New Research Aims to Improve the Security of User Authentication Through Behavioral Biometrics
By Sheila Yong
“Yahoo, Equifax, Target. These names come up together now because they have all been subject to massive data breaches.” Mahesh Banavar, an assistant professor in electrical and computer engineering, delivered a powerful opening for his pitch at Clarkson’s inaugural pilot grant program competition on March 1.
Banavar is part of a research team that is working on a novel approach to overcome security vulnerabilities and protect against digital data breaches. His collaborators include Stephanie Schuckers, the Paynter-Krigman Endowed Professor in Engineering Science, and Daqing Hou, director of software engineering and professor of electrical and computer engineering. Their proposal, “Next generation behavioral biometrics: capturing more application usage behavior,” won the Nicklas-Ignite Research Fellowship.
With $125,000 in funding, this fellowship will kick-start their research, allowing them to obtain data and perform preliminary research for future external funding applications.
Information vulnerable to data breaches includes names, addresses, dates of birth and Social Security numbers. Users of many websites are commonly asked to submit these details online when they set up new accounts or forget their passwords.
The team’s solution to overcome this vulnerability is to replace the existing knowledge-based authentication system with a continuous, behavior-based one. Rather than simply requiring passwords or fingerprint scans, this new behavior-based authentication system will analyze how we interact with our devices. Specifically, it will analyze how we use our keyboards, mice and mobile devices, and compile data that identify a specific user. By monitoring these unique usage patterns, this new authentication system will learn who we are and verify our identities before allowing us to continue accessing our online accounts and apps on our devices. The team has already amassed a database of approximately 12 million keystrokes and is currently collecting additional data on mouse and mobile-device usage patterns.
To demonstrate the feasibility of their proposal, the investigators used their keystroke data to test their keyboard algorithm. In this scenario, users enrolled themselves by each typing 10,000 characters on the keyboard.
Using the keyboard algorithm alone, the investigators could detect an intruder with 97 percent accuracy within three minutes. “Still, we aim to shorten this lead time in order to provide denser protection to the user,” says Hou.
What happens if an enrolled user is unusually slow in typing because of an injury, or when the user makes mistakes? The team believes that their algorithm will still be able to verify the user’s identity. “The underlying algorithm looks at more than just the typing speed. It also analyzes the user’s more subtle traits such as relative speeds between different keystroke patterns,” Hou says.
“As you change over time, your profile on your devices will have to keep up with you,” Banavar says. Future research will investigate such scenarios more closely.
The researchers plan to incorporate safety features and combine them with traditional biometrics and with protections that lock a user out if the algorithm detects a certain number of mistakes in succession. This measure is similar to the one often used in classic authentication methods, when a user is locked out of an online account after entering the wrong password multiple times.
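The two ideas above, relative speeds between keystroke patterns and lockout after mistakes in succession, can be sketched as follows; this is an added illustration, not the researchers' algorithm. The median normalization, the 0.25 threshold, the three-strike limit, all function names and the sample timings are assumptions constructed for the example.

```python
from statistics import mean, median

def digraph_profile(events):
    """Map each two-key sequence to its mean latency relative to session pace."""
    # events: list of (key, press_time_ms). Dividing by the session's median
    # latency makes a uniformly slower or faster session give the same profile.
    gaps = {}
    for (k1, t1), (k2, t2) in zip(events, events[1:]):
        gaps.setdefault(k1 + k2, []).append(t2 - t1)
    pace = median(g for v in gaps.values() for g in v)
    return {d: mean(v) / pace for d, v in gaps.items()}

def distance(enrolled, sample):
    """Mean absolute difference over digraphs present in both profiles."""
    shared = enrolled.keys() & sample.keys()
    if not shared:
        return float("inf")  # nothing comparable: treat as a failed window
    return mean(abs(enrolled[d] - sample[d]) for d in shared)

def monitor(enrolled, windows, threshold=0.25, max_strikes=3):
    """Return the index of the window that triggers lockout, or None."""
    strikes = 0
    for i, window in enumerate(windows):
        if distance(enrolled, digraph_profile(window)) > threshold:
            strikes += 1
            if strikes >= max_strikes:
                return i
        else:
            strikes = 0  # a matching window resets the count
    return None

def type_text(text, latency, scale=1.0):
    """Build constructed key events from per-digraph latencies (ms)."""
    t, events = 0.0, [(text[0], 0.0)]
    for a, b in zip(text, text[1:]):
        t += latency[a + b] * scale
        events.append((b, t))
    return events

# Constructed sample data, not measurements from the study.
TEXT = "the hen then"
OWNER = {"th": 90, "he": 110, "e ": 150, " h": 200, "en": 120, "n ": 160, " t": 180}
OTHER = {"th": 180, "he": 90, "e ": 100, " h": 120, "en": 200, "n ": 110, " t": 95}

if __name__ == "__main__":
    enrolled = digraph_profile(type_text(TEXT, OWNER))
    slow = type_text(TEXT, OWNER, scale=1.6)  # same rhythm, 60% slower
    other = type_text(TEXT, OTHER)            # different rhythm
    print(distance(enrolled, digraph_profile(slow)),
          distance(enrolled, digraph_profile(other)),
          monitor(enrolled, [slow, other, other, other]))
```

The slowed-down session scores a distance of essentially zero because only its pace changed, while the session with a different rhythm exceeds the threshold and triggers lockout on its third consecutive failed window.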
The team also plans to include a “transfer learning” feature in the algorithm that will allow user profiles to be transferred from one device to another, even when the types of data collected are different, such as keystrokes and mouse usage versus swipes and gestures.
The team is collaborating with several companies through Clarkson’s Center for Identification Technology Research (CITeR), a National Science Foundation Industry/University Cooperative Research Center, of which Schuckers is the director. The investigators believe that these collaborations will help them fine-tune their algorithm design and help protect data in today’s digital world.