Abstract

We introduce a novel biometric based on distinctive eye movement patterns. The biometric consists of 21 features that allow us to reliably distinguish users based on differences in these patterns. We leverage this distinguishing power along with the ability to gauge the users' task familiarity, i.e., level of knowledge, to address insider threats. In a controlled experiment we test how both time and task familiarity influence eye movements and feature stability, and how different subsets of features affect the classifier performance. These feature subsets can be used to tailor the eye movement biometric to different authentication methods and threat models. Our results show that eye movement biometrics support reliable and stable identification and authentication of users. We investigate different approaches in which an attacker could attempt to use inside knowledge to mimic the legitimate user. Our results show that while this advance knowledge is measurable, it does not increase the likelihood of successful impersonation. In order to determine the time stability of our features we repeat the experiment twice within two weeks. The results indicate that we can reliably authenticate users over the entire period. We show that the classification decision depends on all features and that mimicking a few of them will not be sufficient to trick the classifier. We discuss the advantages and limitations of our approach in detail and give practical insights on the use of this biometric in a real-world environment.

I. INTRODUCTION

In this paper, we evaluate the effectiveness of using eye movement biometrics as a novel defence against the lunchtime attack by an insider threat. An insider threat in this context refers to a person with physical access to a workstation that he is not supposed to use (e.g., using a coworker's workstation while he is at lunch).
As such, our system serves as a second line of defense after the workstation has already been compromised (i.e., the attacker has physical access and the workstation is either unlocked or he is in possession of all necessary passwords and access tokens). Our approach considers both users that are simply careless and users that are actively collaborating with the attacker by giving up information. The second case makes this attack notoriously difficult to defend against. We propose a set of features that can be extracted from human eye movements and analyze their distinctiveness and robustness using a systematic experimental design. The human eyes offer a rich feature space based on voluntary, involuntary, and reflexive eye movements. Traditionally, the analysis of eye movements has been used in the medical domain to facilitate diagnosis of different ocular and neuronal disorders. Eye tracking devices have become much cheaper in recent years, and even low-cost open-source hardware and software is available (1). Recent advances in video-based eye tracking technology make eye tracking applicable to a conventional workplace, as it does not require any physical contact with the users (more detail on eye tracking is given in Section II). Our experimental design captures the unique characteristics of each user's eye movements as measured by the eye tracker. We also consider ways in which the attacker could use his position to gain inside information about the user and the system through observation or social engineering. We define metrics to measure this advance knowledge through eye movement data and determine whether it affects the authentication decision.
We consider three scenarios in particular: (i) no prior knowledge, i.e., no information advantage; (ii) knowledge gained through a description, e.g., the adversary is provided with a textual description by a colluding legitimate user; and (iii) knowledge gained through observation, e.g., by looking over the shoulder of a legitimate user performing a task (shoulder-surfing). We perform these experiments with 30 subjects recruited from the general public and repeat them after two weeks to test the time-stability of the proposed features. While our experimental results show that an adversary does benefit from an increased level of knowledge when executing a task, the analysis of the proposed features also shows that he cannot utilize that knowledge to circumvent the eye movement biometric. Our main contributions are a set of 21 features and measurements that confirm that these features are suitable to perform user authentication. We carefully consider various error sources and validate our design by looking at the learning behavior of our test subjects. We further show that it is possible to gauge the level of familiarity with a specific task through the eye tracker biometric. This property is very useful when dealing with an insider threat. Finally, we also present a basic authentication system based on this biometric as well as a discussion of the robustness of our results over time.
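The abstract's claim that the classification decision depends on all features, so that an impostor who reproduces a few of them is still rejected, can be illustrated with a template-matching authenticator over a 21-dimensional feature vector. The following is an added example, not the paper's code: the paper's actual features and classifier are not given on this page, so the feature values, the z-score distance, and the acceptance margin are all constructed assumptions chosen only to show how per-feature evidence aggregates into one decision.

```python
# Added illustration (not the paper's code): template matching over a
# 21-dimensional eye-movement feature vector, showing why copying only a
# few features leaves the authentication decision unchanged. All values
# below are constructed; the paper's real features are not on this page.
from statistics import mean, pstdev

NUM_FEATURES = 21
ACCEPT_MARGIN = 1.5  # assumed: accept probes within 1.5x the enrolment spread


def build_template(samples):
    """Per-feature mean and standard deviation from enrolment samples."""
    columns = list(zip(*samples))
    means = [mean(c) for c in columns]
    # Floor the spread so a constant feature cannot cause a division by zero.
    stds = [max(pstdev(c), 1e-6) for c in columns]
    return means, stds


def score(template, probe):
    """Mean absolute z-score of the probe against the template (lower is closer)."""
    means, stds = template
    return mean(abs((p - m) / s) for p, m, s in zip(probe, means, stds))


def threshold(template, samples):
    """Accept threshold derived from how far the enrolment samples themselves sit."""
    return ACCEPT_MARGIN * mean(score(template, s) for s in samples)


def authenticate(template, thr, probe):
    """Accept the probe only if its aggregate distance is within the threshold."""
    return score(template, probe) <= thr


def mimic(template, probe, mimicked):
    """Impostor probe with the given feature indices replaced by the user's typical value."""
    means, _ = template
    return [means[i] if i in mimicked else v for i, v in enumerate(probe)]


def min_features_to_pass(template, thr, impostor):
    """Smallest number of copied features for which the impostor is accepted."""
    for k in range(NUM_FEATURES + 1):
        if authenticate(template, thr, mimic(template, impostor, set(range(k)))):
            return k
    return None


# Constructed data: the legitimate user's feature i centres on 10 + i with unit
# spread; the impostor's natural value for every feature sits four units away.
BASE = [10 + i for i in range(NUM_FEATURES)]
ENROLMENT = [[b + d for b in BASE] for d in (-1, -1, 1, 1)]
GENUINE_PROBE = [b + 0.5 for b in BASE]
IMPOSTOR_PROBE = [b + 4 for b in BASE]

TEMPLATE = build_template(ENROLMENT)
THRESHOLD = threshold(TEMPLATE, ENROLMENT)

if __name__ == "__main__":
    print("threshold:", THRESHOLD)
    print("genuine accepted:", authenticate(TEMPLATE, THRESHOLD, GENUINE_PROBE))
    print("impostor accepted:", authenticate(TEMPLATE, THRESHOLD, IMPOSTOR_PROBE))
    print("features the impostor must copy exactly:",
          min_features_to_pass(TEMPLATE, THRESHOLD, IMPOSTOR_PROBE))
```

With these constructed values the genuine probe scores 0.5 against a threshold of 1.5 and is accepted, the unmodified impostor scores 4.0 and is rejected, and the impostor only crosses the threshold after reproducing 14 of the 21 features exactly; copying five of them still leaves a score above 3. The design point is that every feature contributes to a single aggregate distance, so partial mimicry shifts the score only in proportion to the fraction of features copied.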
