Identifying Users with Wearable Sensors based on Activity Patterns

We live in a world where ubiquitous systems surround us in the form of automated homes, smart appliances and wearable devices. These ubiquitous systems not only enhance productivity but can also provide assistance given a variety of different scenarios. However, these systems are vulnerable to the risk of unauthorized access, hence the ability to authenticate the end-user seamlessly and securely is important. This paper presents an approach for user identification given the physical activity patterns captured using on-body wearable sensors, such as accelerometer, gyroscope, and magnetometer. Three machine learning classifiers have been used to discover the activity patterns of users given the data captured from wearable sensors. The recognition results prove that the proposed scheme can effectively recognize a user’s identity based on his/her daily living physical activity patterns

Pre-Interaction Identification by Dynamic Grip Classification

We present a novel authentication method to identify users as they pick up a mobile device. We use a combination of back-of-device capacitive sensing and accelerometer measurements to perform classification, and obtain increased performance compared to previous accelerometer-only approaches. Our initial results suggest that users can be reliably identified during the pick-up movement before interaction commences

I Know It\u27s You: Touch Behavioral Characteristics Recognition on Smartphone Based on Pattern Password

In recent years, pattern password has been widely used for user authentication on smartphones and other mobile devices in addition to the traditional password protection approach. However, pattern password authentication mechanism is incapable of protecting users from losses when a user\u27s login credential information is stolen. We propose an identity verification scheme based on user’s touching behaviors when inputting a pattern password on the smartphone screen. By exploiting the biometrical features, such as position, pressure, size, and time when a user inputs a pattern password to a smartphone, the proposed user verification mechanism can validate whether the user is the true owner of the smartphone. We adopted fuzzy logic, artificial neural network, and support vector machine, to build classifiers, using the behavioral data collected from 10 users. The experimental results show that all the three algorithms have significant recognition capacity, and the fuzzy logic algorithm is the best one with its false acceptance rate and false rejection rate as 4.7% and 4.468% respectively

Mind How You Answer Me! (Transparently Authenticating the User of a Smartphone when Answering or Placing a Call)

In this paper we propose a new biometric measure to authenticate the user of a smartphone: the movement the user performs when answering (or placing) a phone call. The biometric measure lever- ages features that are becoming commodities in new smartphones, i.e. accelerometer and orientation sensors. We argue that this new biometric measure has a unique feature. That is, it allows a trans- parent authentication (not requiring an additional specific interac- tion for this) to check that the user that is answering (or placing) a phone call is the one authorized to do that. At the same time, this biometric measure can also be used as a non transparent au- thentication method, e.g. the user may need to move the phone as if answering a call, in order to unlock the phone to get access to SMSs or emails. As a consequence of being a biometric measure, an adversary that spies on the movement (e.g. captures it with a camera) and tries to replicate it, will not be granted access to the phone. We prototyped our solution and conducted several experiments to assess its feasibility. Results show that the method is effective, and the performance is comparable to that of other transparent au- thentication methods, like face or voice recognition

Implicit Smartphone User Authentication with Sensors and Contextual Machine Learning

Authentication of smartphone users is important because a lot of sensitive data is stored in the smartphone and the smartphone is also used to access various cloud data and services. However, smartphones are easily stolen or co-opted by an attacker. Beyond the initial login, it is highly desirable to re-authenticate end-users who are continuing to access security-critical services and data. Hence, this paper proposes a novel authentication system for implicit, continuous authentication of the smartphone user based on behavioral characteristics, by leveraging the sensors already ubiquitously built into smartphones. We propose novel context-based authentication models to differentiate the legitimate smartphone owner versus other users. We systematically show how to achieve high authentication accuracy with different design alternatives in sensor and feature selection, machine learning techniques, context detection and multiple devices. Our system can achieve excellent authentication performance with 98.1% accuracy with negligible system overhead and less than 2.4% battery consumption.Comment: Published on the IEEE/IFIP International Conference on Dependable Systems and Networks (DSN) 2017. arXiv admin note: substantial text overlap with arXiv:1703.0352

User Behavior-Based Implicit Authentication

In this work, we proposed dynamic retraining (RU), wind vane module (WVM), BubbleMap (BMap), and reinforcement authentication (RA) to improve the efficacy of implicit authentication (IA). Motivated by the great potential of implicit and seamless user authentication, we have built an implicit authentication system with adaptive sampling that automatically selects dynamic sets of activities for user behavior extraction. Various activities, such as user location, application usage, user motion, and battery usage have been popular choices to generate behaviors, the soft biometrics, for implicit authentication. Unlike password-based or hard biometric-based authentication, implicit authentication does not require explicit user action or expensive hardware. However, user behaviors can change unpredictably, which renders it more challenging to develop systems that depend on them. In addition to dynamic behavior extraction, the proposed implicit authentication system differs from the existing systems in terms of energy efficiency for battery-powered mobile devices. Since implicit authentication systems rely on machine learning, the expensive training process needs to be outsourced to the remote server. However, mobile devices may not always have reliable network connections to send real-time data to the server for training. In addition, IA systems are still at their infancy and exhibit many limitations, one of which is how to determine the best retraining frequency when updating the user behavior model. Another limitation is how to gracefully degrade user privilege when authentication fails to identify legitimate users (i.e., false negatives) for a practical IA system.To address the retraining problem, we proposed an algorithm that utilizes Jensen-Shannon (JS)-dis(tance) to determine the optimal retraining frequency, which is discussed in Chapter 2. We overcame the limitation of traditional IA by proposing a W-layer, an overlay that provides a practical and energy-efficient solution for implicit authentication on mobile devices. The W-layer is discussed in Chapter 3 and 4. In Chapter 5, a novel privilege-control mechanism, BubbleMap (BMap), is introduced to provide fine-grained privileges to users based on their behavioral scores. In the same chapter, we describe reinforcement authentication (RA) to achieve a more reliable authentication

Inferences from Interactions with Smart Devices: Security Leaks and Defenses

We unlock our smart devices such as smartphone several times every day using a pin, password, or graphical pattern if the device is secured by one. The scope and usage of smart devices\u27 are expanding day by day in our everyday life and hence the need to make them more secure. In the near future, we may need to authenticate ourselves on emerging smart devices such as electronic doors, exercise equipment, power tools, medical devices, and smart TV remote control. While recent research focuses on developing new behavior-based methods to authenticate these smart devices, pin and password still remain primary methods to authenticate a user on a device. Although the recent research exposes the observation-based vulnerabilities, the popular belief is that the direct observation attacks can be thwarted by simple methods that obscure the attacker\u27s view of the input console (or screen). In this dissertation, we study the users\u27 hand movement pattern while they type on their smart devices. The study concentrates on the following two factors; (1) finding security leaks from the observed hand movement patterns (we showcase that the user\u27s hand movement on its own reveals the user\u27s sensitive information) and (2) developing methods to build lightweight, easy to use, and more secure authentication system. The users\u27 hand movement patterns were captured through video camcorder and inbuilt motion sensors such as gyroscope and accelerometer in the user\u27s device

Human-Computer Interaction: Security Aspects

Along with the rapid development of intelligent information age, users are having a growing interaction with smart devices. Such smart devices are interconnected together in the Internet of Things (IoT). The sensors of IoT devices collect information about users' behaviors from the interaction between users and devices. Since users interact with IoT smart devices for the daily communication and social network activities, such interaction generates a huge amount of network traffic. Hence, users' behaviors are playing an important role in the security of IoT smart devices, and the security aspects of Human-Computer Interaction are becoming significant. In this dissertation, we provide a threefold contribution: (1) we review security challenges of HCI-based authentication, and design a tool to detect deceitful users via keystroke dynamics; (2) we present the impact of users' behaviors on network traffic, and propose a framework to manage such network traffic; (3) we illustrate a proposal for energy-constrained IoT smart devices to be resilient against energy attack and efficient in network communication. More in detail, in the first part of this thesis, we investigate how users' behaviors impact on the way they interact with a device. Then we review the work related to security challenges of HCI-based authentication on smartphones, and Brain-Computer Interfaces (BCI). Moreover, we design a tool to assess the truthfulness of the information that users input using a computer keyboard. This tool is based on keystroke dynamics and it relies on machine learning technique to achieve this goal. To the best of our knowledge, this is the first work that associates the typing users' behaviors with the production of deceptive personal information. We reached an overall accuracy of 76% in the classification of a single answer as truthful or deceptive. In the second part of this thesis, we review the analysis of network traffic, especially related to the interaction between mobile devices and users. Since the interaction generates a huge amount of network traffic, we propose an innovative framework, GolfEngine, to manage and control the impact of users behavior on the network relying on Software Defined Networking (SDN) techniques. GolfEngine provides users a tool to build their security applications and offers Graphical User Interface (GUI) for managing and monitoring the network. In particular, GolfEngine provides the function of checking policy conflicts when users design security applications and the mechanism to check data storage redundancy. GolfEngine not only prevents the malicious inputting policies but also it enforces the security about network management of network traffic. The results of our simulation underline that GolfEngine provides an efficient, secure, and robust performance for managing network traffic via SDN. In the third and last part of this dissertation, we analyze the security aspects of battery-equipped IoT devices from the energy consumption perspective. Although most of the energy consumption of IoT devices is due to user interaction, there is still a significant amount of energy consumed by point-to-point communication and IoT network management. In this scenario, an adversary may hijack an IoT device and conduct a Denial of Service attack (DoS) that aims to run out batteries of other devices. Therefore, we propose EnergIoT, a novel method based on energetic policies that prevent such attacks and, at the same time, optimizes the communication between users and IoT devices, and extends the lifetime of the network. EnergIoT relies on a hierarchical clustering approach, based on different duty cycle ratios, to maximize network lifetime of energy-constrained smart devices. The results show that EnergIoT enhances the security and improves the network lifetime by 32%, compared to the earlier used approach, without sacrificing the network performance (i.e., end-to-end delay)

Transparent User Authentication For Mobile Applications

The use of smartphones in our daily lives has grown steadily, due to the combination of mobility and round-the-clock multi-connectivity. In particular, smartphones are used to perform activities, such as sending emails, transferring money via mobile Internet banking, making calls, texting, surfing the Internet, viewing documents, storing medical, confidential and personal information, shopping online and playing games. Some active applications are considered sensitive and confidential and the risks are high in the event of the loss of any sensitive data or privacy breaches. In addition, after the point of entry, using techniques such as a PIN or password, the user of the device can perform almost all tasks, of different risk levels, without having to re-authenticate periodically to re-validate the user’s identity. Furthermore, the current point-of-entry authentication mechanisms consider all the applications on a mobile device to have the same level of importance and so do not apply any further access control rules. As a result, with the rapid growth of smartphones for use in daily life, securing the sensitive data stored upon them makes authentication of paramount importance. In this research, it is argued that within a single mobile application there are different processes operating on the same data but with differing risks attached. The unauthorised disclosure or modification of mobile data has the potential to lead to a number of undesirable consequences for the user. Thus, there is no single level of risk associated with a given application and the risk level changes during use. In this context, a novel mobile applications data risk assessment model is proposed to appreciate the risk involved within an application (intra-process security). Accordingly, there is a need to suggest a method to be applied continuously and transparently (i.e., without obstructing the user’s activities) to authenticate legitimate users, which is maintained beyond point of entry, without the explicit involvement of the user. To this end, a transparent and continuous authentication mechanism provides a basis for convenient and secure re-authentication of the user. The mechanism is used to gather user data in the background without requiring any dedicated activity, by regularly and periodically checking user behaviour to provide continuous monitoring for the protection of the smartphone. In order to investigate the feasibility of the proposed system, a study involving data collected from 76 participants over a one-month period using 12 mobile applications was undertaken. A series of four experiments were conducted based upon data from one month of normal device usage. The first experiment sought to explore the intra-process (i.e., within-app) and inter-process (i.e., access-only app) access levels across different time windows. The experimental results show that this approach achieved desirable outcomes for applying a transparent authentication system at an intra-process level, with an average of 6% intrusive authentication requests. Having achieved promising experimental results, it was identified that there were some users who undertook an insufficient number of activities on the device and, therefore, achieved a high level of intrusive authentication requests. As a result, there was a need to investigate whether a specific combination of time windows would perform better with a specific type of user. To do this, the numbers of intrusive authentication requests were computed based on three usage levels (high, medium and low) at both the intra- and inter-process access levels. This approach achieved better results when compared with the first set of results: the average percentage of intrusive authentication requests was 3%, which indicates a clear enhancement. The second and third experiments investigated only the intra-process and inter-process, respectively, to examine the effect of the access level. Finally, the fourth experiment investigated the impact of specific biometric modalities on overall system performance. In this research study, a Non-Intrusive Continuous Authentication (NICA) framework was applied by utilising two security mechanisms: Alert Level (AL) and Integrity Level (IL). During specific time windows, the AL process is used to seek valid samples. If there are no samples, the identity confidence is periodically reduced by a degradation function, which is 10% of current confidence in order to save power while the mobile device is inactive. In the case of the mobile user requesting to perform a task, the IL is applied to check the legitimacy of that user. If the identity confidence level is equal to or greater than the specified risk action level, transparent access is allowed. Otherwise, an intrusive authentication request is required in order to proceed with the service. In summary, the experimental results show that this approach achieved sufficiently high results to fulfil the security obligations. The shortest time window of AL= 2 min / IL = 5 min produced an average intrusive authentication request rate of 18%, whereas the largest time window (AL= 20 min / IL = 20 min) provided 6%. Interestingly, when the participants were divided into three levels of usage, the average intrusive authentication request rate was 12% and 3% for the shortest time window (AL = 2 min / IL = 5 min) and the largest time window (AL= 20 min / IL = 20), respectively. Therefore, this approach has been demonstrated to provide transparent and continuous protection to ensure the validity of the current user by understanding the risk involved within a given application.Royal Embassy of Saudi Arabia Cultural Bureau in U