Mobile devices typically rely on entry-point and other one-time authentication mechanisms such as a password,
PIN, fingerprint, iris, or face. But these authentication types are prone to a wide attack vector and worse
1 INTRODUCTION
Currently smartphones are predominantly protected
a patterned password is prone to smudge attacks, and
fingerprint scanning is prone to spoof attacks. Other
forms of attacks include video capture and shoulder
surfing. Given the increasingly important roles
smartphones play in e-commerce and other operations
where security is crucial, there lies a strong need
of continuous authentication mechanisms to complement
and enhance one-time authentication such that
even if the authentication at the point of login gets
compromised, the device is still unobtrusively protected
by additional security measures in a continuous
fashion.
The research community has investigated several
continuous authentication mechanisms based on
unique human behavioral traits, including typing,
swiping, and gait. To this end, we focus on investigating
physiological
traits. While interacting with hand-held devices,
individuals strive to achieve stability and precision.
This is because a certain degree of stability is
required in order to manipulate and interact successfully
with smartphones, while precision is needed for
tasks such as touching or tapping a small target on
the touch screen (Sitov´a et al., 2015). As a result,
to achieve stability and precision, individuals tend to
develop their own postural preferences, such as holding
a phone with one or both hands, supporting hands
on the sides of upper torso and interacting, keeping
the phone on the table and typing with the preferred
finger, setting the phone on knees while sitting crosslegged
and typing, supporting both elbows on chair
handles and typing. On the other hand, physiological
traits, such as hand-size, grip strength, muscles, age,
424
Ray, A., Hou, D., Schuckers, S. and Barbir, A.
Continuous Authentication based on Hand Micro-movement during Smartphone Form Filling by Seated Human Subjects.
DOI: 10.5220/0010225804240431
In Proceedings of the 7th International Conference on Information Systems Security and Privacy (ICISSP 2021), pages 424-431
ISBN: 978-989-758-491-6
Copyrightc 2021 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved
still, once compromised, fail to protect the user’s account and data. In contrast, continuous authentication,
based on traits of human behavior, can offer additional security measures in the device to authenticate against
unauthorized users, even after the entry-point and one-time authentication has been compromised. To this end, we have collected a new data-set of multiple behavioral biometric modalities (49 users) when a user fills out an account recovery form in sitting using an Android app. These include motion events (acceleration and angular velocity), touch and swipe events, keystrokes, and pattern tracing. In this paper, we focus on authentication based on motion events by evaluating a set of score level fusion techniques to authenticate users based on the acceleration and angular velocity data. The best EERs of 2.4% and 6.9% for intra- and inter-session respectively, are achieved by fusing acceleration and angular velocity using Nandakumar et al.’s likelihood ratio (LR) based score fusion.
more »
« less
Poster: Making Retrospective Data Management Usable
Online archives, including social media and cloud storage, store vast troves of personal data accumulated over many years. Recent work suggests that users feel the need to retrospectively manage security and privacy for this huge volume of content. However, few mechanisms and systems help these users complete this daunting task. To that end, we propose the creation of usable retrospective data management mechanisms, outlining our vision for a possible architecture to address this challenge.
more »
« less
- Award ID(s):
- 1801663
- NSF-PAR ID:
- 10095897
- Date Published:
- Journal Name:
- Proceedings of the Fourteenth Symposium on Usable Privacy and Security (SOUPS)
- Format(s):
- Medium: X
- Sponsoring Org:
- National Science Foundation
More Like this
-
-
The ubiquity of mobile devices nowadays necessitates securing the apps and user information stored therein. However, existing one-time entry-point authentication mechanisms and enhanced security mechanisms such as Multi-Factor Authentication (MFA) are prone to a wide vector of attacks. Furthermore, MFA also introduces friction to the user experience. Therefore, what is needed is continuous authentication that once passing the entry-point authentication, will protect the mobile devices on a continuous basis by confirming the legitimate owner of the device and locking out detected impostor activities. Hence, more research is needed on the dynamic methods of mobile security such as behavioral biometrics-based continuous authentication, which is cost-effective and passive as the data utilized to authenticate users are logged from the phone's sensors. However, currently, there are not many mobile authentication datasets to perform benchmarking research. In this work, we share two novel mobile datasets (Clarkson University (CU) Mobile datasets I and II) consisting of multi-modality behavioral biometrics data from 49 and 39 users respectively (88 users in total). Each of our datasets consists of modalities such as swipes, keystrokes, acceleration, gyroscope, and pattern-tracing strokes. These modalities are collected when users are filling out a registration form in sitting both as genuine and impostor users. To exhibit the usefulness of the datasets, we have performed initial experiments on selected individual modalities from the datasets as well as the fusion of simultaneously available modalities.more » « less
-
When releasing data to the public, a vital concern is the risk of exposing personal information of the individuals who have contributed to the data set. Many mechanisms have been proposed to protect individual privacy, though less attention has been dedicated to practically conducting valid inferences on the altered privacy-protected data sets. For frequency tables, the privacy-protection-oriented perturbations often lead to negative cell counts. Releasing such tables can undermine users’ confidence in the usefulness of such data sets. This paper focuses on releasing one-way frequency tables. We recommend an optimal mechanism that satisfies ϵ-differential privacy (DP) without suffering from having negative cell counts. The procedure is optimal in the sense that the expected utility is maximized under a given privacy constraint. Valid inference procedures for testing goodness-of-fit are also developed for the DP privacy-protected data. In particular, we propose a de-biased test statistic for the optimal procedure and derive its asymptotic distribution. In addition, we also introduce testing procedures for the commonly used Laplace and Gaussian mechanisms, which provide a good finite sample approximation for the null distributions. Moreover, the decaying rate requirements for the privacy regime are provided for the inference procedures to be valid. We further consider common users’ practices such as merging related or neighboring cells or integrating statistical information obtained across different data sources and derive valid testing procedures when these operations occur. Simulation studies show that our inference results hold well even when the sample size is relatively small. Comparisons with the current field standards, including the Laplace, the Gaussian (both with/without post-processing of replacing negative cell counts with zeros), and the Binomial-Beta McClure-Reiter mechanisms, are carried out. In the end, we apply our method to the National Center for Early Development and Learning’s (NCEDL) multi-state studies data to demonstrate its practical applicability.more » « less
-
Database Management Systems (DBMSes) secure data against regular users through defensive mechanisms such as access control, and against privileged users with detection mechanisms such as audit logging. Interestingly, these security mechanisms are built into the DBMS and are thus only useful for monitoring or stopping operations that are executed through the DBMS API. Any access that involves directly modifying database files (at file system level) would, by definition, bypass any and all security layers built into the DBMS itself. In this paper, we propose and evaluate an approach that detects direct modifications to database files that have already bypassed the DBMS and its internal security mechanisms. Our approach applies forensic analysis to first validate database indexes and then compares index state with data in the DBMS tables. We show that indexes are much more difficult to modify and can be further fortified with hashing. Our approach supports most relational DBMSes by leveraging index structures that are already built into the system to detect database storage tampering that would currently remain undetectable.more » « less
-
Database Management Systems (DBMSes) secure data against regular users through defensive mechanisms such as access control, and against privileged users with detection mechanisms such as audit logging. Interestingly, these security mechanisms are built into the DBMS and are thus only useful for monitoring or stopping operations that are executed through the DBMS API. Any access that involves directly modifying database files (at file system level) would, by definition, bypass any and all security layers built into the DBMS itself. In this paper,we propose and evaluate an approach that detects direct modifications to database files that have already bypassed the DBMS and its internal security mechanisms. Our approach applies forensic analysis to first validate database indexes and then compares index state with data in the DBMS tables. We show that indexes are much more difficult to modify and can be further fortified with hashing. Our approach supports most relational DBMSes by leveraging index structures that are already built into the system to detect database storage tampering that would currently remain undetectable.more » « less
- Free Publicly Accessible Full Text
-
Accepted Manuscript1.0
- Conference Paper:
- The DOI is not currently available.
