Authentication Using Deep Learning on User Generated Mouse Movement Images

Enström, Olof

January 2019

Continuous authentication using behavioral biometrics can provide an additional layer of protection against online account hijacking and fraud. Mouse dynamics classification is the concept of determining the authenticity of a user through the use of machine learning algorithms on mouse movement data. This thesis investigates the viability of state of the art deep learning technologies in mouse dynamics classification by designing convolutional neural network classifiers taking mouse movement images as input. For purposes of comparison, classifiers using the random forest algorithm and engineered features inspired by related works are implemented and tested on the same data set as the neural network classifier. A technique for lowering bias toward the on-screen location of mouse movement images is introduced, although its effectiveness is questionable and requires further research to thoroughly investigate. This technique was named 'centering', and is used for the deep learning-based classification methods alongside images not using the technique. The neural network classifiers yielded single action classification accuracies of 66% for centering, and 78% for non-centering. The random forest classifiers achieved the average accuracy of 79% for single action classification, which is very close to the results of other studies using similar methods. In addition to single action classification, a set based classification is made. This is the method most suitable for implementation in an actual authentication system as the accuracy is much higher. The neural network and random forest classifiers have different strengths. The neural network is proficient at classifying mouse actions that are of similar appearance in terms of length, location, and curvature. The random forest classifiers seem to be more consistent in these regards, although the accuracy deteriorates for especially long actions. As the different classification methods in this study have different strengths and weaknesses, a composite classification experiment was made where the output was determined by the least ambiguous output of the two models. This composite classification had an accuracy of 83%, meaning it outperformed both the individual models.

Machine Learning

Authentication

Behavioral Biometrics

Deep Learning

Convolutional Neural Networks

Computer Engineering

Datorteknik

Stress Detection for Keystroke Dynamics

Lau, Shing-hon

01 May 2018

Background. Stress can profoundly affect human behavior. Critical-infrastructure operators (e.g., at nuclear power plants) may make more errors when overstressed; malicious insiders may experience stress while engaging in rogue behavior; and chronic stress has deleterious effects on mental and physical health. If stress could be detected unobtrusively, without requiring special equipment, remedies to these situations could be undertaken. In this study a common computer keyboard and everyday typing are the primary instruments for detecting stress. Aim. The goal of this dissertation is to detect stress via keystroke dynamics – the analysis of a user’s typing rhythms – and to detect the changes to those rhythms concomitant with stress. Additionally, we pinpoint markers for stress (e.g., a 10% increase in typing speed), analogous to the antigens used as markers for blood type. We seek markers that are universal across all typists, as well as markers that apply only to groups or clusters of typists, or even only to individual typists. Data. Five types of data were collected from 116 subjects: (1) demographic data, which can reveal factors (e.g., gender) that influence subjects’ reactions to stress; (2) psychological data, which capture a subject’s general susceptibility to stress and anxiety, as well as his/her current stress state; (3) physiological data (e.g., heart-rate variability and blood pressure) that permit an objective and independent assessment of a subject’s stress level; (4) self-report data, consisting of subjective self-reports regarding the subject’s stress, anxiety, and workload levels; and (5) typing data from subjects, in both neutral and stressed states, measured in terms of keystroke timings – hold and latency times – and typographical errors. Differences in typing rhythms between neutral and stressed states were examined to seek specific markers for stress. Method. An ABA, single-subject design was used, in which subjects act as their own controls. Each subject provided 80 typing samples in each of three conditions: (A) baseline/neutral, (B) induced stress, and (A) post-stress return/recovery-to-baseline. Physiological measures were analyzed to ascertain the subject’s stress level when providing each sample. Typing data were analyzed, using a variety of statistical and machine learning techniques, to elucidate markers of stress. Clustering techniques (e.g., K-means) were also employed to detect groups of users whose responses to stress are similar. Results. Our stressor paradigm was effective for all 116 subjects, as confirmed through analysis of physiological and self-report data. We were able to identify markers for stress within each subject; i.e., we can discriminate between neutral and stressed typing when examining any subject individually. However, despite our best attempts, and the use of state-of-the-art machine learning techniques, we were not able to identify universal markers for stress, across subjects, nor were we able to identify clusters of subjects whose stress responses were similar. Subjects’ stress responses, in typing data, appear to be highly individualized. Consequently, effective deployment in a realworld environment may require an approach similar to that taken in personalized medicine.

Keystroke dynamics

keystroke biometrics

behavioral biometrics

stress

stress detection

affect detection

USER ATTRIBUTION IN DIGITAL FORENSICS THROUGH MODELING KEYSTROKE AND MOUSE USAGE DATA USING XGBOOST

Shruti Gupta (12112488)

20 April 2022

<p>The increase in the use of digital devices, has vastly increased the amount of data used and consequently, has increased the availability and relevance of digital evidence. Typically, digital evidence helps to establish the identity of an offender by identifying the username or the user account logged into the device at the time of offense. Investigating officers need to establish the link between that user and an actual person. This is difficult in the case of computers that are shared or compromised. Also, the increasing amount of data in digital investigations necessitates the use of advanced data analysis approaches like machine learning, while keeping pace with the constantly evolving techniques. It also requires reporting on known error rates for these advanced techniques. There have been several research studies exploring the use of behavioral biometrics to support this user attribution in digital forensics. However, the use of the state-of-the-art XGBoost algorithm, hasn’t been explored yet. This study builds on previously conducted research by modeling user interaction using the XGBoost algorithm, based on features related to keystroke and mouse usage, and verifying the performance for user attribution. With an F1 score and Area Under the Receiver Operating Curve (AUROC) of .95, the algorithm successfully attributes the user event to the right user. The XGBoost model also outperforms other classifiers based on algorithms such as Support Vector Machines (SVM), Boosted SVM and Random Forest.</p>

Computer System Security

Computer-Human Interaction

digital forensics

user attribution

behavioral biometrics

Ověřování identity uživatele založené na behaviorálních charakteristikách / User Identity Verification Based on Behavioral Characteristics

Kuchyňová, Karolína

January 2020

Verifying the identity of a user logged into a secure system is an important task in the field of information security. In addition to a password, it may be appropriate to include behavioral biometrics in the authentication process. The biometrics-based system monitors the user's behavior, compares it with his usual actions, and can thus point out suspicious inconsistencies. The goal of this thesis is to explore the possibility of creating a user identity verification model based on his behavior (usage of mouse and keyboard) in a web application. The work includes creation of a new keystroke and mouse dynamics dataset. The main part of the thesis provides the analysis of features (user characteristics) which can be extracted from the obtained data. Subsequently, we report the authentication accuracy rates achieved by basic machine learning models using the selected set of features. 1

Improving the Security of the Android Pattern Lock using Biometrics and Machine Learning

Nilsson, Jacob

January 2017

With the increased use of Android smartphones, the Android Pattern Lock graphical password has become commonplace. The Android Pattern Lock is advantageous in that it is easier to remember and is more complex than a five digit numeric code. However, it is susceptible to a number of attacks, both direct and indirect. This fact shows that the Android Pattern Lock by itself is not enough to protect personal devices. Other means of protection are needed as well. In this thesis I have investigated five methods for the analysis of biometric data as an unnoticable second verification step of the Android Pattern Lock. The methods investigated are the euclidean barycentric anomaly detector, the dynamic time warping barycentric anomaly detector, a one-class support vector machine, the local outlier factor anomaly detector and a normal distribution based anomaly detector. The models were trained using an online training strategy to enable adaptation to changes in the user input behaviour. The model hyperparameters were fitted using a data set with 85 users. The models are then tested with other data sets to illustrate how different phone models and patterns affect the results.        The euclidean barycentric anomaly detector and dynamic time warping (DTW) barycentric anomaly detector have a sub 10 \% equal error rate in both mean and median, while the other three methods have an equal error rate between 15 \% and 20 \% in mean and median. The higher performance of the euclidean and DTW barycentric anomaly detector is likely because they account for the time series nature of the data, while the other methods do not. Each user in the data set have provided each pattern at most 50 times, meaning that the long-term effects of user adaptation could not be studied.

Android Pattern Lock

Dynamic Time Warping

Anomaly Detection

Time Series

Behavioral Biometrics

Other Computer and Information Science

Annan data- och informationsvetenskap

Human Computer Interaction

User authentication through behavioral biometrics using multi-class classification algorithms : A comprehensive study of machine learning algorithms for keystroke and mouse dynamics / Användarautentisering med beteendemässig biometri och användning av multi-class klassificeringsalgoritmer : En djupgående studie av maskininlärningsalgoritmer för tangentbords- och musdynamik

Lantz, Emil

January 2023

User authentication is vital in a secure system. Authentication is achieved through something a genuine user knows, has, or is. The latter is called biometrics, commonly attributed with fingerprint and face modalities. It is also possible to identify a user based on their behavior, called behavioral biometrics. In this study, keyboard and mouse behavior were considered. Previous research indicate promise for this authentication method. The research however is scarce, old and often not comprehensive. This study focus on two available data sets, the CMU keystroke dynamics dataset and the ReMouse data set. The data was used together with a comprehensive set of multi-class supervised classification machine learning algorithms from the scikit-learn library for Python. By performing hyperparameter optimization, two optimal algorithms with modified hyperparameters were found that improved results compared with previous research. For keystroke dynamics a classifier based on a neural network, multi-layer perceptron, achieved an Equal Error Rate (EER) of 1.26%. For mouse dynamics, a decision tree classifier achieved an EER of 0.43%. The findings indicate that the produced biometric classifiers can be used in an authentication model and importantly to strengthen existing authentication models such as password based login as a safe alternative to traditional Multi-Factor Authentication (MFA). / Användarautentisering är vitalt i ett säkert system. Autentisering genomförs med hjälp av något en genuin användare vet, har eller är. Det senare kallas biometri, ofta ihopkopplat med fingeravtryck och ansiktigenkänning. Det är även möjligt att identifiera en användare baserat på deras beteende, så kallad beteendemässig biometri. I denna studie används tangentbords- och musanvändning. Tidigare forskning tyder på att denna autentiseringsmetod är lovande. Forskningen är dock knapp, äldre och svårbegriplig. Denna studie använder två publika dataset, CMU keystroke dynamics dataset och ReMouse data set. Datan används tillsammans med en utförlig mängd maskininlärningsalgoritmer från scitkit-learn biblioteket för programmeringsspråket Python. Genom att optimera algoritmernas hyper parametrar kunde två stycken optimala klassificerare tas fram som åstadkom förbättrade resultat mot tidigare forskning. För tangentbordsbeteende producerades en klassificerare baserat på neurala nätverk, så kallad multi-layer perceptron som åstadkom en EER på 1.26%. För musrörelser kunde en modell baserat på beslutsträd åstadkomma en EER på 0.43%. Resultatet av dessa upptäckter är att liknande klassificerare kan användas i en autentiseringsmodell men också för att förbättra säkerheten hos etablerade inloggningssätt som exempelvis lösenord och därmed utgöra ett säkert alternativ till traditionell MFA.

Behavioral biometrics

keystroke dynamics

mouse dynamics

machine learning

neural networks

decision trees.

Beteendemässig biometri

maskininlärning

neurala nätverk

beslutsträd.

Elektroteknik och elektronik