DARPA's Active Authentication - connect:ID

DARPA’s Active Authentication

Moving Beyond Passwords

Program Overview Briefing March 17, 2014

Approved for Public Release, Distribution Unlimited

Users are the weak link…


How many passwords do we really use?

DoD IT asset types: NIPRnet; Laptop Encryption; DARPA VPN; PDA; SIPRnet; JWICS; Source Selection; Contract Management; Contract Invoicing; Payroll; Benefits; HR; Training

DARPA reference systems for those assets: Windows DMSS; Guardian Edge; Nortel; Blackberry/iPhone; Windows DSN; Windows DJN; TFIMs, I2O BAA Tool; GSA Advantage, SPS; Wide Area Workflow; MyPay; Benefeds.com; hr.dla.mil; DAU; Defense Connect Collaboration Online; Financial System, Local: Momentum; Financial System, Agency: DFAS; Credit Union: PFCU, NCU, etc.

Non-DoD IT asset types and credentials hacked or lost:

| Organization | Date | Credentials hacked or lost |
|---|---|---|
| American Honda Motor Co. | 27-Dec-10 | 4.9m |
| Bank of America | 25-May-11 | 1.2m |
| Carnegie Mellon University | 8-Oct-07 | 19k |
| Citigroup | 27-Jul-10 | 30m |
| Clarkson University | 10-Sep-08 | 245 |
| Countrywide Financial Corp. | 2-Aug-08 | 17m |
| Fidelity Investments | 24-Sep-07 | 8.7m |
| Heartland Payment Systems | 20-Jan-09 | 130m |
| IBM | 15-May-07 | 2k |
| Johns Hopkins Hospital | 22-Oct-10 | 152k |
| SAIC | 7-May-08 | 630k |
| Sony | 27-Apr-11 | 12m |
| Stanford University | 6-Jun-08 | 82k |
| TD Ameritrade Holding Corp. | 14-Sep-07 | 6.5m |
| Texas A&M University | 9-Nov-08 | 13k |
| TJMax Stores | 17-Jan-07 | 100m |
| U.S. Depart. of Veteran Affairs | 14-May-07 | 103m |
| U.S. Marine Corp – PSU research | 26-Jul-07 | 208k |
| Visa, MasterCard, and American Express | 27-Dec-10 | 4.9m |

Source: www.privacyrights.org/data-breach


Patterns will always be hackable

Chart: number of passwords cracked by the contest winner against date/time (2-hour increments over 48 hours), from the Defcon 2010 contest on password hacking of 53,000 passwords. Annotations on the curve:

• Start with normal dictionary attack against 6 character passwords
• Add special characters or numbers to beginning or end of dictionary words in guessing algorithm
• Add cracked passwords as dictionary words to guessing algorithm
• Updated the dictionary word to include locally relevant words (vegas, defcon) in guessing algorithm

Source: http://contest.korelogic.com/

Why will passwords always be a problem?

Examples of keyboard-pattern passwords (each one traced as a path across the keys):

• 6tFcVbNh^TfCvBn
• R%t6Y&u8I(o0P-[
• #QWqEwReTrYtUyI

Source: Visualizing Keyboard Pattern Passwords, US AF Academy, 11 Oct 2009
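Patterns like the three above are easy to screen for when a password is set. Added example, not from the briefing or the cited paper: each character is mapped to its position on a US QWERTY layout (shifted symbols folded onto their base key) and a password whose consecutive keys are almost all within two keys of each other is flagged; the layout table, row offsets and the 0.8 threshold are assumptions of this example.

```python
"""Keyboard-walk check for password patterns like those on the slide above.
Added example, not from the briefing: each character is mapped to its position
on a US QWERTY keyboard (shifted symbols folded onto their base key) and the
share of short hops between consecutive keys is measured. The layout table,
row offsets and the 0.8 threshold are assumptions of this example."""

# Unshifted rows of a US QWERTY keyboard, left to right, and the shifted
# symbol on the same key, aligned character-for-character.
_ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
_SHIFTED = ["~!@#$%^&*()_+", "QWERTYUIOP{}|", 'ASDFGHJKL:"', "ZXCVBNM<>?"]
# Column offset per row so that diagonal neighbours (6 over t over f over c)
# differ by exactly one column index.
_OFFSETS = [0, 1, 1, 1]
_POS = {}
for _row, (_plain, _shift) in enumerate(zip(_ROWS, _SHIFTED)):
    for _col, (_p, _s) in enumerate(zip(_plain, _shift)):
        _POS[_p] = _POS[_s] = (_row, _col + _OFFSETS[_row])


def key_distance(a, b):
    """Chebyshev distance between two keys on the grid; None if either is not a key."""
    if a not in _POS or b not in _POS:
        return None
    (r1, c1), (r2, c2) = _POS[a], _POS[b]
    return max(abs(r1 - r2), abs(c1 - c2))


def walk_score(password, max_hop=2):
    """Fraction of consecutive keystrokes that are at most max_hop keys apart.
    Keyboard walks score near 1.0; scattered passwords score much lower."""
    hops = [key_distance(a, b) for a, b in zip(password, password[1:])]
    if not hops:
        return 0.0
    local = sum(1 for d in hops if d is not None and d <= max_hop)
    return local / len(hops)


def is_keyboard_walk(password, threshold=0.8):
    """Policy check: long enough to matter and almost entirely local hops."""
    return len(password) >= 6 and walk_score(password) >= threshold


if __name__ == "__main__":
    # The three slide patterns and one constructed scattered password.
    for pw in ["6tFcVbNh^TfCvBn", "R%t6Y&u8I(o0P-[", "#QWqEwReTrYtUyI", "Xk9!pQ2z"]:
        print(f"{pw:16s} score={walk_score(pw):.2f} walk={is_keyboard_walk(pw)}")
```

The third slide pattern (#QWqEwReTrYtUyI) advances two keys and steps one back, so a strict adjacency check would miss it; the two-key hop tolerance is what catches it.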

How do we move from proxies for you to the actual you?


The Active Authentication Program

A continuous authentication solution that takes the data available on a DoD computer system and makes an informed decision on the identity of the user of the computer.

Untapped range of behavioral biometrics:

• Computational linguistics (how you use language)
• Structural semantic analysis (how you construct sentences)
• Forensic authorship
• Keystroke pattern
• Mouse movement

Traditional range of biometrics:

• Fingerprint
• Iris pattern
• Vein pattern
• Facial geometry
• DNA
• Eye movement

Non-cooperative behavioral biometrics allow the validation of identity simply by the user acting normally, without interrupting the user.

The Active Authentication Program Plan

Phase 1 (started summer 2012): Expand research in new biometric modalities (contracts June 2012-June 2013)

• Focus on new types of biometric modalities that do not require additional sensors
• Research new modalities and validate on human subjects
• Develop a platform that can interconnect biometrics
• Transition to CERDEC/I2WD

Phase 2 (kick-off Sept 2013): Expand research in new biometric modalities for mobile devices

• Research new modalities and validate on human subjects
• Develop a platform that can interconnect biometrics
• Transition

Images © Microsoft ClipArt

Active Authentication Performers


Phase 1 Performers Research Focus

| Performer | Research Area | Functional Area |
|---|---|---|
| Allure Security Technology, Inc | User search behavior characteristics verified by decoys placed on the file system to detect masqueraders | How you look for information |
| Behaviosec | Keystroke and mouse dynamics in context of applications | How you type in the context of applications you use |
| Coveros | User behavior patterns as seen from the operating system | How you interact with programs on your computer |
| Drexel University | Stylometry augmented by author classification and verification | How you construct thoughts in writing, as well as personal attributes of the writer |
| Iowa State | Stylometry focused on thought processing time | The time you take to think while typing |
| Naval Post Graduate School | Behavioral manifestations of human thought processes | How you make decisions |
| New York Institute of Technology | Stylometry focused on how a user types without regard to the actual words | How you compose writing |
| Naval Research Labs | Identification of users through Web browsing behavior | Where you surf on the web (and when) |
| SWRI | Use covert games disguised as computer anomalies | How you deal with computer interruptions |
| University of Maryland | Information processing from computer screens | How you visually process information |

What are we working on in the Active Authentication Program? Solutions using desktops

• User Search Patterns (Allure Security Technology, Inc.): using the user's patterns of application use and searching for information on the computer, verified by decoys placed on the file system to detect masqueraders.
• Stylometry focused on Cognitive Processing Time (Iowa State University): using stylometric methods to validate the user based on natural pauses in the way they type.
• Stylometry focused on keystroke dynamics, cogni-linguistic features, and demographic classification (Louisiana Tech University): develop a collection of keystroke-based algorithms that analyze free-text input to capture unique aspects of how a user types, how the user composes text and uses language, and the demographic classifications to which the user belongs.

Phase 2 Performers Research Focus, page 1 of 2

| Performer | Research Area | Functional Area |
|---|---|---|
| Allure Security Technology, Inc* | User search behavior characteristics verified by decoys placed on the file system to detect masqueraders (D), incorporating additional modalities (e.g. voice, image) (M) | How you look for information |
| AMI Research | Fast pattern recognition applied to kinematic gestures and finger image authentication (M) | Fingerprint identification from swipes |
| BAE Systems | Mobile perpetual authentication (M) | How your phone moves when you move |
| BehavioSec* | Type and swipe authentication (M) | How you type/swipe in the context of applications you use |
| Drexel University* | Stylometry integrated with eye tracking (M) | How you construct thoughts (and where you focus) |
| Iowa State University* | Stylometry focused on cognitive processing time (D) (M) | The time you take to think while typing/swiping |
| JPL | Detection of heartbeat through wave changes in signals emitted from your mobile device (M) | Your heartbeat |
| Kryptowire | Power, touch, and movement authentication (M) | How the device changes during usage |
| Li Creative Tech | Human voice authentication using text-dependent verification for point authentication and text-independent verification for continuous authentication (M) | How you talk (static and continuous) |

(D) = Desktop solution; (M) = mobile solution; * = expansion on Phase 1 research

Phase 2 Performers Research Focus, page 2 of 2

| Performer | Research Area | Functional Area |
|---|---|---|
| Louisiana Tech University* | Stylometry focused on keystroke dynamics, cogni-linguistic features, and demographic classification (D); context-aware kinetic authentication (M) | How you construct thoughts (and personal attributes) |
| SWRI* | Use covert games disguised as computer anomalies (M) | How you deal with computer interruptions |
| SRI International | Joint physiological and behavioral authentication mechanism extracting fine-grained anthropometric and behavioral signatures from the motion induced on the mobile (M) | How your phone moves when it is in use |
| University of Maryland* | "Visual fingerprint" through visual images of the operator acquired through the front camera, the back camera, and the screen recorder respectively (M) | Passive facial recognition |
| New York Institute of Technology* | Spatial-temporal hand micro-movements and oscillations (hand movement, device orientation, and grasping patterns) during two modes of user interaction with the touch screen: (1) touch-burst and (2) cognitive-pause (M) | The movements that occur when you are writing/swiping |
| SRI International | Continuous authentication through natural speech and language activity performed by the user (spoken and written inputs) on mobile devices (M) | How your thought processes show up in your language use |

(D) = Desktop solution; (M) = mobile solution; * = expansion on Phase 1 research

Mr. Richard Guidorizzi Program Manager DARPA, I2O

www.darpa.mil

Debbie Waung Director Novetta Solutions


Phase 2 Effort – expansion of Phase 1

Active Authentication Performer Overview and Status

Allure Security Technology and Accenture Federal Systems: USER SEARCH & APP BEHAVIOR BIOMETRIC FOR ACTIVE AUTHENTICATION

PERFORMER OVERVIEW AND STATUS

User search behavior characteristics: how a user searches their own files and directories for information they seek. Decoy files are used to detect adversarial information gathering activities. User app behavior characteristics: how a user runs their apps. Decoy apps are used to detect masqueraders and to gather attacker information.

Key Objectives

• Establish statistics-based biometrics for user search and app behavior modeling
• Capture host OS event features on desktop related to file, window, process and network manipulation. Capture app events on mobile.
• Develop a learning statistical model that evolves over time and tracks change in user behavior.
• Quantify the characteristics of unique user behavior as a measurement of these features and design new statistical models that encapsulate these measurements.
• Develop mitigation strategies in response to a failed reauthentication.
• Decoy document and decoy app implants for intrusion trip-wiring, data leakage tracking, and information gathering about the attacker:
  • Automatically generated decoy docs and decoy Android app
  • Automatically implanted in the volunteer human subject's file system or mobile home screen
  • Decoys are believable, enticing, non-interfering, stealthy
  • Abnormal volunteer human subject behavior and unusual decoy app touches indicate a masquerader with very high accuracy

Status

• Host sensor for desktop Windows and MacOS operational and under incremental development of new features
• Decoy app development underway with prototype to explore alternative implementation strategies

© Allure Security in association with Accenture

Team Members

Principal Investigator: Salvatore J Stolfo, Allure Security, New York, NY
• Malek Ben Salem (Co-PI), Accenture, Arlington, VA
• Jonathan Voris (Co-PI), Allure Security, New York, NY
• Yingbo Song (Researcher), Allure Security, New York, NY
• Shlomo Hershkop (Researcher), Allure Security, New York, NY
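Added example, not Allure's sensor or model: a session scorer in the spirit of the decoy trip-wiring and search-behavior objectives above, run over a constructed host event stream, where a decoy touch alone is enough to demand re-authentication and novel-path browsing plus a burst of directory listings add weaker evidence. The event format, paths, weights and the 60-second burst window are assumptions.

```python
"""Decoy-document tripwire plus search-behavior scoring over host sensor events.
Added example, not Allure's sensor or model; the event format, paths and
weights are constructed assumptions. A decoy is a planted file the owner has
no reason to open, so a single touch is decisive; a burst of directory
listings over paths never seen in enrollment is the weaker "search" signal."""

# Constructed host-sensor events: (seconds into session, action, path)
SESSION = [
    (1, "open", "C:/Users/alice/Documents/budget_2014.xlsx"),
    (9, "list", "C:/Users/alice/Documents"),
    (14, "open", "C:/Users/alice/Documents/notes.txt"),
    (30, "list", "C:/Users/alice/Documents/Contracts"),
    (32, "list", "C:/Users/alice/Documents/Contracts/Archive"),
    (35, "open", "C:/Users/alice/Documents/Contracts/Archive/passwords_backup.docx"),
    (40, "list", "C:/Users/alice/Desktop"),
]
BENIGN_SESSION = [
    (1, "open", "C:/Users/alice/Documents/budget_2014.xlsx"),
    (20, "list", "C:/Users/alice/Documents"),
    (25, "open", "C:/Users/alice/Documents/notes.txt"),
]
# Decoy the sensor planted (constructed): enticing name, never used by the owner.
DECOYS = {"C:/Users/alice/Documents/Contracts/Archive/passwords_backup.docx"}
# Paths the owner touched during the enrollment period (constructed).
KNOWN_PATHS = {"C:/Users/alice/Documents/budget_2014.xlsx",
               "C:/Users/alice/Documents/notes.txt",
               "C:/Users/alice/Documents"}


def assess_session(events, decoys, known_paths, burst_window=60):
    """Return (score, reasons); a score of 1.0 or more should trigger
    re-authentication (the failed-reauthentication mitigations above)."""
    score, reasons = 0.0, []
    decoy_hits = [p for _, act, p in events if act == "open" and p in decoys]
    if decoy_hits:                        # tripwire: decisive on its own
        score += 1.0
        reasons.append("decoy opened: " + decoy_hits[0])
    paths = [p for _, _, p in events]
    novel = sum(1 for p in paths if p not in known_paths)
    if paths and novel / len(paths) > 0.5:  # mostly unfamiliar territory
        score += 0.5
        reasons.append(f"{novel} of {len(paths)} paths never seen in enrollment")
    lists = [t for t, act, _ in events if act == "list"]
    if len(lists) >= 3 and lists[-1] - lists[0] <= burst_window:
        score += 0.5                      # rapid directory walking = searching
        reasons.append(f"{len(lists)} directory listings in {lists[-1] - lists[0]}s")
    return score, reasons
```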

Active Authentication Performer Overview and Status

Iowa State University: Capturing Cognitive Fingerprints for Active Authentication

PERFORMER OVERVIEW AND STATUS

Evaluate the effectiveness of mouse dynamics, gestures and virtual keyboards as biometrics, accounting for swiping, multi-touch zooming, tapping, scrolling, and cognitive processing time.

Key Objectives

• Mouse dynamics (TA1a): we study mouse dynamics including the pause-to-click time (the pause time between pointing to an object and actually clicking on it), which has to do with the thought processing time of a decision
• Gestures (TA1b): we study touch gestures including the timing between the end of each scrolling (swiping or multi-touch zooming) and the beginning of the next action (e.g. tapping or another scrolling)
• Virtual keyboards (TA1b): combine current keystroke dynamics with new features, such as pressure, area and exact coordinate from the touch screen
• Large scale experiments: we plan to develop mobile apps for iOS and Android platforms as a testbed to sample gestures and virtual keyboard activities of individuals in large-scale testing of 1000 participants at Iowa State University
• Final integration of biometric modalities: we plan to exploit the attributes of biometric modalities and couple them with customized fusion methods to improve the effectiveness of the final integration of biometric modalities

Status

• Developing the system which can collect data from different platforms with 1000 users simultaneously
• Designing the experiments that can capture biometrics from users

Team Members

Principal Investigator: Morris Chang, Iowa State University
• Sun-Yuan Kung, Princeton University

Active Authentication Performer Overview and Status

Louisiana Tech University: ACTIVE AUTHENTICATION USING KEYSTROKES, TOUCH GESTURES AND BODY MOVEMENTS

PERFORMER OVERVIEW AND STATUS

Atomic keystroke latencies enhanced with word context, cogni-linguistic features, demographic features; typing behavior, swiping behavior, body movements.

Key Objectives

• (Desktop) Develop a collection of effective keyboard-based biometric algorithms that analyze free text input in a variety of ways in order to capture:
  • the unique mechanics of how a user types (atomic keystroke dynamics) and how they vary within a "word" context,
  • the unique aspects of how the user composes text and uses language (cogni-linguistic features), and
  • the demographic classifications (such as handedness, number of fingers used, sex, native language) to which the user belongs.
• (Mobile) Define and extract features for typing behavior, swiping behavior, body movements.
• Build user profiles based on the best features, and design a fusion-based framework that integrates different modalities in a context-aware fashion.
• Analyze algorithmic forgeries for robotic attacks (mobile only), non-zero-effort attacks and zero-effort attacks and design countermeasures.

Status

The following are in place:
• (Desktop) Host sensors from Phase 1 (need adaptation to new requirements); atomic, cogni-linguistic and demographic feature extractors from Phase 1 (need enhancements and refinements); datasets used in Phase 1; some atomic keystroke latency based authentication algorithms
• (Mobile) Sensors; performance evaluation of initial set of swiping features using an existing dataset; results from initial robotic experiments based on the Lego system (need refinements)

Figure (architecture diagram, © Louisiana Tech University): desktop inputs are Atomic Keystroke Features (Enhanced), Higher Level Keystroke Features, Cognilinguistic and Demographic features; mobile sensor readings are Typing (T), Swiping (S) and Accelerometer (A), combined as T+A and S+A. All feed Behavior Modeling and Fusion, which outputs Authentication and Feedback for Template Update.

Team Members

Principal Investigator: Vir V. Phoha, Louisiana Tech University
• Mike O'Neal (Co-PI), Louisiana Tech University
• Kiran S. Balagani (Co-PI), New York Institute of Technology
• Andrew Rosenberg (Co-PI), City University of New York
• Craig Spohn (Co-PI), Cyber Innovation Center
• Md Enamul Karim (Researcher), Louisiana Tech University
• Aaron Elliot (Researcher), Cyber Innovation Center
• Abdul Serwadda (Researcher), Louisiana Tech University
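Added example, not Louisiana Tech's algorithms: the simplest form of the atomic keystroke dynamics named in the desktop objective above, a per-user template of digraph latencies (key-down to key-down) built from enrollment samples and used to verify a new sample; the timings are constructed and the k = 2 standard deviation tolerance and 10 ms floor are assumptions. The verifier works for any digraphs the template has seen, not only the word used in the enrollment data.

```python
"""Atomic keystroke-latency verification in the style of the desktop objective
above. Added example, not Louisiana Tech's code; timings and the k = 2
tolerance are constructed for illustration."""
from collections import defaultdict
from statistics import mean, pstdev

def digraph_latencies(keydowns):
    """keydowns: [(char, key-down ms), ...] in typing order.
    Returns {(a, b): [ms from key-down of a to key-down of b, ...]}."""
    lats = defaultdict(list)
    for (a, t1), (b, t2) in zip(keydowns, keydowns[1:]):
        lats[(a, b)].append(t2 - t1)
    return lats

def build_template(enroll_samples):
    """Pool latencies over enrollment samples into (mean, sd) per digraph."""
    pooled = defaultdict(list)
    for sample in enroll_samples:
        for dg, lats in digraph_latencies(sample).items():
            pooled[dg].extend(lats)
    return {dg: (mean(l), pstdev(l)) for dg, l in pooled.items() if len(l) >= 2}

def verify(template, sample, k=2.0, min_sd=10.0):
    """(match_ratio, digraphs_scored): share of the sample's known digraphs within
    k sd of the template mean; sd is floored at min_sd so tight templates stay
    usable, and digraphs absent from the template are skipped."""
    hits = scored = 0
    for dg, lats in digraph_latencies(sample).items():
        if dg in template:
            mu, sd = template[dg]
            for lat in lats:
                scored += 1
                hits += abs(lat - mu) <= k * max(sd, min_sd)
    return (hits / scored if scored else 0.0), scored

def typed(word, latencies, start=0):
    """Constructed key-down stream: latencies[i] ms between letters i and i+1."""
    times, t = [start], start
    for lat in latencies:
        t += lat
        times.append(t)
    return list(zip(word, times))

# Constructed enrollment: the owner types "the" three times with a stable rhythm.
ENROLL = [typed("the", [118, 92]), typed("the", [125, 88]), typed("the", [121, 95])]
TEMPLATE = build_template(ENROLL)
GENUINE = typed("the", [123, 90])     # same rhythm -> (1.0, 2)
IMPOSTOR = typed("the", [210, 160])   # much slower typist -> (0.0, 2)
```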