
Fixed-text Keystroke Analysis

2. RELATED WORK

2.3. Fixed-text Keystroke Analysis

In the keystroke dynamics literature with regard to fixed-text keystroke analysis, the typing patterns to be analyzed are short, fixed, predetermined, and structured.

The research can be separated into two groups according to the problem each addresses. One group focuses on designing approaches that can be used in conjunction with, or in place of, traditional authentication mechanisms by analyzing the keystroke timing information of username/password pairs typed by individuals. The other group tries to identify the user from the keystroke timing information of predetermined texts typed by individuals a certain number of times. Section 2.3.1 introduces the algorithms for keystroke timing analysis of login-password pairs. Section 2.3.2 reviews the keystroke analysis methods for predetermined text.

2.3.1. Traditional login-password Authentication Mechanism

Joyce and Gupta [19] proposed a simple and promising approach to analyze four target strings (login, password, first name, last name) during a login process.

Their system requires new users to type the reference signatures, consisting of the four target strings, eight times. The mean reference signature is then given by:

$$M = \{M_{username}, M_{password}, M_{firstname}, M_{lastname}\}$$

At the authentication phase, a test signature $T$ is presented and compared with the reference signature $M$ to determine the magnitude of the difference between $M$ and $T$. Let $M = (m_1, m_2, \ldots, m_n)$ and $T = (t_1, t_2, \ldots, t_n)$, where $n$ is the total number of latencies in the signature. The verifier computes the magnitude of the difference between $M$ and $T$ as the norm:

$l_1 =$

Then a suitable threshold for an acceptable size of the magnitude is chosen for each user based on a measure of the variability of the user's signatures. The mean and standard deviation of the norms $\|M - S_i\|$, where $S_i$ is one of the training signatures, are used to decide a threshold for an acceptable norm value of the latency difference vector between a given $M$ and $T$. If this norm is less than the threshold for the user, the attempt is accepted; otherwise it is flagged as an imposter attempt. Thirty-three users participated in the evaluation. 13.3% (4 out of 30) FRR and 0.17% (1 out of 600) FAR were obtained. EER is not available because they did not conduct the experiment for every possible threshold value.
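The enrollment and verification steps described above can be sketched as follows. This is an added example, not code from Joyce and Gupta or from this thesis: the `l1_norm` body uses the standard sum-of-absolute-differences definition, and the rule `mean + k * std` with `k = 1.5` is an assumption, since the text only says the threshold is derived from the mean and standard deviation of the norms. All latency values are constructed.

```python
from statistics import mean, pstdev

def l1_norm(a, b):
    """Sum of absolute latency differences between two signatures."""
    if len(a) != len(b):
        raise ValueError("signatures must hold the same number of latencies")
    return sum(abs(x - y) for x, y in zip(a, b))

def enroll(training, k=1.5):
    """Return the mean reference signature M and a per-user threshold.

    k is an assumed multiplier: the text only says the threshold is derived
    from the mean and standard deviation of the norms ||M - S_i||.
    """
    n = len(training[0])
    if any(len(s) != n for s in training):
        raise ValueError("all training signatures must have the same length")
    M = [mean(s[i] for s in training) for i in range(n)]
    norms = [l1_norm(M, s) for s in training]
    return M, mean(norms) + k * pstdev(norms)

def verify(M, threshold, T):
    """Accept the attempt only when ||M - T|| is below the user's threshold."""
    return l1_norm(M, T) < threshold

# Constructed data: eight enrollment signatures, five latencies each (ms).
TRAINING = [
    [120, 95, 140, 110, 130], [124, 99, 136, 114, 126],
    [116, 91, 144, 106, 134], [122, 97, 138, 112, 128],
    [118, 93, 142, 108, 132], [120, 95, 140, 110, 130],
    [126, 101, 134, 116, 124], [114, 89, 146, 104, 136],
]
GENUINE = [123, 92, 143, 113, 127]    # constructed: close to the profile
IMPOSTER = [150, 70, 180, 90, 160]    # constructed: different rhythm

if __name__ == "__main__":
    M, threshold = enroll(TRAINING)
    print("M =", M, "threshold = %.2f" % threshold)
    print("genuine accepted: ", verify(M, threshold, GENUINE))
    print("imposter accepted:", verify(M, threshold, IMPOSTER))
```

A user with very consistent enrollment samples gets a tight threshold, which lowers FAR at the cost of FRR; `k` is the knob that trades one for the other.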

Magalhaes et al. [6, 3] proposed a lightweight algorithm that analyzes only one target string, a password or pass-phrase. Each user has to type the password or pass-phrase twelve times to form the reference profile. They enhanced [6] based on [3] by integrating the concept of keyboard gridding in [5]. Because it uses keyboard gridding, their algorithm is specifically designed and optimized for right-handed users. As a consequence, the algorithm they proposed cannot ensure the same results for left-handed users. 5.58% EER was obtained in [6], and less than 5% EER was achieved in [3].

Ru and Eloff [4] used fuzzy logic to characterize the typing behavior of users based on the keystroke latencies, the distance between the keys on the keyboard, and the typing difficulty of the key combinations. Twenty-five samples are required for enrollment. Username and password are used as the target strings to be analyzed. 7.4% FRR and 2.8% FAR were obtained in the experiment [2]. EER is not available because they did not conduct the experiment for every possible threshold value.

Haidar et al. [9] presented a suite of techniques using neural networks, fuzzy logic, statistical methods, and several hybrid combinations of these approaches to learn the typing behavior of a user. In the experiment, 2% FRR and 6% FAR were obtained [2].

Bleha et al. [23] proposed two approaches for authentication using a minimum distance classifier and a Bayesian classifier. The normalized minimum distance classifier was

, and the normalized Bayesian classifier was

( ) ( )

, where the participant is claiming to be user $i$, $X$ is the latencies vector, $m_i$ is the latency means of the reference samples and $C_i$ is the latencies covariance of the reference samples. Both classifiers have defined thresholds for deciding the acceptance of the user. They did not report the results obtained when different threshold values were used. In the experiment, 8.1% FRR and 2.8% FAR were obtained. EER is not available because they did not conduct the experiment for every possible threshold value.

2.3.2. Predetermined Text

Gaines et al. [18] conducted an experiment in which seven professional secretaries were asked to type three passages, about 300-400 words long (the first is ordinary English text, the second a collection of random words, and the third a collection of random phrases), at two different times within four months. The keystroke latencies of the digraphs that appeared more than ten times were computed for each individual. A classical two-sample t-test of statistical independence was applied to the hypothesis that the means and variances of the digraphs appearing in both sessions were the same; the percentage of digraphs that passed the test was between 80 and 95. Outliers were removed and the rest of the data were transformed by logarithm. An assumption was made that the raw data was log-normally distributed, and the transformed data was observed to be approximately normally distributed. 4% FRR (2 out of 55) and 0% FAR were obtained. However, the number of volunteers was too small and the amount of data required to create the reference profiles was insufficient.

Only the twenty-six lower-case letters and the space key were taken into consideration, resulting in only 27 * 27 = 720 different digraphs. Additionally, because of the limits imposed by the length and content of the three passages, only 87 combinations of digraphs were analyzed in the experiments. Consequently, the FAR and FRR obtained in the experiment carry lower confidence.

Leggett and Williams [8] proposed an improved approach based on [20]. They reported the results of two experiments similar to the experiment conducted in [18]. In the first experiment, seventeen programmers with different typing ability each provided two samples. The first sample, 1400 characters long, served as the reference profile, and the second, 300 characters long, served as the test profile. In the second experiment, thirty-six participants each provided two passages of 537 characters, typed in two separate months with a delay of at least one month. Their approach compares all digraph latencies between all combinations of digraphs in the samples. A test digraph was classified as valid if its latency was within 0.5 standard deviation of the reference digraph latency mean. 5.5% FRR and 5% FAR were obtained.

Bergadano et al. [17] proposed an approach that measures digraph latencies based on the degree of disorder. Given two typing samples of the same text, the digraphs shared between both typing samples are retrieved, and the durations of the n-graphs are computed. If an n-graph occurs more than once, the mean of its durations is calculated. Then the shared n-graphs in both typing samples are sorted by duration and stored in two arrays respectively. The degree of disorder is computed as the sum of the distances between the positions of each n-graph in the two sorted arrays. The predetermined sample texts in the experiment are a passage from a famous Italian novel plus a short text in English. Each sample was produced using only the twenty-six lower-case letters, plus the space, the full stop, the comma, the apostrophe and the carriage return keys. 154 volunteers were involved in the experiments. 4% FRR and less than 0.01% FAR were achieved.
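The degree-of-disorder computation described above, as an added example that is not code from Bergadano et al. or from this thesis. It goes one step beyond the text by also dividing by the maximum possible disorder for n shared n-graphs (n²/2 for even n, (n²-1)/2 for odd n) so that scores from samples of different size are comparable; the digraph timings are constructed.

```python
from statistics import mean

def degree_of_disorder(sample_a, sample_b):
    """Return (disorder, normalized disorder) for two typing samples.

    Each sample maps an n-graph to the list of durations (ms) observed
    for it. Only n-graphs present in both samples are compared.
    """
    shared = sorted(set(sample_a) & set(sample_b))
    if len(shared) < 2:
        raise ValueError("need at least two shared n-graphs to rank")

    def positions(sample):
        # Average repeated occurrences, then rank by duration.
        avg = {g: mean(sample[g]) for g in shared}
        ordered = sorted(shared, key=lambda g: (avg[g], g))  # name breaks ties
        return {g: pos for pos, g in enumerate(ordered)}

    pos_a, pos_b = positions(sample_a), positions(sample_b)
    disorder = sum(abs(pos_a[g] - pos_b[g]) for g in shared)
    n = len(shared)
    max_disorder = (n * n) // 2  # n^2/2 if n is even, (n^2 - 1)/2 if odd
    return disorder, disorder / max_disorder

# Constructed digraph durations in milliseconds.
REFERENCE = {"th": [90, 94], "he": [110], "in": [130, 126],
             "er": [150], "an": [170]}
SAME_USER = {"th": [95], "he": [105], "in": [140], "er": [135],
             "an": [180], "on": [200]}   # "on" is not shared, so it is ignored
OTHER_USER = {"th": [180], "he": [150], "in": [120], "er": [100], "an": [90]}

if __name__ == "__main__":
    print("same user: ", degree_of_disorder(REFERENCE, SAME_USER))
    print("other user:", degree_of_disorder(REFERENCE, OTHER_USER))
```

Because only the relative ordering of n-graph durations matters, the measure is insensitive to a user typing uniformly faster or slower between sessions.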
