Behavioral biometrics mechanism for delaying password obsolescence

  1. 1. Why? Watermarks; hwing; SDW; I AM MY PHONE
  2. 2. A password is a single authentication factor that creates an “assurance” that an individual is who they say they are. Passwords are doomed, and hated, and unnecessarily difficult, and perhaps irreplaceable.
  3. 3. The password is a miserable authenticator
      • if it’s complex enough, it’s too hard to remember
      • if it’s simple enough, bad guys will guess it
      • can’t re-use them
      • can’t write them down
      • the places they are used often have surveillance systems & people with recording devices
      • bad guys steal huge batches of them (sort of)
      • disconnect between cost and true necessity
  4. 4. Unfortunately, no one is going to give up using passwords. It’s all they know. They’ve spent their lifetimes naming their pets accordingly. Something must be done to SAVE the PASSWORD.
  5. 5. passphrases; mnemonics; strength checkers; password management tools; single sign-on; OpenID+; NIST tips!
  6. 6. life experience passwords; graphical passwords; drawn passwords / signatures; uSig (know the pic / have the gizmo); questions; gestures; multi-touch gestures; tokens (have the gizmo); e-signature (requires a “device”)
  7. 7. “Not a single scheme is dominant over passwords, i.e., does better on one or more benefits and does at least as well on all others. Almost all schemes do better than passwords in some criteria… Thus, the current state of the world is a Pareto equilibrium. Replacing passwords with any of the schemes examined is not a question of giving up an inferior technology for something unarguably better, but of giving up one set of compromises and trade-offs in exchange for another.” (The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes. Joseph Bonneau, University of Cambridge; Cormac Herley, Microsoft Research; Paul C. van Oorschot, Carleton University; Frank Stajano, University of Cambridge)
  8. 8. iris; retina; fingerprint; heart rate; face; ear geometry; hand geometry; palm vein pattern; thermal signature; odor; bioimpedance +
  9. 9. Physical biometrics is a miserable authenticator
      • people don’t want to give them up
      • once it’s in the wild, it’s gone
      • actual features identify a person, but does the digital representation adequately represent the actual feature?
      • vulnerable – replay attacks+
  10. 10. Exploring novel, not-novel and failed mechanisms for multi-factor authentication
  11. 11. handwriting; voice; gait; interactions like keyboarding, touch, phone movement/position; decision making; linguistics; app behaviors; diligence; web browsing / app switching; transportation (method/route/speed); outbound social behavior + everything else
  12. 12. DARPA Active Authentication Program: Behavioral Biometrics (RSA Conference – Asia Pacific – 2013)
      BehavioSec: • Keyboard Capture Intervals • Application Switching • Touch Motion • Mouse Motion
      Others: • Stylometry • Application start • Search behavior • Covert games
  13. 13. burstiness; length of session; average time on a page; time between revisits; genre (diffbot.com). (User Authentication from Web Browsing Behavior. Myriam Abramson, Naval Research Laboratory; David W. Aha, Naval Research Laboratory)
  14. 14. Behavioral biometrics may be better
      • transparent to users
      • can be used continuously
      but
      • requires privacy and security by design
      • adequate processing for adequately complex analysis is not yet available
      • requires an authentication unit / chip
  15. 15. For regular smartphone users, aggregating behavior information will be adequate to verify identity. Our phones could “know who we are”, if we taught them to “look at our behavior”. Rather than replacing passwords, which still have some security purposes, as well as a psychological/cultural value, in the future we could consider passwords to be the 2nd Factor – and behavioral biometrics to be the 1st Factor. (mention the two Bs and EU Data Protection here)
  16. 16. a theoretical app used to brainstorm about facets of human/phone interaction and convergence (or a real app if someone wants to develop it)
  17. 17. Facets: language (abbreviations, case usage, grammar, word omissions, slang, emoticons +); keyboarding (use of autocomplete +); errors and error correction (backspace/autocorrect); locations / travel; app usage; gaming and in-game behavior; search behavior; phone positioning; unlock behavior; “telephone” usage (Bluetooth/speaker/handheld); financial transactions. The role of VARIATION: the extent to which each facet VARIES in similar and different contexts, assessed against other facets, is itself an essential facet.
  18. 18. The elements of the outside world that interact with you converge on only one person.* The way they contact you and the way you respond is an authentication factor. For today, we will call it “convergence”. The measurable facets of “convergence” include:
      • how (text, email, app)
      • when
      • where
      • extent (“length of interaction”)
      • response time
      * of course, there are exceptions
      “Outbound interactions” are a behavioral biometric. “Inbound interactions” are not. The combination of the two can be used as an authentication factor.
  19. 19. The theoretical “am I me” app makes a go/no-go decision regarding allowing password submission. The in-phone process creates “virtual images” that represent the person's range of behaviors and connections (who/how+). The images are generated over time via fly-by. Variability is critical; contrary to instinct, it is an identifying feature. The "images" (akin to perceptual hashes) are the only aggregation point. The data does not exist as a single unit except as represented in the image. The images are stored on the app server. Then the current/recent "image" is verified against the server images using complicated math. Based on the result, the phone attests (or doesn’t attest) to the user, and a password can be submitted. (In-phone verification is "possible" but seems (perhaps impossibly) more vulnerable.)
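A sketch of the go/no-go gate from slide 19, written here as an added example that is not part of the deck: the phone folds behaviour facets into a short bit string (the “image”), the server compares it by Hamming distance with the images enrolled over time, and only a successful attestation unlocks password submission. The facet names, bin edges, tolerance and the use of an HMAC as the attestation are all assumptions; the “complicated math” of the slide is replaced by this simpler distance check.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed facets (drawn from slides 17 and 18) with fixed bin edges that quantise
# each raw measurement into four levels. Values and bins are constructed.
FACET_BINS = {
    "backspace_rate":   (0.02, 0.05, 0.10),  # error corrections per keystroke
    "autocomplete_use": (0.10, 0.30, 0.60),  # share of words taken from autocomplete
    "avg_msg_len":      (15, 40, 90),        # characters per outbound message
    "reply_delay_s":    (30, 300, 3600),     # response time to inbound contact
    "unlock_hour":      (6, 12, 18),         # typical hour of unlock events
    "speaker_share":    (0.10, 0.30, 0.60),  # share of calls on speaker/Bluetooth
}
GRAY = ("00", "01", "11", "10")  # adjacent levels differ in one bit, so slight drift costs one bit

def behaviour_image(facets):
    """Phone side: fold raw facet values into a short bit string (the 'image').
    Only the image leaves the phone; the raw measurements are not aggregated."""
    return "".join(GRAY[sum(facets[name] > edge for edge in edges)]
                   for name, edges in FACET_BINS.items())

def hamming(a, b):
    """Bit differences between two images of equal length."""
    return sum(x != y for x, y in zip(a, b))

@dataclass
class AttestationServer:
    """Server side: keeps images enrolled over time and attests only on a match."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    enrolled: list = field(default_factory=list)
    tolerance: int = 2  # maximum Hamming distance to the nearest enrolled image

    def enrol(self, image):
        self.enrolled.append(image)

    def attest(self, image):
        """Go/no-go: return a MAC over the image if it is close to an enrolled one.
        (A deployment would also bind a fresh server nonce so attestations cannot be reused.)"""
        if not self.enrolled or min(hamming(image, e) for e in self.enrolled) > self.tolerance:
            return None
        return hmac.new(self.key, image.encode(), hashlib.sha256).hexdigest()

    def allow_password_submission(self, image, attestation):
        """The password (2nd factor) may be submitted only with a valid attestation."""
        if attestation is None:
            return False
        expected = hmac.new(self.key, image.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(attestation, expected)
```

Because the Gray code makes neighbouring levels differ by one bit, a user whose message length and unlock time drift by one bucket each still verifies at tolerance 2, while a profile that differs in every facet is rejected.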
  20. 20. After here… some references and slides I didn’t use
  21. 21. RE THE NEED FOR AN AUTHENTICATION PROCESSING UNIT: “The challenge lies in assuring the security of the completed system and for this, experience shows that general-purpose computing systems cannot be made secure enough to resist compromise by a determined adversary. Historically, special-purpose computing needs have resulted in the development of dedicated, special-purpose computing hardware. Early in the history of computing, the Arithmetic Logic Unit (ALU) was developed to augment the numerical processing capabilities of more limited general-purpose CPUs. Likewise, Graphics Processing Units (GPUs) were developed to provide high-performance graphics handling. Similarly, designing and implementing a hardware “Authentication Processing Unit” (APU) implementing the principles of authentication outlined above would be an expected outcome of such consideration.” (Principles of Authentication. Ed Talbot, UC Davis; Sean Peisert, UC Davis and Berkeley Lab; Matt Bishop, UC Davis. SOUPS 2014)
  22. 22. References
      • Core Characteristics for Evaluating Authenticators. Bruce K. Marshall, PasswordResearch.com
      • Alternatives to passwords: Replacing the ubiquitous authenticator. Ron Condon, in Computer Weekly
      • Principles of Authentication. Ed Talbot, UC Davis; Sean Peisert, UC Davis and Berkeley Lab; Matt Bishop, UC Davis (SOUPS 2014)
      • Who You Are by way of What You Are: Behavioral Biometric Approaches to Authentication. Michael Karlesky, Napa Sae-Bae, Katherine Isbister, Nasir Memon, NYU Polytechnic School of Engineering (SOUPS 2014)
      • User Authentication from Web Browsing Behavior. Myriam Abramson, Naval Research Laboratory; David W. Aha, Naval Research Laboratory
      • The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes. Joseph Bonneau, University of Cambridge; Cormac Herley, Microsoft Research; Paul C. van Oorschot, Carleton University; Frank Stajano, University of Cambridge
      • DARPA Active Authentication Website:
  23. 23. Abramson / Aha: “The authentication problem has been addressed in the context of masquerade detection in computer security by modeling user command line sequences (Schonlau et al. 2001). In the masquerade detection problem, the task is to positively identify masqueraders but not to positively identify a particular user. Recent experiments modeling user issued OS commands as bag-of-words without timing information have obtained a 72.7% true positive rate and a 6.3% false positive rate (Salem and Stolfo 2010) on a set of 15000 commands for 70 users grouped in sets of 100 commands. In that work, a one-class support vector machine (SVM) (Schölkopf et al. 2000) was shown to produce better performance results than threshold-based comparison with a distance metric. We extend the results of this work to features of Web browsing behavior individually and in combination with an ensemble.”
      LATER “The goal of this study is to verify the claim that users can be authenticated from their Web browsing behavior. All experiments were conducted in the Weka machine learning workbench (Hall et al. 2009) augmented by our own ensemble algorithms. We extracted the features of Web browsing behavior described above from each user session and aggregated them into one feature vector. A user’s dataset consisted of all sessions collected for that user. For each user, we compared the false rejection rate (FRR) (i.e., false negative rate) and the false acceptance rate (FAR) (i.e., false positive rate) for classifiers derived from each feature set and an ensemble classifier composed of classifiers based on a weighted random sample of those features. FRR results were obtained using cross-validation on the user’s dataset while FAR results were obtained by applying the classifier obtained on a dataset containing the data of all the other users.”
      LATER “One-class classification is pertinent in the context of classification with only positive examples where negative examples are hard to come by or do not fit into a unique category. Some applications for one-class classification include anomaly detection, fraud detection, outlier detection, authorship verification and document classification where categories are learned individually. The goal of one-class classification is to detect all classes that differ from the target class without knowing them in advance. One-class classification is similar to unsupervised learning but tries to solve a discriminative problem (i.e., self or not self) rather than a generative problem as in clustering algorithms or density estimation. Several algorithms have been modified to perform one-class classification. We used a one-class SVM available with LibSVM (Schölkopf et al. 2000) as part of the Weka machine learning toolbench. SVMs are large-margin classifiers that map feature vectors to a higher dimensional space using kernels based on similarity metrics. The optimization objective in SVMs is to find a linear separating hyperplane with maximum margin between class boundaries.”
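The evaluation recipe quoted above (train a one-class model on the target user's sessions only, measure FRR by cross-validation on that user's data, measure FAR by applying the model to every other user's sessions) carried out in code, using the four slide-13 browsing features. This is an added example and not the paper's or the deck's code: a standardised-distance threshold stands in for the one-class SVM the paper ran in Weka, and all session data is constructed.

```python
import math
import random
from statistics import mean, pstdev

def make_sessions(rng, centre, spread, n):
    """Constructed sessions: a user-specific centre per feature plus Gaussian noise.
    Feature order: burstiness, session length, avg time on a page, time between revisits."""
    return [[rng.gauss(c, s) for c, s in zip(centre, spread)] for _ in range(n)]

class OneClassProfile:
    """Trained on the target user's sessions only; 'not self' is never seen in training.
    A standardised-distance threshold stands in for the paper's one-class SVM."""
    def __init__(self, sessions, threshold):
        cols = list(zip(*sessions))
        self.mu = [mean(c) for c in cols]
        self.sigma = [pstdev(c) or 1e-9 for c in cols]   # guard against constant features
        self.threshold = threshold

    def distance(self, session):
        # Euclidean distance over per-feature z-scores (a diagonal Mahalanobis distance)
        return math.sqrt(sum(((x - m) / s) ** 2
                             for x, m, s in zip(session, self.mu, self.sigma)))

    def is_self(self, session):
        return self.distance(session) <= self.threshold

def frr_cross_validated(sessions, threshold, folds=5):
    """FRR: share of the user's own held-out sessions that are wrongly rejected."""
    rejected = 0
    for k in range(folds):
        train = [s for i, s in enumerate(sessions) if i % folds != k]
        held_out = [s for i, s in enumerate(sessions) if i % folds == k]
        model = OneClassProfile(train, threshold)
        rejected += sum(not model.is_self(s) for s in held_out)
    return rejected / len(sessions)

def far_against_others(user_sessions, other_sessions, threshold):
    """FAR: share of other users' sessions that the user's model wrongly accepts."""
    model = OneClassProfile(user_sessions, threshold)
    return sum(model.is_self(s) for s in other_sessions) / len(other_sessions)

def evaluate(seed=1, threshold=3.5):
    """Three constructed users; the model is built for 'alice' and scored both ways."""
    rng = random.Random(seed)
    alice = make_sessions(rng, (0.3, 40.0, 25.0, 600.0), (0.05, 8.0, 5.0, 120.0), 60)
    bob = make_sessions(rng, (0.7, 15.0, 8.0, 3000.0), (0.05, 4.0, 2.0, 400.0), 60)
    carol = make_sessions(rng, (0.5, 90.0, 60.0, 1200.0), (0.05, 15.0, 10.0, 200.0), 60)
    return {"FRR": frr_cross_validated(alice, threshold),
            "FAR": far_against_others(alice, bob + carol, threshold)}
```

Lowering `threshold` trades FAR for FRR; the paper's point is that both must be reported per user, since a model never sees impostor data while it is trained.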
  24. 24. Attacks: masquerade attacks; linkage attacks – like a database join; graphical passwords – pattern-based attacks
  25. 25. Abramson / Aha: “Attribution is broadly defined as the assignment of an effect to a cause. We differentiate between authentication and identification as two techniques for attribution of identity. Authentication is defined as the verification of claimed identification (Jain, Bolle, and Pankanti 1999). Their distinction is subtle in the sense that authentication is usually obtained through identification. Likewise, identification can be obtained from authentication attempts of each user in turn. Identification involves recognition as a one-to-many matching problem while authentication is a one-to-one matching problem. This paper focuses on the authentication problem.” User syntactic patterns; Power Law distribution
  26. 26. Passwords lack integrity based on... how difficult they are to guess, forge, or steal or inadvertently reveal or give away or USE without the individual’s willing participation
  27. 27. Wikipedia says there are “Three categories of authentication factors”
      • Knowledge – things the user knows (passwords)
      • Possession – things the user has (card)
      • Inherence – things the user is (biometrics): physical biometrics, behavioral biometrics
      There’s at least one more. There’s “convergence”, which is the interactions of the outside world with you.
