
Online risk-based authentication using behavioral biometrics

Multimedia Tools and Applications

Abstract

In digital home networks, it is expected that independent smart devices communicate and cooperate with each other, without knowledge of the fundamental communication technology, on the basis of a distributed operating system paradigm. In such a context, securing the access rights to objects such as data, apparatus, and contents is still a challenge. This paper introduces a risk-based authentication technique based on behavioral biometrics as a solution approach to this challenge. Risk-based authentication is an increasingly popular component in the security architecture deployed by many organizations to mitigate online identity fraud. Risk-based authentication uses contextual and historical information extracted from online communications to build a risk profile for the user, which can then be used to make authentication and authorization decisions. Existing risk-based authentication systems rely on basic web communication information such as the source IP address or the velocity of transactions performed by a specific account or originating from a certain IP address. Such information can easily be spoofed, which puts in question the robustness and reliability of the proposed systems. In this paper, we propose a new online risk-based authentication system that provides more robust user identity information by combining mouse dynamics and keystroke dynamics biometrics in a multimodal framework. We propose a Bayesian network model for analyzing free keystrokes and free mouse movements involved in web sessions. Experimental evaluation of our proposed model with 24 participants yields an Equal Error Rate of 8.21%. This is very encouraging considering that we are dealing with free text and free mouse movements, and the fact that many web sessions tend to be very short.

Notes

  1. Weka is an open source data mining software developed by the University of Waikato. It provides various machine learning algorithms.

  2. In this work, we consider the most popular keyboard layout, which is the United States keyboard layout for Windows, Mac OS, and Linux.

References

  1. [Online] Available: http://www.admitonesecurity.com. AdmitOne Security Suite

  2. [Online] Available: http://www.rsa.com. RSA Adaptive Authentication System

  3. Ahmed AA, Traore I (2007) A new biometric technology based on mouse dynamics. IEEE Transactions on Dependable and Secure Computing 4(3):165–179


  4. Aksarı Y, Artuner H (2009) Active authentication by mouse movements. In Proc. of the IEEE 24th Intl. Symposium on Computer and Information Sciences (ISCIS’09), Metu, Northern Cyprus pp. 571–574

  5. Bergadano F, Gunetti D, Picardi C (2002) User authentication through keystroke dynamics. ACM Trans Inf Syst Secur 5(4):367–397


  6. Bouckaert RR (2004) Bayesian network classifiers in Weka. University of Waikato, http://weka.sourceforge.net/manuals/weka.bn.pdf

  7. Bours P, Fullu CJ (2009) A login system using mouse dynamics. In Proc. of the 5th Intl. Conference on Intelligent Information Hiding and Multimedia Signal Processing (IIH-MSP’09), Kyoto, Japan, Sept. 12–14

  8. Cheng P-C, Rohatgi P, Keser C, Karger P, Wagner GM, Reninger AS (2007) Fuzzy multi–level security: an experiment on quantified risk–adaptive access control. IBM Research Report RC24190

  9. Diep NN, Lee S, Lee Y-K, Lee HJ (2007) Contextual risk-based access control. Secur Manag, pp. 406–412

  10. Dimmock N, Bacon J, Ingram D, Moody K (2005) Risk models for trust–based access control. In Proc. of the 3rd Annual Conference on Trust Management (iTrust’05), Series LNCS, Vol. 3477, Springer, May, 426 pages

  11. Dowland P, Furnell S, Papadaki M (2002) Keystroke analysis as a method of advanced user authentication and response. In Proc. of the 17th Intl. Conference on Information Security: Visions and Perspectives (IFIP TC11), The Netherlands, May 07–09, pp. 215–226

  12. Dowland P, Singh H, Furnell S (2001) A preliminary investigation of user authentication using continuous keystroke analysis. In Proc. of the 8th IFIP Annual Working Conference on Information Security Management and Small System Security, Las Vegas, Nevada

  13. Enokido T, Takizawa M (2011) Purpose-based information flow control for cyber engineering. IEEE Trans Ind Electro 58(6):2216–2225


  14. Fayyad UM, Irani KB (1993) Multi-interval discretization of continuous-valued attributes for classification learning. In Proc. of the 13th Intl. Joint Conference on Artificial Intelligence, Chambery, France, Aug. 28 – Sept. 3

  15. Friedman N, Geiger D, Goldszmidt M (1997) Bayesian network classifiers. Mach Learn 29:131–163


  16. Gaine R, Lisowski W, Press SJ, and Shapiro N (1980) Authentication by keystroke timing: Some preliminary results. Rand Report No R-2526-NSF, Rand Corporation

  17. Gamboa H, Fred A (2003) An identity authentication system based on human computer interaction behaviour. In Proc. of the 3rd Intl. Workshop on Pattern Recognition in Information Systems, Angers, France, pp. 46–55

  18. Gunetti D, Picardi C (2005) Keystroke analysis of free text. ACM Trans Inf Syst Secur 8(3):312–347


  19. Jiang C-H, Shieh S, Liu J-C (2007) Keystroke statistical learning model for web authentication. In Proc. of the 2nd ACM Symposium on Information, Computer and Communications Security (ASIACCS’07), Singapore, Mar., pp. 359–361

  20. Kononenko I (1995) On biases in estimating multi-valued attributes. In Proc. of the 14th Intl. Joint Conference on Artificial Intelligence, Montreal, Quebec, Canada, Aug. 20–25

  21. Legget J, Williams G (1988) Dynamic identity verification via keystroke characteristics. International Journal on Man–machine Studies 35:859–870


  22. Lian S, Chen X, Wang J (2012) Content distribution and copyright authentication based on combined indexing and watermarking. Multimedia Tools Appl 57(1):49–66


  23. Monrose F, Rubin A (1997) Authentication via keystroke dynamics. In Proc. of the 4th ACM Conference on Computer and Communications Security, Zurich, Switzerland, April 01–04, pp. 48–56

  24. Obaidat MS, Macchairllo DT (1993) An on-line neural network system for computer access security. IEEE Trans Ind Electron 40(2):235–242


  25. Obaidat MS, Sadoun B (1997) Verification of computer users using keystroke dynamics. IEEE Transactions on Systems, Man, and Cybernetics, Part B 27(2):261–269


  26. Orozco M, Graydon M, Shirmohammadi S, El Saddik A (2012) Experiments in haptic-based authentication of humans, International Journal of Multimedia Tools and Applications - Springer Science + Business Media B.V. (To Appear)

  27. Pusara M, Brodley C (2004) User Re-authentication via mouse movement. In Proc. of the 11th ACM Workshop on Visualization and Data Mining for Computer Security (CCS’04), Oct. 25–29, Washington, DC, USA

  28. Revett K, Jahankhani H, De Magalhaes S, Santos H (2008) A survey of user authentication based on mouse dynamics, In Proc. of the 4th Intl. Conference on Global E-Security, London, UK, June 23–25, pp. 210–219

  29. Syukri A, Okamoto E, Mambo (1998) A user identification system using signature written with mouse. In Proc. of the Australasian Conference on Information Security and Privacy (ACISP ’98), Vol. 1438, Brisbane, Australia, pp. 403–414

  30. Traore I, Woungang I, Obaidat MS, Nakkabi Y, Lai I (2012) Combining mouse and keystroke dynamics biometrics for risk-based authentication in web environments. In Proc. of the 4th IEEE Intl. Conference on Digital Home (ICDH 2012), Guangzhou, China, pp. 138–145, Nov. 23–25

  31. Tubin G (2005) Emergence of risk-based authentication in online financial services: You Can’t Hide Your Lyin’ IP. Whitepaper #V43:15N, Tower Group, May

  32. Tuptuk N, Lupu E (2007) Risk based authorization for mobile Ad Hoc networks. In Proc. of the 1st Intl. Conference on Autonomous Infrastructure, Management and Security: Inter-Domain Management (AIMS 2007), LNCS 4543, Springer-Verlag, Berlin, Heidelberg, pp. 188–191

  33. Villani M, Tappert C, Giang N, Simone J, Fort H, St., Sung-Hyuk C (2006) Keystroke biometric recognition studies on long-text input under ideal and application-oriented conditions, In Proc. of the IEEE Conference on Computer Vision and Pattern Recognition Workshop (CVPRW’06), New York, USA, June 17–22, pp. 39


Author information

Corresponding author

Correspondence to Mohammad S. Obaidat.

Additional information

An abridged version of this work [30] has been published in the Proc. of the 4th International Conference on Digital Home (ICDH 2012), Guangzhou, China, pp. 138–145, Nov. 23–25, 2012.

Cite this article

Traore, I., Woungang, I., Obaidat, M.S. et al. Online risk-based authentication using behavioral biometrics. Multimed Tools Appl 71, 575–605 (2014). https://doi.org/10.1007/s11042-013-1518-5


  • DOI: https://doi.org/10.1007/s11042-013-1518-5
