敲鍵行為統計學習模型應用於網路身份認證

國 立 交 通 大 學

資 訊 科 學 與 工 程 研 究 所

碩 士 論 文

敲鍵行為統計學習模型應用於網路身份認

證

Keystroke Statistical Learning Model for Web

Authentication

研 究 生：江檉皇

指導教授：謝續平 博士

敲鍵行為統計學習模型應用於網路身份認證

Keystroke Statistical Learning Model for Web

Authentication

研 究 生: 江檉皇 Student: Cheng-Huang Jiang

指導教授: 謝續平 博士 Advisor: Dr. Shiuh-Pyng Shieh

國 立 交 通 大 學

資 訊 科 學 與 工 程 研 究 所

碩 士 論 文

A Thesis

Submitted to

Department of Computer Science and Information Engineering

College of Electrical Engineering and Computer Science

National Chiao Tung University

In Partial Fulfillment of the Requirements

For the Degree of

Master

In

Computer Science and Information Engineering

June 2006

Hsinchu, Taiwan, Republic of China

敲鍵行為統計學習模型應用於網路身份認證

研究生：江檉皇 指導教授：謝續平

國立交通大學 資訊科學與工程研究所

摘 要

Keystroke Statistical Learning Model for Web

Authentication

Student: Cheng-Huang Jiang Advisor: Shiuh-Pyng Shieh

Department of Computer Science and Information Engineering

National Chiao Tung University

Abstract

As the rapid evolution of E-commerce, traditional password authentication mechanism is insufficient to provide strong security and reliability for identity

verification of web-based applications. Under the circumstance that the intruder could make use of the username and password stolen from the innocent individual,

conventional password authentication mechanisms are incapable to distinguish the discrepancy between the intruder and the innocent individual. Keystroke typing

characteristics is one of the most novel and creative biometric techniques. The low-cost and transparency of keystroke typing characteristics make it appropriate to

complement, but not to replace traditional password authentication mechanism used by web-based applications.

In this thesis, we proposed a statistical model for keystroke typing characteristics based on Hidden Markov Model and Gaussian Modeling from Statistical Learning

Theory. The accuracy of the identity authentication can be substantially enhanced by analyzing keystroke timing information of the username and password using our

proposed model. The results of the experiment showed that, with the condition on both the minimum length of the username and password restricted to be greater than

誌 謝

Table of Contents

2.3. Fixed-text Keystroke Analysis...7

2.4. Free-text Keystroke Analysis...11

2.5. Summary ...13

3. MODELING AND METHODOLOGY...16

3.1. Features...16

3.2. Gaussian Modeling ...17

3.3. Maximum Likelihood Estimation of the Parameters ...18

3.4. Hidden Markov Model...18

3.5. Forward Algorithm...22

3.6. General Modules for Keystroke Analysis...23

3.7. Scheme and Measures...28

4. EXPERIMENTS AND RESULTS...31

4.1. Experiment Setting...31

4.2. Data Collection ...31

4.3. Evaluation ...32

5. CONCLUSIONS...41

List of Figures

FIGURE 2.1:EER IS THE CROSS POINT AT WHICH THE FRR AND FAR ARE EQUAL. ...6

FIGURE 3.1:THE HIDDEN MARKOV MODEL FOR KEYSTROKE ANALYSIS. ...19

FIGURE 3.2:GRAPHICAL MODE FOR DIGRAPH WITH KEYSTROKE SEQUENCE “BANANA”...20

FIGURE 3.3:FLOW CHART FOR PROFILE BUILDING MODULE...25

FIGURE 3.4:FLOW CHART FOR AUTHENTICATION MODULE...26

FIGURE 3.5:FLOW CHART FOR IDENTIFICATION MODULE...28

FIGURE 3.5:FLOW CHART OF TRAINING PHASE FOR FIXED-TEXT KEYSTROKE ANALYSIS...29

FIGURE 3.6:FLOW CHART OF RECOGNITION PHASE FOR FIXED-TEXT KEYSTROKE ANALYSIS...30

FIGURE 4.1:TARGET STRING LENGTH DISTRIBUTION OF REFERENCE SAMPLES...32

FIGURE 4.2:O-STRATEGY -MINIMUM TARGET STRING LENGTH =9, REFERENCE SAMPLE SIZE =5...33

FIGURE 4.3:O-STRATEGY -MINIMUM TARGET STRING LENGTH =9, REFERENCE SAMPLE SIZE =10,EER= 5.71% ...33

FIGURE 4.4:O-STRATEGY -MINIMUM TARGET STRING LENGTH =9, REFERENCE SAMPLE SIZE =15,EER= 5.24% ...34

FIGURE 4.5:O-STRATEGY -MINIMUM TARGET STRING LENGTH =9, REFERENCE SAMPLE SIZE =20,EER= 4.76% ...35

FIGURE 4.6:A-STRATEGY -MINIMUM TARGET STRING LENGTH =9, REFERENCE SAMPLE SIZE =5,EER= 6.19% ...35

FIGURE 4.7:A-STRATEGY -MINIMUM TARGET STRING LENGTH =9, REFERENCE SAMPLE SIZE =10,EER =3.81%...36

FIGURE 4.8:A-STRATEGY -MINIMUM TARGET STRING LENGTH =9, REFERENCE SAMPLE SIZE =15,EER =2.91%...36

FIGURE 4.9:A-STRATEGY -MINIMUM TARGET STRING LENGTH =9, REFERENCE SAMPLE SIZE =20,EER =2.54%...37

FIGURE 4.10:O-STRATEGY –EER VS.MINIMUM TARGET STRING LENGTH...38

FIGURE 4.11:A-STRATEGY –EER VS.MINIMUM TARGET STRING LENGTH...38

FIGURE 4.12:O-STRATEGY:FRR WITH DIFFERENT NUMBER OF REFERENCE SAMPLES...39

FIGURE 4.13:O-STRATEGY:FAR WITH DIFFERENT NUMBER OF REFERENCE SAMPLES...39

FIGURE 4.14:A-STRATEGY:FRR WITH DIFFERENT NUMBER OF REFERENCE SAMPLES...40

1. Introduction

1.1. Background

As the web interface becoming more powerful and convenient, the trend has

been shown that more and more applications are developed for web-based services instead of for local use only. Web-based services change the way people

using computer, and makes it more easily for people to globally and ubiquitously acquire information and resources. Unfortunately, it also makes more chances for

malicious attack and intrusion to be happened. As a consequence, guarantee the accuracy of the user identity for web-based services has became a significant

issue.

Conventionally web-based services employ username/password pairs to

authenticate the identities of the users. After the users pass the authentication phase, the systems assume the identities of the users are consistent and rarely use

other mechanism to constantly assure the identities of the users. This comes up with two acute security issues. First one is at the authentication phase. An

attacker can steal the username/password pair by any means from the user, say Alice, log on to the web-based services by claiming to be Alice, and gain access

to the web-based service as Alice. Second one is after the authentication phase has been legally passed by Alice. An attacker can access the web-based services

and act as Alice when she is temporarily leaving the computer without log out the systems or close the browser. Hence we need another security mechanism to

complement or serve as a robust safeguard to prevent legal users from being impersonated and unauthorized.

keyboard typing rhythms, is one of the most novel and creative biometric techniques. There are two types of biometrics: physiological biometrics and

behavioral metrics. Physiological biometrics requires user to provide a given physical characteristic in different positions and/or conditions, but always the

same characteristic, such as fingerprint, facial recognition, hand geometry, iris scan, retinal scan, vascular patterns and DNA. Most of them require expensive

hardware to support the dedicated function. As a result, they are impractical and inefficient to combine with the authentication mechanism of the web-based

services. Behavioral biometrics requires user to behave in a consistent manner, including speaker recognition, keystroke dynamics, hand-writing and mouse

movement. Keystroke dynamics has following advantages over others:

♦ It is non-intrusive, since user will be typing at the keyboard anyway. ♦ It is transparent, since keystroke patterns can be captured silently

without interrupting user’s normal activity.

♦ It is low-cost, since the hardware requirement is only the keyboard which is already presented, and the analysis can be conducted and

implemented by software.

Keyboard dynamics has the disadvantage of instability inherited from behavioral

biometrics while the people may behave differently and be influenced by the environment, physiology status or different keyboards. Other than that, keystroke

dynamics is considered to be an economical and practical measure to be in conjunction with, or in place of traditional authentication method of web-based

services.

Keystroke dynamics is based on the assumption that different people have

unique habitual rhythm patterns in the way they type. Previous work ([19, 11]) has been shown that keystroke dynamics is good evidence of identity. Within the

keystroke dynamics literatures, the research can be divided into two categories: fixed-text keystroke analysis and free-text keystroke analysis, according to the

structures of the typing patterns to be analyzed. In the fixed-text keystroke analysis, the patterns are short, fixed and structured, such as login-password pairs

at the authentication phase or the pass-phrase predetermined by the authentication system. The methods [2, 3, 4, 6, 9, 19] proposed for fixed-text

keystroke analyses are usually encouraged to integrated with or replace of traditional web-based authentication method. As to the free-text keystroke

analysis, the patterns are diverse and long. They can be collections of keystrokes from an email sending by an employee or anything a user typed in any period of

time. Free-text keystroke analyses [1, 11, 15, 16] are suitable for continuously identity verification after the authentication phase has passed.

1.2. Contribution

In this thesis, we present a formal statistical model for keystroke dynamics

analysis using Hidden Markov Model and Gaussian Modeling. Underlying the proposed model and the schemes for fixed-text keystroke analysis can be applied

to web-based services as authentication mechanism for enhancing security strength according to different security requirements. The proposed model can be

extended to devise scheme for free-text keystroke analysis. The experiment of our scheme for authentication resulted on 2.54 % of Equal Error Rate, which is

the best so far in the literature.

1.3. Synopsis

This thesis is organized as follows. The related work of keystroke dynamics is presented in Chapter 2. In Chapter 3, formal model along with schemes for

results are given in Chapter 4. Finally, a conclusion and future work is given in Chapter 5.

2. Related Work

In this chapter, we first review the features used to analyze by keystroke dynamics in Section 2.1, and the performance measurements for keystroke

dynamics evaluation are presented in Section 2.2. Furthermore, we review the literature with regard to fixed-text keystroke analysis in Section 2.3. We present

a review for free-text keystroke analysis in Section 2.4.

2.1. Features

There are several measurements can be used by keystroke dynamics analysis when the user press the keys on the keyboard. The possible measurements can be

listed as follows:

♦ Keystroke duration: The time a key stays pressed.

♦ Keystroke latency: The time interval between two consecutive keystrokes (also referred to as digraph). It can be extended to N

consecutive keystrokes (also referred to as n-graph).

♦ Keystroke frequency: the number of times the keystroke appeared. First two of the list above is the most popular features used in the literature. The mean and standard deviation of the keystroke duration or latencies are the basis

measurement to combine with other techniques for timing characteristics analysis.

2.2. Performance Measures

Typically biometric performance has three metrics for describing performance in

terms of decision rates with regard to accuracy [21]:

♦ False Reject Rate (FRR): The expected portion of valid user attempts identified as imposters. A false rejection is also referred to as a “Type

I” Error in mathematical literature, or false alarm rate (FAR). The higher the FRR is, the lower the feasibility and convenience the

systems will perform.

♦ False Accept Rate (FAR): The expected portion of imposter attempts identified as valid users. A false acceptance is also referred to as a “Type II” error in mathematical literature, or imposter pass rate (IPR).

The higher the FAR is, the more opportunities the systems give the imposters to breach in.

♦ Equal Error Rate (EER): In Figure 2.1, the value of the cross point at which the FAR and FRR are equal for a determined threshold. The

threshold is the parameters which can be adjusted for different security strength in the algorithms. EER is also referred to as crossover error

rate (CER).

♦ Average False Rate (AFR): Average of FRR and FAR.

Figure 2.1: EER is the cross point at which the FRR and FAR are equal.

In most of the literature, the terms false reject rate and false accept rate are used interchangeably with false alarm rate and imposter pass rate. For the sake of

clarity, in this thesis we will use FRR to denote the false reject rate, FAR to denote the false accept rate, and ERR to denote the equal error rate respectively.

2.3. Fixed-text Keystroke Analysis

In the keystroke dynamics literature with regard to fixed-text keystroke analysis,

the typing patterns to be analyzed are short, fixed, predetermined, and structured. The research can be separated into two portions based on the concerns the

approaches presented. One portion puts their focuses on designing approaches which can be in conjunction with, or in place of traditional authentication

mechanism by analyzing the keystroke timing information of username/password pairs typed by individuals. The other portion tries to figure out how to identify

the user’s identity from keystroke timing information of predetermined texts typed by individuals for certain times. In the Section 2.3.1, we introduce the

algorithms for keystroke timing information analysis of login-password. In the Section 2.3.2, the review of the keystroke analysis methods for predetermined

text is presented.

2.3.1. Traditional login-password Authentication Mechanism

Joyce and Gupta [19] proposed a simple and promising approach to analyze four target strings (login, password, first name, last name) during a login process.

Their system requires new users to type the reference signatures in term of four target strings for eight times. The mean reference signature is then given by:

{

}

M = , , ,

At the authentication phase, a test signature is presented and compares with reference signature

T

M to determine the magnitude of the difference between M and T . Let M =

(

)

(

)

total number of latencies in the signature, the verifier computes the magnitude of the difference between M andT as the norm: l₁

∑

Then a suitable threshold for an acceptable size of the magnitude is chosen for each user based on a measure of the variability of user's signatures. The mean

and standard deviation of the norms M −S_i , where is one of the training signatures, are used to decide a threshold for an acceptable norm value of the latency difference vector between a given

i

S

M and T . If this norm is less than

the threshold for the user, the attempt is accepted. Otherwise it is flagged as an imposter attempt. Thirty-three users were participated in the evaluation. 13.3%

(4 out of 30) FRR and 0.17% (1 out of 600) FAR were obtained. EER is not available because they did not conduct the experiment for every possible

threshold values.

Magalhaes et al [6, 3] proposed a lightweight algorithm to analyze only one

target string with password or pass-phrase. Each user has to type password or pass-phrase for twelve times to form the reference profile. They enhanced [6]

based on [3] by integrated the concept of keyboard gridding in [5]. By using the concept of keyboard gridding, their algorithm is specifically designed and

optimized for right-handed users. As a consequence, the algorithm they proposed can not ensure the same results on left-handed users. 5.58 % EER was obtained

in [6], and less than 5% EER was achieved in [3].

Ru and Eloff [4] used fuzzy logic to characterize the typing behavior of the

users based on the keystroke latencies, the distance of the keys on the keyboard, and typing difficulty of the key combinations. Twenty-five samples are required

for enrollment. Username and password are used as target strings to be analyzed. 7.4% FRR and 2.8% FAR were obtained in the experiment [2]. EER is not

threshold values.

Haidar et al [9] presented a suite of techniques using neural networks, fuzzy

logic, statistical methods, and several hybrid combinations of these approaches to learn the typing behavior of a user. In the experiment, 2% FRR and 6% FAR

were obtained [2].

Bleha et al [23] proposed two approaches for authentication using minimum

distance classifier and Bayesian classifier. The normalized minimum distance classifier was

(

) (

)

m

X

m

X

m

X

D

⋅

−

−

=

, and the normalize Bayesian classifier was

(

)

(

)

, where the participant is claiming to be user , is the latencies vector,

is the latency means of the reference samples and is the latencies covariance

of the reference samples. Both classifiers have defined thresholds for deciding

the acceptance of the user. They din not mention the results would come up with while different threshold values were used. In the experiment, 8.1% FRR and

2.8% FAR were obtained. EER is not available because they did not conduct the experiment for every possible threshold values.

i X m_i

i

C

2.3.2. Predetermined Text

Gaines et al [18] conducted an experiment in which seven professional

secretaries were asked to type three passages, about 300-400 words long (the first one is ordinary English text, the second one is the collection of random

words, and the third one is the collection of random phrases), for two different times separately within four months. Keystroke latency of the digraph that

appeared more than ten times were computed for each individual. A classical two-sample t-test of statistical independence on the hypothesis that the

percentage of the means and variances of the digraphs appeared in both sessions were the same that passed the test were between 80 and 95. Outliers were

removed and the rest of data were transformed by logarithm. An assumption was made that the raw data was log-normally distributed, and the transformed data

was observed to be approximately normally distributed. 4% FRR (2 out of 55) and 0% FAR were obtained. However, the number of volunteers was too small

and the amount of data required to create the reference profiles was insufficient. Only twenty-six lower-case letters and space key were taken into consideration,

resulted that only 27 * 27 = 720 different digraphs. Additionally, since the limitation by the length and content of the three passages, only 87 combinations

of digraph were analyzed in the experiments. Consequently, the results of FAR and FRR obtained in the experiment resulted on a lower confidence.

Leggett and Williams [8] proposed an improved approach based on [20]. They reported the results of two experiments similar to the experiment conducted

in [18]. In the first experiment, seventeen programmers, with different typing ability, each one provided two samples. First sample was 1400 characters long

served as the reference profile, and second one was 300 characters long served as the test profile. In the second experiment, thirty-six participants provided two

passages in 537 characters long in two months separately with a delay of at least one month. Their approach compares all digraph latencies between all

combinations of digraphs in the samples. The test digraph was classified as valid one if the test digraph latency was within 0.5 standard deviation of the reference

digraph latency mean. 5.5% FRR and 5% FAR were obtained.

Bergadano et al [17] proposed an approach which measure digraph latencies

based on the degree of disorder. Given two typing samples of the same text, the digraphs shared between both typing samples are retrieved, and the durations of

n-graphs are computed. The mean of duration is calculated if n-graph is reported

more than one time. Then the shared n-graphs in both typing samples are sorted

by the duration and stored in two arrays respectively. The degree of disorder is computed as the sum of the distances between the positions of each n-graph in

both sorted array. The predetermined sample texts in the experiment are a passage of one famous Italian novel plus a short text in English. Each sample

was produced using only twenty-six lower-case letters, plus the space, the full stop, the comma, the apostrophe and the carriage return keys. 154 volunteers

were involved in the experiments. 4% FRR and less than 0.01% FAR were achieved.

2.4. Free-text Keystroke Analysis

Monrose and Rubin [11] proposed the method using Euclidean Distance and

probabilistic calculations on structured and unstructured texts. They made the assumption that the digraph latencies exhibit Gaussian distribution similar to the

assumption in this thesis. As to the dynamic identity verification, the author pointed out that their approaches were not qualified to authenticate the user

during the lifetime of a login session. Their approaches would fall hopelessly behind as the new measurements arriving almost each second, since the

continuous nature of the problem and the expensive computation of their approaches. The experiments required forty-two users to type a few sentences

accurate classification rate was achieved on structured texts, and only 23% of accurate classification rate was obtained on unstructured texts.

Dowland et al [15, 16] reported a preliminary result on determining which approaches provide the basis for further research on continuous authentication

with keystroke timing characteristics. Statistical analysis and data-mining analysis were used to investigate. 50% of accurate classification rate was

obtained in [15], and 60% of accurate classification rate was improved in [16]. Gunetti and Picardi [1] improved the approach proposed in [17] and introduced

two measures, R measure and A measure, to compute the degree of disorder between two samples of free texts. R measure was the one described in [17]. The

authors concluded that the length of two typing samples must be long enough to gather enough shared n-graphs between two typing samples, resulted on the

typing patterns to be analyzed were free text. If the number of shared n-graph was not sufficient, the degree of disorder computed for the free texts is less

representative. A measure is to suppose that the durations of the same n-graph from two sample texts which came from the same individual are similar. The

author combined two proposed measure with different n-graph to conduct the experiments. In the experiments, forty volunteers, each one provided 15 samples

for building reference profiles. Another one hundred and sixty-five people, each one provided one samples as imposters. All of them were native Italians and the

samples were written in Italian. No more than one sample provided each day via browser, and the samples were collected on the basis of the availability and

willingness of volunteers over a period of six month. Each size of the samples is about 700 to 900 characters long. The limitation of their approach is that the

length of the samples must be long enough. Furthermore, their approach is computationally expensive, and it is infeasible to be applied on verification of

identity via keystroke analysis in real time.

2.5. Summary

After the review of the keystroke dynamics analysis in the literature so far, we can see that the most common method the different approaches used as basis is

that most of them leveraged the mean and standard deviation of the digraph latencies or durations. The approaches determined the valid attempts by checking

whether the latencies or durations of the digraphs typed by the volunteers fall within the standard variation of the digraph latencies or duration mean as

follows: p p p p wD D D wD Dμ − σ ≤ ≤ μ + σ

, where D is one of the digraph latencies or durations in the test profile,

and are the corresponding digraph in the individual’s reference profile, and

is the weighting factor.

p

Dμ p

Dσ

w

There are several issues concerned by keystroke analysis for it to be feasible and practical as follows.

♦ The length of target strings to be analyzed. The longer the target string is, the more the digraphs can be used to compare between reference

profiles and test profiles. By the nature limitation of traditional authentication method with username/password, it is difficult to force

the users to remember their account information in terms of username and password with ten characters long respectively or even more. This

limitation lead to the situation that the methods proposed in the literature can only have spare timing information to analyze.

of calculating the mean and standard deviation of the digraph latencies and duration is to model the personal typing characteristics in statistics.

The more the number of sampled provided, the higher the accuracy of the mean and variance is close to the actual behavior of individual’s

typing characteristics. However, the number of samples also influences the feasibility of the methods in practical. In static keystroke analysis,

all methods required the volunteers to type the same structured or predetermined texts for several times. The number of repetition times

is inverse propositional to the desire of the volunteers and the users to adopt the proposed methods.

Previous works, regarding continuously monitor and analyze the typing patterns for real time identification of individuals have not yielded satisfied

results. Even if the accuracy is acceptable, it takes too long to recognize the identities of individuals. Consequently, it is infeasible in the environment with

high security level, such as government and military computers, since the confidential information could have been stolen for long enough without raising

the alarm. As the result, the time it takes for identification is a critical issue. In the literature with regard to this portion, the computation costs of the proposed

algorithms are high. As a result, it is a problem to verify the user's identity in real time. Unlike the limitation in static keystroke analysis, the sample texts can be of

any length, usually longer enough to have sufficient number of digraph combinations and repetition times for calculating more accurate mean and

standard deviation to fit the individual’s typing behavior. But it has corresponding limitation that the reference samples and the test samples could be

two totally different texts. The situation could happen while the digraphs in the test samples are not existent in the reference samples. The literatures regarding

free-text keystroke analysis have not discussed this issue, either they made the assumption that both the length of reference samples and test samples must be

longer enough to exist shared digraph, or made the constraint that only twenty-six lower-case letter plus several punctuation marks were taken into

consideration to construct the text to analyze.

As to the experiment setting, it is very difficult to obtain a sample

representative of the population, since we do not know how to characterize the population [6]. The experiment setting in each of the proposed method is

different, such as the number of the volunteers involved, the length of the target strings, the number of samples to construct the reference profiles, and where the

experiments were conducted. With all these variations resulted on that there is no fair standpoint to compare the results achieved by each method.

3. Modeling and Methodology

In this chapter, we first make a formal definition of features we will use for keystroke analysis in Section 3.1. The Gaussian Modeling for n-graph timing

information is presented in Section 3.2, and we introduce how to calculate parameters for Gaussian Modeling with Maximum Likelihood Estimation in

Section 3.3. In Section 3.4, the Hidden Markov Model is used to model the timing information given a keystroke sequence, and the Forward algorithm used

to calculate the probability given a keystroke sequence is presented in Section 3.5. In Section 3.6, we devise three general modules for keystroke analysis.

Furthermore, we introduce the schemes for keystroke analysis in Section 3.7.

3.1. Features

In the related work, we have reviewed the features used to analyze keystroke dynamics. In this section, we will give more formal definition on the features

that will be taken into consideration in our model. A single keystroke will trigger two events, the key press event and the key release event, along with the time

while both events occurred. Denote the set of keys of interest as Q, and let Q denote the cardinality of the set .We define the time point while the key is

pressed as . We refer to N consecutive keystrokes as n-graph. The

special case of single keystroke is referred to as unigraph. Two consecutive

keystrokes are referred to as digraph in the literatures, and trigraph means three consecutive keystrokes, etc. Given a sequence of consecutive keystrokes

, where m is the number of keystroke sequence, we have

n-graph with the size of Q pressed TKS

{

}

1 1 , 3 2 1, , , , } { _{∈ ≤≤ − +} = d d d dk k N k m n GD _K as follows:

TKS

TKS

The durations of n-graph are used as timing features for further analysis in our model.

3.2. Gaussian Modeling

Previous work [10, 11, 13, 18] have shown that the durations distribution of a

given set of digraphs forms an approximate Gaussian distribution. Therefore we

make a natural assumption that the n-graph , with duration , ,

forms a Gaussian distribution, such that

n Q q∈ y Pr

[ ]

2

1

]

|

Pr[

e

q

y

σ

π

=

where μ is the mean value of the duration for n-graph , and q y q σ is the q

standard deviation. Since behavioral characteristics of the individuals could be influenced by many reasons, the statistical analysis method used by previous

work can be viewed as the same probability was given to the valid attempts of digraph latencies and durations within the standard deviations of the mean

durations. By using Gaussian Modeling, we can give higher probability to the

n-graph durations of test samples that is more close to the n-graph mean

durations of reference samples, and lower probability to the n-graph duration that is far from the mean of the n-graph for the reason that the individuals could be

temporarily out of regular typing behavior, and we can take the irregular typing behavior without discarding the possibility that the set of n-graph durations

3.3. Maximum Likelihood Estimation of the Parameters

With the limitation that we are unable to collect all the typing keystrokes of the

individual and calculate the exact parameters of the means and variances for each

distinct combination of n-graph durations. We have to deduce

{

(

)

}

likelihood estimation of the parameters. Fortunately, the maximum likelihood estimation of the parameters for Gaussian distribution can compute the sample

mean and sample variance as follows.

S

[

]

∑

∑

, where is the number of n-graph appeared in . k q S

3.4. Hidden Markov Model

Hidden Markov Models (HMMs) [12, 14, 22] are proper for modeling sequential

data, such as the sequence of keystroke timing information that we take into consideration in this thesis. HMMs have been widely applied in areas such as

speech recognition, optical character recognition, machine translation, bioinformatics, and genomics. A Markov process is a stochastic process with the

property that the probability of transitioning from previous state to current state depends only on the previous state and was independent of all other previous

states. In general, a Markov model is a way of describing a process that goes through a series of states [14]. In a general Markov Model, the state is directly

observed by the observer. In a Hidden Markov Model, the state is not directly visible, and some outputs from the state are observed. A Hidden Markov Model

t

y

can be viewed as a chain of mixtures models with unknown parameters.

The HMM we use to model the timing information of keystroke sequence is

shown in Figure 3.1. It is a statistical graphical model, where each circle is a

random variable. Unshaded circles represent are unknown (hidden) state

variables we wish to infer, and shaded circles are observed state variables,

where is a specific point in time.

t

q

t A is a state transition matrix holding the

probabilities of transitioning from to , where (or ) means the

i-th (or j-th) state. So we have

i t q j t q 1 + i q j q

(

)

matrix holding the output probability

(

)

t t q

y

P of i-th state. π_i is the initial state probability of i-th state. A compact notation λ =(A,η,π) is used to indicate the complete parameter set of the

model.

Figure 3.1: The Hidden Markov Model for keystroke analysis.

In our setting, given a keystroke sequence , n-graph , [n+1]-graph

, such that

S G

{

}

}

,

,

,

,

{

}

,

,

,

,

{

,

,

,

g

g

g

g

G

g

g

g

g

G

s

s

s

S

′

′

′

′

=

′

=

=

K

K

K

The state transition matrix A is the probability of the frequency that the [n+1]-graph appeared in the S as follows.

n m g A_{g g} t t t − ′ = +1 ,

For instance in Figure 3.2, given a keystroke sequence “banana” and digraph is of interest, the digraph “na” is following the digraph “an”. We have 5 (6-2+1)

digraphs in “banana”, 4 (6-3+1) trigraph in “banana”, and the trigraph “ana”

appears two times. As a result, we have the transition probability of 2 =₄ 0.5 from “an” to “na”.

Figure 3.2: Graphical mode for digraph with keystroke sequence “banana”

The state emission matrix η here is defined as the Gaussian distribution probability of the n-graph G={g₁,g₂,g₃,_K,g_m−n+1} with duration

( ) ( ) ( )

(

)

{ _{1 1 2 2 3 3 −+1 − +1}

= d g d g d g d_{m n} g_{m n}

( )

(

)

( )

[

]

⎪

⎪

⎩

⎪⎪

⎨

⎧

′

≠

′

=

=

′

=

′

g

g

g

g

e

g

g

d

g

d

,

0

,

2

1

]

|

Pr[

σ

π

η

For example, given a sample duration 80ms of digraph “na” with the mean 100ms and the standard deviation 30ms, we can calculate the emission

probability of sample digraph duration as follows.

(

)

[

]

0

.

010648267

30

2

1

"

|"

100

Pr

80

=

⋅

=

=

e

na

ms

ms

π

η

The initial probability vector π is the probability of the frequency that the

n-graph appeared in the S.

There are three basic problems to solve with the HMM λ=(A,η,π). These problems are the following.

♦ Given a model parameters λ=(A,η,π) and observation output sequence O=O₁O₂O_3KO_t, compute the probability P(O|λ) of the

observation output sequence.

♦ Given a model parameters λ=(A,η,π) and observation output sequence O=O₁O₂O_3KO_t, find the most probable state sequence

t

Q Q Q Q

Q= _{1 2 3K} which could have generated the observation output

sequence.

♦ Given a observation output sequence O=O₁O₂O_3KO_t, generate a

HMM λ =(A,η,π) to maximize the P(O|λ).

We make the assumption that each individual has his/her own HMM with )

, , ( η π

λ = A for individual’s keystroke timing characteristics. The problem to

to choose one from the number of HMMs which has the highest probability to generate the keystroke sequence . Consequently, first we have to calculate the probability of keystroke sequence for each HMM. This is similar to the first

basic problem to solve with HMM as described above, and we will show how to

solve the problem with Forward algorithm in the next section.

S S

3.5. Forward Algorithm

The problem of finding the probability of keystroke sequence can be viewed as how well a given HMM

S

) , , ( η π

λ= A would score on . We use the

Forward algorithm [

S

22] to calculate the probability of a m long keystroke sequence S with n-graph G, and n-graph durations GD,

{

}

}

,

,

,

,

{

}

,

,

,

,

{

,

,

,

=

=

=

d

d

d

d

GD

g

g

g

g

G

s

s

s

S

K

K

K

The state probabilities α's of each state can be computed by first calculating

α for all states at t=1.

( )

( )

( )

1

g

π

g

η

d

α

=

⋅

Then for each time step t=2 K, ,k , the state probability α is calculated

recursively for each state.

( )

( )

1 +

(

)

+ t

=

⋅

⋅

g

α

g

A

η

d

α

Finally, the probability of keystroke sequence given a HMM S λ=(A,η,π)

is as follows.

[

S

,

G

,

GD

|

λ

]

=

α

( )

g

=

α

(

g

)

⋅

A

⋅

η

(

d

)

Pr

The Forward algorithm described above has certain difference from the original one in [22]. The emission probabilities take less computation to obtain

since we use the Gaussian distribution to model observed states. Additionally the observed states are only connected to the corresponding unknown states because

we know the exact combination of n-graph the individual typed. So the summation of all partial probability of the state at time is ignored and only

one probability is calculated.

t

In original version of the Forward algorithm, the computation involved in

the calculation of α_t

( )

observations in the sequence and is the number of states in the model,

requires

N

( )

O 2 calculations. In our modified version of the Forward

algorithm, we can see that it only requires O

( )

3.6. General Modules for Keystroke Analysis

In general, there are two problems can be solved using our model.

♦ Given a keystroke sequence S , and a HMM λ describing individual’s keystroke timing information, we wish to determine whether S come from λ or not. (Authentication)

♦ Given a keystroke sequence and a set of HMMs S λ's describing

different individuals’ keystroke timing information, we wish to know which HMM most probably generated S. (Identification)

The first problem is that, given a test sample of keystroke sequence and a reference profile, we have to decide whether the sample belongs to the reference

profile or not. The second problem is very similar to the solutions provided by physiological biometrics. In this section, we devise three modules: Profile

Building Module, Authentication Module and Identification Module underlying the model and algorithm described in the previous sections.

In the Profile Building Module, first we have to build the reference profile for each user. It requires the user to provide the reference samples. The more

quantity of reference samples provided, the more exact parameters can be extracted. After collecting sufficient number of reference samples, we use the

maximum likelihood estimation for Gaussian Modeling to calculate the parameters of each n-graph duration. We also have to compute the transition

probability matrix and initial probability vector with respect to Hidden Markov Model. Then the parameters calculated for Hidden Markov Model are treated as

the base element of the reference profile for each user. The flow chart of Profile Building Module is shown in Figure 3.3.

User provide sufficient number of reference samples

Transform the reference samples as combination of n-graph and duration

time for each n-graph

Apply maximum likelihood estimation for Gaussian Modeling to calculate the duration mean and duration standard

deviation of each distinct n-graph

Compute the transition probability matrix and initial probability vector of each n-graph state for Hidden Markov

Model

A : Transition probability matrix of HMM η : Emission probability matrix of HMM π : Initial probability vector of HMM

Store the profile of the particular User with the form of HMM λ={A, η, π} into User

Figure 3.3: Flow chart for Profile Building Module

In the Authentication Module, given a keystroke sequence of target

string from a user with claimed identity

S

ID, we wish to examine the possibility

that S generated by ID. First we transform the keystroke sequence to n-graph combinations and calculate the timing information of n-graph

duration as usual. At this moment, we have

S G GD S =

{

}

vector GDT, such that

}

,

,

,

{

−

−

−

=

GDT

μ

εσ μ

εσ

K

μ

εσ

, where ε is the weighting factor, k

g

μ is ID ’s duration mean of n-graph , and

k

g

k

g

σ is ID ’s duration standard deviation of n-graph . is the

n-graph duration vector to evaluate the threshold value of the probability

produced by modified Forward algorithm. With the inputs , , and

k

g GDT

GD GDT λ_ID,

we can apply modified version of Forward algorithm to obtain two probability value Pr[S,G,GD|λ_ID] and Pr[S,G,GDT|λ_ID]. Pr[S,G,GDT|λ_ID] can be

viewed as the possibility if all the n-graphs durations in G are deviating ε times of duration σ from duration μ. Pr[S,G,GDT|λ_ID] is the threshold value of probability used to decide that the acceptance of the keystroke sequence

is confirmed if following expression is true.

S ] | , , Pr[ ] | , , Pr[S G GD λ_ID ≥ S G GDT λ_ID

The weighting factor ε can be specified with respect to different level of security strength. The flow chart of Authentication Module is shown in Figure

3.4.

Figure 3.4: Flow chart for Authentication Module

In the Identification Module, given a keystroke sequence

from the individual and a set of HMMs

{

}

}

{

s λ λ λ λ

λ' = ₁, ₂, _3K, , where is the number of HMM. The problem is to choose the best one from

l s

'

λ which most probably generated or there is no such one existed. In the beginning, the keystroke sequence is transformed to

n-graph combinations and the timing information of

n-graph duration S S } , , , , { _{1 2 3 − +1} = g g g g_{m n} G _K } , , , , { _{1 2 3 −+1} = d d d d_{m n} GD _K is calculated. l j N j j GD G S, , | ] _{∈ 1},_{≤ ≤}

Forward algorithm. We select user U with the maximum probability over others’, such as

(

)

After that, we produce a vector GDT for user U , such that

}

,

,

,

{

GDT

−

−

−

=

μ

εσ

μ

εσ

_K

μ

εσ

, where ε is the weighting factor, is U ’s duration mean of n-graph , and is U ’s duration standard deviation of n-graph . Again we use the

modified Forward algorithm to calculate the . If the

expression , the keystroke sequence

generated by user U is confirmed. Otherwise, we consider the keystroke sequence is not generated by any user in the User Profile Database. The flow

chart is shown in Figure 3.5.

U k g μ g_k U k g σ g_k ] | , , Pr[ U U GDT G S λ ] , , Pr[ ] | , , U U U S G GDT GD G λ ≥ |λ Pr[S S S

User provide testing sample with claimed identity ID.

Transform the testing sample as combination of n-graph and duration

time for each n-graph

Produce GDT with weighting factor ε

Apply modified Forward algorithm to calculate Pr[S, G, GD | λ] for each HMM in the User Profile Database

Confirmed that testing sample S is generated by

user U

ID : The claimed identity of the user S : Keystroke sequence of target string G : n-graph vector generated from S GD : n-graph duration vector for G from S GDTU_{: n-graph duration vector for G from the}

Gaussian Modeling parameters of user U λ : HMM parameters of user

J : the number of profile in User Profile Database

Pr[S, G, GD | λU] >= Pr[S, G, GDTU| λU]

Unknown user in the User Profile Database No

Yes Select

Pr[S, G, GD | λU] = max(Pr[S, G, GD | λj])

for all j in J

Figure 3.5: Flow chart for Identification Module

3.7. Scheme and Measures

Within the literature of fixed-text keystroke analysis, most of the proposed approaches put the emphasis on the application of authentication. There are

♦ The target string to be analyzed could be username, password, first name, last name, or pass-phrase, which are normally short and usually

three to sixteen characters in length.

♦ The samples used to build the reference profiles and the samples used to compare are identical and fixed strings, the difference is the timing information extracted from them.

We devise the scheme for fixed-text keystroke analysis according to the concerns listed above. There are two phases in the scheme for static keystroke analysis,

the training phase and the recognition phase. The training phase is to build the user profiles as the database for recognition phase to compare with.

In the training phase, we have to decide the number of reference samples from each target string, and the size of n-graph to segment the target string.

Figure 3.5 depicts the process of training phase.

Figure 3.5: Flow chart of training phase for fixed-text keystroke analysis

In the recognition phase, we divide it into two parts according the function

for dedicated requirement: Authentication or Identification. Figure 3.6 depicts the process of recognition phase.

Authentication Module τ, TS, λτ Acceptance or Rejection of the claimed identity τ User Profile Database

τ : Claimed identity of the user

TS : Testing samples of keystroke sequences and timing information

λτ : Profile for τ as HMM parameters λ's : All user profile in User Profile Database τm : Identity matched TS Recognition Phase λτ TS, λ's Identification Module λ's τm found to match TS or report TS is unknown to User Profile Database

Figure 3.6: Flow chart of recognition phase for fixed-text keystroke analysis

3.8. Authentication Strategy

The target strings to be analyzed in traditional login-password authentication mechanism are username and password. We can use two strategies as follows:

♦ O-Strategy

The claimed identity is accepted if both username and password passed

the verification phase. This strategy requires users make no mistakes on both target strings.

♦ A-Strategy

The claimed identity is rejected if both username and password denied

at the recognition phase. This strategy allows users to make almost most one mistake on one of the target strings.

4. Experiments and Results

4.1. Experiment Setting

The experiment was conducted via web browser. A client-side JavaScript is used

to gather the timing information of keystroke. Parts of the volunteers are colleagues and alumni of NCTU. Other parts of volunteers were anonymous

from Internet. User provided their login name and password via html form, just like the way commonly employed by the web-based application. The timing

accuracy we used is 1 millisecond. In this experiment, we use digraph as the segment size of keystroke sequence.

4.2. Data Collection

For the collection of reference samples, 58 volunteers provided two familiar

strings as login name and password for 20 times. As to the collection of testing samples, the above 58 volunteer tried to be authenticated in their own account as

legitimate users for 15 times, 870 testing samples were used to evaluate FRR. Another 257 anonymous volunteers tried to be authenticated in legitimate users’

accounts. Each account was attacked between 44 and 82 times. Total 3528 imposter testing samples were collected.

The lengths of login name and password are between 4 and 14. Figure 4.1 show the distribution of target string length.

58 46 38 30 27 14 7 2 0 10 20 30 40 50 60 Numb er o f Pr of il es 4 5 6 7 8 9 10 11

Minimum Target String Length

Figure 4.1: Target string length distribution of reference samples

4.3. Evaluation

We evaluate the value of standard deviation weighting factor ε between 0.2

and 3.5 with interval of 0.1 for both strategy. Figure 4.2 to Figure 4.5 shows the FAR and FRR of O-Strategy with minimum target length of 9, reference sample

0.00% 10.00% 20.00% 30.00% 40.00% 50.00% 60.00% 70.00% 80.00% 90.00% 100.00% 0.2 0.5 0.8 1.1 1.4 1.7 2 2.3 2.6 2.9 3.2 3.5

Threshold of Standard Deviation

FR

R vs.

FAR _FAR

FRR

Figure 4.2: O-Strategy - Minimum target string length = 9, reference sample size = 5 0.00% 10.00% 20.00% 30.00% 40.00% 50.00% 60.00% 70.00% 80.00% 90.00% 100.00% 0.2 0.5 0.8 1.1 1.4 1.7 2 2.3 2.6 2.9 3.2 3.5

Threshold of Standard Deviation

FR

R vs.

FAR _FAR

FRR

= 10, EER = 5.71% 0.00% 10.00% 20.00% 30.00% 40.00% 50.00% 60.00% 70.00% 80.00% 90.00% 100.00% 0.2 0.5 0.8 1.1 1.4 1.7 2 2.3 2.6 2.9 3.2 3.5

Threshold of Standard Deviation

FR

R vs.

FAR _FAR

FRR

Figure 4.4: O-Strategy - Minimum target string length = 9, reference sample size = 15, EER = 5.24% 0.00% 10.00% 20.00% 30.00% 40.00% 50.00% 60.00% 70.00% 80.00% 90.00% 100.00% 0.2 0.5 0.8 1.1 1.4 1.7 2 2.3 2.6 2.9 3.2 3.5

Threshold of Standard Deviation

FR

R vs.

FAR _FAR

Figure 4.5: O-Strategy - Minimum target string length = 9, reference sample size = 20, EER = 4.76%

Figure 4.6 to Figure 4.9 shows the FAR and FRR of A-Strategy with minimum target length of 9, reference sample size of 5, 10, 15, 20, and 35 possible

standard deviation weighting factor.

0.00% 10.00% 20.00% 30.00% 40.00% 50.00% 60.00% 70.00% 80.00% 90.00% 100.00% 0.2 0.5 0.8 1.1 1.4 1.7 2 2.3 2.6 2.9 3.2 3.5

Threshold of Standard Deviation

FR

R vs.

FAR _FAR

FRR

Figure 4.6: A-Strategy - Minimum target string length = 9, reference sample size = 5, EER = 6.19%

0.00% 10.00% 20.00% 30.00% 40.00% 50.00% 60.00% 70.00% 80.00% 90.00% 100.00% 0.2 0.5 0.8 1.1 1.4 1.7 2 2.3 2.6 2.9 3.2 3.5

Threshold of Standard Deviation

FR

R vs.

FAR _FAR

FRR

Figure 4.7: A-Strategy - Minimum target string length = 9, reference sample size = 10, EER =3.81% 0.00% 10.00% 20.00% 30.00% 40.00% 50.00% 60.00% 70.00% 80.00% 90.00% 100.00% 0.2 0.5 0.8 1.1 1.4 1.7 2 2.3 2.6 2.9 3.2 3.5

Threshold of Standard Deviation

FR

R vs.

FAR _FAR

FRR

= 15, EER =2.91% 0.00% 10.00% 20.00% 30.00% 40.00% 50.00% 60.00% 70.00% 80.00% 90.00% 100.00% 0.2 0.5 0.8 1.1 1.4 1.7 2 2.3 2.6 2.9 3.2 3.5

Threshold of Standard Deviation

FR

R vs.

FAR _FAR

FRR

Figure 4.9: A-Strategy - Minimum target string length = 9, reference sample size = 20, EER =2.54%

We can see from Figure 4.2 to Figure 4.9 that A-Strategy obtained better ERR than O-Strategy. In Figure 4.10 and Figure 4.11, we show that the relation of

0.00% 1.00% 2.00% 3.00% 4.00% 5.00% 6.00% 7.00% 8.00% 4 5 6 7 8 9 10 11

Minimum Target String Length

Eq ual Er ror Ra te r_size = 10 r_size = 15 r_size = 20

Figure 4.10: O-Strategy – EER vs. Minimum target string length

0.00% 2.00% 4.00% 6.00% 8.00% 10.00% 12.00% 4 5 6 7 8 9 10 11

Minimum Target String Length

Equa l Error Rate r_size = 5 r_size = 10 r_size = 15 r_size = 20

Figure 4.11: A-Strategy – EER vs. Minimum target string length

O-Strategy 0.00% 10.00% 20.00% 30.00% 40.00% 50.00% 60.00% 70.00% 80.00% 90.00% 100.00% 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 Number of Reference Samples

Fa lse Rej ect io n R ate ε= 1.0 ε= 2.0 ε= 3.0

Figure 4.12: O-Strategy: FRR with different number of reference samples

O-Strategy 0.00% 10.00% 20.00% 30.00% 40.00% 50.00% 60.00% 70.00% 80.00% 90.00% 100.00% 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 Number of Reference Samples

Fa lse Accept ance Ra te ε= 1.0 ε= 2.0 ε= 3.0

A-Strategy 0.00% 10.00% 20.00% 30.00% 40.00% 50.00% 60.00% 70.00% 80.00% 90.00% 100.00% 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 Number of Reference Samples

False Rejection

Rate

ε= 1.0 ε= 2.0 ε= 3.0

Figure 4.14: A-Strategy: FRR with different number of reference samples

A-Strategy 0.00% 10.00% 20.00% 30.00% 40.00% 50.00% 60.00% 70.00% 80.00% 90.00% 100.00% 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 Number of Reference Samples

False Ac ce pt an ce Ra te ε= 1.0 ε= 2.0 ε= 3.0

Figure 4.15: A-Strategy: FAR with different number of reference samples

We can see from Figure 4.12 to Figure 4.15 that FRR of both strategies drop as the number of reference samples increase, and FAR of both strategies lift slightly

5. Conclusions

Our approach achieved the EER of 2.54%, which is near 2 % - values generally considered to be acceptable for this type of system. The ERR of our scheme can

be improved as we conduct more experiment to collect more reference sample with length longer than 10.

As to future work, we can combine the proposed scheme with the analysis of the surfing route to the login page. The proposed model can be extended to

devise scheme for free-text keystroke analysis, such as continuously real-time identity verification.

6. References

[1] D. Gunetti and C. Picardi, “Keystroke Analysis of Free Text”, ACM Transactions on Information and System Security (TISSEC), vol. 8, no. 3, pp. 312-347, Aug 2005.

[2] L. C. F. Araujo, L. H. R. Sucupira Jr., M. G. Lizarraga, L. L. Ling, and J. B. T. Uabu-Tti, “User Authentication Through Typing Biometrics Features”, IEEE Transactions on Signal Processing, vol. 53, no. 2, pp. 851-855, Feb. 2005.

[3] S. T. Magalhaes, K. Revett, and H. M. D. Santos, “Password Secured Sites – Stepping Forward with Keystroke Dynamics”, Proceedings of the International Conference on Next Generation Web Services Practices (NWeSP’05), pp. 293-298, Aug. 2005.

[4] W. G. de Ru and J. H. P. Eloff, “Enhanced Password Authentication through fuzzy logic,” IEEE Expert, vol. 17, no. 6, pp. 38–45, Nov. 1997.

[5] K. Revett and A. Khan, “Enhancing Login Security Using Keystroke hardening and Keyboard Gridding”, Proceedings of the IADIS MCCSIS, 2005.

[6] S. T. Magalhaes, H. M. D. Santos, “An Improved Statistical Keystroke Dynamics Algorithm”, Proceedings of the IADIS MCCSIS, 2005.

[7] A. Peacock, X. Ke, and M. Wilkerson, “Typing Patterns: A Key to User Identification”, IEEE Security & Privacy, vol. 2, no. 5, pp. 40-47, Sep 2004. [8] J. Leggett and G. Williams, “Verifying Identity via Keystroke

Characteristics”, International Journal of Man-Machine Studies, vol. 28, no. 1, pp. 67-76, 1988.

[9] S. Haidar, A. Abbas, and A. K. Zaidi, “A multi-technique approach for user identification through keystroke dynamics,” in Proc. IEEE International Conference on Systems, Man, and Cybernetics, vol. 2, pp. 1336–1341, 2000.

[10] D. Song, P. Venable, and A. Perrig, “User Recognition by Keystroke Latency Pattern Analysis”, Apr. 1997.

[11] F. Monrose and A. Rubin, “Authentication via Keystroke Dynamics”, Proceedings of the 4th ACM conference on Computer and Communication Security, pp. 48-56, Apr. 1997.

[12] M. I. Jordan, “An Introduction to Probabilistic Graphical Models”. In preparation.

[13] D. X. Song, D. Wagner, and X. Tian, “Timing Analysis of Keystrokes and Timing Attacks on SSH”, In 10th USENIX Security Symposium,

pp.337-352, Aug. 2001.

[14] S. Russell and P. Norvig, “Artificial Intelligence, A Modern Approach”, Prentice Hall, 1995.

[15] P. Dowland, H. Singh, and S. M. Furnell, “A Preliminary Investigation of User Authentication using Continuous Keystroke Analysis”, Proceedings of 8th IFIP Annual Working Conference on Information Security Management and Small System Security, Sep. 2001.

[16] P. Dowland, H. Singh, and S. M. Furnell, “Keystroke Analysis as a Method of Advanced User Authentication and Response”, Proceedings of the IFIP TC11 17th International Conference on Information Security: Vision and Perspectives, pp. 215-226, May. 2002.

[17] F. Bergadano, D. Gunetti, and C. Picardi, “User Authentication through Keystroke Dynamics”, ACM Transactions on Information and System Security (TISSEC), vol. 5, no. 4, pp. 367-397, Nov 2002.

[18] R. S. Gaines, W. Lisowski, S.J. Press, and N. Shapiro, “Authentication by Keystroke Timing: Some Preliminary Results”, Rand Report R-256-NSF. Rand Corporation, 1980.

[19] R. Joyce and G. Gupta, “Identity Authentication Based on Keystroke Latencies”, Communication s of the ACM, vol. 33, no. 2, pp. 168–176, 1990.

[20] D. Umphress and G. Williams, “Identity Verification through Keyboard Characteristics”, International Journal of Man-Machine Studies, vol. 23, no. 3, pp. 263-273, 1985.

[21] A. J. Mansfield and J. L. Wayman, “Best Practices in Testing and Reporting Performance of Biometric Devices”, Biometrics Working Group, Aug. 2002.

[22] L. R. Rabiner, “A Tutorial on Hidden Markov Models and Selected Applications in Speech Recognition”, Proceedings of the IEEE, vol. 77, No. 2, Feb. 1989.

[23] S. Bleha, C. Slivinsky, and B. Hussien, “Computer-Access Security Systems Using Keystroke Dynamics”, IEEE Transactions on Pattern Analysis and Machine Intelligence, vol. 12, no. 12, Dec. 1990.