Approved for Public Release, Distribution Unlimited DARPA’s Active Authentication Moving Beyond Passwords Program Overview Briefing March 17, 2014



Users are the weak link…


How many passwords do we really use?


| DoD IT Asset Type | DARPA Reference System |
|---|---|
| NIPRnet | Windows DMSS |
| Laptop Encryption | Guardian Edge |
| DARPA VPN | Nortel |
| PDA | Blackberry/iPhone |
| SIPRnet | Windows DSN |
| JWICS | Windows DJN |
| Source Selection | TFIMs, I2O BAA Tool |
| Contract Management | GSA Advantage, SPS |
| Contract Invoicing | Wide Area Workflow |
| Payroll | MyPay |
| Benefits | Benefeds.com |
| HR | hr.dla.mil |
| Training | DAU |
| Collaboration | Defense Connect Online |
| Financial System, Local | Momentum |
| Financial System, Agency | DFAS |
| Credit Union | PFCU, NCU, etc. |

| Non-DoD IT Asset Type | Hacked on | Credentials lost |
|---|---|---|
| American Honda Motor Co. | 27-Dec-10 | 4.9m |
| Bank of America | 25-May-11 | 1.2m |
| Carnegie Mellon University | 8-Oct-07 | 19k |
| Citigroup | 27-Jul-10 | 30m |
| Clarkson University | 10-Sep-08 | 245 |
| Countrywide Financial Corp. | 2-Aug-08 | 17m |
| Fidelity Investments | 24-Sep-07 | 8.7m |
| Heartland Payment Systems | 20-Jan-09 | 130m |
| IBM | 15-May-07 | 2k |
| Johns Hopkins Hospital | 22-Oct-10 | 152k |
| SAIC | 7-May-08 | 630k |
| Sony | 27-Apr-11 | 12m |
| Stanford University | 6-Jun-08 | 82k |
| TD Ameritrade Holding Corp. | 14-Sep-07 | 6.5m |
| Texas A&M University | 9-Nov-08 | 13k |
| TJMax Stores | 17-Jan-07 | 100m |
| U.S. Depart. of Veteran Affairs | 14-May-07 | 103m |
| U.S. Marine Corp – PSU research | 26-Jul-07 | 208k |
| Visa, MasterCard, and American Express | 27-Dec-10 | 4.9m |

Source: www.privacyrights.org/data-breach

Patterns will always be hackable

[Chart] Defcon 2010 Contest on Password Hacking of 53,000 passwords

Y-axis: Number of passwords cracked by contest winner

X-axis: Date/Time (2 hour increments over 48 hours)

Chart annotations:

• Updated the dictionary word to include locally relevant words (vegas, defcon) in guessing algorithm

• Add cracked passwords as dictionary words to guessing algorithm

• Start with normal dictionary attack against 6 character passwords

• Add special characters or numbers to beginning or end of dictionary words in guessing algorithm

Source: http://contest.korelogic.com/

Why will passwords always be a problem?

6tFcVbNh^TfCvBn

R%t6Y&u8I(o0P-[

#QWqEwReTrYtUyI

[Figure: three keyboard diagrams, one per password]

Source: Visualizing Keyboard Pattern Passwords, US AF Academy 11 Oct, 2009
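Added example (not part of the original briefing): the three passwords on this slide mix case, digits or symbols, yet each is a walk across neighbouring keys. The Python sketch below scores that for password screening; the approximate US-QWERTY key coordinates, the 0.8 threshold, the function names and the control password are assumptions made for this illustration.

```python
# Added illustration: score how much of a password is a keyboard walk.
# Assumed layout: US QWERTY, with approximate horizontal stagger per row.
ROWS = [("`1234567890-=", 0.0), ("qwertyuiop[]\\", 1.5),
        ("asdfghjkl;'", 1.75), ("zxcvbnm,./", 2.25)]
POS = {ch: (offset + i, row)
       for row, (keys, offset) in enumerate(ROWS)
       for i, ch in enumerate(keys)}
# Shifted symbols map back to the physical key that produces them.
UNSHIFT = str.maketrans('~!@#$%^&*()_+{}|:"<>?', "`1234567890-=[]\\;',./")

SLIDE_PASSWORDS = ["6tFcVbNh^TfCvBn", "R%t6Y&u8I(o0P-[", "#QWqEwReTrYtUyI"]
CONTROL = "k9$Zp2!mQx7&eLb"  # constructed non-pattern password for contrast


def key_path(password):
    """Return the (x, y) key positions typed, ignoring Shift and case."""
    plain = password.translate(UNSHIFT).lower()
    return [POS[c] for c in plain if c in POS]


def walk_fraction(password, max_dx=2.0):
    """Fraction of keystroke transitions that stay within max_dx keys
    horizontally and one row vertically of the previous key."""
    path = key_path(password)
    if len(path) < 2:
        return 0.0
    near = sum(1 for (x1, y1), (x2, y2) in zip(path, path[1:])
               if abs(y1 - y2) <= 1 and abs(x1 - x2) <= max_dx)
    return near / (len(path) - 1)


def char_classes(password):
    """Count the classes a composition rule sees: lower, upper, digit, symbol."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(t(c) for c in password) for t in tests)


def is_keyboard_walk(password, threshold=0.8):
    """Flag a password whose transitions are mostly neighbouring keys."""
    return walk_fraction(password) >= threshold


if __name__ == "__main__":
    for pw in SLIDE_PASSWORDS + [CONTROL]:
        print(f"{pw!r}: classes={char_classes(pw)} "
              f"walk={walk_fraction(pw):.2f} flagged={is_keyboard_walk(pw)}")
```

All three slide passwords pass a typical three-class composition rule and are still flagged as walks, while the constructed control is not.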

How do we move from proxies for you to the actual you?


The Active Authentication Program


A continuous authentication solution that takes the data available on a DoD computer system and makes an informed decision on the identity of the user of the computer

Computational linguistics (How you use language)

Structural semantic analysis (how you construct sentences); Forensic authorship

Keystroke pattern; Mouse movement

Fingerprint; Iris pattern; Vein pattern; Facial geometry; DNA; Eye movement

Non-cooperative behavioral biometrics allow the validation of identity simply by the user acting normally, not requiring interruption of the user

You

Traditional Range of Biometrics

Untapped Range of Behavioral Biometrics

The Active Authentication Program Plan


• Research new modalities and validate on human subjects

• Develop a Platform that can interconnect biometrics

• Transition to CERDEC/I2WD

• Phase 1 (started summer 2012):

  • Expand research in new biometric modalities (contracts June 2012-June 2013)

  • Focus on new types of biometric modalities that do not require additional sensors

• Phase 2 (Kick-off Sept 2013):

  • Expand research in new biometric modalities for mobile devices

Images © Microsoft ClipArt


Active Authentication Performers


| Performer | Research Area | Functional Area |
|---|---|---|
| Allure Security Technology, Inc | User Search behavior characteristics verified by decoys placed on the file system to detect masqueraders | How you look for information |
| Behaviosec | Keystroke and mouse dynamics in context of applications | How you type in the context of applications you use |
| Coveros | User behavior patterns as seen from the operating system | How you interact with programs on your computer |
| Drexel University | Stylometry augmented by author classification and verification | How you construct thoughts in writing, as well as personal attributes of the writer |
| Iowa State | Stylometry focused on thought processing time | The time you take to think while typing |
| Naval Post Graduate School | Behavioral manifestations of human thought processes | How you make decisions |
| New York Institute of Technology | Stylometry focused on how a user types without regard to the actual words | How you compose writing |
| Naval Research Labs | Identification of users through Web browsing behavior | Where you surf on the web (and when) |
| SWRI | Use covert games disguised as computer anomalies | How you deal with computer interruptions |
| University of Maryland | Information processing from computer screens | How you visually process information |

Phase 1 Performers Research Focus


What are we working on in the Active Authentication Program?

User Search Patterns – Allure Security Technology, Inc.

Using the user’s patterns of application use and searching for information on the computer, verified by decoys placed on the file system to detect masqueraders.

Stylometry focused on Cognitive Processing Time – Iowa State University

Using stylometric methods to validate the user based on natural pauses in the way they type.

Stylometry focused on keystroke dynamics, cogni-linguistic features, and demographic classification – Louisiana Tech University

Develop a collection of keystroke-based algorithms that analyze free-text input to capture unique aspects of how a user types, how the user composes text and uses language, and the demographic classifications to which the user belongs.


Solutions using desktops

| Performer | Research Area | Functional Area |
|---|---|---|
| Allure Security Technology, Inc* | User Search behavior characteristics verified by decoys placed on the file system to detect masqueraders (D) incorporating additional modalities (e.g. voice, image) (M) | How you look for information |
| AMI Research | Fast Pattern Recognition Applied to Kinematic Gestures and Finger Images authentication (M) | Fingerprint identification from swipes |
| BAE Systems | Mobile perpetual authentication (M) | How your phone moves when you move |
| BehavioSec* | Type and swipe authentication (M) | How you type/swipe in the context of applications you use |
| Drexel University* | Stylometry integrated with eye tracking (M) | How you construct thoughts (and where you focus) |
| Iowa State University* | Stylometry focused on Cognitive Processing Time (D) (M) | The time you take to think while typing/swiping |
| JPL | Detection of Heartbeat through wave changes in signals emitted from your mobile device (M) | Your heartbeat |
| Kryptowire | Power, touch, and movement authentication (M) | How the device changes during usage |
| Li Creative Tech | Human voice authentication using text dependent verification for point authentication and text independent verification for continuous authentication (M) | How you talk (static and continuous) |

Phase 2 Performers Research Focus, page 1 of 2


(D) = Desktop solution (M) = mobile solution * = expansion on Phase 1 research


| Performer | Research Area | Functional Area |
|---|---|---|
| Louisiana Tech University* | Stylometry focused on keystroke dynamics, cogni-linguistic features, and demographic classification (D) Context aware kinetic authentication (M) | How you construct thoughts (and personal attributes) |
| SWRI* | Use covert games disguised as computer anomalies (M) | How you deal with computer interruptions |
| SRI International | Joint Physiological and Behavioral authentication mechanism extracting fine-grained anthropometric & behavioral signatures from the motion induced on the mobile (M) | How your phone moves when it is in use |
| University of Maryland* | “Visual fingerprint” through visual images of the operator acquired through the front camera, the back camera, and the screen recorder respectively. (M) | Passive facial recognition |
| New York Institute of Technology* | Spatial-temporal hand micro-movements and oscillations (hand movement, device orientation, and grasping patterns) during two modes of user interaction with the touch screen: (1) touch-burst and (2) cognitive-pause. (M) | The movements that occur when you are writing/swiping |
| SRI International | Continuous authentication through natural speech and language activity performed by the user (spoken and written inputs) on mobile devices (M) | How your thought processes show up in your language use |

Phase 2 Performers Research Focus, page 2 of 2


(D) = Desktop solution (M) = mobile solution * = expansion on Phase 1 research


www.darpa.mil


Mr. Richard Guidorizzi, Program Manager, DARPA, I2O

Debbie Waung, Director, Novetta Solutions


Active Authentication Performer Overview and Status

Allure Security Technology and Accenture Federal Systems

Team Members

• Principal Investigator: Salvatore J Stolfo, Allure Security, New York, NY

• Malek Ben Salem (Co-PI), Accenture, Arlington, VA

• Jonathan Voris (Co-PI), Allure Security, New York, NY

• Yingbo Song (Researcher), Allure Security, New York, NY

• Shlomo Hershkop (Researcher), Allure Security, New York, NY

PERFORMER OVERVIEW AND STATUS

User search behavior characteristics, how a user searches their own files and directories for information they seek. Decoy files are used to detect adversarial information gathering activities.

User app behavior characteristics, how a user runs their apps. Decoy apps are used to detect masqueraders and to gather attacker information.

Key Objectives

• Establish statistics-based biometrics for User search and app behavior modeling

• Capture host OS event features on desktop related to: file, window, process, network manipulation. Capture app events on mobile.

• Develop a learning statistical model that evolves over time and tracks change in User behavior.

• Quantify the characteristics of unique User behavior as a measurement of these features and design new statistical models that encapsulate these measurements.

• Develop mitigation strategies in response to a failed re-authentication.

• Decoy document and decoy app implants for intrusion trip-wiring, data leakage tracking, and information gathering about attacker:

  • Automatically generated decoy docs, and decoy Android app

  • Automatically implanted in Volunteer Human Subject’s file system or mobile home screen

  • Decoys are believable, enticing, non-interfering, stealthy

• Abnormal Volunteer Human Subject behavior and unusual decoy app touches indicate a masquerader with very high accuracy

Status

Host sensor for desktop Windows and MacOS operational and under incremental development of new features

Decoy app development underway with prototype to explore alternative implementation strategies


© Allure Security in association with Accenture

USER SEARCH & App BEHAVIOR BIOMETRIC FOR ACTIVE AUTHENTICATION

Phase 2 Effort – expansion of Phase 1


Active Authentication Performer Overview and Status

Iowa State University

Team Members

• Principal Investigator: Morris Chang, Iowa State University

• Sun-Yuan Kung, Princeton University

PERFORMER OVERVIEW AND STATUS

Evaluate the effectiveness of mouse dynamics.

Gestures and virtual keyboards as biometrics, accounting for swiping, multi-touch zooming, tapping, scrolling, and cognitive processing time.

Key Objectives

• Mouse dynamics (TA1a)

  • We study mouse dynamics including the pause-to-click time (the pause time between pointing to an object and actually clicking on it), which has to do with the thought processing time of a decision

• Gestures (TA1b)

  • We study touch gestures including the timing between the end of each scrolling (swiping or multitouch zooming) and the beginning of the next action (e.g. tapping or another scrolling)

• Virtual Keyboards (TA1b)

  • Combine current keystroke dynamics with new features (such as pressure, area and exact coordinate from touch screen)

• Large scale experiments

  • We plan to develop mobile Apps for iOS and Android platforms as a testbed to sample gestures and virtual keyboard activities of individuals in large-scale testing of 1000 participants at Iowa State University.

• Final integration of biometric modalities

  • We plan to exploit the attributes of biometric modalities and couple them with customized fusion methods to improve the effectiveness of the final integration of biometric modalities

Status

Developing the system which can collect data from different platforms with 1000 users simultaneously

Designing the experiments that can capture biometrics from users


Capturing Cognitive Fingerprints for Active Authentication

Active Authentication Performer Overview and Status

Louisiana Tech University

Team Members

• Principal Investigator: Vir V. Phoha, Louisiana Tech University

• Mike O’Neal (Co-PI), Louisiana Tech University

• Kiran S. Balagani (Co-PI), New York Institute of Technology

• Andrew Rosenberg (Co-PI), City University of New York

• Craig Spohn (Co-PI), Cyber Innovation Center

• Md Enamul Karim (Researcher), Louisiana Tech University

• Aaron Elliot (Researcher), Cyber Innovation Center

• Abdul Serwadda (Researcher), Louisiana Tech University

PERFORMER OVERVIEW AND STATUS

Atomic keystroke latencies enhanced with word context, Cogni-linguistic features, Demographic features;

Typing behavior, Swiping behavior, Body movements

Key Objectives

• (Desktop) Develop a collection of effective keyboard-based biometric algorithms that analyze free text input in a variety of ways in order to capture

  • the unique mechanics of how a user types (atomic keystroke dynamics) and how they vary within a “word” context,

  • the unique aspects of how the user composes text and uses language (cogni-linguistic features), and,

  • the demographic classifications (such as handedness, number of fingers used, sex, native language) to which the user belongs.

• (Mobile) Define and extract features for typing behavior, swiping behavior, body movements.

• Build user profiles based on the best features, and design a fusion based framework that integrates different modalities in a context-aware fashion.

• Analyze algorithmic forgeries for robotic attacks (mobile only), non-zero effort attacks and zero effort attacks and design counter-measures.

Status

The following are in place:

• (Desktop) Host sensors from Phase 1 (need adaptation to new requirements); atomic, cogni-linguistic, demographic feature extractors from Phase 1 (need enhancements and refinements); datasets used in Phase 1; some atomic keystroke latency based authentication algorithms

• (Mobile) Sensors; performance evaluation of initial set of swiping features using an existing dataset; results from initial robotic experiments based on the Lego system (need refinements)


ACTIVE AUTHENTICATION USING KEYSTROKES, TOUCH GESTURES AND BODY MOVEMENTS

[Figure, © Louisiana Tech University. Desktop: Higher Level Keystroke Features (Atomic Keystroke Features (Enhanced), Cogni-linguistic, Demographic). Mobile: Sensor Readings (Typing (T), Swiping (S), Accelerometer (A); combinations shown include S + A, T + A and A). Remaining labels: Behavior Modeling and Fusion; Authentication, Feedback for Template Update.]