This master thesis is about keystroke dynamics in authentication. Many reports have been written on keystroke dynamics, with varying results for the false acceptance rate (FAR) and the false rejection rate (FRR), but all of them conclude that keystroke dynamics can be used to authenticate users. Some of the reports have tried to imitate the typing characteristics of legitimate users, using shoulder surfing or video recordings as the attack technique, and concluded that keystroke dynamics is resistant to such attacks. We know that it is difficult to learn a sport without training and proper feedback, and we assume the same holds for keystroke dynamics. We are going to find a suitable authentication method based on keystroke dynamics, and we are going to imitate the typing of legitimate users with a more advanced attack: attackers use a program that helps them learn another person's typing characteristics. This lets us answer the important question: is it possible to imitate the typing characteristics of a legitimate user? The usability of keystroke dynamics depends on the answer.
In computer security we are interested in methods that securely identify and/or authenticate users. Identification is when we try to find the identity of an unknown user; this is done by checking whether the unknown user matches any of the known identities. Authentication is when the unknown user gives us his or her identity, and we check whether the claim is true. Username and password is one widely known authentication method: the user claims an identity (the username) and gives his or her password to prove it. Authentication is a one-to-one verification; we check whether this is the claimed user or not. Identification is a one-to-many verification, as in forensics when a fingerprint is checked against a fingerprint database. Users can be authenticated with three authentication factors. The three authentication factors are:
With biometrics it is possible to authenticate and identify users based on who they are, not on what they possess or what they know. Biometrics can be divided into two categories, physiological and behavioural. Physiological means features that are physically part of the user, such as fingerprint, face, iris, hand, etc. Physiological features are used both in the computer world and in the real world: we identify (recognize) people when we see their face. Behavioural means how people do things, such as gait, voice, signature, etc. When a close friend calls we can easily identify him or her by voice, and when a distant friend calls we authenticate (recognize) him or her after the identity (name) has been given.
Keystroke dynamics belongs to the behavioural category: we can identify and authenticate people by the way they type on their keyboard. During WWII, telegraph operators could identify the operator at the other end by the way he or she was keying. The telegraph operators used one button and one finger; when we type a PIN code we use ten buttons and up to four fingers, and with a password we use about 50 buttons and up to ten fingers. Because of the much higher number of buttons and fingers we can probably distinguish more accurately between people, but the drawback is that the system becomes much more complex.
Although biometrics is popular, it is seldom used in computer systems. The obstacles have often been price, installation problems, and the fact that users are negative towards authentication methods that reduce their efficiency or comfort. Some users are afraid of using the systems; one example is users who fear eye damage during iris or retina scans. Systems that capture biometric features often need special equipment, such as a fingerprint reader, a camera, a hand scanner, and so on. Keystroke dynamics, on the other hand, uses the computer keyboard or the numeric keypad on an ATM. No new equipment is needed, and a keystroke dynamics system can be almost unnoticeable to the users.
When users are authenticated with keystroke dynamics, their typing features are compared. Such features include finger placement (where on the key: centre, left, top, etc.), typing pressure, finger angle, and so on. These features require a camera or a special keyboard and are probably only of interest in high-security environments, although future keyboard and computer designs could make them available where cost matters. A normal keyboard can register the latency between keystrokes, how long a key is held down (duration), and which key is pressed. We are going to use these standard keyboards.
The features are compared using a distance metric, a function that takes two samples and outputs a value for how close together or far apart they are. A real-life analogy: when we ask someone how far away placeA is, we are really asking for the distance between here and placeA. Depending on whom we ask we get different answers, such as 150 kilometres or two hours. It is the same with distance metrics: their results differ even though the inputs are the same. Many distance metrics have been tested, and none of them is perfect. Finding a suitable one is a major task in this thesis. Another major task is finding which features give the most distinctive values between people. The goal is a low false acceptance rate (FAR) and a low false rejection rate (FRR). FRR is the percentage of legitimate users who are incorrectly denied access; FAR is the percentage of persons who are incorrectly accepted by the system.

To find a good distance metric we must look at intra-class distance and inter-class distance. In keystroke dynamics the intra-class distance is the distance between typing sessions of one user, and the inter-class distance is the distance between different users. Our aim is a distance metric that gives a small intra-class distance and a large inter-class distance. A new typing sample is compared with a stored typing template. The template is created in the enrolment phase, when the user is added to the system; it could be, for example, the average of five samples. The template could also adapt to the user's changing typing characteristics, for example by using the ten most recent successful login samples as the template.
A high FRR makes the system unusable, since legitimate users have to authenticate themselves several times before they are accepted, if they are accepted at all. A high FAR makes the system insecure. Designers tune the system to suitable FAR and FRR values for the specific situation by adjusting the threshold and/or choosing the features that are best suited. The result of the distance metric is checked against the chosen threshold: a value below the threshold means the user is accepted, otherwise the user is denied. A small threshold gives a high FRR and a low FAR; a large threshold gives a low FRR and a high FAR. By varying the threshold we can draw a Receiver Operating Characteristic (ROC) curve, which shows the relation between FAR and FRR. We are especially interested in the point where FAR equals FRR, called the Equal Error Rate (EER). We want the EER of our authentication system to be as low as possible.
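As an added example, not part of the thesis text, the following Python sketch puts the previous two paragraphs together: a template built as the average of five enrolment samples, a Manhattan distance metric over inter-key latencies, intra- and inter-class distances, and a threshold sweep that yields the ROC points and the EER. All latency values (in milliseconds) are constructed for illustration, and the sample sizes are deliberately tiny.

```python
"""Keystroke-dynamics toy: mean template, Manhattan distance, FAR/FRR sweep, EER.
All timing values below are constructed for illustration (milliseconds)."""
from statistics import mean
from typing import Sequence

Sample = Sequence[float]  # one feature vector: inter-key latencies for a fixed password

# Constructed enrolment samples for one legitimate user (5 logins, 4 latencies each).
ENROLMENT = [[120, 90, 150, 110], [125, 95, 145, 115], [115, 85, 155, 105],
             [130, 100, 140, 120], [110, 80, 160, 100]]
# Constructed later logins: by the same user (genuine) and by other people (impostor).
GENUINE = [[122, 88, 152, 108], [118, 94, 146, 114], [126, 84, 156, 104], [112, 96, 144, 118]]
IMPOSTOR = [[200, 150, 100, 180], [128, 96, 140, 118], [150, 120, 130, 140], [117, 93, 147, 113]]


def build_template(samples: Sequence[Sample]) -> list[float]:
    """Template = feature-wise average of the enrolment samples."""
    return [mean(col) for col in zip(*samples)]


def manhattan(sample: Sample, template: Sample) -> float:
    """Distance metric: sum of absolute per-feature differences (ms)."""
    return float(sum(abs(s - t) for s, t in zip(sample, template)))


def error_rates(threshold: float, genuine_d: Sequence[float],
                impostor_d: Sequence[float]) -> tuple[float, float]:
    """Accept when distance < threshold. FAR = impostors accepted, FRR = genuine rejected."""
    far = sum(d < threshold for d in impostor_d) / len(impostor_d)
    frr = sum(d >= threshold for d in genuine_d) / len(genuine_d)
    return far, frr


def roc_points(genuine_d: Sequence[float], impostor_d: Sequence[float]) -> list[tuple]:
    """(threshold, FAR, FRR) for every observed distance used as a threshold."""
    return [(t,) + error_rates(t, genuine_d, impostor_d)
            for t in sorted(set(genuine_d) | set(impostor_d))]


def equal_error_rate(genuine_d: Sequence[float], impostor_d: Sequence[float]) -> tuple:
    """The ROC point where FAR and FRR are closest: the Equal Error Rate."""
    return min(roc_points(genuine_d, impostor_d), key=lambda r: abs(r[1] - r[2]))


def evaluate() -> dict:
    template = build_template(ENROLMENT)                      # [120, 90, 150, 110]
    genuine_d = [manhattan(s, template) for s in GENUINE]     # intra-class distances
    impostor_d = [manhattan(s, template) for s in IMPOSTOR]   # inter-class distances
    return {"template": template,
            "intra_class_mean": mean(genuine_d),              # want small
            "inter_class_mean": mean(impostor_d),             # want large
            "eer_point": equal_error_rate(genuine_d, impostor_d)}


if __name__ == "__main__":
    for key, value in evaluate().items():
        print(key, value)
```

With these constructed values one impostor sample lands closer to the template than two genuine ones, so no threshold separates the classes perfectly and the EER comes out at 25%; with a larger threshold FRR drops to zero while FAR grows, which is exactly the trade-off the ROC curve describes.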
Many reports have tested their distance metrics by checking how easy it is to imitate users. Most of them have done this by using keystroke dynamics for identification, that is, comparing the typed text against all user templates; if the typed text is closer to the template of the wrong user, that counts as one false acceptance. Others have watched how legitimate users type and then tried to imitate it. A few have videotaped legitimate users and then tried to replicate their typing. None of these tests resulted in a high FAR, but we are going to perform a new and possibly better attack on keystroke dynamics. People learn only the basics of snowboarding by watching others do it, and will not become good without feedback. We are going to teach attackers to imitate the keystroke dynamics of legitimate users by giving them feedback on their performance.