Web Security Summer Term 2008

Nov 2, 2013

IIG University of Freiburg
Web Security Summer Term 2008
Keystroke Behavioural Biometrics
Dr. E. Benoist
Summer Term 2008
Web Security Summer Term 2008 12 Keystroke Behavioural Biometrics on the Web
1
Table of Contents
1 Behavioral Biometrics of Web Users
2 Biometrics
3 Creating a Profile
4 Verification and Identification
5 Web Profiling
6 Results
7 Details of the implementation
8 Possible Attacks
9 Conclusion
Behavioral Biometrics of Web Users

How do you Surf: speed at which you swap pages

How do you Click: how do you click on images (place and pace)

How do you move your Mouse: mouse movement tracking

How do you type text: keystroke biometrics
Biometrics

Two Phases:

Enrollment (Create a User’s Profile)
Store a profile for each person

Store an extract of the fingerprint

Store data extracted from the Iris

Store data extracted from the keystrokes of Web users
We produce a Template

Identification: the system gets the biometrics of a person and searches for a match:

Test whether the person using his/her computer can be the one he/she pretends to be (one to one)

Find in a database whether the person is already known (one to many)
Biometrics (Cont.)

Systems used to find matches

Distance between patterns
for instance Hamming distance in iris recognition

Patterns are iris scans that have been transformed using different image manipulation tools (interpolation, wavelets)

The observer determines the distance between a measured pattern (i.e. image) and a pre-stored pattern.

The pattern is composed of pixels. Distance is 0 if pixels are equal and 1 if pixels are different.

If the sum of all differing pixels is smaller than a given threshold, the person is recognized.

Neural Networks
for instance pattern recognition

A neural network is used to test a match for persons

The pattern is the network

When new data arrives, it is passed to the network, which answers “Match” or “No Match”.
FAR and FRR
Efficiency of a system is measured with two values

Two Important Errors

False Positives: persons are accepted even though they should not be

False Negatives: persons are rejected even though they were legitimate

False Acceptance Rate - FAR

The number of false positives relative to the number of tests

This number should remain small for security reasons

FAR is security-sensitive

False Rejection Rate - FRR

The number of false negatives relative to the number of tests

This should remain small for the convenience of users

FRR is less security-sensitive, but very problematic for users
False Acceptance Rate

FAR is higher when the threshold (for distance) gets bigger
False Rejection Rate

FRR is reduced when the threshold (for distance) is higher
Equal Error Rate

FRR and FAR are functions of the threshold. They do not have ONE value

We can use the Equal Error Rate (the rate at which FAR and FRR are equal) to describe a system
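As an added worked example (not part of the lecture slides), the JavaScript below computes FAR and FRR as functions of the distance threshold and locates the Equal Error Rate. The genuine and impostor distance lists are constructed for illustration, not measured data; a sample is accepted when its distance to the profile is at most the threshold. It shows in code what the three slides state: raising the threshold raises FAR and lowers FRR, and the EER is the crossing point of the two curves.

```javascript
// Added example (not from the lecture slides): FAR and FRR as functions of the
// decision threshold, and the Equal Error Rate where the two curves cross.
// Scores are distances to a profile; a sample is accepted when distance <= t.
// Both score lists are constructed for illustration, not measured data.
const GENUINE_DISTANCES = [0.4, 0.6, 0.7, 0.9, 1.1, 1.3, 1.6, 2.2];  // the enrolled user
const IMPOSTOR_DISTANCES = [1.0, 1.4, 1.8, 2.0, 2.5, 2.9, 3.4, 4.0]; // other people

// FAR(t): share of impostor attempts accepted (false positives) at threshold t.
function far(impostor, t) {
  return impostor.filter((d) => d <= t).length / impostor.length;
}

// FRR(t): share of genuine attempts rejected (false negatives) at threshold t.
function frr(genuine, t) {
  return genuine.filter((d) => d > t).length / genuine.length;
}

// One row per candidate threshold (every observed distance), so the reader
// can watch FAR rise and FRR fall as the threshold grows.
function errorCurve(genuine, impostor) {
  const thresholds = [...new Set([...genuine, ...impostor])].sort((a, b) => a - b);
  return thresholds.map((t) => ({ threshold: t, far: far(impostor, t), frr: frr(genuine, t) }));
}

// EER: the point of the curve where |FAR - FRR| is smallest. With a finite
// sample the two rates rarely coincide exactly, so their mean is reported.
function equalErrorRate(genuine, impostor) {
  const rows = errorCurve(genuine, impostor);
  let best = rows[0];
  for (const row of rows) {
    if (Math.abs(row.far - row.frr) < Math.abs(best.far - best.frr)) best = row;
  }
  return { ...best, eer: (best.far + best.frr) / 2 };
}

// Stand-alone run: print the curve and the operating point.
for (const row of errorCurve(GENUINE_DISTANCES, IMPOSTOR_DISTANCES)) {
  console.log(`t=${row.threshold.toFixed(1)}  FAR=${row.far.toFixed(3)}  FRR=${row.frr.toFixed(3)}`);
}
console.log(equalErrorRate(GENUINE_DISTANCES, IMPOSTOR_DISTANCES));
```

With these constructed scores the curves cross at a threshold of 1.4, where both rates are 25%; a deployment that needs a lower FAR moves the threshold down and pays for it with a higher FRR.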
Keystroke Biometrics

Principles

Keystroke belongs to behavioural biometrics

Each person can be characterized by the pace of his/her keystrokes

Can be tested using a browser

How does it work

Catch keyboard events: key-down and key-up

Measure the time a key is pressed (between key-down and key-up)

Measure the time for a combination

Measure the interval between two letters

Measure the time for keyboard combinations (Shift I or AltGr ] for instance)
Creating a template

Suppose the user types “fidis” at the keyboard.
The system gets the following inputs (we start measuring when the first key is pressed):

F down at time t=0

F up at time t=100

I down at time t=125

D down at time t=230

I up at time t=235

D up at time t=300

I down at time t=400

S down at time t=475

I up at time t=510

S up at time t=530

Duration (Interval between key-down and key-up)
F=100 I=105 D=70 I=110 S=55

Interval between letters
F-I=25 I-D=-5 D-I=100 I-S=75
From the template to the profile

We repeat the same operation many times (for instance 15 times)

F=110 I=109 D=75 I=108 S=50
F-I=20 I-D=3 D-I=110 I-S=73

F=120 I=106 D=60 I=110 S=35
F-I=25 I-D=-12 D-I=95 I-S=114

F=112 I=103 D=60 I=110 S=75
F-I=25 I-D=5 D-I=100 I-S=105

...

A Profile aggregates all the results

F=110±10 I=106±3 D=63±5 I=110±1 S=55±20
F-I=25±3 I-D=-5±10 D-I=100±10 I-S=95±20

Such a profile is computed for each user
Matching?
When the system wants to identify a user

Get a new sample (template) for the tested user
F=130 I=116 D=65 I=130 S=35
F-I=25 I-D=-12 D-I=95 I-S=114

The system computes a distance between this sample and one (or all) of the profiles.

If the distance is smaller than a given threshold, the person is identified.
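The three preceding slides (template, profile, matching) carried through as one added JavaScript example; this is not the lecture's own code. Durations and intervals are derived strictly from the event timestamps (duration = key-up minus key-down; interval = next key-down minus previous key-up, negative when the keys overlap), so the template for the “fidis” events is whatever those times imply rather than the hand-computed figures on the slide. The enrollment rows and the test sample are the ones printed on the slides. The distance divides each feature's deviation by the profile's standard deviation, which is one of the matching options the lecture lists; the threshold, the 1 ms floor on the standard deviation and the use of the population standard deviation are assumptions of the example.

```javascript
// Added example (not from the lecture slides): build a keystroke template from
// raw key-down / key-up events, aggregate several templates into a profile
// (mean and standard deviation per feature), and score a new sample against
// the profile with a distance that takes the standard deviation into account.
// Times are milliseconds; the event list is the "fidis" sample from the slides.
const FIDIS_EVENTS = [
  { key: "F", type: "down", t: 0 },   { key: "F", type: "up", t: 100 },
  { key: "I", type: "down", t: 125 }, { key: "D", type: "down", t: 230 },
  { key: "I", type: "up", t: 235 },   { key: "D", type: "up", t: 300 },
  { key: "I", type: "down", t: 400 }, { key: "S", type: "down", t: 475 },
  { key: "I", type: "up", t: 510 },   { key: "S", type: "up", t: 530 },
];

// Template: per-key durations (up - down) in key-down order, and the interval
// between consecutive keys (next key-down minus previous key-up). The interval
// is negative when the next key is pressed before the previous one is released.
function buildTemplate(events) {
  const presses = [];      // one entry per key-down, in order
  const open = new Map();  // key -> index of its not-yet-released press
  for (const ev of events) {
    if (ev.type === "down") {
      if (open.has(ev.key)) throw new Error(`key ${ev.key} pressed twice without release`);
      open.set(ev.key, presses.push({ key: ev.key, down: ev.t, up: null }) - 1);
    } else if (ev.type === "up") {
      if (!open.has(ev.key)) throw new Error(`key-up without key-down: ${ev.key}`);
      presses[open.get(ev.key)].up = ev.t;
      open.delete(ev.key);
    } else {
      throw new Error(`unknown event type: ${ev.type}`);
    }
  }
  if (open.size > 0) throw new Error("sample ends with a key still held down");
  const durations = presses.map((p) => p.up - p.down);
  const intervals = presses.slice(1).map((p, i) => p.down - presses[i].up);
  return { keys: presses.map((p) => p.key), durations, intervals };
}

// Feature vector: durations followed by intervals, as on the profile slide.
function features(template) {
  return template.durations.concat(template.intervals);
}

// Profile: per-feature mean and (population) standard deviation over all
// enrollment templates of one user; this is the "value ± spread" of the slide.
function buildProfile(templates) {
  const rows = templates.map(features);
  const n = rows.length;
  if (n === 0) throw new Error("no enrollment templates");
  const len = rows[0].length;
  if (rows.some((r) => r.length !== len)) throw new Error("templates differ in length");
  const mean = Array.from({ length: len }, (_, i) => rows.reduce((s, r) => s + r[i], 0) / n);
  const std = mean.map((m, i) => Math.sqrt(rows.reduce((s, r) => s + (r[i] - m) ** 2, 0) / n));
  return { mean, std };
}

// Distance: mean absolute deviation from the profile, each feature divided by
// its own standard deviation (floored at minStd ms so a constant feature
// cannot cause a division by zero). Assumed metric, not the lecture's.
function distance(profile, template, minStd = 1) {
  const x = features(template);
  if (x.length !== profile.mean.length) throw new Error("sample does not fit the profile");
  const total = x.reduce(
    (s, v, i) => s + Math.abs(v - profile.mean[i]) / Math.max(profile.std[i], minStd), 0);
  return total / x.length;
}

// Verification: the user is accepted when the distance stays under the threshold.
function matches(profile, template, threshold) {
  return distance(profile, template) <= threshold;
}

// Enrollment rows from the "from the template to the profile" slide and the
// sample from the "Matching?" slide, already in duration/interval form.
const ENROLLMENT = [
  { durations: [110, 109, 75, 108, 50], intervals: [20, 3, 110, 73] },
  { durations: [120, 106, 60, 110, 35], intervals: [25, -12, 95, 114] },
  { durations: [112, 103, 60, 110, 75], intervals: [25, 5, 100, 105] },
];
const TEST_SAMPLE = { durations: [130, 116, 65, 130, 35], intervals: [25, -12, 95, 114] };

// Stand-alone run: template from raw events, profile from enrollment, one match.
console.log(buildTemplate(FIDIS_EVENTS));
const profile = buildProfile(ENROLLMENT);
console.log(profile, distance(profile, TEST_SAMPLE), matches(profile, TEST_SAMPLE, 1));
```

Normalizing by the standard deviation means a feature the user reproduces very consistently (here the second “I” duration, spread about 1 ms) weighs far more than a noisy one such as the final “S”; with only three enrollment rows the estimate of that spread is fragile, which is one reason the lecture enrols users with 15 repetitions.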
One principle, different techniques

Templates can be created using various types of text

Username+password (always the same short text, from 20 to 30 chars)

Pass-phrase (same text)

Free text (while writing a mail for instance)

Text dictation (long unknown text)

Different algorithms for creating templates

Duration, interval

Duration of combinations of letters (bigrams, trigrams)

Restricted to some bigrams or trigrams

Different ways to find matches

Difference from the reference time

Distance from the reference time taking the standard deviation into account

...
Possible Use

Authentication at login
Two-factor authentication at login (password and keystroke)

Remote resetting of a password
Resetting the passwords of users who have lost their access is a boring (and nevertheless useful) activity of all help desks. This can be improved using behavioural biometrics on the Web.

Intrusion detection
Send a signal when a user behaves in a way that is not “normal”.
It is adapted for web profiling

Data can be acquired remotely

Using a Java Applet
The program is written in Java, inserted inside a Web page and run by the Java Virtual Machine.
The user types in a field contained in the applet, and the applet sends the data to the server.

Using a Flash Animation
The program is written in Flash (or Flex) and is executed inside a plug-in; the information is sent directly by the plug-in to the server.

The user is in a separate application
Data typed in the normal forms cannot be used for biometrics.
It is adapted for web profiling (Cont.)

Something new: AJAX (Asynchronous JavaScript and XML)

A program is written in JavaScript,

Transferred within a page (the user does not see anything)

Can read any field on the page

Transfer can be done without the knowledge of the user

Very useful for monitoring users

No awareness of the user

Can be inserted in a server for mails or blogs or comments, ...
Known Problems/Bias

Keyboards
Keystroke is influenced by the keyboard used (desktop, laptop, ergonomic keyboard, language of the keyboard, ...)

Repetition
If a user always types the same phrase (pass-phrase or username/password) he “learns” the phrase.

Language
The speed of typing a text depends on the language used. I would have problems typing a text in Dutch.
Accented characters are especially problematic (not always accessed with the same combination of keys).

Misspelling
When typing a long unknown text a user makes mistakes; the way he/she corrects the text influences the result.
Results

Verification with “username password”

Enrollment: type the same two strings 15 times

www.biopassword.com

EER of 3%

Identification using random text

The user has to choose a language

Enrollment: 5 texts of 100 chars (randomly chosen from a database)

http://wb.chillzone.ch

EER of 10%
Details of the implementation

Recognition works with or without the knowledge (and consent) of the user

Keystrokes can be monitored in any case

Regularity can only be seen on the same text or on long texts

Gathering of data must be done client side

JavaScript captures events: key-down/key-up

There is no way to get the events on the server side

Transfer of data from the client to the server

Raw data must be generated on the client (key-up and key-down events)

Raw data can be manipulated client-side: for spoofing or for anonymizing the data.

Anonymizing: randomize the intervals

Spoofing: replay (repeat) attack, for instance
Details of the implementation (Cont.)
Matching?

Using Neural Networks:

Each user receives a neural network

It is trained to recognize the user and not to recognize the others

Other possibility:

The system has only one big neural network with as many outputs as users

The system is trained on all the users

Using Distances

Each user has a “profile”

When new data is provided (for recognizing a user), it is compared with the existing data

The distance (Hamming or any other metric) is computed between the profiles and the new data.

If the distance remains under a given threshold, the system recognizes the user.
Possible Attacks

Man in the Middle

If data is sent unencrypted,

Raw data can be intercepted

And used to spoof the system

Key Logger

Can be installed on the client

Can monitor all the keystrokes of the users

Traces left without consent

The user just visits any site

Types any text

=> A profile has been generated
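The AJAX slide, the client-side gathering and transfer slides, and the man-in-the-middle and replay points above, brought together in one added JavaScript example that is not the lecture's own code: a browser-side recorder for key-down/key-up timings, the payload an asynchronous request sends to the server, and a server-side acceptance check that refuses samples arriving over plain HTTP and exact replays of a sample already accepted. The endpoint path `/biometrics/sample`, the `request.protocol` field and the fingerprint scheme are assumptions of the example; the sample events fed in at the end are constructed.

```javascript
// Added example (not from the lecture slides): client-side capture of key-down
// and key-up timings, the JSON payload an AJAX call sends to the server, and
// two server-side checks motivated by the attack slides: refuse samples that
// did not arrive over an encrypted connection, and refuse an exact replay of
// a sample already seen. Endpoint path and request fields are assumptions.

// Recorder: stores raw events with times relative to the first key-down, as
// the template slide does. The logic takes plain values so it runs without a
// DOM; attach() wires it to a real input field in a page.
function createRecorder() {
  const events = [];
  let t0 = null;
  const rec = {
    onEvent(type, key, timeStamp) {
      if (type !== "keydown" && type !== "keyup") return;
      if (t0 === null) {
        if (type !== "keydown") return;  // a key-up before any key-down carries no timing
        t0 = timeStamp;
      }
      events.push({ key, type, t: Math.round(timeStamp - t0) });
    },
    attach(field) {  // field: an <input> or <textarea> element
      for (const type of ["keydown", "keyup"]) {
        field.addEventListener(type, (ev) => rec.onEvent(type, ev.key, ev.timeStamp));
      }
    },
    payload(userId) {
      return { userId, events: events.slice() };
    },
  };
  return rec;
}

// Client side: the asynchronous transfer the AJAX slide describes. The page
// must itself be served over HTTPS for this request to be encrypted.
async function sendSample(recorder, userId, endpoint = "/biometrics/sample") {
  return fetch(endpoint, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(recorder.payload(userId)),
  });
}

// Server side: a canonical string of the raw timings identifies a sample. Two
// genuine typings of the same text never agree on every millisecond, so an
// identical resubmission is treated as a replayed capture. (A real service
// would hash this string before storing it.)
function sampleFingerprint(payload) {
  return payload.events.map((e) => `${e.key}:${e.type}:${e.t}`).join("|");
}

// request.protocol stands in for whatever the server framework exposes about
// the connection; seen is the set of fingerprints already accepted for this user.
function acceptSample(payload, request, seen) {
  if (request.protocol !== "https") return { ok: false, reason: "unencrypted transport" };
  if (!Array.isArray(payload.events) || payload.events.length < 2) {
    return { ok: false, reason: "sample too short" };
  }
  if (payload.events.some((e) => !Number.isInteger(e.t) || e.t < 0)) {
    return { ok: false, reason: "malformed timing" };
  }
  const fp = sampleFingerprint(payload);
  if (seen.has(fp)) return { ok: false, reason: "replayed sample" };
  seen.add(fp);
  return { ok: true, fingerprint: fp };
}

// Stand-alone run with constructed events (timeStamp values as a browser
// would deliver them, in fractional milliseconds since page load).
const demo = createRecorder();
demo.onEvent("keydown", "f", 1000.2);
demo.onEvent("keyup", "f", 1100.4);
const seenDemo = new Set();
console.log(acceptSample(demo.payload("alice"), { protocol: "https" }, seenDemo));
console.log(acceptSample(demo.payload("alice"), { protocol: "https" }, seenDemo));
```

Only `attach()` and `sendSample()` need a browser; the recorder and the server-side check run anywhere. The replay check stops the simplest form of the spoofing the slides mention, a byte-for-byte resubmission of captured raw data, but not a sample replayed with small perturbations, which is why the lecture concludes that client-generated timings cannot be fully trusted.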
Conclusion (Behavioural Biometrics)

Behavioural biometrics on the web are efficient

We have a small EER (between 3% and 10%)

Can be used with or without the knowledge of the user

Used for verification (as a second factor alongside the password)

Or used for password recovery

Not satisfactory from the point of view of security

Easy to spoof

Lots of bias

A person may fail to be recognized

Whereas his data could be stolen.
Conclusion (Web Security)

Network Security

Has acquired maturity

Lots of protocols are secure

Application Security

Has just started to be a topic in universities

Is a developing field

Web Security

from the architecture design

to the marketing

via programming

Most unpredictable part in the system: the USER

Misconfiguration

No awareness of the security problems

No teaching of security measures