Content uploaded by Jagadamaba Guru
Author content
All content in this area was uploaded by Jagadamaba Guru on Dec 17, 2020
Content may be subject to copyright.
A Secured Authentication System Using
an Effective Keystroke Dynamics
G. Jagadamba, S. P. Sharmila and Thejas Gouda
Abstract In the field of computer security, the most promising area is securing
data while allowing easy access to authorized users. Biometric techniques like
face recognition, voice recognition and digital signatures provide good
authentication security. Keystroke dynamics is defined as a low-cost, strong
behavioral biometric-based authentication system, based on consistent typing
rhythm patterns at a keyboard terminal, which are unique to each individual.
This paper presents an effective, efficient and robust user authentication
system. The system is based on an effective Adaptive Learning Classification
(ALC) algorithm, in which a self-threshold for each user is decided based on
user input. Training and testing data led to an average false reject rate of
10.00 % and an average false accept rate of 0.0025 %.
Keywords Biometrics · Keystroke dynamics · Rejection rate · Acceptance rate
G. Jagadamba (✉) · T. Gouda
Department of Information Science and Engineering, Siddaganga Institute of Technology,
Tumkur-03, India
e-mail: jagadambasu@gmail.com
T. Gouda
e-mail: thejas777777@gmail.com
S. P. Sharmila
Department of Computer Science and Engineering, Siddaganga Institute of Technology,
Tumkur-03, India
e-mail: sharmila.h.shukthij@gmail.com
V. Sridhar et al. (eds.), Emerging Research in Electronics, Computer Science
and Technology, Lecture Notes in Electrical Engineering 248,
DOI: 10.1007/978-81-322-1157-0_46, © Springer India 2014
1 Introduction
The increasing use of automated information systems together with our pervasive
use of computers has greatly simplified our lives, while making us immensely
dependent on computers and digital networks. For any information system to serve
its purpose, information should be protected from unauthorized access, disclosure,
disruption, modification, perusal, inspection, recording or destruction. Information
security includes five security characteristics [1], namely confidentiality,
integrity, availability, authenticity and accountability, which can be mutually
exclusive.
"User authentication is an assurance that communicating entity is the one
claimed." User authentication is the basis for most types of access control and for
user accountability. It can be categorized into three classes [2–5], namely:
Knowledge based: such as a password or secret information.
Object or possession based: such as a smart card, passport or driver’s license.
Biometric based: such as fingerprint, iris and voice.
Biometric user authentication technologies measure physiological or behavioral
characteristics [6]. A behavioral biometric recognition system can run in two
different modes: identification and verification. Here, automated approaches
are defined to establish an identity for each user (human or process). The
verification process performs the data capture, the feature extraction and the
comparison with the biometric model. Two commonly used standards in biometrics
according to [1] are the False Rejection Rate (FRR) and the False Acceptance
Rate (FAR), and these should be as low as possible for any good biometric
system. Keystroke rhythm, the art of recognizing an individual based on typing
patterns, is a natural choice for computer security. It includes several
different measurements, like the latency between consecutive keystrokes, the
duration of the keystroke and the hold-time [6], which can be detected when the
user presses keys on the keyboard. In this paper, we propose an efficient
safeguard system that authenticates a user for access to computers by
recognizing certain unique and habitual patterns in the user’s typing rhythm.
The rest of the paper is organized as follows: Sect. 2 highlights related work,
Sect. 3 focuses on keystroke latency metrics and the implementation of the user
authentication system, Sect. 4 includes testing results, and Sect. 5 concludes
the proposed work.
2 Related Work
The keystroke rhythms of the user are measured to develop a unique biometric
template of the user’s typing pattern for future authentication. Raw measurements
available from each keyboard can be recorded to determine dwell time (the time a
key is pressed) or flight time (the time between key down and the next key down
and the time between key up and the next key up). After recording, the data are
processed through the algorithm, which yields the primary pattern for future
comparison and analysis.
Different methodologies have been adopted depending upon dwell time and
flight time. A summary of existing methodologies with remarks, collected
from [2, 6–10], is listed in Table 1.
3 User Authentication Using Keystroke Dynamics
In this model, we adopt a static keystroke authentication methodology, which is
well suited to authenticating an individual by asking the user to type his own
password. Before the user logs in to his computer session, his typing rhythm is
verified against the prototype stored in the server database. Changing the
password requires enrolling again, because the methods are not able to work
with a different password. When we build a model, we take the latencies between
adjacent keystrokes among several samples of a user stored in the database and
then compute a vector of means and standard deviations for the latencies
between each pair of keystrokes using an adaptive learning classification (ALC)
algorithm. The vector of means and standard deviations then represents the
user’s profile and is used to classify users as authenticator or intruder.
Table 1 Different keystroke methodologies used for training and testing

| Sl. No | Methodology | Remarks |
|--------|-------------|---------|
| 1 | Hold key timings | Total time periods and pressure were measured using Euclidean distance measure between two vectors of typed characters, stored as template |
| 2 | Ant colony optimization technique | Mean and standard deviation was used to extract the features from the keystroke duration, latency and digraph |
| 3 | Keystroke timings | Successive keystrokes were recorded and used for authentication and result with FAR 4 % for seven users |
| 4 | Standard and measure | The mean, standard deviation of keystroke latencies and digraph between reference profile and test data are compared. A result of 17 % FAR and 30 % FRR was obtained |
| 5 | Pattern recognition and neural network | Fuzzy ARTMAP, RBFN and LVQ neural network paradigms were used. BPSTF, potential function and Bayes’ rule algorithms gave moderate performance |
| 6 | Bio password | This technique is fast, accurate, transparent and scalable |
| 7 | Parallel decision trees (DTs) on keystroke patterns | By this method the average false reject rate was 9.62 % and the average false accept rate was 0.88 % |
| 8 | Telling hUman and bot apart (TUBA) | Monitoring user’s keystroke-dynamics patterns and identifying intruders. The bot-generated keystroke sequences are detected with high true positive rates 93 %. |
| 9 | Virtual key force | This method improves the accuracy by 90.4 % and reduces the training and testing time within 0.025 s |
3.1 Keystroke Latency Metrics
In our approach, we monitor all the key events that the user types, which
include alphanumeric keys as well as shift, backspace and caps lock. Typing one
key triggers a pair of key events, press and release, which together we call a
keystroke. The Press-Release latencies and Release-Press latencies are each
grouped in three different ways: bigram, trigram and word-gram. A key event can
be a bigram event, a trigram event or a word-gram event [2]. For our proposed
system, we considered the word-gram and bigram events.
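The latency extraction described above can be sketched as follows; this is an added example, not the authors' code. It assumes events arrive as (time in ms, key, "down"/"up") tuples, reads Press-Release latency as the hold time of one key and Release-Press latency as the gap to the next key, takes the word-gram as first press to last press, and drops Shift, Backspace and CapsLock events; the sample events are constructed.

```python
# Added illustration: names, event format and filter set are assumptions.
IGNORED = {"Shift", "Backspace", "CapsLock"}


def extract_latencies(events):
    """Turn raw key events into bigram and word-gram latency features."""
    strokes, pending = [], {}
    for t, key, kind in events:
        if key in IGNORED:
            continue
        if kind == "down":
            pending.setdefault(key, t)        # keep first down, skip auto-repeat
        elif key in pending:
            strokes.append((key, pending.pop(key), t))
    strokes.sort(key=lambda s: s[1])          # order by press time (key rollover)
    pairs = list(zip(strokes, strokes[1:]))
    return {
        "bigrams": [a[0] + b[0] for a, b in pairs],
        "press_release": [up - down for _, down, up in strokes],
        # Negative when the next key goes down before the previous one is up.
        "release_press": [b[1] - a[2] for a, b in pairs],
        "word_gram": strokes[-1][1] - strokes[0][1] if strokes else 0,
    }


# Constructed sample: the password "pa5s" with a stray Shift press and
# rollover between "5" and "s".
SAMPLE_EVENTS = [
    (0, "p", "down"), (95, "p", "up"),
    (180, "a", "down"), (270, "a", "up"),
    (300, "Shift", "down"), (320, "Shift", "up"),
    (410, "5", "down"), (480, "s", "down"),
    (500, "5", "up"), (560, "s", "up"),
]

if __name__ == "__main__":
    for name, value in extract_latencies(SAMPLE_EVENTS).items():
        print(f"{name:14s} {value}")
```

The negative Release-Press value for the last bigram is the rollover case: a profile built only from non-negative gaps would mis-score fast typists.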
3.2 Implementation
The system architecture consists of a client, a server and a database. The
client acts as the end user and performs activities such as logging in to the
system, making transactions and viewing his data. The server registers itself
with the Remote Method Invocation (RMI) registry, establishes communication
with the client, processes all client requests, runs the keystroke procedure to
check for a valid user, sends the latencies of successful key typing to the
database and provides application services to authenticated clients. If any
variation is found, third-level security policies are applied. Third-level
policies may include sending a random code to the user’s mobile or the user’s
email account, or checking the security answer sent by the client before
proceeding with further processing. The database is responsible for storing all
the relevant keystroke latency data and also user information. It receives the
queries from the server process, executes them and returns the corresponding
results back to the server process. A database server is used to store the
various information required by the server process. Information like user
details, commodity prices, details of transactions, and incoming and outgoing
messages is stored in the database in different tables. The secret information
of a user, that is, the password, is stored in an encrypted form.
3.3 Adaptive Learning Classification Algorithm
When the user signs up, the user’s typing samples are captured without his
knowledge for the first five consecutive times. After the sample collection
process, the keystroke biometrics authentication mechanism comes into
operation. Whenever the user tries to log in to the system, the average typing
frequency of the five most recent successful transactions is cross-checked
against the current typing frequency. In addition, a threshold value is
provided for each user, where the threshold is the standard deviation of the
samples. If the user’s typing frequency lies within the threshold above or
below the average, the user is authenticated; otherwise the user is
unauthenticated and third-level security policies will be presented. The
following steps are followed in the ALC algorithm to decide between
authenticator and intruder.
ALC Algorithm
1. Initialization: Capturing the values, x = d, from username = ‘Specific User’.
2. Template Design: Mean and standard deviation is calculated for the specific
user, and the corresponding threshold is calculated.
$$\mu = \frac{\sum_{i=1}^{n} x_i}{N}$$
$$\sigma = \sqrt{\frac{\sum_{i} (x_i - \mu)^2}{N}}$$
$$\text{Upper Threshold} = (\mu + \sigma)$$
$$\text{Lower Threshold} = (\mu - \sigma)$$
3. Analysis: if (Lower Threshold ≤ μ ≤ Upper Threshold) then authenticator, else
intruder.
4. Decision: if (Authenticator) Service is continued else (intruder) third-level
security policies will be introduced.
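The ALC steps above can be run end to end as follows; this is an added example, not the authors' implementation. It assumes a single latency value per login in milliseconds, tests the current attempt against the band μ ± σ computed over the five most recent successful logins, and updates that window only on success; all names and sample values are constructed.

```python
from collections import deque
from statistics import fmean, pstdev

WINDOW = 5  # the five most recent successful logins form the template


class ALCProfile:
    """Per-user template (hypothetical class name, not from the paper)."""

    def __init__(self, enrollment_ms):
        if len(enrollment_ms) != WINDOW:
            raise ValueError(f"enrollment needs exactly {WINDOW} samples")
        self.samples = deque(enrollment_ms, maxlen=WINDOW)

    def thresholds(self):
        mu = fmean(self.samples)
        sigma = pstdev(self.samples, mu)      # divides by N, as in step 2
        return mu - sigma, mu + sigma

    def verify(self, latency_ms):
        lower, upper = self.thresholds()
        accepted = lower <= latency_ms <= upper
        if accepted:
            # Adaptive part: only accepted attempts slide the window, so a
            # rejected attempt cannot drag the template toward an intruder.
            self.samples.append(latency_ms)
        return accepted


def replay(profile, attempts_ms):
    """Return (attempt, lower, upper, decision) for each login attempt."""
    log = []
    for x in attempts_ms:
        lower, upper = profile.thresholds()
        decision = "authenticator" if profile.verify(x) else "intruder"
        log.append((x, round(lower, 1), round(upper, 1), decision))
    return log


# Constructed data: enrollment latencies and four later login attempts (ms).
ENROLL = [1500, 1540, 1480, 1520, 1460]
ATTEMPTS = [1510, 1535, 900, 1490]

if __name__ == "__main__":
    for row in replay(ALCProfile(ENROLL), ATTEMPTS):
        print(row)
```

In this constructed run the 1535 ms attempt is rejected even though 1540 ms was one of the enrollment samples, which shows how a one-standard-deviation band turns ordinary variation into false rejects that fall through to the third-level policy.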
4 Testing Results
Testing was carried out on password string latency, that is, the flight time
between the first and the last key pressed, and on password character latency,
that is, the flight time between each successive pair of keys pressed. During
the experiment, delete operations and irrelevant shift key presses were
eliminated from the data. A user is able to log in successfully only when a
successful match is made between the stored genuine template and the live
sample, that is, when the live sample falls below the specified threshold. A
false match is registered when a live sample exceeds the specified threshold,
and the user is then not authenticated. In the testing procedure for string
latency, four participants were allowed to log in to their own accounts and the
data collected were analyzed. Fig. 1 shows the frequency variations for 10
attempts, and Fig. 2 shows the experimental results, where the failure rates of
FRR fall around 10–40 %. In the same way, character latencies were collected
for 4 participants by allowing them to log in to a particular account, and the
frequency variations are depicted in Fig. 3. The success rate of FAR falls
between 0 and 20 % and success rate of FAR is almost 0.0025 %, which is shown
in Fig. 4. All the tests were done for an Internet banking application, and the
response time was observed to be in terms of 2–5 ms with Internet connectivity
of 10.0 Mbps, with some 50 % of traffic in the channel in a client–server
architecture. The third-party policy verification response times were observed
to be almost 2 ms for the designed system.
Fig. 1 Frequency variations of string latency
Fig. 2 FRR and FAR for string latency
Fig. 3 Frequency variations of character latency
5 Conclusion
We have presented a framework for a quick and secure authentication approach
that does not need any special hardware except a keyboard, for applications in
the highly connected world of tomorrow. This approach has no effect on
someone’s privacy, since the behavior of an individual is considered. As
individual behavior cannot be copied, it becomes an identification token for
verification. Our keystroke biometrics provides an inexpensive user
authentication system for applications like Internet banking. It can be easily
adopted for all online commerce. Performance can be improved by minimizing the
FAR by adapting relative keystrokes with good fault tolerance methods.
Fig. 4 FRR and FAR for character latency
References
1. Giot R, Dorizziy B, Rosenberger C (2011) Analysis of template update strategies for
keystroke dynamics. In: Proceedings of IEEE symposium series on computational
intelligence, vol 1. Paris, pp 21–28
2. Shanmugapriya D, Padmavathi G (2011) An efficient feature selection technique for user
authentication using keystroke dynamics. Proc Int J Comput Sci Netw Secur 11(10):191–195
3. Bishop M (2003) Computer security: art and science. In: Proceedings of 51th symposium on
networked and distributed system security, Addison-Wesley Professional. Boston, MA, ISBN
0-201-44099-7, p 123130
4. Sukhai NB (2004) Access control & biometrics. In: Proceedings of ACM 1st annual
conference on information security curriculum development. New York, pp 124–127
5. Williams JM (2002) Biometrics or biohazards? In: Proceedings of ACM workshop new
security paradigms. New York, pp 97–107
6. Karnan M, Krishnaraj N (2010) Bio password-keystroke dynamic approach to secure mobile
devices. In: Proceedings of conference IEEE-2010, international conference on
computational intelligence and computing research, doi:10.1109/ICCIC
7. O’Gorman L (2003) Comparing passwords, tokens, and biometrics for user authentication.
Proc IEEE 91(12):2019–2040
8. Karnan M, Akila M, Kalamani A (2009) Feature subset selection in keystroke dynamics
using ant colony optimization. Proc J Eng Technol Res 1(5):072–080
9. Sheng Y, Phoha VV, Rovnyak SM (2005) A parallel decision tree-based method for user
authentication based on keystroke patterns. In: Proc IEEE Trans Syst Man Cybern Part B:
Cybern 35(4):826–833
10. Stefan D, Shu X, Yao D (2011) Robustness of keystroke-dynamic based biometrics against
synthetic forgeries. Elsevier ltd, doi:10.1016/j.cose.1011.10.001