Barghouthi, Hafez
Keystroke Dynamics: How typing characteristics differ from one application to another
Topic covered by the project
One of the most important things before giving a person access to any resource is to identify or authenticate him first. A password is one way to do this. A user gives his username (claiming an identity) and then gives his password (ownership of the claimed identity).
However, there are some problems in using passwords. One of them is that long or short passwords can be forgotten if they have a random combination of various characters (difficult to memorize).Another problem with passwords that they can be guessed easily when they are just derived from dictionary words or even they can be stolen easily if they are written down by their owner. Tokens are a second approach to being authenticated through something you have, however they can be forgotten, lost or even stolen by attackers.
Biometrics is a third approach for identifying and authenticating people based on what they are. For example it is highly likely but not proven that everyone has a different fingerprints that can be used to differentiate one person from another one.
Biometrics can be divided into two categories, physiological and behavioral. The first category contains the features that are physically related to a person for example iris, fingerprints and retina. The second category contains the features that people have learned to do. More or less fixed manner examples on this category are walking (gait), writing a signature and typing on a keyboard (Keystroke Dynamics).
In this project we will look at keystroke dynamics as a method for authentication. By keystroke dynamics we mean the way that a person types. This can be characterized by timing when keys are pressed down or released up. it can also be characterized by pressure, angle of pressing the key and more in which case we need special hardware, e.g. a special keyboard or a camera. There are two types of keystroke dynamics. The first one is the static keystroke dynamics in which the data that is typed is fixed and also the time this information is typed in is fixed (during login time). The second one is continuous keystroke dynamics in which case the typing characteristics are analyzed during a complete session. The literature concerning keystroke dynamics is focusing more on the static type, while less literature can be found on continuous type. Many experiments in this field have a small error rate meaning that we can authenticate people in a good manner using keystroke dynamics.
The point is that we can authenticate people through their typing behavior. However we know in advance that the typing characteristics are different when a person uses a different application, a different keyboard or type in a different language. The mentioned topics raise a lot of open question related to keystroke dynamics. In this project we will try to find an answer to one of these questions: How typing characteristics differ from one application to another and do these differences interfere with the authentication process?
Keywords
Biometrics, Authentication, Identification, Keystroke Dynamics, Duration, Latency, Neural Network.
Problem description
Many experiments which are done to investigate the keystroke dynamics as an authentication method have a low error rate between(1.17% and 5%) in which we can rely on such kinds of experiments to authenticate people. Some of the previous studies have proven that keystroke dynamic authentication is resistance against some type of attacks like shoulder sniffing but still weak against some attacks in which the attacker
has feedback about the typing characteristics of the legitimate person. Not a lot of research has been done on how different applications affect the typing characteristics of the user. One of the publications of Furnell is discussing the effect of different application in the keystroke dynamics field. It is important to know if we can still depend on keystroke dynamics to authenticate people when they run different applications. There might be a large difference in typing characteristics when chatting on MSN compared to writing a program in Java. You need to think, to analyze and then to type when you are writing a Java program while in MSN chatting the situation is different. Furthermore when you are writing a Java program you will use much more special characters than when you are writing a formal letter using Microsoft Word. Our target in this project is to investigate this problem, and try to assure the stability of keystroke dynamics techniques.
Justification, motivation and benefits
Keystroke Dynamics will strengthen the security of the system. Even after logging into the system, the user needs to know how to type. The typing rhythm should match with the legitimate users typing rhythm. And even when the user switch to another application, the system must has the ability to authenticate the user without any problem. There is a high demand to agree on a certain template to be used in order to authenticate a user regardless which application is used.
Research questions
In this project we want to investigate the following two research questions:
• How are typing characteristics different from one application to another and where are the similarities?
• How we can benefit from the results of those differences and similarities to generate a reliable template to authenticate a user regardless which application is used?
• Is it possible to authenticate a person based on one general template or we need a set of application dependent templates?
• Is it possible to say that the typing characteristics in application X are more stable than in application Y?
Other minor questions will arise like:
• How we can design an experiment to measure the differences in typing characteristics?
• How many participants should we have?
• Which applications should be chosen?
Planned contributions
Hopefully this project will come up with results in how some different applications affect the ability to recognize people using Keystroke Dynamics. In other words we are going to design an experiment to measure differences in typing characteristics when a user try to use different kinds of applications. If the changing of the application do not significantly impact the recognizing process or if it would be possible to do some special processing according to what the application is, there should be no problems using a Keystroke dynamics to authenticate user regardless which application he used. This of course will strengthen the reliability of Keystroke Dynamics as an authentication method.
