Abstract
The fragility of password-based authentication has been recognized and studied for several decades. It is an increasingly common industry practice to profile users based on their sessions context, such as IP ranges and Browser type in order to build a risk profile on an incoming authentication attempt. On the other hand, behavioral dynamics such as mouse and keyword features have been proposed in the scientific literature order to improve authentication, but have been shown most effective in continuous authentication scenarios. In this paper we propose to combine both fingerprinting and behavioral dynamics (for mouse and keyboard) in order to increase security of login mechanisms. We do this by using machine learning techniques that aim at high accuracy, and only occasionally raise alarms for manual inspection. We evaluate our approach on a dataset containing mouse, keyboard and session context information of 24 users and simulated attacks. We show that while context analysis and behavioural analysis on their own achieve around 0.7 accuracy on this dataset, a combined approach reaches up to 0.9 accuracy using a linear combination of the outcomes of the single models.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Perrig, A.: Shortcomings of password-based authentication. In: 9th USENIX Security Symposium, vol. 130. ACM (2000)
Bonneau, J., Herley, C., Stajano, F.M., et al.: Passwords and the evolution of imperfect authentication. Commun. ACM 58, 78–87 (2014)
Newman, L.: Hacker Lexicon: What is Credential Stuffing? Wired Magazine (2019). https://www.wired.com/story/what-is-credential-stuffing/. Accessed 12 Sept 2019
Kaspersky: Zeus malware. Online (2019). https://usa.kaspersky.com/resource-center/threats/zeus-virus. Accessed 12 Sept 2019
Alaca, F., Van Oorschot, P.C.: Device fingerprinting for augmenting web authentication: classification and analysis of methods. In: Proceedings of the 32nd Annual Conference on Computer Security Applications, pp. 289–301. ACM (2016)
Salem, M.B., Hershkop, S., Stolfo, S.J.: A survey of insider attack detection research. In: Stolfo, S.J., Bellovin, S.M., Keromytis, A.D., Hershkop, S., Smith, S.W., Sinclair, S. (eds.) Insider Attack and Cyber Security, pp. 69–90. Springer, Boston (2008)
Yampolskiy, R.V., Govindaraju, V.: Behavioural biometrics: a survey and classification. Int. J. Biom. 1(1), 81–113 (2008)
Zheng, N., Paloski, A., Wang, H.: An efficient user verification system via mouse movements. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 139–150. ACM (2011)
Mondal, S., Bours, P.: Combining keystroke and mouse dynamics for continuous user authentication and identification. In: 2016 IEEE International Conference on Identity, Security and Behavior Analysis (ISBA), pp. 1–8. IEEE (2016)
Shen, C., Cai, Z., Guan, X., Wang, J.: On the effectiveness and applicability of mouse dynamics biometric for static authentication: a benchmark study. In: 2012 5th IAPR International Conference on Biometrics (ICB) (2012)
Solano, J., Camacho, L., Correa, A., Deiro, C., Vargas, J., Ochoa, M.: Risk-based static authentication in web applications with behavioral biometrics and session context analytics. In: Zhou, J., Deng, R., Li, Z., Majumdar, S., Meng, W., Wang, L., Zhang, K. (eds.) Applied Cryptography and Network Security Workshops, pp. 3–23. Springer, Berlin (2019)
Harilal, A., Toffalini, F., Homoliak, I., Castellanos, J., Guarnizo, J., Mondal, S., Ochoa, M.: The wolf of SUTD (twos): a dataset of malicious insider threat behavior based on a gamified competition. J. Wirel. Mob. Netw. (2018). https://doi.org/10.22667/JOWUA.2018.03.31.054
Traore, I., Woungang, I., Obaidat, M.S., Nakkabi, Y., Lai, I.: Combining mouse and keystroke dynamics biometrics for risk-based authentication in web environments. In: 2012 Fourth International Conference on Digital Home (2012)
Swati Gurav, R.G., Mhangore, S.: Combining keystroke and mouse dynamics for user authentication. Int. J. Emerg. Trends Technol. Comput. Sci. (IJETTCS) 6, 055–058 (2017)
Cao, Y., Li, S., Wijmans, E.: (Cross-)browser fingerprinting via OS and hardware level features. In: NDSS (2017). https://doi.org/10.14722/ndss.2017.23152
Nakibly, G., Shelef, G., Yudilevich, S.: Hardware fingerprinting using HTML5 (2015). arXiv:1503.01408v3
Sanchez-Rola, I., Santos, I., Balzarotti, D.: Clock around the clock: time-based device fingerprinting. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 1502–1514 (2018)
Kohno, T., Broido, A., Claffy, K.C.: Remote physical device fingerprinting. IEEE Trans. Dependable Secure Comput. 2(2), 93–108 (2005)
Bailey, K.O., Okolica, J.S., Peterson, G.L.: User identification and authentication using multi-modal behavioral biometrics. Comput. Secur. 43, 77–89 (2014)
Misbahuddin, M., Bindhumadhava, B.S., Dheeptha, B.: Design of a risk based authentication system using machine learning techniques. In: 2017 IEEE SmartWorld, Ubiquitous Intelligence Computing, Advanced Trusted Computed, Scalable Computing Communications, Cloud Big Data Computing, Internet of People and Smart City Innovation, pp. 1–6 (2017)
Solano, J., Tengana, L., Castelblanco, A., Rivera, E., Lopez, C., Ochoa, M.: A few-shot practical behavioral biometrics model for login authentication in web applications. In: NDSS Workshop on Measurements, Attacks, and Defenses for the Web (MADWeb’20) (2020)
Author information
Authors and Affiliations
Corresponding author
Ethics declarations
Conflict of interest
All authors were Cyxtera employees (now AppGate Inc.) at the time of writing this manuscript and declare no conflict of interest. Parts of this study use the TWOS dataset, which is a public dataset based on the behaviour of 24 students during a gamified experiment and shared in an anonymized fashion by the Singapore University of Technology and Design. Authors of the original study obtained SUTD’s IRB consent to carry out and share the data used in this paper.
Ethical standard
In this work we also used a proprietary dataset of log-in contextual information (based on HTTP parameters), that was anonymized and which cannot be associated with any particular individual. Moreover, we only disclose aggregated results based on this dataset. So in sum all procedures performed in studies involving human participants were in accordance with the ethical standards of the institutional research committee and with the 1964 Helsinki declaration and its later amendments or comparable ethical standards.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
About this article
Cite this article
Solano, J., Camacho, L., Correa, A. et al. Combining behavioral biometrics and session context analytics to enhance risk-based static authentication in web applications. Int. J. Inf. Secur. 20, 181–197 (2021). https://doi.org/10.1007/s10207-020-00510-x
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10207-020-00510-x