DARPA’s Active Authentication
Moving Beyond Passwords
Program Overview Briefing March 17, 2014
Approved for Public Release, Distribution Unlimited
Users are the weak link…
How many passwords do we really use?

DoD IT asset types: NIPRnet, Laptop Encryption, DARPA VPN, PDA, SIPRnet, JWICS, Source Selection, Contract Management, Contract Invoicing, Payroll, Benefits, HR, Training
DARPA reference systems: Windows DMSS, Guardian Edge, Nortel, Blackberry/iPhone, Windows DSN, Windows DJN, TFIMs, I2O BAA Tool, GSA Advantage, SPS, Wide Area Workflow, MyPay, Benefeds.com, hr.dla.mil, DAU, Defense Connect Collaboration Online, Financial System (Local) Momentum, Financial System (Agency) DFAS, Credit Union (PFCU, NCU, etc.)

Non-DoD IT assets with hacked or lost credentials: American Honda Motor Co.; Bank of America; Carnegie Mellon University; Citigroup; Clarkson University; Countrywide Financial Corp.; Fidelity Investments; Heartland Payment Systems; IBM; Johns Hopkins Hospital; SAIC; Sony; Stanford University; TD Ameritrade Holding Corp.; Texas A&M University; TJMax Stores; U.S. Depart. of Veteran Affairs; U.S. Marine Corp – PSU research; Visa, MasterCard, and American Express
Breach dates and number of credentials hacked or lost, as listed on the slide: 27-Dec-10 4.9m; 25-May-11 1.2m; 8-Oct-07 19k; 27-Jul-10 30m; 10-Sep-08 245; 2-Aug-08 17m; 24-Sep-07 8.7m; 20-Jan-09 130m; 15-May-07 2k; 22-Oct-10 152k; 7-May-08 630k; 27-Apr-11 12m; 6-Jun-08 82k; 14-Sep-07 6.5m; 9-Nov-08 13k; 17-Jan-07 100m; 14-May-07 103m; 26-Jul-07 208k; 27-Dec-10 4.9m
Source: www.privacyrights.org/data-breach
Patterns will always be hackable

[Chart: Defcon 2010 Contest on Password Hacking of 53,000 passwords. Y axis: number of passwords cracked by contest winner. X axis: date/time, in 2 hour increments over 48 hours. Annotated steps in the winner's guessing algorithm:]
• Start with normal dictionary attack against 6 character passwords
• Add special characters or numbers to beginning or end of dictionary words in guessing algorithm
• Add cracked passwords as dictionary words to guessing algorithm
• Update the dictionary words to include locally relevant words (vegas, defcon) in guessing algorithm
Source: http://contest.korelogic.com/
Why will passwords always be a problem?

Keyboard-pattern passwords:
• 6tFcVbNh^TfCvBn
• R%t6Y&u8I(o0P-[
• #QWqEwReTrYtUyI
Source: Visualizing Keyboard Pattern Passwords, US AF Academy, 11 Oct 2009
How do we move from proxies for you to the actual you?
The Active Authentication Program
A continuous authentication solution that takes the data available on a DoD computer system and makes an informed decision on the identity of the user of the computer.

Untapped range of behavioral biometrics:
• Computational linguistics (how you use language)
• Structural semantic analysis (how you construct sentences); forensic authorship
• Keystroke pattern
• Mouse movement

Traditional range of biometrics:
• Fingerprint; iris pattern; vein pattern; facial geometry; DNA; eye movement

Non-cooperative behavioral biometrics allow the validation of identity simply by the user acting normally, without requiring interruption of the user.
The Active Authentication Program Plan

Phase 1 (started summer 2012): Expand research in new biometric modalities (contracts June 2012-June 2013)
• Focus on new types of biometric modalities that do not require additional sensors
• Research new modalities and validate on human subjects
• Develop a platform that can interconnect biometrics
• Transition to CERDEC/I2WD

Phase 2 (kick-off Sept 2013): Expand research in new biometric modalities for mobile devices
• Research new modalities and validate on human subjects
• Develop a platform that can interconnect biometrics
• Transition
Active Authentication Performers
Phase 1 Performers Research Focus (performer, research area, functional area)

Allure Security Technology, Inc
  Research area: User search behavior characteristics verified by decoys placed on the file system to detect masqueraders
  Functional area: How you look for information

Behaviosec
  Research area: Keystroke and mouse dynamics in the context of applications
  Functional area: How you type in the context of the applications you use

Coveros
  Research area: User behavior patterns as seen from the operating system
  Functional area: How you interact with programs on your computer

Drexel University
  Research area: Stylometry augmented by author classification and verification
  Functional area: How you construct thoughts in writing, as well as personal attributes of the writer

Iowa State
  Research area: Stylometry focused on thought processing time
  Functional area: The time you take to think while typing

Naval Postgraduate School
  Research area: Behavioral manifestations of human thought processes
  Functional area: How you make decisions

New York Institute of Technology
  Research area: Stylometry focused on how a user types without regard to the actual words
  Functional area: How you compose writing

Naval Research Labs
  Research area: Identification of users through web browsing behavior
  Functional area: Where you surf on the web (and when)

SWRI
  Research area: Use covert games disguised as computer anomalies
  Functional area: How you deal with computer interruptions

University of Maryland
  Research area: Information processing from computer screens
  Functional area: How you visually process information
What are we working on in the Active Authentication Program?

Solutions using desktops

User Search Patterns (Allure Security Technology, Inc.): Using the user's patterns of application use and searching for information on the computer, verified by decoys placed on the file system to detect masqueraders.

Stylometry focused on Cognitive Processing Time (Iowa State University): Using stylometric methods to validate the user based on natural pauses in the way they type.

Stylometry focused on keystroke dynamics, cogni-linguistic features, and demographic classification (Louisiana Tech University): Develop a collection of keystroke-based algorithms that analyze free-text input to capture unique aspects of how a user types, how the user composes text and uses language, and the demographic classifications to which the user belongs.
Phase 2 Performers Research Focus, page 1 of 2 (performer, research area, functional area)

Allure Security Technology, Inc*
  Research area: User search behavior characteristics verified by decoys placed on the file system to detect masqueraders (D), incorporating additional modalities (e.g. voice, image) (M)
  Functional area: How you look for information

AMI Research
  Research area: Fast pattern recognition applied to kinematic gestures and finger image authentication (M)
  Functional area: Fingerprint identification from swipes

BAE Systems
  Research area: Mobile perpetual authentication (M)
  Functional area: How your phone moves when you move

BehavioSec*
  Research area: Type and swipe authentication (M)
  Functional area: How you type/swipe in the context of the applications you use

Drexel University*
  Research area: Stylometry integrated with eye tracking (M)
  Functional area: How you construct thoughts (and where you focus)

Iowa State University*
  Research area: Stylometry focused on cognitive processing time (D) (M)
  Functional area: The time you take to think while typing/swiping

JPL
  Research area: Detection of heartbeat through wave changes in signals emitted from your mobile device (M)
  Functional area: Your heartbeat

Kryptowire
  Research area: Power, touch, and movement authentication (M)
  Functional area: How the device changes during usage

Li Creative Tech
  Research area: Human voice authentication using text-dependent verification for point authentication and text-independent verification for continuous authentication (M)
  Functional area: How you talk (static and continuous)

(D) = Desktop solution; (M) = mobile solution; * = expansion on Phase 1 research
Phase 2 Performers Research Focus, page 2 of 2 (performer, research area, functional area)

Louisiana Tech University*
  Research area: Stylometry focused on keystroke dynamics, cogni-linguistic features, and demographic classification (D); context-aware kinetic authentication (M)
  Functional area: How you construct thoughts (and personal attributes)

SWRI*
  Research area: Use covert games disguised as computer anomalies (M)
  Functional area: How you deal with computer interruptions

SRI International
  Research area: Joint physiological and behavioral authentication mechanism extracting fine-grained anthropometric and behavioral signatures from the motion induced on the mobile (M)
  Functional area: How your phone moves when it is in use

University of Maryland*
  Research area: "Visual fingerprint" through visual images of the operator acquired through the front camera, the back camera, and the screen recorder, respectively (M)
  Functional area: Passive facial recognition

New York Institute of Technology*
  Research area: Spatial-temporal hand micro-movements and oscillations (hand movement, device orientation, and grasping patterns) during two modes of user interaction with the touch screen: (1) touch-burst and (2) cognitive-pause (M)
  Functional area: The movements that occur when you are writing/swiping

SRI International
  Research area: Continuous authentication through natural speech and language activity performed by the user (spoken and written inputs) on mobile devices (M)
  Functional area: How your thought processes show up in your language use

(D) = Desktop solution; (M) = mobile solution; * = expansion on Phase 1 research
Mr. Richard Guidorizzi Program Manager DARPA, I2O
www.darpa.mil
Debbie Waung Director Novetta Solutions
Phase 2 Effort – expansion of Phase 1
Active Authentication Performer Overview and Status
Allure Security Technology and Accenture Federal Systems
User Search and App Behavior Biometric for Active Authentication

Performer Overview and Status
User search behavior characteristics: how a user searches their own files and directories for the information they seek. Decoy files are used to detect adversarial information gathering activities. User app behavior characteristics: how a user runs their apps. Decoy apps are used to detect masqueraders and to gather attacker information.

Key Objectives
• Establish statistics-based biometrics for user search and app behavior modeling
• Capture host OS event features on desktop related to file, window, process and network manipulation. Capture app events on mobile.
• Develop a learning statistical model that evolves over time and tracks change in user behavior.
• Quantify the characteristics of unique user behavior as a measurement of these features and design new statistical models that encapsulate these measurements.
• Develop mitigation strategies in response to a failed reauthentication.
• Decoy document and decoy app implants for intrusion trip-wiring, data leakage tracking, and information gathering about the attacker:
  • Automatically generated decoy docs and a decoy Android app
  • Automatically implanted in the volunteer human subject's file system or mobile home screen
  • Decoys are believable, enticing, non-interfering, stealthy
  • Abnormal volunteer human subject behavior and unusual decoy app touches indicate a masquerader with very high accuracy

Status
Host sensor for desktop Windows and MacOS operational and under incremental development of new features. Decoy app development underway, with a prototype to explore alternative implementation strategies.
© Allure Security in association with Accenture
Team Members
Principal Investigator: Salvatore J Stolfo, Allure Security, New York, NY
• Malek Ben Salem (Co-PI), Accenture, Arlington, VA
• Jonathan Voris (Co-PI), Allure Security, New York, NY
• Yingbo Song (Researcher), Allure Security, New York, NY
• Shlomo Hershkop (Researcher), Allure Security, New York, NY
Active Authentication Performer Overview and Status
Iowa State University
Capturing Cognitive Fingerprints for Active Authentication

Performer Overview and Status
Evaluate the effectiveness of mouse dynamics, gestures and virtual keyboards as biometrics, accounting for swiping, multi-touch zooming, tapping, scrolling, and cognitive processing time.

Key Objectives
• Mouse dynamics (TA1a): We study mouse dynamics including the pause-to-click time (the pause between pointing to an object and actually clicking on it), which relates to the thought processing time of a decision.
• Gestures (TA1b): We study touch gestures including the timing between the end of each scrolling action (swiping or multi-touch zooming) and the beginning of the next action (e.g. tapping or another scroll).
• Virtual keyboards (TA1b): Combine current keystroke dynamics with new features, such as pressure, area and exact coordinates from the touch screen.
• Large-scale experiments: We plan to develop mobile apps for the iOS and Android platforms as a testbed to sample gestures and virtual keyboard activities of individuals in large-scale testing of 1000 participants at Iowa State University.
• Final integration of biometric modalities: We plan to exploit the attributes of the biometric modalities and couple them with customized fusion methods to improve the effectiveness of the final integration.

Status
Developing the system which can collect data from different platforms with 1000 users simultaneously. Designing the experiments that can capture biometrics from users.
Team Members
Principal Investigator: Morris Chang, Iowa State University
• Sun-Yuan Kung, Princeton University
Active Authentication Performer Overview and Status
Louisiana Tech University

Performer Overview and Status
Atomic keystroke latencies enhanced with word context, cogni-linguistic features, demographic features; typing behavior, swiping behavior, body movements.

Key Objectives
• (Desktop) Develop a collection of effective keyboard-based biometric algorithms that analyze free-text input in a variety of ways in order to capture:
  • the unique mechanics of how a user types (atomic keystroke dynamics) and how they vary within a "word" context,
  • the unique aspects of how the user composes text and uses language (cogni-linguistic features), and
  • the demographic classifications (such as handedness, number of fingers used, sex, native language) to which the user belongs.
• (Mobile) Define and extract features for typing behavior, swiping behavior and body movements.
• Build user profiles based on the best features, and design a fusion-based framework that integrates different modalities in a context-aware fashion.
• Analyze algorithmic forgeries for robotic attacks (mobile only), non-zero-effort attacks and zero-effort attacks, and design countermeasures.

Status
The following are in place:
(Desktop) Host sensors from Phase 1 (need adaptation to new requirements); atomic, cogni-linguistic and demographic feature extractors from Phase 1 (need enhancements and refinements); datasets used in Phase 1; some atomic keystroke latency based authentication algorithms.
(Mobile) Sensors; performance evaluation of an initial set of swiping features using an existing dataset; results from initial robotic experiments based on the Lego system (need refinements).
[Figure: Active Authentication Using Keystrokes, Touch Gestures and Body Movements. Desktop inputs: atomic keystroke features (enhanced) and higher-level keystroke features (cogni-linguistic, demographic). Mobile sensor readings: typing (T), swiping (S), accelerometer (A), and the combinations T+A and S+A. All inputs feed Behavior Modeling and Fusion, which produces the authentication decision and feedback for template update. © Louisiana Tech University]
Team Members
Principal Investigator: Vir V. Phoha, Louisiana Tech University
• Mike O'Neal (Co-PI), Louisiana Tech University
• Kiran S. Balagani (Co-PI), New York Institute of Technology
• Andrew Rosenberg (Co-PI), City University of New York
• Craig Spohn (Co-PI), Cyber Innovation Center
• Md Enamul Karim (Researcher), Louisiana Tech University
• Aaron Elliot (Researcher), Cyber Innovation Center
• Abdul Serwadda (Researcher), Louisiana Tech University
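Added example, not from the briefing or from any performer's code, showing the shape of the latency-based continuous authentication that the Iowa State (pause timing as a cognitive fingerprint) and Louisiana Tech (atomic keystroke latencies, fusion, feedback for template update) entries describe: a per-digraph latency template is enrolled from genuine sessions, a new session is scored by its normalised deviation from that template, and an accepted session is fed back to update the template. The keystroke timings, the 5 ms standard-deviation floor, the acceptance threshold and the update rate alpha are all constructed assumptions, not values from the program.

```python
# Added example (not from the DARPA briefing or any performer's code): a minimal
# continuous-authentication scorer over atomic keystroke digraph latencies with
# the "template update" feedback loop. All timings below are constructed data.
from collections import defaultdict
from statistics import mean, pstdev

def digraph_latencies(events):
    """events: [(key, press_time_ms), ...]; returns {digraph: [press-to-press ms, ...]}."""
    feats = defaultdict(list)
    for (k1, t1), (k2, t2) in zip(events, events[1:]):
        feats[k1 + k2].append(t2 - t1)
    return feats

def enroll(sessions, std_floor_ms=5.0):
    """Pool genuine sessions into a template {digraph: (mean, std)}. The floor on
    std (constructed value) stops a near-constant digraph dominating the score."""
    pooled = defaultdict(list)
    for session in sessions:
        for dg, lats in digraph_latencies(session).items():
            pooled[dg].extend(lats)
    return {dg: (mean(l), max(pstdev(l), std_floor_ms)) for dg, l in pooled.items()}

def score(template, session):
    """Mean |z-score| of the session's digraph latencies against the template (lower is
    closer to the enrolled user); digraphs absent from the template are skipped."""
    zs = [abs(mean(lats) - template[dg][0]) / template[dg][1]
          for dg, lats in digraph_latencies(session).items() if dg in template]
    return mean(zs) if zs else float("inf")

def update_template(template, session, alpha=0.2):
    """Feedback after an accepted session: move each matching digraph mean a fraction
    alpha toward the observed value so the profile follows gradual drift."""
    for dg, lats in digraph_latencies(session).items():
        if dg in template:
            mu, sd = template[dg]
            template[dg] = (mu + alpha * (mean(lats) - mu), sd)
    return template

def make_session(keys, latencies):
    """Constructed helper: build (key, time) events from a key string and latencies."""
    t, events = 0, []
    for key, lat in zip(keys, [0] + list(latencies)):
        t += lat
        events.append((key, t))
    return events

TEMPLATE = enroll([make_session("the", l) for l in ([120, 80], [125, 85], [115, 78])])
PROBE_GENUINE = make_session("the", [122, 82])    # constructed: the enrolled user
PROBE_IMPOSTOR = make_session("the", [200, 150])  # constructed: a slower typist
THRESHOLD = 2.0  # constructed operating point: accept a session when score <= THRESHOLD
```

Only sessions that pass the threshold should be passed to update_template; updating on a rejected session would let an impostor drift the profile toward themselves.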