Gametrics: towards attack-resilient behavioral authentication with simple cognitive games

Proceedings of the 32nd Annual Conference on Computer Security Applications Pub Date : 2016-12-05 DOI:10.1145/2991079.2991096

Manar Mohamed, Nitesh Saxena

{"title":"Gametrics: towards attack-resilient behavioral authentication with simple cognitive games","authors":"Manar Mohamed, Nitesh Saxena","doi":"10.1145/2991079.2991096","DOIUrl":null,"url":null,"abstract":"Authenticating a user based on her unique behavioral bio-metric traits has been extensively researched over the past few years. The most researched behavioral biometrics techniques are based on keystroke and mouse dynamics. These schemes, however, have been shown to be vulnerable to human-based and robotic attacks that attempt to mimic the user's behavioral pattern to impersonate the user. In this paper, we aim to verify the user's identity through the use of active, cognition-based user interaction in the authentication process. Such interaction boasts to provide two key advantages. First, it may enhance the security of the authentication process as multiple rounds of active interaction would serve as a mechanism to prevent against several types of attacks, including zero-effort attack, expert trained attackers, and automated attacks. Second, it may enhance the usability of the authentication process by actively engaging the user in the process. We explore the cognitive authentication paradigm through very simplistic interactive challenges, called Dynamic Cognitive Games, which involve objects floating around within the images, where the user's task is to match the objects with their respective target(s) and drag/drop them to the target location(s). Specifically, we introduce, build and study Gametrics (\"Game-based biometrics\"), an authentication mechanism based on the unique way the user solves such simple challenges captured by multiple features related to her cognitive abilities and mouse dynamics. Based on a comprehensive data set collected in both online and lab settings, we show that Gametrics can identify the users with a high accuracy (false negative rates, FNR, as low as 0.02) while rejecting zero-effort attackers (false positive rates, FPR, as low as 0.02). Moreover, Gametrics shows promising results in defending against expert attackers that try to learn and later mimic the user's pattern of solving the challenges (FPR for expert human attacker as low as 0.03). Furthermore, we argue that the proposed biometrics is hard to be replayed or spoofed by automated means, such as robots or malware attacks.","PeriodicalId":419419,"journal":{"name":"Proceedings of the 32nd Annual Conference on Computer Security Applications","volume":"198 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-12-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"10","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 32nd Annual Conference on Computer Security Applications","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2991079.2991096","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 10

Abstract

Authenticating a user based on her unique behavioral bio-metric traits has been extensively researched over the past few years. The most researched behavioral biometrics techniques are based on keystroke and mouse dynamics. These schemes, however, have been shown to be vulnerable to human-based and robotic attacks that attempt to mimic the user's behavioral pattern to impersonate the user. In this paper, we aim to verify the user's identity through the use of active, cognition-based user interaction in the authentication process. Such interaction boasts to provide two key advantages. First, it may enhance the security of the authentication process as multiple rounds of active interaction would serve as a mechanism to prevent against several types of attacks, including zero-effort attack, expert trained attackers, and automated attacks. Second, it may enhance the usability of the authentication process by actively engaging the user in the process. We explore the cognitive authentication paradigm through very simplistic interactive challenges, called Dynamic Cognitive Games, which involve objects floating around within the images, where the user's task is to match the objects with their respective target(s) and drag/drop them to the target location(s). Specifically, we introduce, build and study Gametrics ("Game-based biometrics"), an authentication mechanism based on the unique way the user solves such simple challenges captured by multiple features related to her cognitive abilities and mouse dynamics. Based on a comprehensive data set collected in both online and lab settings, we show that Gametrics can identify the users with a high accuracy (false negative rates, FNR, as low as 0.02) while rejecting zero-effort attackers (false positive rates, FPR, as low as 0.02). Moreover, Gametrics shows promising results in defending against expert attackers that try to learn and later mimic the user's pattern of solving the challenges (FPR for expert human attacker as low as 0.03). Furthermore, we argue that the proposed biometrics is hard to be replayed or spoofed by automated means, such as robots or malware attacks.

查看原文本刊更多论文

Gametrics:用简单的认知游戏实现抗攻击的行为认证

在过去的几年里，基于用户独特的行为生物特征来验证用户的身份已经得到了广泛的研究。研究最多的行为生物识别技术是基于击键和鼠标动力学。然而，这些方案已被证明容易受到基于人类和机器人的攻击，这些攻击试图模仿用户的行为模式来冒充用户。在本文中，我们的目标是通过在认证过程中使用主动的、基于认知的用户交互来验证用户的身份。这种互动提供了两个关键优势。首先，它可以增强身份验证过程的安全性，因为多轮主动交互可以作为一种机制来防止几种类型的攻击，包括零努力攻击、经过专家训练的攻击者和自动攻击。其次，它可以通过积极地让用户参与到认证过程中来增强认证过程的可用性。我们通过非常简单的交互式挑战(称为动态认知游戏)来探索认知认证范式，其中涉及图像中浮动的对象，用户的任务是将对象与其各自的目标相匹配，并将其拖放到目标位置。具体来说，我们介绍，建立和研究Gametrics(“基于游戏的生物识别技术”)，这是一种基于用户解决与她的认知能力和鼠标动态相关的多个特征捕获的简单挑战的独特方式的认证机制。基于在线和实验室环境中收集的综合数据集，我们表明Gametrics可以以高精度(假阴性率，FNR，低至0.02)识别用户，同时拒绝零努力攻击者(假阳性率，FPR，低至0.02)。此外，Gametrics在防御那些试图学习并模仿用户解决挑战模式的专家攻击者(专家攻击者的FPR低至0.03)方面显示出了令人满意的结果。此外，我们认为所提出的生物识别技术很难被自动化手段(如机器人或恶意软件攻击)重播或欺骗。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the 32nd Annual Conference on Computer Security Applications

自引率

0.00%

发文量