Risk-Based Static Authentication in Web Applications with Behavioral Biometrics and Session Context Analytics

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11605)


In order to improve the security of password-based authentication in web applications, it is a common industry practice to profile users based on their sessions context, such as IP ranges and Browser type. On the other hand, behavioral dynamics such as mouse and keyword features have been proposed in order to improve authentication, but have been shown most effective only in continuous authentication scenarios. In this paper we propose to combine both fingerprinting and behavioral dynamics (for mouse and keyboard) in order to increase security of login mechanisms. We do this by using machine learning techniques that aim at high accuracy, and only occasionally raise alarms for manual inspection. Our combined approach achieves an AUC of 0.957. We discuss the practicality of our approach in industrial contexts.


Behavioral dynamics Static authentication Machine learning 


  1. 1.
    Alaca, F., Van Oorschot, P.C.: Device fingerprinting for augmenting web authentication: classification and analysis of methods. In: Proceedings of the 32nd Annual Conference on Computer Security Applications. pp. 289–301. ACM (2016)Google Scholar
  2. 2.
    Bonneau, J., Herley, C., Stajano, F.M., et al.: Passwords and the evolution of imperfect authentication. Commun. ACM 58, 78–87 (2014)CrossRefGoogle Scholar
  3. 3.
    Nakibly, G., Shelef, G., Yudilevich, S.: Hardware fingerprinting using HTML5, pp. 1–13 (2015)Google Scholar
  4. 4.
    Harilal, A., et al.: The Wolf Of SUTD (TWOS): a dataset of malicious insider threat behavior based on a gamified competition. J. Wirel. Mob. Netw. 9, 54–85 (2018). Scholar
  5. 5.
    Sanchez-Rola, I., Santos, I., Balzarotti, D.: Clock around the clock: time-based device fingerprinting, pp. 1–13 (2018)Google Scholar
  6. 6.
  7. 7.
    Bailey, K.O., Okolica, J.S., Peterson, G.L.: User identification and authentication using multi-modal behavioral biometrics. Comput. Secur. 43, 77–89 (2014)CrossRefGoogle Scholar
  8. 8.
    Misbahuddin, M., Bindhumadhava, B.S., Dheeptha, B.: Design of a risk based authentication system using machine learning techniques. In: 2017 IEEE SmartWorld, Ubiquitous Intelligence Computing, Advanced Trusted Computed, Scalable Computing Communications, Cloud Big Data Computing, Internet of People and Smart City Innovation, pp. 1–6 (2017)Google Scholar
  9. 9.
    Mondal, S., Bours, P.: Combining keystroke and mouse dynamics for continuous user authentication and identification. In: 2016 IEEE International Conference on Identity, Security and Behavior Analysis (ISBA), pp. 1–8. IEEE (2016)Google Scholar
  10. 10.
    Newman, L.: Hacker lexicon: what is credential stuffing? Wired Magazine (2019).
  11. 11.
    Perrig, A.: Shortcomings of password-based authentication. In: 9th USENIX Security Symposium, vol. 130. ACM (2000)Google Scholar
  12. 12.
    Salem, M.B., Hershkop, S., Stolfo, S.J.: A survey of insider attack detection research. In: Stolfo, S.J., Bellovin, S.M., Keromytis, A.D., Hershkop, S., Smith, S.W., Sinclair, S. (eds.) Insider Attack and Cyber Security. ADIS, vol. 39, pp. 69–90. Springer, Boston (2008). Scholar
  13. 13.
    Shen, C., Cai, Z., Guan, X., Wang, J.: On the effectiveness and applicability of mouse dynamics biometric for static authentication: a benchmark study. In: 2012 5th IAPR International Conference on Biometrics (ICB) (2012)Google Scholar
  14. 14.
    Swati Gurav, R.G., Mhangore, S.: Combining keystroke and mouse dynamics for user authentication. Int. J. Emerg. Trends Technol. Comput. Sci. (IJETTCS) 6, 055–058 (2017)Google Scholar
  15. 15.
    Kohno, T., Broido, A., Claffy, K.C.: Remote physical device fingerprinting, pp. 1–13 (2004)Google Scholar
  16. 16.
    Traore, I., Woungang, I., Obaidat, M.S., Nakkabi, Y., Lai, I.: Combining mouse and keystroke dynamics biometrics for risk-based authentication in web environments. In: 2012 Fourth International Conference on Digital Home (2012)Google Scholar
  17. 17.
    Yampolskiy, R.V., Govindaraju, V.: Behavioural biometrics: a survey and classification. Int. J. Biom. 1(1), 81–113 (2008)Google Scholar
  18. 18.
    Cao, Y., Li, S., Wijmans, E.: (cross-)browser fingerprinting via os and hardware level features, pp. 1–15 (2017)Google Scholar
  19. 19.
    Zheng, N., Paloski, A., Wang, H.: An efficient user verification system via mouse movements. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 139–150. ACM (2011)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.Cyxtera TechnologiesCoral GablesUSA

Personalised recommendations