Examining a large keystroke biometrics dataset for statistical-attack openings

Abdul Serwadda, Vir V. Phoha

Research output: Contribution to journalArticle

26 Scopus citations

Abstract

Research on keystroke-based authentication has traditionally assumed human impostors who generate forgeries by physically typing on the keyboard. With bots now well understood to have the capacity to originate precisely timed keystroke sequences, this model of attack is likely to underestimate the threat facing a keystroke-based system in practice. In this work, we investigate how a keystroke-based authentication system would perform if it were subjected to synthetic attacks designed to mimic the typical user. To implement the attacks, we perform a rigorous statistical analysis on keystroke biometrics data collected over a 2-year period from more than 3000 users, and then use the observed statistical traits to design and launch algorithmic attacks against three state-of-the-art password-based keystroke verification systems. Relative to the zero-effort attacks typically used to test the performance of keystroke biometric systems, we show that our algorithmic attack increases the mean Equal Error Rates (EERs) of three high performance keystroke verifiers by between 28.6% and 84.4%. We also find that the impact of the attack is more pronounced when the keystroke profiles subjected to the attack are based on shorter strings, and that some users see considerably greater performance degradation under the attack than others. This article calls for a shift from the traditional zero-effort approach of testing the performance of password-based keystroke verifiers, to a more rigorous algorithmic approach that captures the threat posed by today's bots.

Original languageEnglish
Article number8
JournalACM Transactions on Information and System Security
Volume16
Issue number2
DOIs
StatePublished - Sep 2013

Keywords

  • Biometrics
  • Keystroke dynamics
  • Spoofing attacks

Fingerprint Dive into the research topics of 'Examining a large keystroke biometrics dataset for statistical-attack openings'. Together they form a unique fingerprint.

  • Cite this