
Design and implementation of Negative Authentication System

  • Regular Contribution
International Journal of Information Security

Abstract

Modern society depends heavily on online activities such as official or social communications, fund transfers and so on. Unauthorized system access is a greater concern than ever before in cyber systems. For any cyber system, robust authentication is an absolute necessity for ensuring security and reliable access to all types of transactions. However, more than 80% of the current authentication systems are password based, and surprisingly, they are prone to direct and indirect cracking via guessing or side channel attacks. The inspiration for the Negative Authentication System (NAS) is the negative selection algorithm. In NAS, the password-based authentication data for valid users are termed the password profile or self-region (positive profile); any element other than the self-region is defined as non-self-region in the same representative space. Anti-password detectors are generated that cover most of the non-self-region. Some uncovered regions are also left in the non-self-region to induce uncertainty for attackers. In this work, we describe the design and implementation of three approaches of NAS and its efficacy over the other authentication methods. These three approaches represent three different ways to achieve obfuscation of password points with non-password space. The experiments are conducted with both real and simulated password profiles to justify the efficiency of different implementations of NAS.
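The self-region, detector and uncovered-region idea from the abstract can be sketched as a first-layer filter. This is an added example, not code from the article or its authors. The 64 x 64 grid, the SHA-256 mapping of credentials to cells, the cell-shaped detectors, the 10% uncovered fraction and all names and sample credentials are assumptions made for the illustration.

```python
import hashlib
import random

GRID = 64                    # assumed size of the representative space (64 x 64 cells)
SALT = b"constructed-salt"   # constructed value

def to_cell(user, password):
    """Assumed mapping: hash a credential pair to one cell of the grid."""
    d = hashlib.sha256(SALT + user.encode() + b"\x00" + password.encode()).digest()
    return d[0] % GRID, d[1] % GRID

def build_detectors(self_cells, uncovered_fraction=0.10, seed=7):
    """Cover the non-self-region with detectors, leaving a fraction uncovered."""
    non_self = [(x, y) for x in range(GRID) for y in range(GRID)
                if (x, y) not in self_cells]
    random.Random(seed).shuffle(non_self)  # fixed seed only to make the demo repeatable
    n_uncovered = int(len(non_self) * uncovered_fraction)
    return set(non_self[n_uncovered:])

def negative_filter(detectors, user, password):
    """First layer: True means rejected, False means forwarded to positive auth."""
    return to_cell(user, password) in detectors

# Constructed password profile (self-region); not data from the paper.
PROFILE = {"alice": "correct horse", "bob": "tr0ub4dor&3", "carol": "s3cret!"}
SELF_CELLS = {to_cell(u, p) for u, p in PROFILE.items()}
DETECTORS = build_detectors(SELF_CELLS)

def ambiguous_cells(detectors):
    """Cells not covered by any detector: real self-points plus the
    deliberately uncovered cells, indistinguishable from the detector set alone."""
    return GRID * GRID - len(detectors)

def rejected_guesses(detectors, user, count):
    """Count constructed wrong guesses that the negative layer stops."""
    return sum(negative_filter(detectors, user, "guess%d" % i) for i in range(count))

if __name__ == "__main__":
    print("wrong guesses stopped at the negative layer:",
          rejected_guesses(DETECTORS, "alice", 1000), "of 1000")
    print("valid logins rejected:",
          sum(negative_filter(DETECTORS, u, p) for u, p in PROFILE.items()))
    print("self cells:", len(SELF_CELLS),
          "cells not covered by detectors:", ambiguous_cells(DETECTORS))
```

A guess that lands in an uncovered cell is only forwarded, not accepted; the positive authentication layer still has to verify it.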



Acknowledgements

This work was supported by IARPA Seedling program and Cooperative Agreement (Number N66001-12-C-2003) administered by the ONR SPAWAR Systems Center. Points of view and opinions on this paper are those of the author(s) and do not necessarily represent the position or policies of the USA. The authors are very thankful to the reviewers for their valuable feedback and thoughtful suggestions to improve the quality of the manuscript.

Author information

Corresponding author

Correspondence to Abhijit Kumar Nag.

Appendix

See Figs. 26, 27, 28, 29, 30, 31, 32 and 33.

Fig. 28

Pseudocode for deletion of existing self-points from the set of self-points in R-NAS and B-NAS

Fig. 29

Pseudocode for adding of existing self-points to the set of self-points in R-NAS and B-NAS

Fig. 30

Pseudocode for updating of existing self-points in R-NAS and B-NAS

Fig. 31

Pseudocode for detector generation algorithm in NAS using mod-based G-NAS model. The ‘convertToInteger’ function takes a string input consisting only of numbers and produces the integer value of the string

Fig. 32

Pseudocode for detector generation algorithm in NAS using two-layer-based G-NAS model. The ‘convertToInteger’ function takes a string input consisting only of numbers and produces the integer value of the string. The ‘concate’ function concatenates two strings into one single string

Fig. 33

Pseudocode for detector generation algorithm in negative detection using XOR-based G-NAS. The ‘convertToInteger’ function takes a string input consisting only of numbers and produces the integer value of the string. The ‘concate’ function concatenates two strings into one single string

About this article

Cite this article

Dasgupta, D., Nag, A.K., Ferebee, D. et al. Design and implementation of Negative Authentication System. Int. J. Inf. Secur. 18, 23–48 (2019). https://doi.org/10.1007/s10207-017-0395-8

  • DOI: https://doi.org/10.1007/s10207-017-0395-8
