53 research outputs found

    A Supervised ML Biometric Continuous Authentication System for Industry 4.0

    Continuous authentication (CA) is a promising approach to authenticate workers and avoid security breaches in the industry, especially in Industry 4.0, where most interaction between workers and devices takes place. However, introducing CA in industries raises the following unsolved questions regarding machine learning (ML) models: its precision and performance; its robustness; and the issue about if or when to retrain the models. To answer these questions, this article explores these issues with a proposed supervised versus nonsupervised ML-based CA system that uses sensors, applications statistics, or speaker data collected by the operator’s devices. Experiments show supervised models with equal error rates of 7.28% using sensors data, 9.29% with statistics, and 0.31% with voice, a significant improvement of 71.97, 62.14, and 97.08%, respectively, over unsupervised models. Voice is the most robust dimension when adding new workers, with less than 2% of false acceptance rate even if workforce size is doubled

    SmartCAMPP - Smartphone-based Continuous Authentication leveraging Motion sensors with Privacy Preservation

    Continuous Authentication (CA) approaches are attracting attention due to the explosion of available sensors from IoT devices such as smartphones. However, a critical privacy concern arises when CA data is outsourced. Data from motion sensors may reveal users' private issues. Despite the need for CA in smartphones, no previous work has explored how to tackle this matter leveraging motion sensors in a privacy-preserving way. In this work, a mechanism dubbed SmartCAMPP is proposed to achieve CA based on gyroscope and accelerometer data. Format-preserving encryption techniques are applied to privately outsource them. Our results show the suitability of the proposed scheme, featuring of accuracy while taking 5.12 ms of computation for authenticating each user. Interestingly, the use of cryptography does not lead to a significant impact as compared to a non-privacy-preserving mechanism. This work was partially supported by Spanish MINECO, AEI and European Regional Development Fund (ERDF), through grants TIN2017-84844-C2-1-R (COPCIS) and PID2019-111429RBC21 (ODIO); by Comunidad de Madrid (Spain) through grant P2018/TCS-4566-CM (CYNAMON), co-funded with ERDF, and also jointly with Univ. Carlos III de Madrid, grant CAVTIONS-CM-UC3M. Lorena González and José María de Fuentes would like to thank the Excellence Program for University Researchers. Luis Hernández-Álvarez would like to thank CSIC Project 202050E304 (CASDiM)

    Impact of injection attacks on sensor-based continuous authentication for smartphones

    Given the relevance of smartphones for accessing personalized services in smart cities, Continuous Authentication (CA) mechanisms are attracting attention to avoid impersonation attacks. Some of them leverage Data Stream Mining (DSM) techniques applied over sensorial information. Injection attacks can undermine the effectiveness of DSM-based CA by fabricating artificial sensorial readings. The goal of this paper is to study the impact of injection attacks in terms of accuracy and immediacy to illustrate the time the adversary remains unnoticed. Two well-known DSM techniques (K-Nearest Neighbours and Hoeffding Adaptive Trees) and three data sources (location, gyroscope and accelerometer) are considered due to their widespread usage. Results show that even if the attacker does not previously know anything about the victim, a significant attack surface arises - 1.35 min are needed, in the best case, to detect the attack on gyroscope and accelerometer and 7.27 min on location data. Moreover, we show that the type of sensor at stake and configuration settings may have a dramatic effect on countering this threat. This work was supported by the Spanish Ministry of Science, Innovation and Universities grants TIN2016-79095-C2-2-R (SMOG-DEV), PID2019-111429RBC21 (ODIO); by Comunidad de Madrid (CAM) grant P2018/TCS4566 (CYNAMON-CM) funded with European FEDER funds; and CAVTIONS-CM-UC3M funded by UC3M and CAM

    BehaveFormer: A Framework with Spatio-Temporal Dual Attention Transformers for IMU enhanced Keystroke Dynamics

    Continuous Authentication (CA) using behavioural biometrics is a type of biometric identification that recognizes individuals based on their unique behavioural characteristics, like their typing style. However, the existing systems that use keystroke or touch stroke data have limited accuracy and reliability. To improve this, smartphones' Inertial Measurement Unit (IMU) sensors, which include accelerometers, gyroscopes, and magnetometers, can be used to gather data on users' behavioural patterns, such as how they hold their phones. Combining this IMU data with keystroke data can enhance the accuracy of behavioural biometrics-based CA. This paper proposes BehaveFormer, a new framework that employs keystroke and IMU data to create a reliable and accurate behavioural biometric CA system. It includes two Spatio-Temporal Dual Attention Transformers (STDAT), a novel transformer we introduce to extract more discriminative features from keystroke dynamics. Experimental results on three publicly available datasets (Aalto DB, HMOG DB, and HuMIdb) demonstrate that BehaveFormer outperforms the state-of-the-art behavioural biometric-based CA systems. For instance, on the HuMIdb dataset, BehaveFormer achieved an EER of 2.95%. Additionally, the proposed STDAT has been shown to improve the BehaveFormer system even when only keystroke data is used. For example, on the Aalto DB dataset, BehaveFormer achieved an EER of 1.80%. These results demonstrate the effectiveness of the proposed STDAT and the incorporation of IMU data for behavioural biometric authentication

    Privacy-aware Security Applications in the Era of Internet of Things

    In this dissertation, we introduce several novel privacy-aware security applications. We split these contributions into three main categories: First, to strengthen the current authentication mechanisms, we designed two novel privacy-aware alternative complementary authentication mechanisms, Continuous Authentication (CA) and Multi-factor Authentication (MFA). Our first system is Wearable-assisted Continuous Authentication (WACA), where we used the sensor data collected from a wrist-worn device to authenticate users continuously. Then, we improved WACA by integrating a noise-tolerant template matching technique called NTT-Sec to make it privacy-aware as the collected data can be sensitive. We also designed a novel, lightweight, Privacy-aware Continuous Authentication (PACA) protocol. PACA is easily applicable to other biometric authentication mechanisms when feature vectors are represented as fixed-length real-valued vectors. In addition to CA, we also introduced a privacy-aware multi-factor authentication method, called PINTA. In PINTA, we used fuzzy hashing and homomorphic encryption mechanisms to protect the users' sensitive profiles while providing privacy-preserving authentication. For the second privacy-aware contribution, we designed a multi-stage privacy attack to smart home users using the wireless network traffic generated during the communication of the devices. The attack works even on the encrypted data as it is only using the metadata of the network traffic. Moreover, we also designed a novel solution based on the generation of spoofed traffic. Finally, we introduced two privacy-aware secure data exchange mechanisms, which allow sharing the data between multiple parties (e.g., companies, hospitals) while preserving the privacy of the individual in the dataset. These mechanisms were realized with the combination of Secure Multiparty Computation (SMC) and Differential Privacy (DP) techniques. In addition, we designed a policy language, called Curie Policy Language (CPL), to handle the conflicting relationships among parties. The novel methods, attacks, and countermeasures in this dissertation were verified with theoretical analysis and extensive experiments with real devices and users. We believe that the research in this dissertation has far-reaching implications on privacy-aware alternative complementary authentication methods, smart home user privacy research, as well as the privacy-aware and secure data exchange methods

    Leveraging user-related internet of things for continuous authentication: a survey

    Among all Internet of Things (IoT) devices, a subset of them are related to users. Leveraging these user-related IoT elements, it is possible to ensure the identity of the user for a period of time, thus avoiding impersonation. This need is known as Continuous Authentication (CA). Since 2009, a plethora of IoT-based CA academic research and industrial contributions have been proposed. We offer a comprehensive overview of 58 research papers regarding the main components of such a CA system. The status of the industry is studied as well, covering 32 market contributions, research projects and related standards. Lessons learned, challenges and open issues to foster further research in this area are finally presented. This work was supported by the MINECO grant TIN2016-79095-C2-2-R (SMOG-DEV) and by the CAM grants S2013/ICE-3095 (CIBERDINE) and P2018/TCS4566 (CYNAMON-CM) both co-funded with European FEDER funds

    WoX+: A Meta-Model-Driven Approach to Mine User Habits and Provide Continuous Authentication in the Smart City

    The literature is rich in techniques and methods to perform Continuous Authentication (CA) using biometric data, both physiological and behavioral. As a recent trend, less invasive methods such as the ones based on context-aware recognition allow the continuous identification of the user by retrieving device and app usage patterns. However, a still uncovered research topic is to extend the concepts of behavioral and context-aware biometric to take into account all the sensing data provided by the Internet of Things (IoT) and the smart city, in the shape of user habits. In this paper, we propose a meta-model-driven approach to mine user habits, by means of a combination of IoT data incoming from several sources such as smart mobility, smart metering, smart home, wearables and so on. Then, we use those habits to seamlessly authenticate users in real time all along the smart city when the same behavior occurs in different contexts and with different sensing technologies. Our model, which we called WoX+, allows the automatic extraction of user habits using a novel Artificial Intelligence (AI) technique focused on high-level concepts. The aim is to continuously authenticate the users using their habits as behavioral biometric, independently from the involved sensing hardware. To prove the effectiveness of WoX+ we organized a quantitative and qualitative evaluation in which 10 participants told us a spending habit they have involving the use of IoT. We chose the financial domain because it is ubiquitous, it is inherently multi-device, it is rich in time patterns, and most of all it requires a secure authentication. With the aim of extracting the requirement of such a system, we also asked the cohort how they expect WoX+ will use such habits to securely automatize payments and identify them in the smart city. We discovered that WoX+ satisfies most of the expected requirements, particularly in terms of unobtrusiveness of the solution, in contrast with the limitations observed in the existing studies. Finally, we used the responses given by the cohorts to generate synthetic data and train our novel AI block. Results show that the error in reconstructing the habits is acceptable: Mean Squared Error Percentage (MSEP) 0.04%

    Secure and Usable User-in-a-Context Continuous Authentication in Smartphones Leveraging Non-Assisted Sensors

    Smartphones are equipped with a set of sensors that describe the environment (e.g., GPS, noise, etc.) and their current status and usage (e.g., battery consumption, accelerometer readings, etc.). Several works have already addressed how to leverage such data for user-in-a-context continuous authentication, i.e., determining if the porting user is the authorized one and resides in his regular physical environment. This can be useful for an early reaction against robbery or impersonation. However, most previous works depend on assisted sensors, i.e., they rely upon immutable elements (e.g., cell towers, satellites, magnetism), thus being ineffective in their absence. Moreover, they focus on accuracy aspects, neglecting usability ones. For this purpose, in this paper, we explore the use of four non-assisted sensors, namely battery, transmitted data, ambient light and noise. Our approach leverages data stream mining techniques and offers a tunable security-usability trade-off. We assess the accuracy, immediacy, usability and readiness of the proposal. Results on 50 users over 24 months show that battery readings alone achieve 97.05% of accuracy and 81.35% for audio, light and battery all together. Moreover, when usability is at stake, robbery is detected in 100 s for the case of battery and in 250 s when audio, light and battery are applied. Remarkably, these figures are obtained with moderate training and storage needs, thus making the approach suitable for current devices. This work has been partially supported by MINECO grants TIN2013-46469-R (SPINY), TIN2016-79095-C2-2-R (SMOG-DEV); CAM grant S2013/ICE-3095 (CIBERDINE), co-funded with European FEDER funds