Cong Wu,Kun He,Jing Chen,Ruiying Du

DOI: https://doi.org/10.1109/ICC.2019.8761435

2019-01-01

Abstract:Implicit authentication has become increasingly popular over recent years due to the fact that it relieves users from explicit actions such as remembering and entering passwords. This paper puts forward ICAuth, a general and simple implicit authentication method for mobile devices, to authenticate the current user implicitly and continuously when the screen is awake. Distinct from existing implicit user authentication methods which only focus on behavioral characteristics and ignore contextual information, ICAuth is devised to understand different behaviors in various contexts. We investigate the correlations between the behavioral characteristics and contextual information via sensors on mobile devices and observe that user's behavioral characteristics are strongly related to the context. These sensors are divided into two kinds, including fine-grained sensors and coarse-grained sensors, where fine-grained sensor data represent behavioral features and the coarse-grained depict contextual information. ICAuth provides continuous authentication without the involvement of users. It promotes security via authenticating the current user continuously and improves the usability via eliminating the limitation of specific behaviors. We evaluate ICAuth comprehensively with a large dataset including 340842 samples collected from 142 subjects. Our approach achieves an accuracy of 96.85%, FNR of 2.95%, and FPR of 4.01%. Security analysis is also conducted to demonstrate that ICAuth is resilient against common smartphone authentication threats. Finally, we show the low power consumption and authentication latency with 2.2 seconds of ICAuth.

Yufei Chen,Chao Shen,Zhao Wang,Tianwen Yu

DOI: https://doi.org/10.1109/ISBA.2017.7947694

2017-01-01

Abstract:While the public enjoy the convenience aroused by the proliferation of the smartphones, they also face the risk of exposing their sensitive and secure information to attackers. Extant smartphone authentication methods (e.g., PIN and fingerprint) typically provide one-time identity verification, but the verified user is still subject to session hijacking or masquerading attacks. In this paper, we propose a framework and performance analysis of using onboard-sensor behavior for continuous user authentication on smartphones, which can implicitly and continuously verifies the presence of a smartphone user. When a user carries the smartphone to do daily activities, time-, frequency- and wavelet-domain features are extracted from smartphone sensor data for accurately depicting users' motion patterns. A decision procedure based on one-class learning algorithms is developed and employed in the feature space to perform the continuous authentication task. Analyses are conducted based on sensor-interaction data on five typical daily activities with 27,681 samples across five phonecarrying positions. Extensive experiments in two specific scenarios are included to examine the efficacy of the proposed approach, which achieves a relatively high accuracy with the equal-error rate achieves 2.40% and 5.50% respectively. Our authentication system can be seamlessly integrated with extant smartphone authentication mechanisms, and is nonintrusive to users and does not need extra hardware.

Rui Mao,Heming Ji,Di Cheng,Xiaoyu Wang,Yan Wang,Degang Sun

DOI: https://doi.org/10.1109/iscc55528.2022.9913017

2022-01-01

Abstract:Most existing identity authentication technologies rely on some ways for the first login authentication, such as personal identification number (PIN), track, or biological characteristics. However, these ways exist plenty of security risks, which make people face password guessing attacks, trace attacks, and shoulder surfing attacks for a long time. Once the illegal users forge identity to complete authentication or bypass first login authentication, their subsequent behavior will become out of control. To solve the above problems, we propose an implicit continuous authentication model based on the touch behavior of the mobile terminal. The model uses the data collected by the accelerometer, gyroscope, and magnetometer to generate feature vectors and extracts the feature vectors containing macroscopic features, microscopic features, and joint features. And we design a convolutional bidirectional recurrent neural network model to distinguish the sensor feature vectors. On this basis, we perform various experiments on a large dataset Hand Movement, Orientation, and Grasp (HMOG) with different sensor characteristics. Compared with the most advanced models proposed recently, the results show that our model achieves an equal error rate (EER) of 0.53%, which significantly improves authentication accuracy.

Cong Wu,Kun He,Jing Chen,Ruiying Du,Yang Xiang

DOI: https://doi.org/10.1109/jiot.2020.3006870

IF: 10.6

2020-12-01

IEEE Internet of Things Journal

Abstract:Relieving users from the burden of remembering and inputting authentication information explicitly, such as passwords/PINs and lock patterns, implicit authentication mechanisms have gained an increasing concern. When providing authentication, the existing implicit methods only depend on a specific behavior, such as typing on the screen, performing gestures, or taking a walk. However, in real applications, a user's behavioral characteristics are also decided by the context where behavior is performed. Thus, those existing methods show limited authentication accuracy and usability. To address these issues, we propose CaIAuth, a reliable context-aware implicit authentication framework, which profiles users' behavior and context characteristics in a holistic fashion. It observes the states of context-sensing entities for different smartphone usage patterns and builds a context-aware model to distinguish between legitimate users and illegal ones. We conducted extensive experiments to evaluate system performance with a large data set collected from 142 subjects. The experimental results show that our system achieves a low equal error rate (EER) (e.g., less 7%) and is resilient against common threats, including zero-effect attack and mimicry attack. In addition, CaIAuth achieves a low authentication delay and overhead.

computer science, information systems,telecommunications,engineering, electrical & electronic

Qi Li,Hao Chen

DOI: https://doi.org/10.1145/3316615.3316691

2019-01-01

Abstract:The rapid development of smartphones has greatly facilitated our lives. At the same time, securing the data stored and accessed from smartphones makes it important to authenticate the user. However, current smartphones perform one-time authentication at the entrance while they don't authenticate users continuously when in use, which brings serious privacy and security issues, such as collisions and social engineering to bypass the authentication. This paper introduces CDAS (Continuous Dynamic Authentication System), which uses the Support Vector Machine (SVM) to construct user's behavior model by collecting his touch data to judge him authorized whether or not. CDAS works independently in the background without interacting with users most time. Therefore, CDAS is featured with security, efficiency and continuity. We conducted a two-week experiment involving more than 20 users which shows that the system we design achieves a high accuracy, a low False Accept Rate (FAR) and a low False Reject Rate (FRR), which indicates that CDAS ensures the security and enjoys a promising prospect.

Chao Shen,Yunpeng Li,Tianwen Yu,Sheng Yuan,Xiao Yi,Xiaohong Guan

DOI: https://doi.org/10.1109/wcica.2016.7578519

2016-01-01

Abstract:Existing smartphone authentication methods (e.g., PIN) typically provide one-time identity verification, but the verified user is still subject to session hijacking or masquerading attacks. This paper presents a framework and performance analysis of a sensor-based smartphone authentication system that continuously verifies the presence of a smartphone user. When a user touches the smartphone screen, motion-sensor data are extracted and analyzed to obtain descriptive features for accurately depicting users' touch habit and rhythm. Then a one-class learning algorithm is employed in the feature space to perform the continuous authentication task. Based on touch-tapping data collected from over 50 users, we conduct a series of experiments to validate the efficacy of our proposed approach. Our experimental results show that our verification system achieves a relatively high accuracy with an equal-error rate of 11.05%. Additional experiment on usability to the observation window size is provided to further examine the effectiveness. Our authentication system can be seamlessly integrated with extant smartphone authentication mechanisms, and is non-intrusive to users and does not need extra hardware.

Chao Shen,Yufei Chen,Xiaohong Guan

DOI: https://doi.org/10.1016/j.ins.2017.11.058

IF: 8.1

2018-01-01

Information Sciences

Abstract:The pervasiveness of mobile devices not only facilitates people’s daily life with a wide variety of services, but also brings users risks of private information leakage (e.g., photos, contact lists, bank accounts), which emphasizes the demand for reliable, feasible and user-friendly authentication mechanisms on mobile devices. In this paper, we develop an authentication mechanism using motion sensors (accelerometer and gyroscope) embedded in smartphones. Our proposed mechanism performs authentication continuously and implicitly by monitoring the user daily activities. We extract time-, frequency- and wavelet-domain features from motion-sensor data, and conduct empirical feature analysis to investigate the optimal combination of features, to acquire a fine-grained characterization of users’ movement patterns. To make a systematic performance evaluation, we have established a dataset containing 27,681 samples, including five kinds of actions and five different smartphone placements. In the evaluation procedure, four kinds of contexts are considered (nothing-aware context, action-aware context, placement-aware context and full-information-aware context), and ten one-class detectors are implemented. The best accuracy (represented as EER) for the four conditions achieves 28.22%, 2.21%, 5.50% and 3.28%, respectively, indicating our proposed approach is feasible and applicable in some real scenarios. Moreover, the performance analyses for sensor combinations and feature combinations are also conducted.

Mohsen Ali Alawami,Tamer AbuHamed,Mohammed AbuHamed,Hyoungshick Kim

DOI: https://doi.org/10.1016/j.pmcj.2024.101922

IF: 3.848

2024-04-05

Pervasive and Mobile Computing

Abstract:Traditional one-time authentication mechanisms cannot authenticate smartphone users' identities throughout the session – the concept of using behavioral-based biometrics captured by the built-in motion sensors and touch data is a candidate to solve this issue. Many studies proposed solutions for behavioral-based continuous authentication; however, they are still far from practicality and generality for real-world usage. To date, no commercially deployed implicit user authentication scheme exists because most of those solutions were designed to improve detection accuracy without addressing real-world deployment requirements. To bridge this gap, we tackle the limitations of existing schemes and reach toward developing a more practical implicit authentication scheme, dubbed MotionID, based on a one-class detector using behavioral data from motion sensors when users touch their smartphones. Compared with previous studies, our work addresses the following challenges: 1 Global mobile average to dynamically adjust the sampling rate for sensors on any device and mitigate the impact of using sensors' fixed sampling rate; 2 Over-all-apps to authenticate a user across all the mobile applications, not only on-specific application; 3 Single-device-evaluation to measure the performance with multiple users' (i.e., genuine users and imposters) data collected from the same device; 4 Rapid authentication to quickly identify users' identities using a few samples collected within short durations of touching (1–5 s) the device; 5 Unconditional settings to collect sensor data from real-world smartphone usage rather than a laboratory study. To show the feasibility of MotionID for those challenges, we evaluated the performance of MotionID with ten users' motion sensor data on five different smartphones under various settings. Our results show the impracticality of using a fixed sampling rate across devices that most previous studies have adopted. MotionID is able to authenticate users with an F1-score up to 98.5% for some devices under practical requirements and an F1-score up to roughly 90% when considering the drift concept and rapid authentication settings. Finally, we investigate time efficiency, power consumption, and memory usage considerations to examine the practicality of MotionID.

computer science, information systems,telecommunications

Wenqing Yang,Meilin Wang,Shihong Zou,Junhao Peng,Guosheng Xu

DOI: https://doi.org/10.1145/3456415.3457222

2021-01-01

Abstract:Continuous Implicit Authentication (CIA) provides a imperceptible and passive validation in a whole process of operating the mobile devices. In this paper, we describe users’ behavioral patterns through the build-in sensors of smartphones, and apply them to our authentication system. The current work is mainly implemented in a controlled experimental environment. We prove the effectiveness of the implicit authentication method in the natural environment through the analysis of only the touch screen process and the entire process of the user using the mobile phone. We focus on the multi-class strategy in CIA, in which a classifier has to recognize the “owner” of a series of operations from identity banks. To extract temporal domain and space domain features and enhance the classifier's discriminative power, our system utilizes Resnet with Squeeze-and-Excitation incorporating Attention blocks and Additive Angular Margin Loss. We evaluate our system both in our dataset and BrainRun dataset, and the accuracies of distinguish the correct identity achieves are 96.94% and 87.11% respectively. Specially, with the continuous data in BrainRun, the result is generated from behaviors during 5 s in a more interactive game.

Tao Feng,Ziyi Liu,Kyeong-An Kwon,Weidong Shi,Bogdan Carbunar,Yifei Jiang,Nhung Nguyen

DOI: https://doi.org/10.1109/ths.2012.6459891

2012-01-01

Abstract:Securing the sensitive data stored and accessed from mobile devices makes user authentication a problem of paramount importance. The tension between security and usability renders however the task of user authentication on mobile devices a challenging task. This paper introduces FAST (Fingergestures Authentication System using Touchscreen), a novel touchscreen based authentication approach on mobile devices. Besides extracting touch data from touchscreen equipped smartphones, FAST complements and validates this data using a digital sensor glove that we have built using off-the-shelf components. FAST leverages state-of-the-art classification algorithms to provide transparent and continuous mobile system protection. A notable feature is FAST 's continuous, user transparent post-login authentication. We use touch data collected from 40 users to show that FAST achieves a False Accept Rate (FAR) of 4.66% and False Reject Rate of 0.13% for the continuous post-login user authentication. The low FAR and FRR values indicate that FAST provides excellent post-login access security, without disturbing the honest mobile users.

Renzhong Wang,Dan Tao

DOI: https://doi.org/10.1109/access.2019.2936034

IF: 3.9

2019-01-01

IEEE Access

Abstract:Implicit authentication is a new research direction to enhance the privacy protection of smartphones. However, implicit authentication has low robustness due to its vulnerability to environment. Motivated by this, this paper proposes a context-aware implicit authentication, which is a scheme to improve the robustness of authentication by introducing context awareness module. In the scheme, multi-sensor data (including accelerometer, gyroscope, magnetometer, timestamp, pressure, touch size) is first captured in a fine-grained manner to characterize one's touch action. Then, based on various sensors data, gesture features and touch features are extracted by employing both statistical method and distance measurement method. Particularly, one's body posture when touch action happens can be used as context. In each context, we present a weighted sum fusion rule to fuse the results of different features obtained by One-Class SVM (OC-SVM). We have collected 10000+ sensor data from 87 participants for experimental evaluation. The results show that the authentication in an unrestricted environment can achieve a best equal error rate (EER) of 0.0071%, which is more than one percent lower than the non-context-aware authentication. The proposed method can effectively improve the reliability and practicability of implicit authentication.

Jinghui Zhang,Zichao Li,Hancheng Zhang,Wei Zhang,Zhen Ling,Ming Yang

DOI: https://doi.org/10.1016/j.comcom.2023.06.016

IF: 5.047

2023-08-01

Computer Communications

Abstract:Nowadays, a large amount of users’privacy data is stored in mobile intelligent devices, and authentication systems have become an important defense to protect that data. The traditional explicit authentication, however, is under significant threat from a great deal of side channel attacks, such as those based on computer vision and touch screen attacks. Users’authentication keys are facing a high risk of leakage, whereas implicit authentication is one of the effective methods to resist various side channel attacks. Nevertheless, existing user implicit authentication approaches still have weaknesses in security and usability, which increase users’authentication burdens and pose potential safety issues. To address this problem, our paper proposes a user implicit authentication approach based on physiological and behavioral characteristics, using the most commonly performed actions in daily life to pre-authenticate users. In our method, multiple sensors are utilized to extract physiological and behavioral characteristics of users, and the sensor data is fused by aligning the extracted characteristic data and using the Kalman filter to reduce its noise. Users’authentication results can be determined by comparing the similarities between their reference and authentication samples using the siamese neural network. The experimental results show that our approach improves the performance of implicit authentication while ensuring its security and usability.

computer science, information systems,telecommunications,engineering, electrical & electronic

Asma Ahmad Farhan,Amna Basharat,Nasser Allheeib,Summrina Kanwal

DOI: https://doi.org/10.1038/s41598-024-74473-7

IF: 4.6

2024-10-23

Scientific Reports

Abstract:Smartphones store valuable personal information, necessitating robust authentication methods to protect user data. This research proposes a lightweight bi-model fallback authentication technique that combines dynamic security questions and finger pattern recognition using inertial measurement units. The dynamic security questions are generated based on the smartphone's usage behavior, while the owner's finger movements are captured using four different inertial sensors: accelerometer, gyroscope, gravity sensor, and magnetometer. By combining the answers to the questions and the owner's finger movements, the user can be authenticated even if the primary authentication method fails. In this study, data was collected from 24 participants, including 12 primary phone users and 12 close adversaries, over a span of 28 days. The dynamic security questions, derived from call, SMS, battery charging events, application usage, location, and physical activity categories, achieved high accuracy rates, with call, SMS, and application usage surpassing . Incorporating the inertial measurement units significantly improved the accuracy of all question types, increasing from a maximum of to , while also enhancing the True Positive Rate from 0.79 to 0.99 compared to a previous study. This research presents a promising lightweight bi-model fallback authentication technique that leverages dynamic security questions and inertial measurement units data, demonstrating its effectiveness for enhancing smartphone security.

multidisciplinary sciences

Wei-Han Lee,Ruby B. Lee

DOI: https://doi.org/10.48550/arXiv.1708.09754

2017-08-30

Cryptography and Security

Abstract:Authentication of smartphone users is important because a lot of sensitive data is stored in the smartphone and the smartphone is also used to access various cloud data and services. However, smartphones are easily stolen or co-opted by an attacker. Beyond the initial login, it is highly desirable to re-authenticate end-users who are continuing to access security-critical services and data. Hence, this paper proposes a novel authentication system for implicit, continuous authentication of the smartphone user based on behavioral characteristics, by leveraging the sensors already ubiquitously built into smartphones. We propose novel context-based authentication models to differentiate the legitimate smartphone owner versus other users. We systematically show how to achieve high authentication accuracy with different design alternatives in sensor and feature selection, machine learning techniques, context detection and multiple devices. Our system can achieve excellent authentication performance with 98.1% accuracy with negligible system overhead and less than 2.4% battery consumption.

Zhihao Shen,Shun Li,Xi Zhao,Jianhua Zou

DOI: https://doi.org/10.1109/tifs.2022.3160361

IF: 7.231

2022-01-01

IEEE Transactions on Information Forensics and Security

Abstract:With the wide use of smartphones, more private data are collected and saved in the smartphones. This raises higher requirements for secure and effective user authentication scheme. Continuous authentication leverages behavioral biometrics as identity information and shows promising characteristics for user verification in a continuous and passive means. However, most studies require users to operate the smartphones in a specific mobile application or perform user-defined touch operations. This paper studies the continuous authentication on smartphones in the wild, where it is hard to characterize touching behavior accurately due to the complexity of usage context and cross-use of various types of touch gestures. Towards this end, in this paper, we propose a continuous authentication framework using multiple modalities, named as MMAuth, which integrates the heterogeneous information of user identity from multiple modalities (e.g., motion movement pattern, touch dynamics, usage context). A time-extended behavioral feature set (TEB) and a deep learning based one-class classifier (DeSVDD) are developed for performing more accurate authentication. Evaluations are conducted using a novel unconstrained smartphone usage dataset collected from 100 volunteers in real world as well as a public laboratory dataset. Extensive experimental results demonstrate that the state-of-the-art authentication performance of MMAuth in both unconstrained and laboratory environment, and the effectiveness of its two proposed modules (the TEB feature set and the DeSVDD classifier). Additional experiments on system robustness, in terms of usability to different touch gestures, sensitivity to various mobile applications, and scalability to user space, are also provided to examine the applicability of MMAuth.

Xiaoshi Liang,Futai Zou,Linsen Li,Ping Yi

DOI: https://doi.org/10.1177/1550147719899371

IF: 1.938

2020-01-01

International Journal of Distributed Sensor Networks

Abstract:We propose a new type of authentication system based on behavioral characteristics for smartphone users. With the sensor and touch screen data in the smartphone, the combination of the motion state detection mode and the authentication mode can effectively distinguish between legitimate smartphone users and other users. The system deploys software on the smartphone to collect data from sensors and touch screens, and upload the data to the cloud. We apply random forest algorithm on the data to extract features and achieve motion state detection. Multilayer perceptron algorithm is used for user authentication in corresponding motion state. The system effectively implements an implicit and continuous authentication mode, which can achieve user identity authentication without users' being aware of it. The system proposed in this article can achieve 95.96% accuracy with false rejection rate of 2.55% and false acceptance rate of 6.94%.

Yantao Li,Xinyu Sun,Zhenyu Yang,Hongyu Huang

DOI: https://doi.org/10.1109/jiot.2024.3349533

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Sensor-based continuous authentication mechanisms have demonstrated promising capabilities in enhancing the security of smart devices. In this paper, we present SNNAuth, a novel sensor-based continuous Authentication system on smartphones that utilizes Spiking Neural Networks (SNNs), leveraging biometric behavioral patterns captured by smartphone sensors. To enhance discriminative feature extraction, we introduce positional encoding into the time slicing of normalized sensor data. We design the ANN-SNN model, which transforms the trained artificial neural network (ANN) into an SNN by converting weights and activations into suitable spike neuron models and synaptic connections. The ANN-SNN model, designed for efficient computation and increased the robustness, is specifically trained to extract temporal features of a legitimate user. With the extracted features of a legitimate user, we then train the one-class k-Nearest Neighbors, which is employed for conducting the classification for all users. Based on the trained ANN-SNN and one-class kNN, ANNAuth determines whether the current user is legitimate or an imposter. Finally, we evaluate the performance of ANNAuth on two public datasets and our dataset, and the experimental results demonstrate that ANNAuth outperforms state-of-the-art solutions by achieving the highest accuracy and the lowest equal error rates (EERs) on all three datasets.

computer science, information systems,telecommunications,engineering, electrical & electronic

Long Chen,Yi Zhong,Weidong Ai,Difang Zhang

DOI: https://doi.org/10.1109/isdfs.2019.8757539

2019-01-01

Abstract:Continuous authentication (CA) is the process which continuously verifying a user based on their on-going interaction with a computer system. In this paper, we propose an adaptive continuous authentication method based on the changes of context, in which providing protection for the user's on-going interaction with computer in different contexts. In order to prevent a situation where an attacker tries to avoid detection by limiting to one input device, we considered both keystroke and mouse usage behavior patterns. In this research, collecting 30 users' data in an uncontrolled environment, extracting the user behavior feature from data by a new feature extraction method, using fusion technology to identify users, and then, according to the recognition result we can judge whether the current user is a real user or not. The experiment result shows that our scheme has a false acceptance rate (FAR) of 0%, a false rejection rate (FRR) of 2.04%, and the authentication time that between 10 seconds and 60 seconds for authentication.

Yi Yu,Jingsha He,Nafei Zhu,Fangbo Cai,Muhammad Salman Pathan

DOI: https://doi.org/10.1016/j.procs.2018.04.323

2018-01-01

Procedia Computer Science

Abstract:Password and short message based authentication methods are currently the most popular ones to authenticate mobile users. However, there are many security risks involved in these authentication methods. This is because passwords are mostly static and SMS-based authentication codes are mostly transmitted in plaintext form and can thus be easily intercepted, making users identities easily exposed to adversaries [1]. In recent years, fingerprint identification and face recognition technologies have set off a huge tide in the identification and authentication of mobile terminals. However, some users may not have sufficient fingerprint characteristics while some other users may generate a great number of impressions by making some changes in the face. The visual image of the face can also vary greatly, not to mention that face recognition is affected by illumination conditions, areas of coverage, ages, etc., making facial recognition very unstable for authentication [2, 3]. In this paper, we propose a technique in which we use IMEI (International Mobile Equipment Identity) to apply the backstage hidden automatic identification authentication mode for the user. The proposed scheme has good user experience and can enhance the practicability of identity authentication. In addition, compared to existing authentication schemes, the proposed scheme does not require the transmission of sensitive data in the authentication process, further enhancing security.

Jianzong Zhang,Dan Tao

DOI: https://doi.org/10.1109/icce-tw46550.2019.8992015

2019-01-01

Abstract:Information security has now become an important area of concern. Considering the shortcomings in traditional unlocking ways of smartphones, this paper proposes an implicit identity authentication mechanism by extracting users' touch dynamic characteristics. 86-dimensional features from two types of sensor data (e.g., acceleration and gyroscope) generated when a user unlocks a smartphone are extracted to characterize the user's behavior. Particularly, we adopt three popular classifiers: support vector machine (SVM), K-nearest neighbor (KNN) and random forest (RF) to perform training. Finally, we verify the accuracy of the classifier. Experimental results show that the RF classifier achieves an ideal accuracy rate for passwords with different levels of repetition, and the average accuracy rate is over 98%.