    HuMan: Creating Memorable Fingerprints of Mobile Users

    Clustering Web Users By Mouse Movement to Detect Bots and Botnet Attacks

    The need for website administrators to efficiently and accurately detect the presence of web bots has shown to be a challenging problem. As the sophistication of modern web bots increases, specifically their ability to more closely mimic the behavior of humans, web bot detection schemes are more quickly becoming obsolete by failing to maintain effectiveness. Though machine learning-based detection schemes have been a successful approach to recent implementations, web bots are able to apply similar machine learning tactics to mimic human users, thus bypassing such detection schemes. This work seeks to address the issue of machine learning based bots bypassing machine learning-based detection schemes, by introducing a novel unsupervised learning approach to cluster users based on behavioral biometrics. The idea is that, by differentiating users based on their behavior, for example how they use the mouse or type on the keyboard, information can be provided for website administrators to make more informed decisions on declaring if a user is a human or a bot. This approach is similar to how modern websites require users to login before browsing their website; which in doing so, website administrators can make informed decisions on declaring if a user is a human or a bot. An added benefit of this approach is that it is a human observational proof (HOP); meaning that it will not inconvenience the user (user friction) with human interactive proofs (HIP) such as CAPTCHA, or with login requirement

    "Gaze-Based Biometrics: some Case Studies"

    Hacking the Simulation: From the Red Pill to the Red Team

    Many researchers have conjectured that humankind is simulated along with the rest of the physical universe – a Simulation Hypothesis. In this paper, we do not evaluate evidence for or against such a claim, but instead ask a computer science question, namely: Can we hack the simulation? More formally, the question could be phrased as: Could generally intelligent agents placed in virtual environments find a way to jailbreak out of them? Given that the state-of-the-art literature on AI containment answers in the affirmative (AI is uncontainable in the long-term), we conclude that it should be possible to escape from the simulation, at least with the help of superintelligent AI. By contraposition, if escape from the simulation is not possible, containment of AI should be, an important theoretical result for AI safety research. Finally, the paper surveys and proposes ideas for hacking the simulation and analyzes ethical and philosophical issues of such an undertaking

    Biometric and behavioral identification of users in intrusion scenarios (Identificação biométrica e comportamental de utilizadores em cenários de intrusão)

    Master's dissertation in Informatics Engineering. Account takeover and identity theft are very frequent problems in today's computer systems. The ease of access to the internet and people's exposure to this medium make the misuse and takeover of accounts (such as e-mail, social networks and bank accounts) by people other than their legitimate owners very frequent. Currently the dominant authentication method is the combination of username and password. However, this method may not be reliable, since these credentials can be shared, stolen or even forgotten. On the other hand, several techniques can be combined to strengthen the security of systems. Access cards (tokens), digital certificates and biometrics are some of them. Access cards, for example those used at ATMs, can be stolen or duplicated, as is frequently reported in bank fraud cases. Certificates follow the same path as tokens, since they can be distributed by e-mail or on USB devices. Physical biometrics (fingerprint, iris, retina or hand geometry, for example), besides being somewhat intrusive, require the acquisition of expensive equipment. A possible solution to the problems listed is behavioral biometrics. The way we behave and act on a computer can be used as biometric information. This information can be used a posteriori, generally complemented with more data, to identify an individual unequivocally (or at least with a certain degree of confidence). The information collected can range from typing style on the keyboard, skill with the mouse, habits, clicks, number of open pages, origin of the access, etc., and will then be subjected to behavioral algorithms to authenticate a user unequivocally. 
This work aims to implement, as a reinforcement of current authentication and intrusion detection systems, the verification of behavioral profiles of the account owner. This system will not incur significant costs, since only basic equipment will be used, and it will be completely invisible to the user; that is, the user will be continuously authenticated in a silent and non-intrusive way.
Session hijacking and identity theft are a problem increasingly common in computer systems nowadays. With the growing usage of online services, people become more exposed to different techniques, technological or social, that can be used to easily gain access to their personal accounts, from services such as Emails, Facebook, bank accounts, among others. Currently, the dominant method of authentication is the combination of username and password. This method can be unreliable, because these credentials can be shared, forgotten or stolen. To offer better authentication mechanisms, other techniques are used; among them are the tokens or digital certificates and biometrics. None of them completely solve the problem once they can be duplicated or stolen. Moreover the physiological biometrics (fingerprint, iris, retina, hand geometry, etc.) are intrusive, require the purchase of expensive equipment and may not work in all the scenarios. The way we behave and act in a computer can be used as biometric information. This information supplemented with more data (i.e. contextual data) can be used to identify unequivocally (or at least with a certain degree of confidence) an individual. The information collected may vary from the way of typing on a keyboard (keystroke dynamics), skill with the mouse (mouse dynamics), habits, clicks, number of pages open, source access, etc., which will then be subject to the use of behavioral algorithms to identify and authenticate, unequivocally, the user. 
In this work we present the implementation of a system that strengthens existing authentication and intrusion detection systems, helping them by checking behavioral profiles of the account owner. This system will not be costly, since it only uses basic hardware. Additionally, it will be completely invisible to the user, i.e., it will be working in an unobtrusive way, collecting data in background mode. The aim of this paper is to present a system capable of recognizing biometric patterns and, through behavioral algorithms and complex event processing, create user profiles that are used as identification and continuous authentication to services

    Rapid adaptation of video game AI

    Continuous Authentication of Users to Robotic Technologies Using Behavioural Biometrics

    Collaborative robots and current human–robot interaction systems, such as exoskeletons and teleoperation, are key technologies with profiles that make them likely security targets. Without sufficient protection, these robotics technologies might become dangerous tools that are capable of causing damage to their environments, increasing defects in work pieces and harming human co-workers. As robotics is a critical component of the current automation drive in many advanced economies, there may be serious economic effects if robot security is not appropriately handled. The development of suitable security for robots, particularly in industrial contexts, is critical. Collaborative robots, exoskeletons and teleoperation are all examples of robotics technologies that might need close collaboration with humans, and these interactions must be appropriately protected. There is a need to guard against both external hackers (as with many industrial systems) and insider malfeasance. Only authorised users should be able to access robots, and they should use only those services and capabilities they are qualified to access (e.g. those for which they are appropriately cleared and trained). Authentication is therefore a crucial enabling mechanism. Robot interaction will largely be ongoing, so continuous rather than one-time authentication is required. In robot contexts, continuous biometrics can be used to provide effective and practical authentication of individuals to robots. In particular, the working behaviour of human co-workers as they interact with robots can be used as a means of biometric authentication. This thesis demonstrates how continuous biometric authentication can be used in three different environments: a direct physical manipulation application, a sensor glove application and a remote access application. 
We show how information acquired from the collaborative robot's internal sensors, wearable sensors (similar to those found in an exoskeleton), and teleoperated robot control and programming can be harnessed to provide appropriate authentication. Thus, all authentication uses data that are collected or generated as part of the co-worker simply going about their work. No additional action is needed. For manufacturing environments, this lack of intrusiveness is an important feature. The results presented in this thesis show that our approaches can discriminate appropriately between users. We believe that our machine learning-based approaches can provide reasonable and practical solutions for continually authenticating users to robots in many environments, particularly in manufacturing contexts

    A Dynamic Behavioral Biometric Approach to Authenticate Users Employing Their Fingers to Interact with Touchscreen Devices

    The use of mobile devices has extended to all areas of human life and has changed the way people work and socialize. Mobile devices are susceptible to getting lost, stolen, or compromised. Several approaches have been adopted to protect the information stored on these devices. One of these approaches is user authentication. The two most popular methods of user authentication are knowledge based and token based methods but they present different kinds of problems. Biometric authentication methods have emerged in recent years as a way to deal with these problems. They use an individual’s unique characteristics for identification and have proven to be somewhat effective in authenticating users. Biometric authentication methods also present several problems. For example, they aren’t 100% effective in identifying users, some of them are not well perceived by users, others require too much computational effort, and others require special equipment or special postures by the user. Ultimately their implementation can result in unauthorized use of the devices or the user being annoyed by the implementation. New ways of interacting with mobile devices have emerged in recent years. This makes it necessary for authentication methods to adapt to these changes and take advantage of them. For example, the use of touchscreens has become prevalent in mobile devices, which means that biometric authentication methods need to adapt to it. One important aspect to consider when adopting these new methods is their acceptance of these methods by users. The Technology Acceptance Model (TAM) states that system use is a response that can be predicted by user motivation. This work presents an authentication method that can constantly verify the user’s identity which can help prevent unauthorized use of a device or access to sensitive information. 
The goal was to authenticate people while they used their fingers to interact with their touchscreen mobile devices doing ordinary tasks like vertical and horizontal scrolling. The approach used six biometric traits to do the authentication. The combination of those traits allowed for authentication at the beginning and at the end of a finger stroke. Support Vector Machines were employed and the best results obtained show Equal Error Rate values around 35%. Those results demonstrate the potential of the approach to verify a person’s identity. Additionally, this work tested the acceptance of the approach among participants, which can influence its eventual adoption. An acceptance level of 80% was obtained which compares favorably against other behavioral biometric approaches

    Exploiting Human Factors in User Authentication

    Our overarching issue in security is the human factor—and dealing with it is perhaps one of the biggest challenges we face today. Human factor is often described as the weakest part of a security system and users are often described as the weakest link in the security chain. In this thesis, we focus on two problems which are caused by human factors in user authentication and propose respective solutions. a) Secrecy information inference attack—publicly available information can be used to infer some secrecy information about the user. b) Coercion attack—where an attacker forces a user to hand over his/her secret information such as account details and password. In the secrecy information inference attack, an attacker can use publicly available data to infer secrecy information about a victim. We should be prudent in choosing any information as secrecy information in user authentication. In this work, we exploit public data extracted from Facebook to infer users' interests. Such interests can also be found on their profile pages but such pages are often private. Our experiments conducted on more than 34,000 public pages collected from Facebook show that our inference technique can infer interests which are often hidden by users with moderate accuracy. Using the inferred interests, we also demonstrate a secrecy information inference attack to break a preference based backup authentication system BlueMoon™. To mitigate the effect of secrecy information inference attack, we propose a new authentication mechanism based on user's cellphone usage data which is often private. The system generates memorable and dynamic fingerprints which can be used to create authentication challenges. In particular, in this work, we explore if the generated behavioral fingerprints are memorable enough to be remembered by end users to be used for authentication credentials. 
We demonstrate the application of memorable fingerprints by designing an authentication application on top of it. We conducted an extensive user study that involved collecting about one month of continuous usage data from 58 Symbian and Android smartphone users. Results show that the fingerprints generated are remembered by the user to some extent and that they were moderately secure against attacks even by family members and close friends. The second problem on which we focus in this thesis is human vulnerability to coercion attacks. In such attacks, the user is forcefully asked by an attacker to reveal the secret/key to gain access to the system. Most authentication mechanisms today are vulnerable to coercion attacks. We present a novel approach in generating cryptographic keys to fight against coercion attacks. Our technique incorporates a measure of user's emotional status using skin conductance (which changes when the user is under coercion) into the key generation process. A preliminary user study with 39 subjects was conducted which shows that our approach has moderate false acceptance and false rejection rates. Furthermore, to meet the demand of scalability and usability, many real-world authentication systems have adopted the idea of responsibility shifting, where a user's responsibility of authentication is shifted to another entity, usually in case of failure of the primary authentication method. In a responsibility shifting authentication scenario, a human helper who is involved in regaining access, is vulnerable to coercion attacks. In this work, we report our user study on 29 participants which investigates the helper's emotional status when being coerced to assist in an attack. Results show that the coercion causes involuntary skin conductance fluctuation on the helper, which indicates that he/she is nervous and stressed. 
The results from the two studies show that the skin conductance is a viable approach to fight against coercion attacks in user authentication


    The term Ambient Intelligence (AmI) refers to an environment able to recognize and respond to the presence of different individuals in a transparent, unobtrusive and often invisible way. In this type of environment, people are surrounded by intuitive human-machine interfaces integrated into objects of every kind. The aims of AmI are to provide efficient and easy-to-use support for services in order to increase individuals' capabilities and improve human-machine interaction. AmI technologies can be employed in contexts such as offices (smart offices), homes (smart homes), hospitals (smart hospitals) and cities (smart cities). In AmI scenarios, biometric systems represent enabling technologies for designing personalized services for individuals and groups of people. Biometrics is the science of establishing the identity of a person or a class of people based on the individual's physical or behavioral attributes. Typical applications of biometric systems include security checks, border control, physical access control and authentication for electronic devices. In AmI-based scenarios, biometric technologies must work in uncontrolled and less constrained conditions than commonly used biometric systems. Moreover, in many application scenarios it may be necessary to use techniques able to work in a covert and non-cooperative way. In this type of application, biometric samples often have low quality, and state-of-the-art biometric recognition methods may achieve unsatisfactory performance. Two ways can be distinguished to improve the applicability and diffusion of biometric technologies in AmI-based scenarios. 
The first way consists of designing innovative biometric technologies able to work robustly with samples acquired in non-ideal conditions and in the presence of noise. The second way consists of designing innovative multimodal biometric approaches able to take advantage of all the sensors placed in a generic environment, in order to obtain high recognition accuracy and perform continuous or periodic authentication in an unobtrusive way. The first objective of this thesis is the design of innovative, loosely constrained biometric systems able to improve, with respect to the current state of the art, the quality of human-machine interaction techniques in different AmI-based application scenarios. The second objective concerns the design of innovative approaches to improve the applicability and integration of heterogeneous biometric technologies in scenarios that use AmI. In particular, this thesis considers biometric technologies based on fingerprints, face, voice and multimodal systems. This thesis presents the following innovative research: • a method for speaker recognition from voice in applications that use AmI; • a method for estimating the age of an individual from samples acquired in non-ideal conditions in AmI-based scenarios; • a method for increasing the accuracy of biometric recognition in a privacy-protective way, based on the normalization of biometric scores through the analysis of groups of mutually similar samples; • a technology-independent approach to multimodal biometric fusion, able to combine heterogeneous biometric traits in AmI-based scenarios; • an approach for multimodal continuous authentication in applications that use AmI. 
The innovative biometric technologies designed and described in this thesis were validated using different biometric datasets (both public and acquired in the laboratory), which simulate the conditions that can occur in AmI applications. The results obtained demonstrated the feasibility of the approaches studied and showed that the methods designed increase the accuracy, applicability and usability of biometric technologies with respect to the state of the art in AmI-based scenarios.
Ambient Intelligence (AmI) refers to an environment capable of recognizing and responding to the presence of different individuals in a seamless, unobtrusive and often invisible way. In this environment, people are surrounded by intelligent intuitive interfaces that are embedded in all kinds of objects. The goals of AmI are to provide greater user-friendliness, more efficient services support, user-empowerment, and support for human interactions. Examples of AmI scenarios are smart cities, smart homes, smart offices, and smart hospitals. In AmI, biometric technologies represent enabling technologies to design personalized services for individuals or groups of people. Biometrics is the science of establishing the identity of an individual or a class of people based on the physical or behavioral attributes of the person. Common applications include: security checks, border controls, access control to physical places, and authentication to electronic devices. In AmI, biometric technologies should work in uncontrolled and less-constrained conditions with respect to traditional biometric technologies. Furthermore, in many application scenarios, it could be required to adopt covert and non-cooperative technologies. In these non-ideal conditions, the biometric samples frequently present poor quality, and state-of-the-art biometric technologies can obtain unsatisfactory performance. 
There are two possible ways to improve the applicability and diffusion of biometric technologies in AmI. The first one consists in designing novel biometric technologies robust to samples acquired in noisy and non-ideal conditions. The second one consists in designing novel multimodal biometric approaches that are able to take advantage of all the sensors placed in a generic environment in order to achieve high recognition accuracy and to perform continuous or periodic authentications in an unobtrusive manner. The first goal of this thesis is to design innovative less-constrained biometric systems, which are able to improve the quality of the human-machine interaction in different AmI environments with respect to the state-of-the-art technologies. The second goal is to design novel approaches to improve the applicability and integration of heterogeneous biometric systems in AmI. In particular, the thesis considers technologies based on fingerprint, face, voice, and multimodal biometrics. This thesis presents the following innovative research studies: • a method for text-independent speaker identification in AmI applications; • a method for age estimation from non-ideal samples acquired in AmI scenarios; • a privacy-compliant cohort normalization technique to increase the accuracy of already deployed biometric systems; • a technology-independent multimodal fusion approach to combine heterogeneous traits in AmI scenarios; • a multimodal continuous authentication approach for AmI applications. The designed novel biometric technologies have been tested on different biometric datasets (both public and collected in our laboratory) simulating the acquisitions performed in AmI applications. Results proved the feasibility of the studied approaches and showed that the studied methods effectively increased the accuracy, applicability, and usability of biometric technologies in AmI with respect to the state-of-the-art