Biblio

Filters: Keyword is Continuous Authentication
2023-02-03
Song, Yangxu, Jiang, Frank, Ali Shah, Syed Wajid, Doss, Robin.  2022.  A New Zero-Trust Aided Smart Key Authentication Scheme in IoV. 2022 IEEE International Conference on Pervasive Computing and Communications Workshops and other Affiliated Events (PerCom Workshops). :630–636.
With the development of 5G networking technology on the Internet of Vehicles (IoV), there are new opportunities for numerous cyber-attacks, such as in-vehicle attacks like hijacking occurrences and data theft. While numerous attempts have been made to protect against the potential attacks, there are still many unsolved problems, such as developing a fine-grained access control system. This is reflected by the granularity of security as well as the related data that are hosted on these platforms. Among the most notable trends is the increased usage of smart devices, IoV, cloud services, and emerging technologies aimed at accessing, storing and processing data. Most popular authentication protocols rely on a knowledge factor for authentication that is infamously known to be vulnerable to subversion. Recently, the zero-trust framework has drawn huge attention; there is an urgent need to further develop the existing Continuous Authentication (CA) technique to achieve the zero-trust framework. In this paper, firstly, we develop the static authentication process and propose a secured protocol to generate the smart key for the user to unlock the vehicle. Then, we propose a novel and secure continuous authentication system for IoVs. We present the proof-of-concept of our CA scheme by building a prototype that leverages commodity fingerprint sensors, NFC, and a smartphone. Our evaluations in real-world settings demonstrate the appropriateness of the CA scheme, and the security analysis of our proposed protocol for the digital key suggests its enhanced security against the known attack vectors.
2023-01-13
Anderson, John, Huang, Qiqing, Cheng, Long, Hu, Hongxin.  2022.  BYOZ: Protecting BYOD Through Zero Trust Network Security. 2022 IEEE International Conference on Networking, Architecture and Storage (NAS). :1–8.
As the COVID-19 pandemic scattered businesses and their workforces into new scales of remote work, vital security concerns arose surrounding remote access. Bring Your Own Device (BYOD) also plays a growing role in the ability of companies to support remote workforces. As more enterprises embrace concepts of zero trust in their network security posture, access control policy management problems become a more significant concern as it relates to BYOD security enforcement. This BYOD security policy must enable work from home, but enterprises have a vested interest in maintaining the security of their assets. Therefore, the BYOD security policy must strike a balance between access, security, and privacy, given the personal device use. This paper explores the challenges and opportunities of enabling zero trust in BYOD use cases. We present a BYOD policy specification to enable the zero trust access control known as BYOZ. Accompanying this policy specification, we have designed a network architecture to support enterprise zero trust BYOD use cases through the novel incorporation of continuous authentication & authorization enforcement. We evaluate our architecture through a demo implementation of BYOZ and demonstrate how it can meet the needs of existing enterprise networks using BYOD.
2022-10-16
Sarıtaş, Serkan, Forssell, Henrik, Thobaben, Ragnar, Sandberg, Henrik, Dán, György.  2021.  Adversarial Attacks on CFO-Based Continuous Physical Layer Authentication: A Game Theoretic Study. ICC 2021 - IEEE International Conference on Communications. :1–6.
5G and beyond-5G low power wireless networks make Internet of Things (IoT) and Cyber-Physical Systems (CPS) applications capable of serving massive numbers of devices and machines. Due to the broadcast nature of wireless networks, it is crucial to secure the communication between these devices and machines from spoofing and interception attacks. This paper is concerned with the security of carrier frequency offset (CFO) based continuous physical layer authentication. The interaction between an attacker and a defender is modeled as a dynamic discrete leader-follower game with imperfect information. In the considered model, a legitimate user (Alice) communicates with the defender/operator (Bob) and is authorized by her CFO continuously. The attacker (Eve), by listening to/eavesdropping on the communication between Alice and Bob, tries to learn the CFO characteristics of Alice and aims to inject malicious packets to Bob by impersonating Alice. First, by showing that the optimal attacker strategy is a threshold policy, an optimization problem of the attacker with exponentially growing action space is reduced to a tractable integer optimization problem with a single parameter; then the corresponding defender cost is derived. Extensive simulations illustrate the characteristics of the optimal strategies/utilities of the players depending on the actions, and show that the defender's optimal false positive rate causes attack success probabilities to be in the order of 0.99. The results show the importance of the parameters while finding the balance between system security and efficiency.
2022-08-01
Husa, Eric, Tourani, Reza.  2021.  Vibe: An Implicit Two-Factor Authentication using Vibration Signals. 2021 IEEE Conference on Communications and Network Security (CNS). :236–244.
The increased need for online account security and the prominence of smartphones in today's society has led to smartphone-based two-factor authentication schemes, in which the second factor is a code received on the user's smartphone. Evolving two-factor authentication mechanisms suggest using the proximity of the user's devices as the second authentication factor, avoiding the inconvenience of user-device interaction. These mechanisms often use low-range communication technologies or the similarities of devices' environments to prove devices' proximity and user authenticity. However, such mechanisms are vulnerable to co-located adversaries. This paper proposes Vibe, an implicit two-factor authentication mechanism which uses a vibration communication channel to prove users' authenticity in a secure and non-intrusive manner. Vibe's design provides security at the physical layer, reducing the attack surface to the physical surface shared between devices. As a result, it protects users' security even in the presence of co-located adversaries, the primary drawback of the existing systems. We prototyped Vibe and assessed its performance using commodity hardware in different environments. Our results show an equal error rate of 0.0175 with an end-to-end authentication latency of approximately 3.86 seconds.
2022-04-19
Rodriguez, Daniel, Wang, Jing, Li, Changzhi.  2021.  Spoofing Attacks to Radar Motion Sensors with Portable RF Devices. 2021 IEEE Radio and Wireless Symposium (RWS). :73–75.
Radar sensors have shown great potential for surveillance and security authentication applications. However, a thorough analysis of their vulnerability to spoofing or replay attacks has not been performed yet. In this paper, the feasibility of performing spoofing attacks on radar sensors is studied and experimentally verified. First, a simple binary phase-shift keying system was used to generate artificial spectral components in the radar's demodulated signal. Additionally, an analog phase shifter was driven by an arbitrary signal generator to mimic human cardio-respiratory motion. Characteristic time and frequency domain cardio-respiratory human signatures were successfully generated, which opens possibilities to perform spoofing attacks on surveillance and security continuous authentication systems based on microwave radar sensors.
2020-01-28
Ayotte, Blaine, Banavar, Mahesh K., Hou, Daqing, Schuckers, Stephanie.  2019.  Fast and Accurate Continuous User Authentication by Fusion of Instance-Based, Free-Text Keystroke Dynamics. 2019 International Conference of the Biometrics Special Interest Group (BIOSIG). :1–6.

Keystroke dynamics study the way in which users input text via their keyboards, which is unique to each individual, and can form a component of a behavioral biometric system to improve existing account security. Keystroke dynamics systems on free-text data use n-graphs that measure the timing between consecutive keystrokes to distinguish between users. Many algorithms require 500, 1,000, or more keystrokes to achieve EERs of below 10%. In this paper, we propose an instance-based graph comparison algorithm to reduce the number of keystrokes required to authenticate users. Commonly used features such as monographs and digraphs are investigated. Feature importance is determined and used to construct a fused classifier. Detection error tradeoff (DET) curves are produced with different numbers of keystrokes. The fused classifier outperforms the state-of-the-art with EERs of 7.9%, 5.7%, 3.4%, and 2.7% for test samples of 50, 100, 200, and 500 keystrokes.

2020-01-21
Huang, Jiaju, Klee, Bryan, Schuckers, Daniel, Hou, Daqing, Schuckers, Stephanie.  2019.  Removing Personally Identifiable Information from Shared Dataset for Keystroke Authentication Research. 2019 IEEE 5th International Conference on Identity, Security, and Behavior Analysis (ISBA). :1–7.

Research on keystroke dynamics has good potential to offer continuous authentication that complements conventional authentication methods in combating insider threats and identity theft before more harm can be done to the genuine users. Unfortunately, the large amount of data required by free-text keystroke authentication often contains personally identifiable information, or PII, and personally sensitive information, such as a user's first name and last name, username and password for an account, bank card numbers, and social security numbers. As a result, there are privacy risks associated with keystroke data that must be mitigated before they are shared with other researchers. We conduct a systematic study to remove PII from a recent large keystroke dataset. We find substantial amounts of PII in the dataset, including names, usernames and passwords, social security numbers, and bank card numbers, which, if leaked, may lead to various harms to the user, including personal embarrassment, blackmail, financial loss, and identity theft. We thoroughly evaluate the effectiveness of our detection program for each kind of PII. We demonstrate that our PII detection program can achieve near-perfect recall at the expense of losing some useful information (lower precision). Finally, we demonstrate that the removal of PII from the original dataset has only negligible impact on the detection error tradeoff of the free-text authentication algorithm by Gunetti and Picardi. We hope that this experience report will be useful in informing the design of privacy removal in future keystroke dynamics based user authentication systems.

2019-01-16
Zhao, Tianming, Wang, Yan, Liu, Jian, Chen, Yingying.  2018.  Your Heart Won't Lie: PPG-based Continuous Authentication on Wrist-worn Wearable Devices. Proceedings of the 24th Annual International Conference on Mobile Computing and Networking. :783–785.
This paper presents a photoplethysmography (PPG)-based continuous user authentication (CA) system, which especially leverages the PPG sensors in wrist-worn wearable devices to identify users. We explore the uniqueness of the human cardiac system captured by the PPG sensing technology. Existing CA systems require either dedicated sensing hardware or specific gestures, whereas our system does not require any user interaction but only the wearable device, which has already been pervasively equipped with PPG sensors. Notably, we design a robust motion artifacts (MA) removal method to mitigate the impact of MA from wrist movements. Additionally, we explore the characteristic fiducial features from PPG measurements to efficiently distinguish the human cardiac system. Furthermore, we develop a cardiac-based classifier for user identification using the Gradient Boosting Tree (GBT). Experiments with the prototype of the wrist-worn PPG sensing platform and 10 participants in different scenarios demonstrate that our system can effectively remove MA and achieve a high average authentication success rate of over 90%.
2018-05-16
Schiavone, E., Ceccarelli, A., Bondavalli, A.  2017.  Continuous Biometric Verification for Non-Repudiation of Remote Services. Proceedings of the 12th International Conference on Availability, Reliability and Security. :4:1–4:10.
As our society massively relies on ICT, security services are becoming essential to protect the users and entities involved. Amongst such services, non-repudiation provides evidence of actions, protects against their denial, and helps solve disputes between parties. For example, it prevents denial of past behaviors such as having sent or received messages. Noteworthy, if the information flow is continuous, evidence should be produced for the entirety of the flow and not only at specific points. Further, non-repudiation should be guaranteed by mechanisms that do not reduce the usability of the system or application. To meet these challenges, in this paper we propose two solutions for non-repudiation of remote services based on multi-biometric continuous authentication. We present an application scenario that discusses how users and service providers are protected with such solutions. We also discuss the technological readiness of biometrics for non-repudiation services: the outcome is that, under specific assumptions, it is actually ready.
2018-05-01
Eberz, Simon, Rasmussen, Kasper B., Lenders, Vincent, Martinovic, Ivan.  2017.  Evaluating Behavioral Biometrics for Continuous Authentication: Challenges and Metrics. Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security. :386–399.
In recent years, behavioral biometrics have become a popular approach to support continuous authentication systems. Most generally, a continuous authentication system can make two types of errors: false rejects and false accepts. Based on this, the most commonly reported metrics to evaluate systems are the False Reject Rate (FRR) and False Accept Rate (FAR). However, most papers only report the mean of these measures with little attention paid to their distribution. This is problematic as systematic errors allow attackers to perpetually escape detection while random errors are less severe. Using 16 biometric datasets we show that these systematic errors are very common in the wild. We show that some biometrics (such as eye movements) are particularly prone to systematic errors, while others (such as touchscreen inputs) show more even error distributions. Our results also show that the inclusion of some distinctive features lowers average error rates but significantly increases the prevalence of systematic errors. As such, blind optimization of the mean EER (through feature engineering or selection) can sometimes lead to lower security. Following this result we propose the Gini Coefficient (GC) as an additional metric to accurately capture different error distributions. We demonstrate the usefulness of this measure both to compare different systems and to guide researchers during feature selection. In addition to the selection of features and classifiers, some non-functional machine learning methodologies also affect error rates. The most notable examples of this are the selection of training data and the attacker model used to develop the negative class. 13 out of the 25 papers we analyzed either include imposter data in the negative class or randomly sample training data from the entire dataset, with a further 6 not giving any information on the methodology used. Using real-world data we show that both of these decisions lead to significant underestimation of error rates by 63% and 81%, respectively. This is an alarming result, as it suggests that researchers are either unaware of the magnitude of these effects or might even be purposefully attempting to over-optimize their EER without actually improving the system.
2018-02-27
Alshehri, A., Coenen, F., Bollegala, D..  2017.  Spectral Keyboard Streams: Towards Effective and Continuous Authentication. 2017 IEEE International Conference on Data Mining Workshops (ICDMW). :242–249.

In this paper, an innovative approach to keyboard user monitoring (authentication), using keyboard dynamics and founded on the concept of time series analysis, is presented. The work is motivated by the need for robust authentication mechanisms in the context of on-line assessment such as those featured in many online learning platforms. Four analysis mechanisms are considered: analysis of keystroke time series in their raw form (without any translation), analysis consequent to translating the time series into a more compact form using either the Discrete Fourier Transform or the Discrete Wavelet Transform, and a "benchmark" feature vector representation of the form typically used in previous related work. All four mechanisms are fully described and evaluated. A best authentication accuracy of 99% was obtained using the wavelet transform.

2017-06-05
Mirsky, Yisroel, Shabtai, Asaf, Rokach, Lior, Shapira, Bracha, Elovici, Yuval.  2016.  SherLock vs Moriarty: A Smartphone Dataset for Cybersecurity Research. Proceedings of the 2016 ACM Workshop on Artificial Intelligence and Security. :1–12.

In this paper we describe and share with the research community a significant smartphone dataset obtained from an ongoing long-term data collection experiment. The dataset currently contains 10 billion data records from 30 users collected over a period of 1.6 years and an additional 20 users for 6 months (totaling 50 active users currently participating in the experiment). The experiment involves two smartphone agents: SherLock and Moriarty. SherLock collects a wide variety of software and sensor data at a high sample rate. Moriarty perpetrates various attacks on the user and logs its activities, thus providing labels for the SherLock dataset. The primary purpose of the dataset is to help security professionals and academic researchers in developing innovative methods of implicitly detecting malicious behavior in smartphones, specifically from data obtainable without superuser (root) privileges. To demonstrate possible uses of the dataset, we perform a basic malware analysis and evaluate a method of continuous user authentication.

2017-03-08
Roth, J., Liu, X., Ross, A., Metaxas, D..  2015.  Investigating the Discriminative Power of Keystroke Sound. IEEE Transactions on Information Forensics and Security. 10:333–345.
The goal of this paper is to determine whether keystroke sound can be used to recognize a user. In this regard, we analyze the discriminative power of keystroke sound in the context of a continuous user authentication application. Motivated by the concept of digraphs used in modeling keystroke dynamics, a virtual alphabet is first learned from keystroke sound segments. Next, the digraph latency within the pairs of virtual letters, along with other statistical features, is used to generate match scores. The resultant scores are indicative of the similarities between two sound streams, and are fused to make a final authentication decision. Experiments on both static text-based and free text-based authentications on a database of 50 subjects demonstrate the potential as well as the limitations of keystroke sound.
Mondal, S., Bours, P..  2015.  Continuous Authentication in a real world settings. 2015 Eighth International Conference on Advances in Pattern Recognition (ICAPR). :1–6.

Continuous Authentication by analysing the user's behaviour profile on the computer input devices is challenging due to limited information, variability of data and the sparse nature of the information. As a result, most of the previous research was done as periodic authentication, where the analysis was made based on a fixed number of actions or a fixed time period. Also, the experimental data for most of the previous research was obtained under very controlled conditions, where the task and environment were fixed. In this paper, we focus on actual continuous authentication that reacts to every single action performed by the user. The experimental data was collected under completely uncontrolled conditions from 52 users by using our data collection software. In our analysis, we have considered both keystroke and mouse usage behaviour patterns to avoid a situation where an attacker avoids detection by restricting themselves to one input device because the continuous authentication system only checks the other input device. The result we have obtained from this research is satisfactory enough for further investigation in this domain.