Abstract
Implicit authentication (IA) schemes use behavioural biometrics to continuously and transparently authenticate mobile device users. Several IA schemes have been proposed by researchers which employ different behavioural features and provide reasonable detection accuracy. While these schemes work in principle, it is difficult to comprehend from these individual efforts which schemes work best (in terms of detection accuracy, detection delay and processing complexity) under different operating conditions (in terms of attack scenarios and availability of training and classification data). Furthermore, it is critical to evaluate these schemes on unbiased, real-world datasets to determine their efficacy in realistic operating conditions. In this paper, we evaluate six diverse IA schemes on four independently collected datasets from over 300 participants. We first evaluate these schemes in terms of: accuracy; training time and delay on real-world datasets; detection delay; processing and memory complexity for feature extraction, training and classification operations; vulnerability to mimicry attacks; and deployment issues on mobile platforms. We also leverage our real-world device usage traces to determine the proportion of time these schemes are able to afford protection to device owners. Based on our evaluations, we identify: 1) promising IA schemes with high detection accuracy, low performance overhead, and near real-time detection delays, 2) common pitfalls in contemporary IA evaluation methodology, and 3) open challenges for IA research. Finally, we provide an open source implementation of the IA schemes evaluated in this work that can be used for performance benchmarking by future IA research.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Android Authority: Android face unlock hacked (March 2014), http://androidauthority.com/android-jelly-bean-face-unlock-blink-hacking-105556/
Arya, S., Mount, D.M., Netanyahu, N.S., Silverman, R., Wu, A.Y.: An optimal algorithm for approximate nearest neighbor searching fixed dimensions. Journal of the ACM (JACM) 45(6) (1998)
Berndt, D.J., Clifford, J.: Using dynamic time warping to find patterns in time series. In: KDD Workshop, vol. 10 (1994)
Bo, C., Zhang, L., Li, X.Y., Huang, Q., Wang, Y.: Silentsense: silent user identification via touch and movement behavioral biometrics. In: MobiCom. ACM (2013)
Chang, C.C., Lin, C.J.: Libsvm: A library for support vector machines. ACM TIST 2(3) (2011)
Chen, T., Kan, M.-Y.: Creating a live, public short message service corpus: The nus sms corpus. Language Resources and Evaluation 47(2), 299–335 (2013)
Clarke, N., Karatzouni, S., Furnell, S.: Flexible and transparent user authentication for mobile devices. In: Gritzalis, D., Lopez, J. (eds.) SEC 2009. IFIP AICT, vol. 297, pp. 1–12. Springer, Heidelberg (2009)
Clarke, N.L., Furnell, S.: Authenticating mobile phone users using keystroke analysis. International Journal of Information Security 6(1) (2007)
Crawford, H., Renaud, K., Storer, T.: A framework for continuous, transparent mobile device authentication. Elsevier Computers & Security 39 (2013)
De Luca, A., Hang, A., Brudy, F., Lindner, C., Hussmann, H.: Touch me once and i know it’s you!: implicit authentication based on touch screen patterns. In: CHI. ACM (2012)
Feng, T., Liu, Z., Kwon, K.A., Shi, W., Carbunar, B., Jiang, Y., Nguyen, N.: Continuous mobile authentication using touchscreen gestures. In: HST. IEEE (2012)
Feng, T., Yang, J., Yan, Z., Tapia, E.M., Shi, W.: Tips: Context-aware implicit user identification using touch screen in uncontrolled environments. In: HotMobile. ACM (2014)
Feng, T., Zhao, X., Carbunar, B., Shi, W.: Continuous mobile authentication using virtual key typing biometrics. In: TrustCom. IEEE (2013)
Frank, J., Mannor, S., Precup, D.: Activity and gait recognition with time-delay embeddings. In: AAAI (2010)
Frank, M., Biedert, R., Ma, E., Martinovic, I., Song, D.: Touchalytics: On the applicability of touchscreen input as a behavioral biometric for continuous authentication. IEEE TIFS 8(1) (2013)
Friedman, N., Geiger, D., Goldszmidt, M.: Bayesian network classifiers. Machine Learning 29(2-3) (1997)
Gafurov, D., Helkala, K., Søndrol, T.: Biometric gait authentication using accelerometer sensor. Journal of Computers 1(7) (2006)
Hayashi, E., Riva, O., Strauss, K., Brush, A., Schechter, S.: Goldilocks and the two mobile devices: Going beyond all-or-nothing access to a device’s applications. In: SOUPS. ACM (2012)
Jain, A.K., Ross, A., Prabhakar, S.: An introduction to biometric recognition. IEEE Transactions on Circuits and Systems for Video Technology 14(1) (2004)
Jolliffe, I.: Principal component analysis. Wiley Online Library (2005)
Kalamandeen, A., Scannell, A., de Lara, E., Sheth, A., LaMarca, A.: Ensemble: Cooperative proximity-based authentication. In: MobiSys. ACM (2010)
Khan, H., Hengartner, U.: Towards application-centric implicit authentication on smartphones. In: HotMobile. ACM (2014)
Klimt, B., Yang, Y.: Introducing the enron corpus. In: CEAS (2004)
Li, L., Zhao, X., Xue, G.: Unobservable reauthentication for smart phones. In: NDSS (2013)
Lookout Blog: Sprint-lookout mobile behavior survey (March 2014), http://blog.lookout.com/blog/2013/10/21
Maiorana, E., Campisi, P., González-Carballo, N., Neri, A.: Keystroke dynamics authentication for mobile phones. In: SAC. ACM (2011)
Mantyjarvi, J., Lindholm, M., Vildjiounaite, E., Makela, S.M., Ailisto, H.: Identifying users of portable devices from gait pattern with accelerometers. In: ICASSP 2005. IEEE (2005)
Muaaz, M., Mayrhofer, R.: An analysis of different approaches to gait recognition using cell phone based accelerometers. In: MoMM. ACM (2013)
Riva, O., Qin, C., Strauss, K., Lymberopoulos, D.: Progressive authentication: deciding when to authenticate on mobile phones. In: USENIX Security (2012)
Schneier on Security: Apple iphone fingerprint reader hacked (March 2014), http://schneier.com/blog/archives/2013/09/apples_iphone_f.html
Serwadda, A., Phoha, V.V.: Examining a large keystroke biometrics dataset for statistical-attack openings. ACM TISSEC 16(2) (2013)
Serwadda, A., Phoha, V.V.: When kids’ toys breach mobile phone security. In: CCS. ACM (2013)
Serwadda, A., Phoha, V.V., Wang, Z.: Which verifiers work?: A benchmark evaluation of touch-based authentication algorithms. In: BTAS. IEEE (2013)
Shahzad, M., Liu, A.X., Samuel, A.: Secure unlocking of mobile touch screen devices by simple gestures: you can see it but you can not do it. In: MobiCom. ACM (2013)
Shi, E., Niu, Y., Jakobsson, M., Chow, R.: Implicit authentication through learning user behavior. In: Burmester, M., Tsudik, G., Magliveras, S., Ilić, I. (eds.) ISC 2010. LNCS, vol. 6531, pp. 99–113. Springer, Heidelberg (2011)
Shrestha, B., Saxena, N., Truong, H.T.T., Asokan, N.: Drone to the rescue: Relay-resilient authentication using ambient multi-sensing. In: Financial Cryptography and Data Security (2014)
Striegel, A., Liu, S., Meng, L., Poellabauer, C., Hachen, D., Lizardo, O.: Lessons learned from the netsense smartphone study. In: HotPlanet. ACM (2013)
Studer, A., Perrig, A.: Mobile user location-specific encryption (mule): Using your office as your password. In: Wi’Sec. ACM (2010)
Tey, C.M., Gupta, P., Gao, D.: I can be you: Questioning the use of keystroke dynamics as biometrics. In: NDSS (2013)
Threatpost: Samsung android lockscreen bypass (March 2014), http://threatpost.com/lock-screen-bypass-flaw-found-samsung-androids-030413/77580
Wright, S.: Symantec honey stick project. Symantec Corporation (March 2012)
Zhao, X., Feng, T., Shi, W.: Continuous mobile authentication using a novel graphic touch gesture feature. In: BTAS. IEEE (2013)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Khan, H., Atwater, A., Hengartner, U. (2014). A Comparative Evaluation of Implicit Authentication Schemes. In: Stavrou, A., Bos, H., Portokalidis, G. (eds) Research in Attacks, Intrusions and Defenses. RAID 2014. Lecture Notes in Computer Science, vol 8688. Springer, Cham. https://doi.org/10.1007/978-3-319-11379-1_13
Download citation
DOI: https://doi.org/10.1007/978-3-319-11379-1_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-11378-4
Online ISBN: 978-3-319-11379-1
eBook Packages: Computer ScienceComputer Science (R0)