CASTRA: Seamless and Unobtrusive Authentication of Users to Diverse Mobile Services

Abstract

This paper presents context-aware security technology for responsive and adaptive protection (CASTRA), an “always-on” context-aware authentication and access control framework that seamlessly and unobtrusively authenticate users to mobile applications of varying sensitivity levels. CASTRA uses a continuous and multifaceted behavioral biometrics authentication that passively authenticates the user in the background while the device is being in contact with the user, and a context-aware risk assessment and access control that provides access to applications based on the perceived threat level around the device. The behavioral authentication module is constructed by exploiting a combination of supervised and unsupervised learning techniques on raw sensor and GPS data passively gathered from the mobile device. Multiple inferences about the user (or user behavioral traits ) such as frequently visited locations, location transition patterns, physical proximity of user with the device (e.g., device in the pocket or placed on the table), and walking patterns are automatically inferred and extracted. Analytical studies were conducted to derive optimal thresholds to fuse these multiple traits and an adaptive trust score is generated every user-defined time period to determine the degree to which the user is trustworthy to access the applications. CASTRA is implemented in a client-server mode, utilizing the Android and the Amazon Cloud computing platform. The novelty of CASTRA stems from the design and fusion of multiple behavioral biometric-based authentication factors and the development and deployment of a practical end-to-end architecture that enables real-time data acquisition, automatic training and learning of user behavioral patterns, and context-aware risk assessment and access control. The performance of CASTRA was evaluated under natural settings, on 15 subjects, using different variants of the Samsung devices. Multiple realistic attack scenarios (e.g., stolen, lost, and shared devices) targeting mobile devices were designed to prove the security and user-friendliness of the proposed scheme. We also present techniques to reduce energy and bandwidth consumption and ways to unobtrusively acquire data for supervised learning algorithms without requiring explicit user annotation.