Chao Shen,Yunpeng Li,Tianwen Yu,Sheng Yuan,Xiao Yi,Xiaohong Guan

DOI: https://doi.org/10.1109/wcica.2016.7578519

2016-01-01

Abstract:Existing smartphone authentication methods (e.g., PIN) typically provide one-time identity verification, but the verified user is still subject to session hijacking or masquerading attacks. This paper presents a framework and performance analysis of a sensor-based smartphone authentication system that continuously verifies the presence of a smartphone user. When a user touches the smartphone screen, motion-sensor data are extracted and analyzed to obtain descriptive features for accurately depicting users' touch habit and rhythm. Then a one-class learning algorithm is employed in the feature space to perform the continuous authentication task. Based on touch-tapping data collected from over 50 users, we conduct a series of experiments to validate the efficacy of our proposed approach. Our experimental results show that our verification system achieves a relatively high accuracy with an equal-error rate of 11.05%. Additional experiment on usability to the observation window size is provided to further examine the effectiveness. Our authentication system can be seamlessly integrated with extant smartphone authentication mechanisms, and is non-intrusive to users and does not need extra hardware.

Chao Shen,Yufei Chen,Xiaohong Guan

DOI: https://doi.org/10.1016/j.ins.2017.11.058

IF: 8.1

2018-01-01

Information Sciences

Abstract:The pervasiveness of mobile devices not only facilitates people’s daily life with a wide variety of services, but also brings users risks of private information leakage (e.g., photos, contact lists, bank accounts), which emphasizes the demand for reliable, feasible and user-friendly authentication mechanisms on mobile devices. In this paper, we develop an authentication mechanism using motion sensors (accelerometer and gyroscope) embedded in smartphones. Our proposed mechanism performs authentication continuously and implicitly by monitoring the user daily activities. We extract time-, frequency- and wavelet-domain features from motion-sensor data, and conduct empirical feature analysis to investigate the optimal combination of features, to acquire a fine-grained characterization of users’ movement patterns. To make a systematic performance evaluation, we have established a dataset containing 27,681 samples, including five kinds of actions and five different smartphone placements. In the evaluation procedure, four kinds of contexts are considered (nothing-aware context, action-aware context, placement-aware context and full-information-aware context), and ten one-class detectors are implemented. The best accuracy (represented as EER) for the four conditions achieves 28.22%, 2.21%, 5.50% and 3.28%, respectively, indicating our proposed approach is feasible and applicable in some real scenarios. Moreover, the performance analyses for sensor combinations and feature combinations are also conducted.

Chao Shen,Yuanxun Li,Yufei Chen,Xiaohong Guan,Roy A. Maxion

DOI: https://doi.org/10.1109/tifs.2017.2737969

IF: 7.231

2018-01-01

IEEE Transactions on Information Forensics and Security

Abstract:The increasing use of smartphones as personal computing platforms to access personal information has stressed the demand for secure and usable authentication techniques, and for constantly protecting privacy. Smartphone sensors can measure users' unique behavioral characteristics when they interact with smartphones, based on different habits, gestures, and angle preferences of touch actions. This paper investigates the reliability and applicability of using motion-sensor behavior for active and continuous smartphone authentication across various operational scenarios, and presents a systematic evaluation of the distinctiveness and permanence properties of the behavior. For each sample of sensor behavior, kinematic information sequences are extracted and analyzed, which are characterized by statistic-, frequency-, and wavelet-domain features, to provide accurate and fine-grained characterization of users' touch actions. A Markov-based decision procedure, using one-class learning techniques, is developed and applied to the feature space for performing authentication. Analyses are conducted using the sensor data of 520 200 touch actions from 102 subjects across various operational scenarios. Extensive experiments show that motion-sensor behavior exhibits sufficient discriminability and stability for active and continuous authentication, and can achieve a false-rejection rate of 5.03% and a false-acceptance rate of 3.98%. Additional experiments on usability to operation length, sensitivity to application scenario, scalability to user size, contribution to different sensors, and response to behavior change are provided to further explore the effectiveness and applicability. We also implement an authentication system into the Android system that can react to the presence of the legitimate user.

Xiaozi Liu,Chao Shen,Yufei Chen

DOI: https://doi.org/10.1007/978-3-319-97909-0_71

2018-01-01

Abstract:Analyzing smartphone users' behavioral characteristics for recognizing the identities has received growing interest from security and biometric researchers. Extant smartphone authentication methods usually provide one-time identity verification in some specific applications, but the authenticated user is still subject to masquerader attacks or session hijacking. This paper presents a novel smartphone authentication approach by analyzing multi-source user-machine usage behavior (i.e., power consumption, physical sensors, and touchscreen interactions), which can continuously verify the presence of a smartphone user. Extensive experiments are conducted to show that our authentication approach can be up to a relatively high accuracy with an equal-error rate of 5.5%. This approach can also be seamlessly integrated with existing authentication methods, which does not need additional hardware and is transparent to users.

Wei-Han Lee,Ruby Lee

DOI: https://doi.org/10.48550/arXiv.1703.03378

2017-03-10

Abstract:The widespread use of smartphones gives rise to new security and privacy concerns. Smartphone thefts account for the largest percentage of thefts in recent crime statistics. Using a victim's smartphone, the attacker can launch impersonation attacks, which threaten the security of the victim and other users in the network. Our threat model includes the attacker taking over the phone after the user has logged on with his password or pin. Our goal is to design a mechanism for smartphones to better authenticate the current user, continuously and implicitly, and raise alerts when necessary. In this paper, we propose a multi-sensors-based system to achieve continuous and implicit authentication for smartphone users. The system continuously learns the owner's behavior patterns and environment characteristics, and then authenticates the current user without interrupting user-smartphone interactions. Our method can adaptively update a user's model considering the temporal change of user's patterns. Experimental results show that our method is efficient, requiring less than 10 seconds to train the model and 20 seconds to detect the abnormal user, while achieving high accuracy (more than 90%). Also the combination of more sensors provide better accuracy. Furthermore, our method enables adjusting the security level by changing the sampling rate.

Cryptography and Security

Wei-Han Lee,Ruby B. Lee

DOI: https://doi.org/10.48550/arXiv.1708.09754

2017-08-30

Cryptography and Security

Abstract:Authentication of smartphone users is important because a lot of sensitive data is stored in the smartphone and the smartphone is also used to access various cloud data and services. However, smartphones are easily stolen or co-opted by an attacker. Beyond the initial login, it is highly desirable to re-authenticate end-users who are continuing to access security-critical services and data. Hence, this paper proposes a novel authentication system for implicit, continuous authentication of the smartphone user based on behavioral characteristics, by leveraging the sensors already ubiquitously built into smartphones. We propose novel context-based authentication models to differentiate the legitimate smartphone owner versus other users. We systematically show how to achieve high authentication accuracy with different design alternatives in sensor and feature selection, machine learning techniques, context detection and multiple devices. Our system can achieve excellent authentication performance with 98.1% accuracy with negligible system overhead and less than 2.4% battery consumption.

Huanran Wang,Hui He,Chen Song,Hao Tang,Yanwei Sun,Yanchen Qiao,Weizhe Zhang

DOI: https://doi.org/10.1155/2022/6339407

IF: 1.968

2022-01-01

Security and Communication Networks

Abstract:Recently, mobile technology has become closely linked with our daily activities. Smartphones are used for multiple personal tasks involving private information, such as communication, healthcare, and banking. Therefore, there is a high demand for user-friendly authentication methods that prevent unauthorized access to sensitive information. This paper proposes a novel feature representation tactic for continuous authentication named Multiple Channels Biological Graph (MCBG). Unlike conventional techniques, MCBG divides the smartphone usage scenarios into more fine-grained cases, including the operation interval features. To this end, we extract the screen touch and handheld features from multiple built-in sensors without extra user interaction. We conduct experiments on 180 participants (130 adults and 50 minors) and investigate the sufficiency of different sensor combinations required to authenticate identity accurately. Results show that our MCBG-based model achieves 99.38% authentication accuracy within 1.9 seconds. Furthermore, MCBG also represents the intrinsic differences between grown-ups and minors, achieving 96% identification accuracy.

Chao Shen,Yong Zhang,Zhongmin Cai,Tianwen Yu,Xiaohong Guan

DOI: https://doi.org/10.1109/icb.2015.7139046

2015-01-01

Abstract:The increasing use of smartphones to access sensitive and privacy data has given rise to the need of secure authentication technique. Existing authentication mechanisms on smartphones can only provide one-time verification, but the verified users are still vulnerable to the session hijacking. In this article, we propose a transparent and continuous authentication system based on users' touch interaction data. We consider four common types of touch operations, and extract behavioral features to characterize users' touch behavior. Distance-measurement technique is applied to mitigate the behavioral variability. Then a multiple decision procedure is developed to perform continuous authentication, in which one-class classification algorithms are applied for classification. The efficacy of our approach is validated through a series of experiments in four real-world application scenarios. Our experimental results show that the proposed approach could verify a user in an accurate and timely manner, and suffice to be an enhancement for traditional authentication mechanisms in smartphones.

Zhihao Shen,Shun Li,Xi Zhao,Jianhua Zou

DOI: https://doi.org/10.1109/tifs.2022.3160361

IF: 7.231

2022-01-01

IEEE Transactions on Information Forensics and Security

Abstract:With the wide use of smartphones, more private data are collected and saved in the smartphones. This raises higher requirements for secure and effective user authentication scheme. Continuous authentication leverages behavioral biometrics as identity information and shows promising characteristics for user verification in a continuous and passive means. However, most studies require users to operate the smartphones in a specific mobile application or perform user-defined touch operations. This paper studies the continuous authentication on smartphones in the wild, where it is hard to characterize touching behavior accurately due to the complexity of usage context and cross-use of various types of touch gestures. Towards this end, in this paper, we propose a continuous authentication framework using multiple modalities, named as MMAuth, which integrates the heterogeneous information of user identity from multiple modalities (e.g., motion movement pattern, touch dynamics, usage context). A time-extended behavioral feature set (TEB) and a deep learning based one-class classifier (DeSVDD) are developed for performing more accurate authentication. Evaluations are conducted using a novel unconstrained smartphone usage dataset collected from 100 volunteers in real world as well as a public laboratory dataset. Extensive experimental results demonstrate that the state-of-the-art authentication performance of MMAuth in both unconstrained and laboratory environment, and the effectiveness of its two proposed modules (the TEB feature set and the DeSVDD classifier). Additional experiments on system robustness, in terms of usability to different touch gestures, sensitivity to various mobile applications, and scalability to user space, are also provided to examine the applicability of MMAuth.

Mohsen Ali Alawami,Tamer AbuHamed,Mohammed AbuHamed,Hyoungshick Kim

DOI: https://doi.org/10.1016/j.pmcj.2024.101922

IF: 3.848

2024-04-05

Pervasive and Mobile Computing

Abstract:Traditional one-time authentication mechanisms cannot authenticate smartphone users' identities throughout the session – the concept of using behavioral-based biometrics captured by the built-in motion sensors and touch data is a candidate to solve this issue. Many studies proposed solutions for behavioral-based continuous authentication; however, they are still far from practicality and generality for real-world usage. To date, no commercially deployed implicit user authentication scheme exists because most of those solutions were designed to improve detection accuracy without addressing real-world deployment requirements. To bridge this gap, we tackle the limitations of existing schemes and reach toward developing a more practical implicit authentication scheme, dubbed MotionID, based on a one-class detector using behavioral data from motion sensors when users touch their smartphones. Compared with previous studies, our work addresses the following challenges: 1 Global mobile average to dynamically adjust the sampling rate for sensors on any device and mitigate the impact of using sensors' fixed sampling rate; 2 Over-all-apps to authenticate a user across all the mobile applications, not only on-specific application; 3 Single-device-evaluation to measure the performance with multiple users' (i.e., genuine users and imposters) data collected from the same device; 4 Rapid authentication to quickly identify users' identities using a few samples collected within short durations of touching (1–5 s) the device; 5 Unconditional settings to collect sensor data from real-world smartphone usage rather than a laboratory study. To show the feasibility of MotionID for those challenges, we evaluated the performance of MotionID with ten users' motion sensor data on five different smartphones under various settings. Our results show the impracticality of using a fixed sampling rate across devices that most previous studies have adopted. MotionID is able to authenticate users with an F1-score up to 98.5% for some devices under practical requirements and an F1-score up to roughly 90% when considering the drift concept and rapid authentication settings. Finally, we investigate time efficiency, power consumption, and memory usage considerations to examine the practicality of MotionID.

computer science, information systems,telecommunications

Hui Xu,Yangfan Zhou,Michael R. Lyu

2014-01-01

Abstract:Current smartphones generally cannot continuously authenticate users during runtime. This poses severe security and privacy threats: A malicious user can manipulate the phone if bypassing the screen lock. To solve this problem, our work adopts a continuous and passive authentication mechanism based on a user's touch operations on the touchscreen. Such a mechanism is suitable for smartphones, as it requires no extra hardware or intrusive user interface. We study how to model multiple types of touch data and perform continuous authentication accordingly. As a first attempt, we also investigate the fundamentals of touch operations as biometrics by justifying their distinctiveness and permanence. A one-month experiment is conducted involving over 30 users. Our experiment results verify that touch biometrics can serve as a promising method for continuous and passive authentication.

Chao Shen,Tianwen Yu,Sheng Yuan,Yunpeng Li,Xiaohong Guan

DOI: https://doi.org/10.3390/s16030345

IF: 3.9

2016-01-01

Sensors

Abstract:The growing trend of using smartphones as personal computing platforms to access and store private information has stressed the demand for secure and usable authentication mechanisms. This paper investigates the feasibility and applicability of using motion-sensor behavior data for user authentication on smartphones. For each sample of the passcode, sensory data from motion sensors are analyzed to extract descriptive and intensive features for accurate and fine-grained characterization of users’ passcode-input actions. One-class learning methods are applied to the feature space for performing user authentication. Analyses are conducted using data from 48 participants with 129,621 passcode samples across various operational scenarios and different types of smartphones. Extensive experiments are included to examine the efficacy of the proposed approach, which achieves a false-rejection rate of 6.85% and a false-acceptance rate of 5.01%. Additional experiments on usability with respect to passcode length, sensitivity with respect to training sample size, scalability with respect to number of users, and flexibility with respect to screen size were provided to further explore the effectiveness and practicability. The results suggest that sensory data could provide useful authentication information, and this level of performance approaches sufficiency for two-factor authentication on smartphones. Our dataset is publicly available to facilitate future research.

Renzhong Wang,Dan Tao

DOI: https://doi.org/10.1109/access.2019.2936034

IF: 3.9

2019-01-01

IEEE Access

Abstract:Implicit authentication is a new research direction to enhance the privacy protection of smartphones. However, implicit authentication has low robustness due to its vulnerability to environment. Motivated by this, this paper proposes a context-aware implicit authentication, which is a scheme to improve the robustness of authentication by introducing context awareness module. In the scheme, multi-sensor data (including accelerometer, gyroscope, magnetometer, timestamp, pressure, touch size) is first captured in a fine-grained manner to characterize one's touch action. Then, based on various sensors data, gesture features and touch features are extracted by employing both statistical method and distance measurement method. Particularly, one's body posture when touch action happens can be used as context. In each context, we present a weighted sum fusion rule to fuse the results of different features obtained by One-Class SVM (OC-SVM). We have collected 10000+ sensor data from 87 participants for experimental evaluation. The results show that the authentication in an unrestricted environment can achieve a best equal error rate (EER) of 0.0071%, which is more than one percent lower than the non-context-aware authentication. The proposed method can effectively improve the reliability and practicability of implicit authentication.

Lingjun Li,Xinxin Zhao,Guoliang Xue

2013-01-01

Abstract:The widespread usage of smartphones gives rise to new security and privacy concerns. Smartphones are becoming a personal entrance to networks, and may store private information. Due to its small size, a smartphone could be easily taken away and used by an attacker. Using a victim’s smartphone, the attacker can launch an impersonation attack, which threatens the security of current networks, especially online social networks. Therefore, it is necessary to design a mechanism for smartphones to re-authenticate the current user’s identity and alert the owner when necessary. Such a mechanism can help to inhibit smartphone theft and safeguard the information stored in smartphones. In this paper, we propose a novel biometric-based system to achieve continuous and unobservable re-authentication for smartphones. The system uses a classifier to learn the owner’s finger movement patterns and checks the current user’s finger movement patterns against the owner’s. The system continuously re-authenticates the current user without interrupting user-smartphone interactions. Experiments show that our system is efficient on smartphones and achieves high accuracy.

Sakorn Mekruksavanich,Anuchit Jitpattanakul

DOI: https://doi.org/10.3390/s21227519

2021-11-12

Abstract:Smartphones as ubiquitous gadgets are rapidly becoming more intelligent and context-aware as sensing, networking, and processing capabilities advance. These devices provide users with a comprehensive platform to undertake activities such as socializing, communicating, sending and receiving e-mails, and storing and accessing personal data at any time and from any location. Nowadays, smartphones are used to store a multitude of private and sensitive data including bank account information, personal identifiers, account passwords and credit card information. Many users remain permanently signed in and, as a result, their mobile devices are vulnerable to security and privacy risks through assaults by criminals. Passcodes, PINs, pattern locks, facial verification, and fingerprint scans are all susceptible to various assaults including smudge attacks, side-channel attacks, and shoulder-surfing attacks. To solve these issues, this research introduces a new continuous authentication framework called DeepAuthen, which identifies smartphone users based on their physical activity patterns as measured by the accelerometer, gyroscope, and magnetometer sensors on their smartphone. We conducted a series of tests on user authentication using several deep learning classifiers, including our proposed deep learning network termed DeepConvLSTM on the three benchmark datasets UCI-HAR, WISDM-HARB and HMOG. Results demonstrated that combining various motion sensor data obtained the highest accuracy and energy efficiency ratio (EER) values for binary classification. We also conducted a thorough examination of the continuous authentication outcomes, and the results supported the efficacy of our framework.

Zhenyang Guo,Jin Cao,Xiaomeng Bai,Ang Li,Ben Niu,Hui Li

DOI: https://doi.org/10.1109/jsen.2023.3315523

IF: 4.3

2023-01-01

IEEE Sensors Journal

Abstract:Information security and user comfort are the games that smartphone manufacturers have always had to face. The explicit authentication methods, including password, fingerprint recognition, and face recognition, have become the most popular ways to unlock smartphones. However, these methods also incur some troubles in users’ daily lives and even suffer from security problems like shoulder surfing attacks and password reuse attacks. Unlike the explicit authentication methods, the implicit authentication methods employ the user’s behavior, posture, etc., to confirm who the user is. The "Smart Lock (SL)," as a new implicit authentication introduced by the biggest smartphone system manufacturer, Google, has effectively increased user comfort while ensuring user information security. However, we found that the SL is not secure enough, where anyone wearing a smart device can be authenticated. In this paper, based on the "Trusted Devices (DEVICE)" approach in SL, we design a band with sensors commonly found on smart wearables and two authentication models to improve the security of SL scenarios. We use our designed band to collect data in order to evaluate our models. The experimental results show that our designed band is universal. Our authentication model for power-constrained devices such as wearables has 97.01% accuracy and a power overhead of 0.0195mAh per time. The designed authentication model for smartphones has an accuracy of 99.67% and power consumption of 0.83mAh per time. Therefore, our scheme can meet the implicit authentication for different security requirements in different scenarios.

engineering, electrical & electronic,instruments & instrumentation,physics, applied

Xiaojian Pang,Li Yang,Maozhen Liu,Jianfeng Ma

DOI: https://doi.org/10.1007/978-3-030-21548-4_29

2019-01-01

Abstract:The increasing use of smartphones raises many concerns related to data security, as the loss of a smartphone could compromise sensitive data. Authentication on smartphones plays an important role in protecting users' data from attacks. However, traditional authentication methods cannot provide continuous protection for a user's data after the user has passed the initial authentication. In this paper, we present a novel continuous authentication approach called MineAuth based on the user's daily interactive behaviours with his/her smartphone. We construct interactive behaviours from data captured by the smartphone. We then propose a weighting-based time period frequent pattern mining algorithm called WeMine to mine user's frequent patterns to characterize the habits of mobile users. We build an authenticator using a one-class classification technique that only relies on the legitimate user data. We also develop a decision procedure to perform the task continuously. The entire process occurs on the smartphone, which provides better privacy guarantees to users and eliminates dependency on cloud connectivity. We also integrate our approach into the Android system and evaluate the performance of our approach. Our approach can achieve good performance. Additionally, it can achieve a high authentication accuracy of up to 98.3%. Regarding resource consumption, our approach consumes less than 0.4% of power while running for an entire day.

Imane Lamiche,Guo Bin,Yao Jing,Zhiwen Yu,Abdenour Hadid

DOI: https://doi.org/10.1007/s12652-018-1123-6

IF: 3.662

2018-01-01

Journal of Ambient Intelligence and Humanized Computing

Abstract:Behavioral biometrics, such as gait patterns and keystroke dynamics, have been becoming increasingly used in human identity recognition research for enhancing the smartphone security. A new multimodal authentication method able to strengthen the smartphone authentication system is proposed in this paper. The proposed mechanism acquires gait patterns from the accelerometer, as well as keystroke dynamics, continuously without user intervention through simultaneous walk and text input. More specifically, features are extracted from both modalities. Afterward, a feature level fusion method is applied to build a multimodal biometrics profile for the user. Fused feature vectors are subjected to the sequential floating forward selection algorithm to reduce their dimensions as well as the computational complexity. The effectiveness of the proposed method is examined through a real multimodal dataset collected from 20 subjects under various scenarios, using different machine learning classifiers. The experimental results achieved a promising accuracy of 99.11% when using multilayer perceptron classifier with the average false acceptance rate, false rejection rate and equal error rate values of 0.684%, 7%, and 1%, respectively. Furthermore, the security strength of the proposed method was evaluated against two types of attacks, the zero-effort attack and minimal-effort mimicking attack. Results demonstrate that our approach represents a robust and secure authentication solution.

Debayan Deb,Arun Ross,Anil K. Jain,Kwaku Prakah-Asante,K. Venkatesh Prasad

DOI: https://doi.org/10.1109/icb45273.2019.8987433

2019-06-01

Abstract:Prevailing user authentication schemes on smartphones rely on explicit user interaction, where a user types in a passcode or presents a biometric cue such as face, fingerprint, or iris. In addition to being cumbersome and obtrusive to the users, such authentication mechanisms pose security and privacy concerns. Passive authentication systems can tackle these challenges by unobtrusively monitoring the user’s interaction with the device. We propose a Siamese Long Short-Term Memory (LSTM) network architecture for passive authentication, where users can be verified without requiring any explicit authentication step. On a dataset comprising of measurements from 30 smartphone sensor modalities for 37 users, we evaluate our approach on 8 dominant modalities, namely, keystroke dynamics, GPS location, accelerometer, gyroscope, magnetometer, linear accelerometer, gravity, and rotation sensors. Experimental results find that a genuine user can be correctly verified 96.47% a false accept rate of 0.1% within 3 seconds.

Abdulaziz Alzubaidi,Jugal Kalita

DOI: https://doi.org/10.48550/arXiv.1911.04104

2019-11-11

Cryptography and Security

Abstract:Smartphones and tablets have become ubiquitous in our daily lives. Smartphones, in particular, have become more than personal assistants. These devices have provided new avenues for consumers to play, work, and socialize whenever and wherever they want. Smartphones are small in size, so they are easy to handle and to stow and carry in users' pockets or purses. However, mobile devices are also susceptible to various problems. One of the greatest concerns is the possibility of breach in security and privacy if the device is seized by an outside party. It is possible that threats can come from friends as well as strangers. Due to the size of smart devices, they can be easily lost and may expose details of users' private lives. In addition, this might enable pervasive observation or imitation of one's movements and activities, such as sending messages to contacts, accessing private communication, shopping with a credit card, and relaying information about where one has been. This paper highlights the potential risks that occur when smartphones are stolen or seized, discusses the concept of continuous authentication, and analyzes current approaches and mechanisms of behavioral biometrics with respect to methodology, associated datasets and evaluation approaches.