Skip to main content
SpringerLink
Log in

Adversarial attacks against mouse- and keyboard-based biometric authentication: black-box versus domain-specific techniques

  • Regular contribution
  • Published:
International Journal of Information Security Aims and scope Submit manuscript

Abstract

Adversarial attacks have recently gained popularity due to their simplicity, impact, and applicability to a wide range of machine learning scenarios. However, knowledge of a particular security scenario can be advantageous for adversaries to craft better attacks. In other words, in some scenarios, attackers may come up naturally with ad hoc black-box attack techniques inspired directly by problem space characteristics rather than using generic adversarial techniques. This paper explores an intuitive attack technique based on reusing legitimate user inputs and applying it to mouse-based behavioral biometrics and keyboard-based behavioral biometrics. Moreover, it compares the model’s effectiveness against adversarial machine learning attacks, achieving attack success rates up to 87 and 86% for the mouse and keyboard settings, respectively. We show that attacks leveraging domain knowledge have higher transferability when applied to various machine-learning techniques and are more challenging to defend against. We also propose countermeasures against such attacks and discuss their effectiveness.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7

Similar content being viewed by others

Data availability

The datasets analyzed during the current study are available in The Wolf of SUTD (TWOS) [23], Balabit [20], and The Typing Behavior Dataset (Typing-BD http://cvlab.cse.msu.edu/typing-behavior-dataset.html) [43]

Notes

  1. We take only the first detection and do not continue looking for more coincidences.

  2. The goal-oriented attack phrases were generated from http://www.randomtextgenerator.com/.

  3. The text used for our evaluation was generated through the random text generator tool available on the web page http://www.randomtextgenerator.com/.

References

  1. Ahmed, A.A.E., Traore, I.: A new biometric technology based on mouse dynamics. IEEE Trans Dependable Secur Comput 4(3), 165–179 (2007)

    Article  Google Scholar 

  2. Akila, M., Kumar, V.S., Anusheela, N., Sugumar, K.: A novel feature subset selection algorithm using artificial bee colony in keystroke dynamics. In: Proceedings of the International Conference on Soft Computing for Problem Solving (SocProS 2011) December 20-22, 2011, pp 813–820. Springer (2012)

  3. Almalki, S., Chatterjee, P., Roy, K.: Continuous authentication using mouse clickstream data analysis. In: International Conference on Security, Privacy and Anonymity in Computation, Communication and Storage, pp. 76–85. Springer (2019)

  4. Alshanketi, F., Traoré, I., Awad, A.: Multimodal mobile keystroke dynamics biometrics combining fixed and variable passwords. Secur. Privacy 2(1), e48 (2019). https://doi.org/10.1002/spy2.48

    Article  Google Scholar 

  5. Alsultan, A., Warwick, K., Wei, H.: Improving the performance of free-text keystroke dynamics authentication by fusion. Appl. Soft Comput. J. 70, 1024–1033 (2018). https://doi.org/10.1016/j.asoc.2017.11.018

    Article  Google Scholar 

  6. Antal, M., Egyed-Zsigmond, E.: Intrusion detection using mouse dynamics. IET Biom. 8(5), 285–294 (2019)

    Article  Google Scholar 

  7. Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: circumventing defenses to adversarial examples. In: Dy J., Krause A. (eds.) Proceedings of the 35th International Conference on Machine Learning, PMLR, Stockholmsmässan, Stockholm Sweden, Proceedings of Machine Learning Research, vol. 80, pp. 274–283, (2018) http://proceedings.mlr.press/v80/athalye18a.html

  8. Bailey, K.O., Okolica, J.S., Peterson, G.L.: User identification and authentication using multi-modal behavioral biometrics. Comput. Secur. 43, 77–89 (2014)

    Article  Google Scholar 

  9. Ballard, L., Monrose, F., Lopresti, D.P.: Biometric authentication revisited: understanding the impact of wolves in sheep’s clothing. In: USENIX Security Symposium, USENIX Association, pp. 29–41 (2006)

  10. Bhattacharyya, D., Ranjan, R., Alisherov, F., Choi, M., et al.: Biometric authentication: a review. Int. J. Serv. Sci. Technol. 2(3), 13–28 (2009)

    Google Scholar 

  11. Brendel, W., Rauber, J., Bethge, M.: Decision-based adversarial attacks: reliable attacks against black-box machine learning models. (2017) arXiv preprint arXiv:1712.04248

  12. Ceker, H., Upadhyaya, S.: Enhanced recognition of keystroke dynamics using gaussian mixture models. In: MILCOM 2015-2015 IEEE Military Communications Conference, IEEE, pp. 1305–1310 (2015)

  13. Chatterjee, K., et al.: Continuous user authentication system: a risk analysis based approach. Wirel. Pers. Commun. 108(1), 281–295 (2019)

    Article  Google Scholar 

  14. Chong, P., Tan, Y.X.M., Guarnizo, J., Elovici, Y., Binder, A.: Mouse authentication without the temporal aspect—what does a 2d-cnn learn? In: 2018 IEEE Security and Privacy Workshops (SPW), IEEE, pp. 15–21 (2018)

  15. Cimato, S., Gamassi, M., Piuri, V., Sassi, R., Scotti, F.: Privacy-aware biometrics: design and implementation of a multimodal verification system. In: 2008 Annual Computer Security Applications Conference (ACSAC), IEEE, pp. 130–139 (2008)

  16. Cser, A.: The forrester wave: risk-based authentication, q2 2020. Technical report, “Forrester” (2020)

  17. Deng, Y., Zhong, Y.: Keystroke dynamics user authentication based on Gaussian mixture model and deep belief nets. ISRN Signal Process. 2013, 1–7 (2013). https://doi.org/10.1155/2013/565183

    Article  Google Scholar 

  18. Feher, C., Elovici, Y., Moskovitch, R., Rokach, L., Schclar, A.: User identity verification via mouse dynamics. Inf. Sci. 201, 19–36 (2012)

    Article  Google Scholar 

  19. Fridman, L., Stolerman, A., Acharya, S., Brennan, P., Juola, P., Greenstadt, R., Kam, M.: Multi-modal decision fusion for continuous authentication. Comput. Electr. Eng. 41, 142–156 (2015)

    Article  Google Scholar 

  20. Fülöp, A., Kovács, T., Land, K., Windhager-Pokol, E.: Balabit Mouse Dynamics Challenge data set. Available at https://github.com/balabit/Mouse-Dynamics-Challenge (2016)

  21. Gamboa, H., Fred, A.L.: An identity authentication system based on human computer interaction behaviour. In: PRIS, pp. 46–55 (2003)

  22. Goodfellow, I.J., Shlens, J., Szegedy, C.: Explaining and harnessing adversarial examples. (2014) arXiv preprint arXiv:1412.6572

  23. Harilal, A., Toffalini, F., Homoliak, I., Castellanos, J., Guarnizo, J., Mondal, S., Ochoa, M.: The wolf of sutd (twos): a dataset of malicious insider threat behavior based on a gamified competition. J. Wirel. Mob. Netw. 9, 54–85 (2018)

    Google Scholar 

  24. Hashia, S., Pollett, C., Stamp, M.: On using mouse movements as a biometric. In: Proceeding in the International Conference on Computer Science and its Applications, The International Conference on Computer Science and its Applications (ICCSA), vol. 1, p. 5 (2005)

  25. Hu, S., Bai, J., Liu, H., Wang, C., Wang, B.: Deceive mouse-dynamics-based authentication model via movement simulation. In: 2017 10th International Symposium on Computational Intelligence and Design (ISCID), IEEE, vol. 1, pp. 482–485 (2017)

  26. Hu, T., Niu, W., Zhang, X., Liu, X., Lu, J., Liu, Y.: An insider threat detection approach based on mouse dynamics and deep learning. Secur. Commun. Netw. 2019, 3898951 (2019)

    Article  Google Scholar 

  27. Kataria, A.N., Adhyaru, D.M., Sharma, A.K., Zaveri, T.H.: A survey of automated biometric authentication techniques. In: 2013 Nirma University International Conference on Engineering (NUiCONE), IEEE, pp. 1–6 (2013)

  28. Khan, F.A., Kunhambu, S., et al.: Behavioral biometrics and machine learning to secure website logins. In: International Symposium on Security in Computing and Communication, pp. 667–677, Springer, (2018)

  29. Kim, J., Kim, H., Kang, P.: Keystroke dynamics-based user authentication using freely typed text based on user-adaptive feature extraction and novelty detection. Appl. Soft Comput. J. 62, 1077–1087 (2018). https://doi.org/10.1016/j.asoc.2017.09.045

    Article  Google Scholar 

  30. Kufel, M.: Adversarial Attacks against Behavioral-based Continuous Authentication. Technical reports, KTH Royal Institute of Technology (2020)

  31. Loy, C.C., Lim, C.P., Lai, W.K.: Pressure-based typing biometrics user authentication using the fuzzy artmap neural network. In: Proceedings of the Twelfth International Conference on Neural Information Processing (ICONIP 2005), Citeseer, pp. 647–652 (2005)

  32. Marrone, S., Sansone, C.: An Adversarial perturbation approach against CNN-based soft biometrics detection. In: Proceedings of the International Joint Conference on Neural Networks, Institute of Electrical and Electronics Engineers Inc., vol. 2019-July, pp. 1–8 (2019) https://doi.org/10.1109/IJCNN.2019.8851997

  33. Meng, D., Chen, H.: MagNet: a two-pronged defense against adversarial examples. In: Proceedings of the ACM Conference on Computer and Communications Security, Association for Computing Machinery, New York, NY, USA, pp. 135–147 (2017) arXiv:1705.09064

  34. Monaco, J.V., Tappert, C.C.: The partially observable hidden Markov model and its application to keystroke dynamics. Pattern Recognit. 76, 449–462 (2018)

    Article  Google Scholar 

  35. Mondal, S., Bours, P.: A study on continuous authentication using a combination of keystroke and mouse biometrics. Neurocomputing 230, 1–22 (2017)

    Article  Google Scholar 

  36. Nakkabi, Y., Traoré, I., Ahmed, A.A.E.: Improving mouse dynamics biometric performance using variance reduction via extractors with separate features. IEEE Trans. Syst. Man Cybern. Part A Syst. Hum. 40(6), 1345–1353 (2010)

    Article  Google Scholar 

  37. Nazar, A.: Synthesis & simulation of mouse dynamics. PhD thesis, University of Victoria (2007)

  38. Papernot, N., McDaniel, P., Goodfellow, I., Jha, S., Celik, Z.B., Swami, A.: Practical black-box attacks against machine learning. In: Proceedings of the 2017 ACM on Asia conference on computer and communications security, pp. 506–519 (2017)

  39. Rahman, K.A., Balagani, K.S., Phoha, V.V.: Snoop-forge-replay attacks on continuous verification with keystrokes. IEEE Trans. Inf. Forens. Secur. 8(3), 528–541 (2013). https://doi.org/10.1109/TIFS.2013.2244091

    Article  Google Scholar 

  40. Ratha, N.K., Connell, J.H., Bolle, R.M.: Enhancing security and privacy in biometrics-based authentication systems. IBM Syst. J. 40(3), 614–634 (2001)

    Article  Google Scholar 

  41. Raul, N., Shankarmani, R., Joshi, P.: A Comprehensive Review of Keystroke Dynamics-Based Authentication Mechanism. Adv. Intell. Syst. Comput. 1059, 149–162 (2020). https://doi.org/10.1007/978-981-15-0324-5_13

    Article  Google Scholar 

  42. Ren, K., Zheng, T., Qin, Z., Liu, X.: Adversarial attacks and defenses in deep learning. Engineering 6(3), 346–360 (2020)

    Article  Google Scholar 

  43. Roth, J., Liu, X., Ross, A., Metaxas, D.: Biometric authentication via keystroke sound. In: Proceeding 6th IAPR International Conference on Biometrics, Madrid, Spain, pp. 1–8 (2013)

  44. Samangouei, P., Kabkab, M., Chellappa, R.: Defense-GAN: protecting classifiers against adversarial attacks using generative models. (2018) arXiv:1805.06605

  45. Sayed, B., Traoré, I., Woungang, I., Obaidat, M.S.: Biometric authentication using mouse gesture dynamics. IEEE Syst. J. 7(2), 262–274 (2013)

    Article  Google Scholar 

  46. Serwadda, A., Phoha, V.V.: Examining a large keystroke biometrics dataset for statistical-attack openings. ACM Trans. Inf. Syst. Secur. 16(2), 1–30 (2013). https://doi.org/10.1145/2516960

    Article  Google Scholar 

  47. Shen, C., Cai, Z., Guan, X., Du, Y., Maxion, R.A.: User authentication through mouse dynamics. IEEE Trans. Inf. Forens. Secur. 8(1), 16–30 (2012)

    Article  Google Scholar 

  48. Solano, J., Lopez, C., Rivera, E., Castelblanco, A., Tengana, L., Ochoa, M.: Scrap: synthetically composed replay attacks vs. adversarial machine learning attacks against mouse-based biometric authentication. In: Proceedings of the 13th ACM Workshop on Artificial Intelligence and Security, pp. 37–47 (2020a)

  49. Solano, J., Tengana Hurtado, L., Castelblanco, A., Rivera, E., Lopez, C., Ochoa, M.: A few-shot practical behavioral biometrics model for login authentication in web applications. In: Proceedings of the Workshop on Measurements, Attacks, and Defenses for the Web (MADWeb ‘20), San Diego, CA, pp. 1–11 (2020b)

  50. Solano, J., Camacho, L., Correa, A., Deiro, C., Vargas, J., Ochoa, M.: Combining behavioral biometrics and session context analytics to enhance risk-based static authentication in web applications. Int. J. Inf. Secur. (2021). https://doi.org/10.1007/s10207-020-00510-x

    Article  Google Scholar 

  51. Stefan, D., Shu, X., Yao, D.: Robustness of keystroke-dynamics based biometrics against synthetic forgeries. Comput. Secur. 31, 109–121 (2012)

    Article  Google Scholar 

  52. Tan, Y.X.M., Iacovazzi, A., Homoliak, I., Elovici, Y., Binder, A.: Adversarial attacks on remote user authentication using behavioural mouse dynamics. In: 2019 International Joint Conference on Neural Networks (IJCNN), IEEE, pp. 1–10 (2019)

  53. Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I., Boneh, D., McDaniel, P.: Ensemble adversarial training: attacks and defenses. 6th International Conference on Learning Representations, ICLR 2018—Conference Track Proceedings (2017) arXiv:1705.07204

  54. Traore, I., Woungang, I., Obaidat, MS., Nakkabi, Y., Lai, I.: Combining mouse and keystroke dynamics biometrics for risk-based authentication in web environments. In: 2012 fourth international conference on digital home, IEEE, pp. 138–145 (2012)

  55. Wallace, E., Stern, M., Song, D.: Imitation attacks and defenses for black-box machine translation systems. In: Webber, B., Cohn, T., He, Y., Liu, Y. (eds.) Proceedings of the 2020 Conference on Empirical Methods in Natural Language Processing, EMNLP 2020, Online, November 16-20, 2020, Association for Computational Linguistics, pp. 5531–5546 (2020) https://doi.org/10.18653/v1/2020.emnlp-main.446,

  56. Weaver, A.C.: Biometric authentication. Computer 39(2), 96–97 (2006). https://doi.org/10.1109/MC.2006.47

    Article  Google Scholar 

  57. Zantedeschi, V., Nicolae, M.I., Rawat, A.: Efficient defenses against adversarial atacks. In: AISec 2017—Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security, co-located with CCS 2017, Association for Computing Machinery, Inc, New York, New York, USA, pp. 39–49 (2017) https://doi.org/10.1145/3128572.3140449

  58. Zheng, N., Paloski, A., Wang, H.: An efficient user verification system via mouse movements. In: Proceedings of the 18th ACM conference on Computer and communications security, pp. 139–150 (2011)

Download references

Author information

Authors and Affiliations

  1. Appgate Inc., Bogotá, Colombia

    Christian López, Jesús Solano, Esteban Rivera, Lizzy Tengana, Johana Florez-Lozano & Alejandra Castelblanco

  2. Department of Computer Science, ETH Zurich, Zurich, Switzerland

    Martín Ochoa

Authors
  1. Christian López
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Jesús Solano
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Esteban Rivera
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Lizzy Tengana
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Johana Florez-Lozano
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Alejandra Castelblanco
    View author publications

    You can also search for this author in PubMed Google Scholar

  7. Martín Ochoa
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Johana Florez-Lozano.

Ethics declarations

Conflict of interest

All authors worked for Appgate Inc. at the time of the execution of the project, but no specific funding was received for this work.

Ethical approval

This article does not contain any studies with human participants or animals performed by any of the authors.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

López, C., Solano, J., Rivera, E. et al. Adversarial attacks against mouse- and keyboard-based biometric authentication: black-box versus domain-specific techniques. Int. J. Inf. Secur. 22, 1665–1685 (2023). https://doi.org/10.1007/s10207-023-00711-0

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10207-023-00711-0

Keywords

Search

Navigation