Keystroke-based Authentication Research Articles

A Deep-Learning-Based Approach to Keystroke-Injection Payload Generation

Investigation and detection of cybercrimes has been in the spotlight of cybersecurity research for as long as the topic has existed. Modern methods are required to keep up with the pace of the technology and toolset used to facilitate these crimes. Keystroke-injection attacks have been an issue due to the limitations of hardware and software up until recently. This paper presents comprehensive research on keystroke-injection payload generation that proposes the use of deep learning to bypass the security of keystroke-based authentication systems focusing on both fixed-text and free-text scenarios. In addition, it specifies the potential risks associated with keystroke-injection attacks. To ensure the legitimacy of the investigation, a model is proposed and implemented within this context. The results of the implemented implant model inside the keyboard indicate that deep learning can significantly improve the accuracy of keystroke dynamics recognition as well as help to generate effective payload from a locally collected dataset. The results demonstrate favorable accuracy rates, with reported performance of 93–96% for fixed-text scenarios and 75–92% for free-text. Accuracy across different text scenarios was achieved using a small dataset collected with the proposed implant model. This dataset enabled the generation of synthetic keystrokes directly within a low-computation-power device. This approach offers efficient and almost real-time keystroke replication. The results obtained show that the proposed model is sufficient not only to bypass the fixed-text keystroke dynamics system, but also to remotely control the victim’s device at the appropriate time. However, such a method poses high security risks when deploying adaptive keystroke injection with impersonated payload in real-world scenarios.

Keystroke-Based Biometric Authentication in Mobile Applications

Keystroke dynamics is the study of how people can be distinguished based on their typing rhythms. It is considered as a real alternative to several authentication mechanisms. In order to improve authentication security in mobile applications, especially mobile chat applications , we propose in this work an approach of user keystroke-based authentication which is based on two important mechanisms, firstly the authentication is done on the basis of a supervised classification model trained on the dynamic keystroke database (android platform) the prediction accuracy has reached high values. When the attacker used the same behavior as the legitimate user we are strengthening security by another authentication mechanism based on three parameters during the opening of a communication session between two users (the number of messages per session, connection time and inter-click time). The proposed system has shown satisfactory results by combining user behaviours and connection parameters during an open session between two users to reinforce the authentication aspect.

Utilizing overt and latent linguistic structure to improve keystroke-based authentication

Keystroke production is influenced by a number of factors including linguistic context and structure. Previous studies in keystroke-based authentication have neglected to take these many of these into account. By incorporating the linguistic context under which keystrokes are produced, we are able to improve the accuracy of authentication experiments. We are able to reduce baseline EER by 36% on a dataset of 486 users, from a baseline of 0.0483 using only unigraph holds and digraph intervals to 0.0309 using linguistic context. Our EER results are further improved to 0.0232 by reducing the size of our feature-set through various methods of feature pruning. These results demonstrate the importance of context when authenticating a typist.

Examining a Large Keystroke Biometrics Dataset for Statistical-Attack Openings

Research on keystroke-based authentication has traditionally assumed human impostors who generate forgeries by physically typing on the keyboard. With bots now well understood to have the capacity to originate precisely timed keystroke sequences, this model of attack is likely to underestimate the threat facing a keystroke-based system in practice. In this work, we investigate how a keystroke-based authentication system would perform if it were subjected to synthetic attacks designed to mimic the typical user. To implement the attacks, we perform a rigorous statistical analysis on keystroke biometrics data collected over a 2-year period from more than 3000 users, and then use the observed statistical traits to design and launch algorithmic attacks against three state-of-the-art password-based keystroke verification systems. Relative to the zero-effort attacks typically used to test the performance of keystroke biometric systems, we show that our algorithmic attack increases the mean Equal Error Rates (EERs) of three high performance keystroke verifiers by between 28.6% and 84.4%. We also find that the impact of the attack is more pronounced when the keystroke profiles subjected to the attack are based on shorter strings, and that some users see considerably greater performance degradation under the attack than others. This article calls for a shift from the traditional zero-effort approach of testing the performance of password-based keystroke verifiers, to a more rigorous algorithmic approach that captures the threat posed by today’s bots.

Using trusted computing for privacy preserving keystroke-based authentication in smartphones

Smartphones are increasingly being used to store personal information as well as to access sensitive data from the Internet and the cloud. Establishment of the identity of a user requesting information from smartphones is a prerequisite for secure systems in such scenarios. In the past, keystroke-based user identification has been successfully deployed on production-level mobile devices to mitigate the risks associated with naive username/password based authentication. However, these approaches have two major limitations: they are not applicable to services where authentication occurs outside the domain of the mobile device--such as web-based services; and they often overly tax the limited computational capabilities of mobile devices. In this paper, we propose a protocol for keystroke dynamics analysis which allows web-based applications to make use of remote attestation and delegated keystroke analysis. The end result is an efficient keystroke-based user identification mechanism that strengthens traditional password protected services while mitigating the risks of user profiling by collaborating malicious web services. We present a prototype implementation of our protocol using the popular Android operating system for smartphones.

A Novel and Simple Statistical Fusion Method for User Authentication through Keystroke Features

This paper utilizes a statistical fusion method to extract the characteristic information for keystrokebased authentication (KA) systems to verify users’ identities. The keystroke data is based on the time instances of pressing and releasing a key, and five features based on the time periods are calculated using these data. In the experiment, nineteen users participated as the legitimate users and each account was attacked by between 62 and 82 impostors. The average false acceptance rate is 1.035% and the false rejection rate is 0%. These rates are both competitive with other researches. The proposed method can be used as the classifier in password-based authentication systems to enhance their security.

User authentication using keystroke dynamics for cellular phones

A new approach for keystroke-based authentication when using a cellular phone keypad as input device is presented. In the proposed method, users are authenticated using keystroke dynamics acquired when typing fixed alphabetic strings on a mobile phone keypad. The employed statistical classifier is able to perform user verification with an average equal error rate of about 13%. The obtained experimental results suggest that, when using mobile devices, a strong secure authentication scheme cannot rely on the sole keystroke dynamics, which however can be a module of a more complex system including, as basic security, a password-based protocol eventually hardened by keystroke analysis.