy expenditure estimation using

wearable sensors: a new methodology for activity-specific models,” inProceedings of ACM the conference on Wireless Health, 2012.

[5] H. Banaee, M. U. Ahmed, and A. Loutfi, “Data mining for wearablesensors in health monitoring systems: a review of recent trends andchallenges,” Sensors, vol. 13, no. 12, pp. 17 472–17 500, 2013.

[6] L. Breiman, “Random forests,” Machine learning, vol. 45, no. 1, pp.5–32, 2001.

[7] J. Chauhan, H. J. Asghar, A. Mahanti, and M. A. Kaafar, “Gesture-based continuous authentication for wearable devices: The smart glassesuse case,” in International Conference on Applied Cryptography andNetwork Security. Springer, 2016, pp. 648–665.

[8] S. Chen, J. Lach, O. Amft, M. Altini, and J. Penders, “Unsupervisedactivity clustering to estimate energy expenditure with a single bodysensor,” in IEEE International Conference on Body Sensor Networks,2013.

[9] A. De Luca, A. Hang, F. Brudy, C. Lindner, and H. Hussmann, “Touchme once and i know it’s you!: implicit authentication based on touchscreen patterns,” in Proceedings of ACM CHI, 2012.

[10] M. O. Derawi, “Accelerometer-based gait analysis, a survey,” Norskinformasjonssikkerhetskonferanse (NISK), 2010.

[11] T. Feng, J. Yang, Z. Yan, E. M. Tapia, and W. Shi, “Tips: Context-aware implicit user identification using touch screen in uncontrolledenvironments,” in Proceedings of ACM HotMobile, 2014.

[12] H. Khan, A. Atwater, and U. Hengartner, “Itus: an authenticationframework for android,” in Proceedings of ACM Mobicom.

[13] ——, “A comparative evaluation of implicit authentication schemes,”in Research in Attacks, Intrusions and Defenses. Springer, 2014, pp.255–275.

[14] H. Khan, U. Hengartner, and D. Vogel, “Targeted mimicry attacks ontouch input based implicit authentication schemes,” in Proceedings of the14th Annual International Conference on Mobile Systems, Applications,and Services. ACM, 2016, pp. 387–398.

[15] O. D. Lara and M. A. Labrador, “A survey on human activity recognitionusing wearable sensors,” Communications Surveys & Tutorials, IEEE,vol. 15, no. 3, pp. 1192–1209, 2013.

[16] S. Li, A. Ashok, Y. Zhang, C. Xu, J. Lindqvist, and M. Gruteser, “Whosemove is it anyway? authenticating smart wearable devices using uniquehead movement patterns,” in Pervasive Computing and Communications(PerCom), 2016 IEEE International Conference on. IEEE, 2016, pp.1–9.

[17] S. Mare, A. M. Markham, C. Cornelius, R. Peterson, and D. Kotz, “Ze-bra: Zero-effort bilateral recurring authentication,” in IEEE Symposiumon Security and Privacy (SP), 2014.

[18] S. Mondal and P. Bours, “Swipe gesture based continuous authenticationfor mobile devices,” in IEEE International Conference on Biometrics(ICB), 2015.

[19] A. Pande, Y. Zeng, A. K. Das, P. Mohapatra, S. Miyamoto, E. Seto,E. K. Henricson, and J. J. Han, “Energy expenditure estimation withsmartphone body sensors,” in Proceedings of the 8th International Con-ference on Body Area Networks. ICST (Institute for Computer Sciences,Social-Informatics and Telecommunications Engineering), 2013, pp. 8–14.

[20] G. Peng, G. Zhou, D. T. Nguyen, X. Qi, Q. Yang, and S. Wang,“Continuous authentication with touch behavioral biometrics and voiceon wearable glasses,” IEEE Transactions on Human-Machine Systems,2016.

[21] A. Ruiz-Zafra, E. O. Gonzalez, M. Noguera, K. Benghazi, and J. M. H.Jimenez, “Energy expenditure analysis: A comparative research ofbased on mobile accelerometers,” in Ambient Assisted Living and DailyActivities. Springer, 2014, pp. 38–45.

[22] Y. Sharaf-Dabbagh and W. Saad, “On the authentication of devices inthe internet of things,” in World of Wireless, Mobile and MultimediaNetworks (WoWMoM), 2016 IEEE 17th International Symposium on A.IEEE, 2016, pp. 1–3.

[23] E. Shi, Y. Niu, M. Jakobsson, and R. Chow, “Implicit authenticationthrough learning user behavior,” in Information Security. Springer,2011, pp. 99–113.

[24] J. Snoeck-Stroband, “Internet-based self-monitoring of physical activity(pa) in copd patients: a study of the usability of activity monitors andpatients preferences,” in Medicine 2.0 Conference. JMIR PublicationsInc., Toronto, Canada, 2013.

[25] E. M. Tapia, “Using machine learning for real-time activity recognitionand estimation of energy expenditure,” Ph.D. dissertation, Citeseer, 2008.

[26] S. Yazji, X. Chen, R. P. Dick, and P. Scheuermann, “Implicit user re-authentication for mobile devices.” in UIC. Springer, 2009.

[27] S. Yi, Z. Qin, E. Novak, Y. Yin, and Q. Li, “Glassgesture: Exploringhead gesture interface of smart glasses,” in IEEE INFOCOM 2016.

[28] Y. Zeng, P. H. Pathak, and P. Mohapatra, “Wiwho: wifi-based personidentification in smart spaces,” in Proceedings of the 15th InternationalConference on Information Processing in Sensor Networks. IEEE Press,2016, p. 4.

wearia: wearable device implicit authentication based...

Documents