Behavior-based user authentication on mobile devices in various usage contexts

Dmytro Progonov, Valentyna Cherniakova, Pavlo Kolesnichenko, Andriy Oliynyk
Security Team, Samsung R&D Institute Ukraine, 57, Lva Tolstogo Street, 01032, Kyiv, Ukraine

Abstract

Reliable and non-intrusive user identification and authentication on mobile devices, such as smartphones, are topical tasks today. The majority of state-of-the-art solutions in this domain are based on the “device unlock” scenario: checking the information (authentication factors) provided by the user to unlock a smartphone. Such factors may be either a single strong authentication factor, for example a password or PIN, or several “weaker” factors, such as tokens, biometrics, or geolocation data. However, these solutions require additional actions from the user, for example typing a password or taking a fingerprint, which may be inappropriate for on-the-fly authentication. In addition, biometric-based user authentication systems tend to be prone to presentation attacks (spoofing) and typically perform well in fixed positions only, such as standing still or sitting.

We propose BehaviorID, a passwordless (transparent), user-adaptive, context-dependent authentication method. The distinguishing feature of BehaviorID is its use of a new “device lock” scenario: the smartphone stays unlocked and can be quickly locked if a non-owner’s actions are detected. This is achieved by tracking the user’s behavior with embedded sensors after triggering events, such as actions in banking apps, e-mails, and social services. An advanced adaptive recurrent neural network (A-RNN) is used for accurate estimation of behavioral patterns and their adaptation to a new usage context. Thus, the proposed BehaviorID solution allows reliable user authentication in various usage contexts while preserving low battery consumption.

Performance evaluation of both state-of-the-art and proposed solutions in various usage contexts proved the effectiveness of BehaviorID in real situations. The proposed solution allows reducing error levels up to three times in comparison with modern Abuhamad’s solutions (Abuhamad et al., IEEE Internet Things J 7(6):5008–5020, 2020) (about 0.3% false acceptance rate (FAR) and 1.3% false rejection rate (FRR)) while preserving high robustness to spoofing attacks (2.5% spoof acceptance rate (SAR)). In addition, BehaviorID showed low drift of the error level in long-term usage, in contrast to modern solutions. This makes the proposed BehaviorID solution an attractive candidate for next-generation behavior-based user authentication systems on mobile devices.


References

M. Papadopouli, A. Arnes, J.A. Bombin, E. Boschi, S. Buchegger, R.B. Cortiñas, et al., Mobile identity management. IDM report. Eur. Netw. Inf. Secur. Agency. (2010). https://www.enisa.europa.eu/publications/Mobile20IDM. Accessed 24 June 2020

M.A. Ferrag, L. Maglaras, A. Derhab, H. Janicke, Authentication schemes for smart mobile devices: threat models, countermeasures, and open research issues. Telecommun. Syst. 73, 317–348 (2020)

Google. Lockscreen and authentication improvements in Android 11. (2020). https://android-developers.googleblog.com/2020/09/lockscreen-and-authentication.html. Accessed 23 May 2022

C. Wu, K. He, J. Chen, Z. Zhao, R. Du, Liveness is not enough: enhancing fingerprint authentication with behavioral biometrics to defeat puppet attacks. in 29th USENIX Security Symposium (USENIX Security 20) (2020), p. 2219–2236. https://www.usenix.org/conference/usenixsecurity20/presentation/wu. Accessed 12 July 2021

C. Burt, U.S. DISA develops prototype multi-biometric smartphone for “assured identity”. (2019). https://www.biometricupdate.com/201908/u-s-disa-develops-prototype-multi-biometric-smartphone-for-assured-identity. Accessed 23 May 2022

M. Ehatisham-ul Haq, M.A. Azam, J. Loo, K. Shuang, S. Islam, U. Naeem, et al., Authentication of smartphone users based on activity recognition and mobile sensing. Sensors. 17(9), (2017). https://www.mdpi.com/1424-8220/17/9/2043. Accessed 12 July 2021

A. Alzubaidi, J. Kalita, Authentication of smartphone users using behavioral biometrics. IEEE Commun. Surv. Tutor. 18(3), 1998–2026 (2016)

O. Riva, C. Qin, K. Strauss, D. Lymberopoulos, Progressive authentication: deciding when to authenticate on mobile phones. in 21st USENIX Security Symposium (USENIX Security 12) (Bellevue, 2012), p. 301–316. https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/riva. Accessed 12 July 2021

M. Abuhamad, T. Abuhmed, D. Mohaisen, D. Nyang, AUToSen: deep-learning-based implicit continuous authentication using smartphone sensors. IEEE Internet Things J. 7(6), 5008–5020 (2020)

A. Cser, M. Merritt, The future of identity and access management. FORRESTER Inc. (2019). https://www.forrester.com/report/The+Future+Of+Identity+And+Access+Management/-/E-RES136522. Accessed 24 Jun 2020

RSA SecurID Suite. https://www.rsa.com/en-us/products/rsa-securid-suite. Accessed 24 Jun 2020

NuData Security. https://nudatasecurity.com/. Accessed 24 Jun 2020

Apple Inc. Touch ID and Face ID technologies description. https://support.apple.com/en-us/HT208108. Accessed 24 Jun 2020

SecureAuth Identity Platform. https://www.secureauth.com/products/identity-platform. Accessed 24 Jun 2020

Amazon GuardDuty: protect your AWS accounts with intelligent threat detection. https://aws.amazon.com/guardduty/?nc1=h_ls. Accessed 23 May 2022

TwoSense.AI: continuous multifactor authentication. https://www.twosense.ai/. Accessed 23 May 2022

Biometric signature ID. https://biosig-id.com/. Accessed 23 May 2022

OneSpan: do more business with better security & simplified customer experiences. https://www.onespan.com/. Accessed 23 May 2022

Zighra: insights and resources. https://zighra.com/. Accessed 23 May 2022

Context-aware identity management framework. Alliance Telecommun. Ind. Solutions. (2018). https://access.atis.org/apps/group_public/download.php/43565/ATIS-I-0000070.pdf. Accessed 24 Jun 2020

Ping identity announces the acquisition of SecuredTouch to accelerate identity fraud capabilities. https://www.pingidentity.com/en/company/ping-newsroom/press-releases/2021/securedtouch.html. Accessed 23 May 2022

E. Koster, Why Samsung NEXT and HYPR believe the future will be passwordless. https://news.samsung.com/us/samsung-next-hypr-believe-future-will-passwordless/. Accessed 23 May 2022

H.G. Kayacik, et al., Data driven authentication: on the effectiveness of user behaviour modelling with mobile device sensors. Cornell University preprint repository. (2014). arXiv:1410.7743

M.A. Alqarni, S.H. Chauhdary, M.N. Malik, et al., Identifying smartphone users based on how they interact with their phones. Hum. Cent. Comput. Inf. Sci. 10(7), (2020). https://doi.org/10.1186/s13673-020-0212-7

S. Salvador, P. Chan, Toward accurate dynamic time warping in linear time and space. Intell. Data Anal. 11(5), 561–580 (2007)

K. Zhao, Y. Li, C. Zhang, C. Yang, H. Xu, Adaptive recurrent neural network based on mixture layer. (2018). arXiv e-prints. http://arxiv.org/abs/1801.08094

I. Goodfellow, Y. Bengio, A. Courville, Deep learning (The MIT Press, Cambridge, 2016)

W.H. Lee, X. Liu, Y. Shen, H. Jin, R.B. Lee, Secure pick up: implicit authentication when you start using the smartphone. (2017). arXiv e-prints. http://arxiv.org/abs/1708.09366

K. Murao, H. Tobise, T. Terada, T. Iso, M. Tsukamoto, T. Horikoshi, Mobile phone user authentication with grip gestures using pressure sensors. Int. J. Pervasive Comput. Commun. 11(3), 288–301 (2015)

S.J. Alghamdi, L.A. Elrefaei, Dynamic authentication of smartphone users based on touchscreen gestures. Arab. J. Sci. Eng. 43, 789–810 (2018)

M. Gholamrezaii, S.M. Taghi Almodarresi, Human activity recognition using 2D convolutional neural networks. in 2019 27th Iranian Conference on Electrical Engineering (ICEE) (2019), p. 1682–1686. https://doi.org/10.1109/IranianCEE.2019.8786578

D. Garcia-Gonzalez, D. Rivero, E. Fernandez-Blanco, M.R. Luaces, A public domain dataset for human activity recognition using smartphones. Sensors. 20(8), (2020)

A. Logacjov, K. Bach, A. Kongsvold, H.B. Bårdstu, P.J. Mork, HARTH: a human activity recognition dataset for machine learning. Sensors (Basel). 21(23), (2021)

N. Sikder, A.A. Nahid, KU-HAR: an open dataset for heterogeneous human activity recognition. Pattern Recognit. Lett. 146, 46–54 (2021)

Y. Vaizman, K. Ellis, G. Lanckriet, Recognizing detailed human context in the wild from smartphones and smartwatches. IEEE Pervasive Comput. 16(4), 62–74 (2017)

M. Malekzadeh, R.G. Clegg, A. Cavallaro, H. Haddadi, Mobile sensor data anonymization. in Proceedings of the International Conference on Internet of Things Design and Implementation. IoTDI ’19. (ACM, New York, 2019), p. 49–58

Y. Mirsky, A. Shabtai, L. Rokach, B. Shapira, Y. Elovici, Sherlock vs Moriarty: a smartphone dataset for cybersecurity research. in Proc. ACM Workshop Artif. Intell. Secur. (2016), p. 1–12. https://doi.org/10.1145/2996758.2996764

Z. Sitová, J. Šeděnka, Q. Yang, G. Peng, G. Zhou, P. Gasti et al., HMOG: new behavioral biometric features for continuous authentication of smartphone users. IEEE Trans. Inf. Forensic. Secur. 11(5), 877–892 (2016)

U. Mahbub, S. Sarkar, V.M. Patel, R. Chellappa, Active user authentication for smartphones: a challenge data set and benchmark results. in 2016 IEEE 8th International Conference on Biometrics Theory, Applications and Systems (BTAS) (2016), p. 1–8. https://doi.org/10.1109/BTAS.2016.7791155

A.K. Belman, L. Wang, S.S. Iyengar, P. Sniatala, R. Wright, R. Dora, et al., Insights from BB-MAS – a large dataset for typing, gait and swipes of the same person on desktop, tablet and phone. (2019), arXiv e-prints. http://arxiv.org/abs/1912.02736

D. Reichinger, E. Sonnleitner, M. Kurz, Continuous mobile user authentication using combined biometric traits. Appl. Sci. 11(24), (2021)

Z. Shen, S. Li, X. Zhao, J. Zou, MMAuth: a continuous authentication framework on smartphones using multiple modalities. IEEE Trans. Inf. Forensic. Secur. 17, 1450–1465 (2022)

G. Rowe, N. Nikols, D. Simmons, The future of identity management (2018-2023). TechVision Res. (2018). https://techvisionresearch.com/wp-content/uploads/2018/01/The-Future-of-Identity-Management-2018-final.pdf. Accessed 24 Jun 2020